From 86ba72f6824c62c7bbed44431dcd459da0f687cb Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 24 Feb 2025 14:40:33 -0600 Subject: [PATCH] Refactor CRMFPopClient (part 2) The CRMFPopClient has been updated to generate the CRMF request using NSSDatabase.createCRMFRequest(). --- .../java/org/dogtagpki/nss/NSSDatabase.java | 28 ++++---- .../com/netscape/cmstools/CRMFPopClient.java | 70 +++++++------------ .../cmstools/client/ClientCertRequestCLI.java | 13 ++-- 3 files changed, 48 insertions(+), 63 deletions(-) diff --git a/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java b/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java index 726e04534e5..6ded3d29b21 100644 --- a/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java +++ b/base/common/src/main/java/org/dogtagpki/nss/NSSDatabase.java @@ -1125,20 +1125,17 @@ public PKCS10 createPKCS10Request( extensions); } - public String createCRMFRequest( + public byte[] createCRMFRequest( CryptoToken token, KeyPair keyPair, org.mozilla.jss.crypto.X509Certificate transportCert, - String subjectDN, - boolean attributeEncoding, + Name subject, SignatureAlgorithm signatureAlgorithm, - boolean withPop, + Boolean withPop, KeyWrapAlgorithm keyWrapAlgorithm, boolean useOAEP, boolean useSharedSecret) throws Exception { - Name subject = CryptoUtil.createName(subjectDN, attributeEncoding); - CertRequest certRequest = CryptoUtil.createCertRequest( useSharedSecret, token, 
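Review bot: The new signature turns `withPop` into a `Boolean` that carries three meanings (null, true, false), and nothing on the declaration records them, so a caller reading only this hunk cannot tell that `null` is the way to omit the proof-of-possession. createCRMFRequest's body continues in the next hunk, where the three branches live. I would put Javadoc above the method along the lines of `@param withPop null to omit the ProofOfPossession; TRUE to sign the encoded CertRequest (valid POP); FALSE to sign unrelated fixed bytes so the POP fails verification (test hook only)`, together with `@return the encoded CRMF request bytes; callers now base64-encode it themselves` since the return type changed from a base64 String to `byte[]`. If this method is intended as a public API, a small enum for the POP mode would read better than a nullable Boolean, but that is a larger change than this refactor.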
@@ -1149,19 +1146,24 @@ public String createCRMFRequest( useOAEP); ProofOfPossession pop = null; - if (withPop) { + if (withPop != null) { // !POP_NONE Signature signer = CryptoUtil.createSigner(token, signatureAlgorithm, keyPair); - ByteArrayOutputStream bo = new ByteArrayOutputStream(); - certRequest.encode(bo); - signer.update(bo.toByteArray()); - byte[] signature = signer.sign(); + if (withPop) { // POP_SUCCESS + ByteArrayOutputStream bo = new ByteArrayOutputStream(); + certRequest.encode(bo); + signer.update(bo.toByteArray()); + } else { // POP_FAIL + byte[] data = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + signer.update(data); + } + + byte[] signature = signer.sign(); pop = CryptoUtil.createPop(signatureAlgorithm, signature); } - byte[] crmfRequest = CryptoUtil.createCRMFRequest(certRequest, pop); - return Utils.base64encode(crmfRequest, true); + return CryptoUtil.createCRMFRequest(certRequest, pop); } public static int validityUnitFromString(String validityUnit) throws Exception { diff --git a/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java b/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java index b20b7054af9..ba176ca6e85 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java +++ b/base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java @@ -18,7 +18,6 @@ package com.netscape.cmstools; import java.io.BufferedReader; -import java.io.ByteArrayOutputStream; import java.io.FileWriter; import java.io.InputStreamReader; import java.io.PrintWriter; 
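Review bot: The meaning of `withPop == false` silently changes in this hunk: for this shared library method it used to mean "no POP", and now the `else` branch signs the fixed bytes `{ 0x1, ... }` instead of the request, i.e. it deliberately produces a POP that must fail verification. The two callers visible in this patch are updated, but any other caller of NSSDatabase.createCRMFRequest that still passes a primitive `false` would autobox to FALSE and start sending requests with a bogus POP to the CA rather than requests without one; I cannot see other callers from here, so that is worth checking. The inline comments `// !POP_NONE`, `// POP_SUCCESS` and `// POP_FAIL` refer to CRMFPopClient's option strings, which do not exist in this class; I would replace them with a self-contained note on the `else` branch, e.g. `// withPop == FALSE: sign bytes unrelated to the request so the resulting POP fails verification (CRMFPopClient's POP_FAIL test mode); never use for real enrollment`.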
@@ -53,13 +52,10 @@ import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.PrivateKey; -import org.mozilla.jss.crypto.Signature; import org.mozilla.jss.crypto.SignatureAlgorithm; import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.netscape.security.util.Cert; import org.mozilla.jss.netscape.security.util.Utils; -import org.mozilla.jss.pkix.crmf.CertRequest; -import org.mozilla.jss.pkix.crmf.ProofOfPossession; import org.mozilla.jss.pkix.primitive.AVA; import org.mozilla.jss.pkix.primitive.Name; import org.mozilla.jss.util.Password; 
@@ -516,56 +512,38 @@ public static void main(String args[]) throws Exception { keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); } - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = CryptoUtil.createCertRequest( - use_shared_secret, - token, - transportCert, - keyPair, - subject, - keyWrapAlgorithm, - client.useOAEP()); - - ProofOfPossession pop = null; - - if (!popOption.equals("POP_NONE")) { - - if (verbose) System.out.println("Creating signer"); - - SignatureAlgorithm signatureAlgorithm; - if (algorithm.equals("rsa")) { - signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest; - - } else if (algorithm.equals("ec")) { - signatureAlgorithm = SignatureAlgorithm.ECSignatureWithSHA256Digest; - - } else { - throw new Exception("Unknown algorithm: " + algorithm); - } - - Signature signer = CryptoUtil.createSigner(token, signatureAlgorithm, keyPair); - - if (popOption.equals("POP_SUCCESS")) { - - ByteArrayOutputStream bo = new ByteArrayOutputStream(); - certRequest.encode(bo); - signer.update(bo.toByteArray()); + SignatureAlgorithm signatureAlgorithm; + if (algorithm.equals("rsa")) { + signatureAlgorithm = SignatureAlgorithm.RSASignatureWithSHA256Digest; - } else if (popOption.equals("POP_FAIL")) { + } else if (algorithm.equals("ec")) { + signatureAlgorithm = SignatureAlgorithm.ECSignatureWithSHA256Digest; - byte[] data = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; + } else { + throw new Exception("Unknown algorithm: " + algorithm); + } - signer.update(data); - } + Boolean withPop = null; // POP_NONE - byte[] signature = signer.sign(); + if (popOption.equals("POP_SUCCESS")) { + withPop = true; - if (verbose) System.out.println("Creating POP"); - pop = CryptoUtil.createPop(signatureAlgorithm, signature); + } else if (popOption.equals("POP_FAIL")) { + withPop = false; } if (verbose) System.out.println("Creating CRMF request"); - byte[] crmfRequest = CryptoUtil.createCRMFRequest(certRequest, pop); + + byte[] 
crmfRequest = nssdb.createCRMFRequest( + token, + keyPair, + transportCert, + subject, + signatureAlgorithm, + withPop, + keyWrapAlgorithm, + useOAEP, + use_shared_secret); String request = Utils.base64encode(crmfRequest, true); StringWriter sw = new StringWriter(); diff --git a/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java index 3a29cba4b20..93f158d8ac4 100644 --- a/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java +++ b/base/tools/src/main/java/com/netscape/cmstools/client/ClientCertRequestCLI.java @@ -41,8 +41,10 @@ import org.mozilla.jss.crypto.X509Certificate; import org.mozilla.jss.netscape.security.pkcs.PKCS10; import org.mozilla.jss.netscape.security.util.Cert; +import org.mozilla.jss.netscape.security.util.Utils; import org.mozilla.jss.netscape.security.x509.Extensions; import org.mozilla.jss.netscape.security.x509.X500Name; +import org.mozilla.jss.pkix.primitive.Name; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CACertClient; @@ -54,6 +56,7 @@ import com.netscape.certsrv.profile.ProfileInput; import com.netscape.cmstools.ca.CACertRequestCLI; import com.netscape.cmstools.cli.MainCLI; +import com.netscape.cmsutil.crypto.CryptoUtil; import netscape.ldap.util.DN; import netscape.ldap.util.RDN; @@ -218,7 +221,7 @@ public void execute(CommandLine cmd) throws Exception { } } - boolean withPop = !cmd.hasOption("without-pop"); + Boolean withPop = cmd.hasOption("without-pop") ? null : true; AuthorityID aid = null; if (cmd.hasOption("issuer-id")) { 
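Review bot: An unrecognized `popOption` value now silently becomes `withPop = null`, because the new `if (popOption.equals("POP_SUCCESS")) ... else if (popOption.equals("POP_FAIL"))` chain has no rejecting branch, so a mistyped option yields a request with no proof-of-possession at all. Unless popOption is validated earlier in main (which starts well before this hunk, so I cannot see), I would close the chain with `} else if (!popOption.equals("POP_NONE")) { throw new Exception("Unknown POP option: " + popOption); }`. Note also that `signatureAlgorithm` is now resolved before the POP option is looked at, so POP_NONE with an algorithm other than rsa/ec throws where it previously did not; presumably harmless if the algorithm was already validated for key generation, but worth confirming. The call also switches from `client.useOAEP()` to a local `useOAEP`, which I assume holds the same value.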
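Review bot: `Boolean withPop = cmd.hasOption("without-pop") ? null : true;` relies on `null` meaning "omit the POP" in NSSDatabase.createCRMFRequest, and nothing on the line says so; the obvious-looking simplification `!cmd.hasOption("without-pop")` would autobox to FALSE, which that method now treats as "sign unrelated bytes", so the CLI would send a request carrying a POP that fails verification instead of one without a POP. I would pin this with a comment above the line, e.g. `// null = omit the ProofOfPossession; TRUE = sign the CertRequest. Do not use FALSE: createCRMFRequest treats it as "emit a deliberately invalid POP" (test hook).` The execute method continues outside the hunk.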
@@ -320,17 +323,19 @@ public void execute(CommandLine cmd) throws Exception { throw new Exception("Unknown algorithm: " + algorithm); } - csr = nssdb.createCRMFRequest( + Name subject = CryptoUtil.createName(subjectDN, attributeEncoding); + + byte[] crmfRequest = nssdb.createCRMFRequest( token, keyPair, transportCert, - subjectDN, - attributeEncoding, + subject, signatureAlgorithm, withPop, keyWrapAlgorithm, useOAEP, false); // useSharedSecret + csr = Utils.base64encode(crmfRequest, true); } else { throw new Exception("Unknown request type: " + requestType);