mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git
parent: 445b7af4 | patch | commit | ignore whitespace
dugan
05.08.2008 47708ca9aa095601497fa0fb05dfe2f697cc83c6 
Re-add key wrapping  transformation attribute. Issue 2865.
2 files modified
111 ■■■■■ changed files
opends/src/admin/defn/org/opends/server/admin/std/CryptoManagerConfiguration.xml 28 ●●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java 83 ●●●● patch | view | raw | blame | history 
 opends/src/admin/defn/org/opends/server/admin/std/CryptoManagerConfiguration.xml


@@ -189,6 +189,34 @@


      </ldap:attribute>


    </adm:profile>


  </adm:property>


    <adm:property name="key-wrapping-transformation" multi-valued="false" advanced="false">


    <adm:synopsis>


      The preferred key wrapping transformation for the Directory Server. This value must


      be the same for all server instances in a replication topology.


    </adm:synopsis>


    <adm:requires-admin-action>


      <adm:none>


        <adm:synopsis>


          Changes to this property will take effect immediately but will


          only affect cryptographic operations performed after the


          change.


        </adm:synopsis>


      </adm:none>


    </adm:requires-admin-action>


    <adm:default-behavior>


      <adm:defined>


        <adm:value>RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING</adm:value>


      </adm:defined>


    </adm:default-behavior>


    <adm:syntax>


      <adm:string />


    </adm:syntax>


    <adm:profile name="ldap">


      <ldap:attribute>


        <ldap:name>ds-cfg-key-wrapping-transformation</ldap:name>


      </ldap:attribute>


    </adm:profile>


  </adm:property>


  <adm:property name="ssl-protocol" multi-valued="true">


    <adm:synopsis>


      Specifies the names of the SSL protocols that will be allowed for




 opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java


@@ -176,11 +176,9 @@


  private final Map<KeyEntryID, MacKeyEntry> macKeyEntryCache


          = new ConcurrentHashMap<KeyEntryID, MacKeyEntry>();




  // The shared secret key wrapping transformation.


  // TODO: Trying OAEPWITHSHA-512ANDMGF1PADDING throws an exception "Key too


  // TODO: small...". https://opends.dev.java.net/issues/show_bug.cgi?id=2474


  private static final String sharedSecretKeyWrappingTransformation


          = "RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING";




  // The preferred key wrapping transformation


  private String preferredKeyWrappingTransformation;






  // TODO: Move the following configuration to backup or backend configuration.


@@ -386,24 +384,25 @@


        isAcceptable = false;


      }


    }




    // Shared secret key wrapping cipher and validation. Note that this value is


    // not set from a configuration attribute, but it needs to be validated, and


    // validation depends on the MAC cipher produced above for a secret key to


    // wrap.


    if (3 != sharedSecretKeyWrappingTransformation.split("/", 0).length) {


      unacceptableReasons.add(


              ERR_CRYPTOMGR_FULL_KEY_WRAPPING_TRANSFORMATION_REQUIRED.get(


                      sharedSecretKeyWrappingTransformation));


      isAcceptable = false;


    }


    else {


      try {


        /* Note that the TrustStoreBackend not available at initial,


           CryptoManager configuration, hence a "dummy" certificate must be used


           to validate the choice of secret key wrapping cipher. Otherwise, call


           getInstanceKeyCertificateFromLocalTruststore() */


        final String certificateBase64 =


    // Requested secret key wrapping cipher and validation. Validation


    // depends on MAC cipher for secret key.


