On Fri, Apr 22, 2016 at 07:50:06PM -0400, John Magne wrote: > I took a look at the stuff alee asked for. > > CFU even took a quick look when I asked her a couple of questions. > She was unsure of something (as was I) and she would like to be able > to take a closer look next week. I will give my quick thoughts. > > 1. I agree that HSM support is not in the patch, seems fine to move that > to a future ticket. > > Here is one thing I was kind of worried about: > This is the code that imports the archive of the desired private key. > > > ublic static PrivateKey importPKIArchiveOptions( > + CryptoToken token, PrivateKey unwrappingKey, > + PublicKey pubkey, byte[] data) > + throws InvalidBERException, Exception { > + ByteArrayInputStream in = new ByteArrayInputStream(data); > + PKIArchiveOptions options = (PKIArchiveOptions) > + (new PKIArchiveOptions.Template()).decode(in); > + EncryptedKey encKey = options.getEncryptedKey(); > + EncryptedValue encVal = encKey.getEncryptedValue(); > + AlgorithmIdentifier algId = encVal.getSymmAlg(); > + BIT_STRING encSymKey = encVal.getEncSymmKey(); > + BIT_STRING encPrivKey = encVal.getEncValue(); > > This is the wrapper object that is built off of the caSigningUnit key gotten > in the other patch, the RetrieverThread like this: > > > > PrivateKey unwrappingKey = hostCA.mSigningUnit.getPrivateKey(); > > > > The code below works fine if said key is RSA. I talked over with CFU and she > said there > could be a chance this key is ECC for an ECC CA. > > We both think the rest of the code in this routine is fine, except for > possibly that. > She is also not even sure if JSS can support an ECC private key wrapper. > > She requests you guys give her a day or two to look at it. > > Except for the hsm issue, the code that calls this routine in the thread > seems fine too. 
> > + > + KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); > + wrapper.initUnwrap(unwrappingKey, null); > > > > > > > + SymmetricKey sk = wrapper.unwrapSymmetric( > + encSymKey.getBits(), SymmetricKey.Type.DES3, 0); > + > + ASN1Value v = algId.getParameters(); > + v = ((ANY) v).decodeWith(new OCTET_STRING.Template()); > + byte iv[] = ((OCTET_STRING) v).toByteArray(); > + IVParameterSpec ivps = new IVParameterSpec(iv); > + > + wrapper = token.getKeyWrapper(KeyWrapAlgorithm.DES3_CBC_PAD); > + wrapper.initUnwrap(sk, ivps); > + PrivateKey.Type keyType = pubkey.getAlgorithm().equals("EC") > + ? PrivateKey.Type.EC > + : PrivateKey.Type.RSA; > + return wrapper.unwrapPrivate(encPrivKey.getBits(), keyType, pubkey); > + } > Pushed to master.
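Review bot: In importPKIArchiveOptions, the first unwrap step is fixed to token.getKeyWrapper(KeyWrapAlgorithm.RSA) and the session key to SymmetricKey.Type.DES3 with KeyWrapAlgorithm.DES3_CBC_PAD, but neither the type of unwrappingKey nor the algorithm named in algId is checked; algId is read only for its IV parameters. A non-RSA unwrappingKey (the ECC CA signing key case raised in the quoted review) or an archive whose EncryptedValue names a different symmetric algorithm would only surface as a failure inside initUnwrap or one of the unwrap calls, with no clear error. Suggest checking both up front and throwing a descriptive exception, and stating the RSA and DES3-CBC assumptions in a Javadoc comment on the method. The "throws InvalidBERException, Exception" clause could also be narrowed, since Exception already covers InvalidBERException.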
Christina, I know you were/are very busy so thanks for spending some time looking at these patches. If you have any other questions or concerns let me know ASAP.

24992c089b9b5088f4481fda3d01a907565b5121 Lightweight CAs: authority schema changes
dc8c21cc9a68968a2b1db87f9b21cf3afbdb966a Add method CryptoUtil.importPKIArchiveOptions
e21aadd5e14dbcda73c20f20e67b1bcc8d5b5bfc Add ca-authority-key-export command
94ee373d053b34e534fbb61826e586693a38c934 Lightweight CAs: add key retrieval framework
a2a4117dbc7e489cbb1964d6ce5f95b786a03fde Lightweight CAs: add IPACustodiaKeyRetriever

Cheers,
Fraser