    String requestedKeyWrappingTransformation


            = cfg.getKeyWrappingTransformation();


    if (! requestedKeyWrappingTransformation.equals(


            this.preferredKeyWrappingTransformation)) {


      if (3 != requestedKeyWrappingTransformation.split("/", 0).length) {


        unacceptableReasons.add(


                ERR_CRYPTOMGR_FULL_KEY_WRAPPING_TRANSFORMATION_REQUIRED.get(


                        requestedKeyWrappingTransformation));


        isAcceptable = false;


      }


      else {


        try {


          /* Note that the TrustStoreBackend not available at initial,


         CryptoManager configuration, hence a "dummy" certificate must be used


         to validate the choice of secret key wrapping cipher. Otherwise, call


         getInstanceKeyCertificateFromLocalTruststore() */


          final String certificateBase64 =


                "MIIB2jCCAUMCBEb7wpYwDQYJKoZIhvcNAQEEBQAwNDEbMBkGA1UEChMST3B" +


                "lbkRTIENlcnRpZmljYXRlMRUwEwYDVQQDEwwxMC4wLjI0OC4yNTEwHhcNMD" +


                "cwOTI3MTQ0NzUwWhcNMjcwOTIyMTQ0NzUwWjA0MRswGQYDVQQKExJPcGVuR" +


@@ -415,25 +414,25 @@


                "jucN34MZwvzbmFHT/leUu3/cpykbGM9HL2QUX7iKvv2LJVqexhj7CLoXxZP" +


                "oNL+HHKW0vi5/7W5KwOZsPqKI2SdYV7nDqTZklm5ZP0gmIuNO6mTqBRtC2D" +


                "lplX1Iq+BrQJAmteiPtwhdZD+EIghe51CaseImjlLlY2ZK8w==";


        final byte[] certificate = Base64.decode(certificateBase64);


        final String keyID = getInstanceKeyID(certificate);


        final SecretKey macKey = MacKeyEntry.generateKeyEntry(null,


                requestedMACAlgorithm,


                requestedMACAlgorithmKeyLengthBits).getSecretKey();


        encodeSymmetricKeyAttribute(sharedSecretKeyWrappingTransformation,


                keyID, certificate, macKey);


      }


      catch (Exception ex) {


        if (debugEnabled()) {


          TRACER.debugCaught(DebugLogLevel.ERROR, ex);


          final byte[] certificate = Base64.decode(certificateBase64);


          final String keyID = getInstanceKeyID(certificate);


          final SecretKey macKey = MacKeyEntry.generateKeyEntry(null,


                  requestedMACAlgorithm,


                  requestedMACAlgorithmKeyLengthBits).getSecretKey();


          encodeSymmetricKeyAttribute(requestedKeyWrappingTransformation,


                  keyID, certificate, macKey);


        }


        unacceptableReasons.add(


                ERR_CRYPTOMGR_CANNOT_GET_PREFERRED_KEY_WRAPPING_CIPHER.get(


                        getExceptionMessage(ex)));


        isAcceptable = false;


        catch (Exception ex) {


          if (debugEnabled()) {


            TRACER.debugCaught(DebugLogLevel.ERROR, ex);


          }


          unacceptableReasons.add(


                  ERR_CRYPTOMGR_CANNOT_GET_PREFERRED_KEY_WRAPPING_CIPHER.get(


                          getExceptionMessage(ex)));


          isAcceptable = false;


        }


      }


    }




    return isAcceptable;


  }




@@ -453,7 +452,7 @@


    preferredMACAlgorithmKeyLengthBits = cfg.getMacKeyLength();


    preferredCipherTransformation = cfg.getCipherTransformation();


    preferredCipherTransformationKeyLengthBits = cfg.getCipherKeyLength();




    preferredKeyWrappingTransformation = cfg.getKeyWrappingTransformation();


    return new ConfigChangeResult(resultCode, adminActionRequired, messages);


  }




@@ -833,7 +832,7 @@


          final SecretKey secretKey)


          throws CryptoManagerException {


    return encodeSymmetricKeyAttribute(


            sharedSecretKeyWrappingTransformation,


            preferredKeyWrappingTransformation,


         wrappingKeyID,


         wrappingKeyCertificateData,


         secretKey);


@@ -1030,7 +1029,7 @@


    final byte[] wrappingKeyCert =


            certMap.get(requestedInstanceKeyID);


    return encodeSymmetricKeyAttribute(


            sharedSecretKeyWrappingTransformation,


            preferredKeyWrappingTransformation,


         requestedInstanceKeyID, wrappingKeyCert, secretKey);


  }