Package com.netscape.certsrv.key
Class KeyClient

- java.lang.Object
  - com.netscape.certsrv.client.Client
    - com.netscape.certsrv.key.KeyClient

public class KeyClient extends Client

- Author:
  Endi S. Dewata, Abhishek Koneru
Field Summary

- KeyResource keyClient
- KeyRequestResource keyRequestClient
- KRAInfoResource kraInfoClient
Method Summary

- void approveRequest(RequestId id)
  Approve a secret recovery request.
- KeyRequestResponse archiveEncryptedData(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, java.lang.String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey)
  Deprecated.
- KeyRequestResponse archiveEncryptedData(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, java.lang.String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey, java.lang.String realm)
  Archive a secret (symmetric key or passphrase) on the DRM.
- KeyRequestResponse archivePKIOptions(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, byte[] pkiArchiveOptions)
  Deprecated.
- KeyRequestResponse archivePKIOptions(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, byte[] pkiArchiveOptions, java.lang.String realm)
  Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.
- KeyRequestResponse archiveSecret(java.lang.String clientKeyId, byte[] secret)
- KeyRequestResponse archiveSecret(java.lang.String clientKeyId, byte[] secret, java.lang.String realm)
  Archive a secret on the KRA.
- KeyRequestResponse archiveSymmetricKey(java.lang.String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, java.lang.String keyAlgorithm, int keySize)
  Deprecated.
- KeyRequestResponse archiveSymmetricKey(java.lang.String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, java.lang.String keyAlgorithm, int keySize, java.lang.String realm)
  Archive a symmetric key on the DRM.
- void cancelRequest(RequestId id)
  Cancel a secret recovery request.
- KeyRequestResponse generateAsymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, byte[] transWrappedSessionKey)
  Deprecated.
- KeyRequestResponse generateAsymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, byte[] transWrappedSessionKey, java.lang.String realm)
  Generate and archive asymmetric keys in the DRM.
- KeyRequestResponse generateSymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, java.lang.String transWrappedSessionKey)
  Deprecated.
- KeyRequestResponse generateSymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, java.lang.String transWrappedSessionKey, java.lang.String realm)
  Generate and archive a symmetric key in the DRM.
- KeyInfo getActiveKeyInfo(java.lang.String clientKeyID)
  Get the info in the KeyRecord for the active secret in the DRM.
- CryptoProvider getCrypto()
- KeyInfo getKeyInfo(KeyId id)
  Get the info in the KeyRecord for a specific secret in the DRM.
- KeyRequestInfo getRequestInfo(RequestId id)
  Return a KeyRequestInfo object for a specific request.
- void init()
- KeyInfoCollection listKeys(java.lang.String clientKeyID, java.lang.String status, java.lang.Integer maxSize, java.lang.Integer maxTime, java.lang.Integer start, java.lang.Integer size)
- KeyInfoCollection listKeys(java.lang.String clientKeyID, java.lang.String status, java.lang.Integer maxSize, java.lang.Integer maxTime, java.lang.Integer start, java.lang.Integer size, java.lang.String realm)
  List/search archived secrets in the DRM.
- KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType)
- KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType, java.lang.String realm)
  Search key requests in the DRM based on the state/type of the requests.
- KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType, java.lang.String clientKeyID, RequestId start, java.lang.Integer pageSize, java.lang.Integer maxResults, java.lang.Integer maxTime, java.lang.String realm)
  List/search key requests in the DRM.
- void modifyKeyStatus(KeyId id, java.lang.String status)
  Modify the status of a key.
- void processKeyData(Key data, org.mozilla.jss.crypto.SymmetricKey sessionKey)
- KeyRequestResponse recoverKey(KeyId keyId, byte[] sessionWrappedPassphrase, byte[] transWrappedSessionKey, byte[] nonceData, java.lang.String b64Certificate)
  Create a request to recover a secret.
- void rejectRequest(RequestId id)
  Reject a secret recovery request.
- Key retrieveKey(KeyId keyId)
  Retrieve a secret (passphrase or symmetric key) from the DRM.
- Key retrieveKey(KeyId keyId, byte[] transWrappedSessionKey)
  Retrieve a secret (passphrase or symmetric key) from the DRM.
- Key retrieveKeyByPassphrase(KeyId keyId, java.lang.String passphrase)
  The secret is secured in transit by wrapping the secret with the passphrase using PBE encryption.
- Key retrieveKeyByPKCS12(KeyId keyId, java.lang.String certificate, java.lang.String passphrase)
  Retrieve an asymmetric private key and return it as PKCS12 data.
- Key retrieveKeyByRequest(RequestId requestId)
- Key retrieveKeyByRequestWithPassphrase(RequestId requestId, java.lang.String passphrase)
- Key retrieveKeyData(KeyRecoveryRequest data)
  Retrieve a secret from the DRM.
- Key retrieveKeyUsingWrappedPassphrase(KeyId keyId, byte[] transWrappedSessionKey, byte[] sessionWrappedPassphrase, byte[] nonceData)
  This method generates a key recovery request, approves it, and retrieves the secret referred to by keyId.
- void setCrypto(CryptoProvider crypto)
- void setTransportCert(org.mozilla.jss.crypto.X509Certificate transportCert)

Methods inherited from class com.netscape.certsrv.client.Client
addClient, createProxy, getClient, getName, getSubsystem, removeClient
Field Detail

keyClient
public KeyResource keyClient

keyRequestClient
public KeyRequestResource keyRequestClient

kraInfoClient
public KRAInfoResource kraInfoClient

Constructor Detail

KeyClient
public KeyClient(PKIClient client, java.lang.String subsystem) throws java.lang.Exception
- Throws:
  java.lang.Exception

Method Detail

init
public void init() throws java.net.URISyntaxException
- Throws:
  java.net.URISyntaxException

getCrypto
public CryptoProvider getCrypto()

setCrypto
public void setCrypto(CryptoProvider crypto)

setTransportCert
public void setTransportCert(org.mozilla.jss.crypto.X509Certificate transportCert) throws java.lang.Exception
- Throws:
  java.lang.Exception
listKeys
public KeyInfoCollection listKeys(java.lang.String clientKeyID, java.lang.String status, java.lang.Integer maxSize, java.lang.Integer maxTime, java.lang.Integer start, java.lang.Integer size, java.lang.String realm)
List/search archived secrets in the DRM.
- Parameters:
  clientKeyID -- Client Key Identifier
  status -- Status of the keys to be listed
  maxSize -- Maximum number of keys to be fetched
  maxTime -- Maximum time for the operation to take
  start -- Start index of the list
  size -- Size of the list to be returned
  realm -- authz realm
- Returns:
  a KeyInfoCollection object.

listKeys
public KeyInfoCollection listKeys(java.lang.String clientKeyID, java.lang.String status, java.lang.Integer maxSize, java.lang.Integer maxTime, java.lang.Integer start, java.lang.Integer size)

listRequests
public KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType, java.lang.String realm)
Search key requests in the DRM based on the state/type of the requests.
- Parameters:
  requestState -- State of the requests to be queried
  requestType -- Type of the requests to be queried
  realm -- Authz Realm
- Returns:
  a KeyRequestInfoCollection object.

listRequests
public KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType)

listRequests
public KeyRequestInfoCollection listRequests(java.lang.String requestState, java.lang.String requestType, java.lang.String clientKeyID, RequestId start, java.lang.Integer pageSize, java.lang.Integer maxResults, java.lang.Integer maxTime, java.lang.String realm)
List/search key requests in the DRM.
- Parameters:
  requestState -- State of the requests to be queried
  requestType -- Type of the requests to be queried
  clientKeyID -- Client Key Identifier
  start -- Start index of the list
  pageSize -- Size of the list to be returned
  maxResults -- Maximum number of requests to be fetched
  maxTime -- Maximum time for the operation to take
  realm -- Authz Realm
- Returns:
  a KeyRequestInfoCollection object.

getRequestInfo
public KeyRequestInfo getRequestInfo(RequestId id)
Return a KeyRequestInfo object for a specific request.
- Parameters:
  id -- A RequestId object
- Returns:
  the KeyRequestInfo object for a specific request.

getKeyInfo
public KeyInfo getKeyInfo(KeyId id)
Get the info in the KeyRecord for a specific secret in the DRM.
- Parameters:
  id -- key id for secret
- Returns:
  the KeyInfo object for a specific secret.
getActiveKeyInfo
public KeyInfo getActiveKeyInfo(java.lang.String clientKeyID)
Get the info in the KeyRecord for the active secret in the DRM.
- Parameters:
  clientKeyID -- Client Key Identifier

modifyKeyStatus
public void modifyKeyStatus(KeyId id, java.lang.String status)
Modify the status of a key.
- Parameters:
  id -- key id for secret
  status -- Status to be set for the key

approveRequest
public void approveRequest(RequestId id)
Approve a secret recovery request.
- Parameters:
  id -- Id of the request

rejectRequest
public void rejectRequest(RequestId id)
Reject a secret recovery request.
- Parameters:
  id -- Id of the request

cancelRequest
public void cancelRequest(RequestId id)
Cancel a secret recovery request.
- Parameters:
  id -- Id of the request
recoverKey
public KeyRequestResponse recoverKey(KeyId keyId, byte[] sessionWrappedPassphrase, byte[] transWrappedSessionKey, byte[] nonceData, java.lang.String b64Certificate)
Create a request to recover a secret. To retrieve a symmetric key or passphrase, the only required parameter is the KeyId object. It is possible (but not required) to pass in the session key, wrapped passphrase and nonceData for the retrieval at this time. To retrieve an asymmetric key, both the keyId and the Base64-encoded certificate are required.
- Parameters:
  keyId -- key id for secret
  sessionWrappedPassphrase -- A passphrase wrapped by a session key
  transWrappedSessionKey -- The session key, used to wrap the passphrase, wrapped by the DRM transport cert
  nonceData -- IV parameter used while encrypting the passphrase using the session key
  b64Certificate -- A certificate encoded using Base64
- Returns:
  A KeyRequestResponse object containing information about the key request and the key.

retrieveKeyData
public Key retrieveKeyData(KeyRecoveryRequest data)
Retrieve a secret from the DRM.
- Parameters:
  data -- a KeyRecoveryRequest containing the keyId of the secret being retrieved, the request_id of the approved recovery request and a wrapping mechanism
- Returns:
  A Key object containing the wrapped secret.

retrieveKey
public Key retrieveKey(KeyId keyId) throws java.lang.Exception
Retrieve a secret (passphrase or symmetric key) from the DRM. To protect the data in transit, it is returned encrypted by a session key (a 168 bit 3DES symmetric key), which is itself first wrapped (encrypted) by the public key of the DRM transport certificate before being sent to the DRM. This method calls CryptoUtil methods to generate the session key and wrap it with the DRM transport cert. It returns the Key object with the secret set in the attribute data. (The decryption of the encryptedData is done on the client side, i.e. the secret is not transmitted as-is by the server.)
- Parameters:
  keyId -- key id for secret
- Returns:
  A Key object containing the unwrapped secret (set to the attribute data).
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
processKeyData
public void processKeyData(Key data, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws java.lang.Exception
- Throws:
  java.lang.Exception

retrieveKeyByRequest
public Key retrieveKeyByRequest(RequestId requestId) throws java.lang.Exception
- Throws:
  java.lang.Exception
retrieveKey
public Key retrieveKey(KeyId keyId, byte[] transWrappedSessionKey) throws java.lang.Exception
Retrieve a secret (passphrase or symmetric key) from the DRM. This function generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The parameter transWrappedSessionKey refers to the session key wrapped with the transport cert. The method simply passes the data to the DRM and returns the secret wrapped in the session key. The secret will still need to be unwrapped by the caller.
- Parameters:
  keyId -- key id for secret
  transWrappedSessionKey -- session key wrapped by the transport cert
- Returns:
  A Key object containing the wrapped secret.
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException

retrieveKeyByPassphrase
public Key retrieveKeyByPassphrase(KeyId keyId, java.lang.String passphrase) throws java.lang.Exception
The secret is secured in transit by wrapping the secret with the passphrase using PBE encryption. CryptoUtil methods are called to create the data needed to send the passphrase securely to the DRM. Three pieces of data are sent:
  - the passphrase wrapped by a 168 bit 3DES symmetric key (the session key);
  - the session key wrapped with the public key in the DRM transport certificate;
  - an IV (initialization vector) to be used as nonceData.
- Parameters:
  keyId -- key id of secret
  passphrase -- passphrase used to wrap the secret in the response
- Returns:
  A Key object with the secret wrapped with the passphrase.
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException

retrieveKeyByRequestWithPassphrase
public Key retrieveKeyByRequestWithPassphrase(RequestId requestId, java.lang.String passphrase) throws java.lang.Exception
- Throws:
  java.lang.Exception

retrieveKeyUsingWrappedPassphrase
public Key retrieveKeyUsingWrappedPassphrase(KeyId keyId, byte[] transWrappedSessionKey, byte[] sessionWrappedPassphrase, byte[] nonceData) throws java.lang.Exception
This method generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The method returns the secret encrypted by the passphrase using PBE encryption. The secret will still need to be decrypted by the caller.
- Parameters:
  keyId -- key id for secret
  transWrappedSessionKey -- Session key wrapped with the transport cert
  sessionWrappedPassphrase -- Passphrase wrapped with the session key
  nonceData -- nonce data used for encryption
- Returns:
  A Key object with the secret wrapped by the passphrase provided.
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException

retrieveKeyByPKCS12
public Key retrieveKeyByPKCS12(KeyId keyId, java.lang.String certificate, java.lang.String passphrase)
Retrieve an asymmetric private key and return it as PKCS12 data. This function generates a key recovery request, approves it, and retrieves the secret referred to by keyId in a PKCS12 file. This assumes that only one approval is required to authorize the recovery.
- Parameters:
  keyId -- key id for secret
  certificate -- the certificate associated with the private key
  passphrase -- A passphrase for the PKCS12 file
- Returns:
  A Key object with the wrapped secret.
archiveSecret
public KeyRequestResponse archiveSecret(java.lang.String clientKeyId, byte[] secret, java.lang.String realm) throws java.lang.Exception
Archive a secret on the KRA. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.
- Parameters:
  clientKeyId -- Client Key Identifier
  secret -- Secret to be archived
  realm -- authorization realm
- Returns:
  A KeyRequestResponse object with information about the request.
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException

archiveSecret
public KeyRequestResponse archiveSecret(java.lang.String clientKeyId, byte[] secret) throws java.lang.Exception
- Throws:
  java.lang.Exception
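An added example, not part of the Dogtag sources, that ties together the methods documented above: archiveSecret with its one-active-key-per-client-ID rule, and the recoverKey / approveRequest / retrieveKeyByRequest sequence in which approval comes from a second KeyClient bound to agent credentials instead of the single-identity self-approval that retrieveKey(KeyId) performs. Assumed and not shown on this page: the PKIClient construction of both clients, the packages of KeyId, RequestId and BadRequestException, and the accessors KeyRequestResponse.getRequestInfo().getRequestId() and Key.getData().

```java
import java.util.Arrays;

import com.netscape.certsrv.base.BadRequestException;   // assumed package
import com.netscape.certsrv.dbs.keydb.KeyId;           // assumed package
import com.netscape.certsrv.key.Key;
import com.netscape.certsrv.key.KeyClient;
import com.netscape.certsrv.key.KeyRequestResponse;
import com.netscape.certsrv.request.RequestId;         // assumed package

/**
 * Example helper (not from the project): archive a secret under a client key id
 * and recover it with the requester and approver held by different identities.
 * Both KeyClient instances are assumed to be constructed already, each from a
 * PKIClient authenticated as a different user (requester vs. KRA agent).
 */
public final class SplitRoleEscrow {

    private final KeyClient requester; // archives secrets and opens recovery requests
    private final KeyClient approver;  // agent credentials: only approves requests

    public SplitRoleEscrow(KeyClient requester, KeyClient approver) {
        this.requester = requester;
        this.approver = approver;
    }

    /**
     * Archive a secret. The KRA allows exactly one active key per clientKeyId and
     * answers a duplicate with BadRequestException; report that as a distinct
     * outcome so the caller does not silently archive under a fresh id.
     */
    public KeyRequestResponse archive(String clientKeyId, byte[] secret, String realm)
            throws Exception {
        try {
            return requester.archiveSecret(clientKeyId, secret, realm);
        } catch (BadRequestException e) {
            throw new IllegalStateException(
                "an active key is already archived for client id " + clientKeyId, e);
        } finally {
            // The plaintext has left this method (or the call failed); do not let
            // a copy linger in the heap either way.
            Arrays.fill(secret, (byte) 0);
        }
    }

    /**
     * Two-party recovery. retrieveKey(KeyId) would create, approve and retrieve in
     * one call under one identity; here the request is opened by the requester,
     * approved by the agent, and only then retrieved.
     */
    public byte[] recover(KeyId keyId) throws Exception {
        // For a symmetric key or passphrase only the KeyId is required (see recoverKey).
        KeyRequestResponse response = requester.recoverKey(keyId, null, null, null, null);
        RequestId requestId = response.getRequestInfo().getRequestId(); // assumed accessors

        approver.approveRequest(requestId); // separate credentials, separate audit trail

        // Assumed to behave like retrieveKey(KeyId) for an already approved request:
        // the client generates the session key, sends it wrapped with the transport
        // cert, and unwraps the returned secret locally.
        Key key = requester.retrieveKeyByRequest(requestId);
        return key.getData(); // caller owns and must zeroize this buffer
    }
}
```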
archiveSymmetricKey
public KeyRequestResponse archiveSymmetricKey(java.lang.String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, java.lang.String keyAlgorithm, int keySize, java.lang.String realm) throws java.lang.Exception
Archive a symmetric key on the DRM. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.
- Parameters:
  clientKeyId -- Client Key Identifier
  keyAlgorithm -- Algorithm used by the symmetric key
  keySize -- Strength of the symmetric key (secret)
  realm -- authorization realm
- Returns:
  A KeyRequestResponse object with information about the request.
- Throws:
  java.lang.Exception -- Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException

archiveSymmetricKey
@Deprecated public KeyRequestResponse archiveSymmetricKey(java.lang.String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, java.lang.String keyAlgorithm, int keySize) throws java.lang.Exception
Deprecated.
- Throws:
  java.lang.Exception

archiveEncryptedData
public KeyRequestResponse archiveEncryptedData(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, java.lang.String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey, java.lang.String realm)
Archive a secret (symmetric key or passphrase) on the DRM. This method is useful if the caller wants to do their own wrapping of the secret, or if the secret was generated on a separate client machine and the wrapping was done there.
- Parameters:
  clientKeyId -- Client Key Identifier
  dataType -- Type of secret being archived
  keyAlgorithm -- Algorithm used, if the secret is a symmetric key
  keySize -- Strength of the symmetric key (secret)
  algorithmOID -- OID of the algorithm used for the symmetric key wrap
  nonceData -- nonce data
  encryptedData -- the secret wrapped by a session key (168 bit 3DES symmetric key)
  transWrappedSessionKey -- session key wrapped by the transport cert
  realm -- authorization realm
- Returns:
  A KeyRequestResponse object with information about the request.

archiveEncryptedData
@Deprecated public KeyRequestResponse archiveEncryptedData(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, java.lang.String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey)
Deprecated.

archivePKIOptions
public KeyRequestResponse archivePKIOptions(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, byte[] pkiArchiveOptions, java.lang.String realm)
Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.
- Parameters:
  clientKeyId -- Client Key Identifier
  dataType -- Type of secret being archived
  keyAlgorithm -- Algorithm used, if the secret is a symmetric key
  keySize -- Strength of the symmetric key
  pkiArchiveOptions -- the data to be archived, wrapped in a PKIArchiveOptions structure
  realm -- authorization realm
- Returns:
  A KeyRequestResponse object with information about the request.
- Throws:
  java.lang.Exception

archivePKIOptions
@Deprecated public KeyRequestResponse archivePKIOptions(java.lang.String clientKeyId, java.lang.String dataType, java.lang.String keyAlgorithm, int keySize, byte[] pkiArchiveOptions)
Deprecated.

generateSymmetricKey
public KeyRequestResponse generateSymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, java.lang.String transWrappedSessionKey, java.lang.String realm)
Generate and archive a symmetric key in the DRM.
- Parameters:
  clientKeyId -- Client Key Identifier
  keyAlgorithm -- Algorithm to be used to generate the key
  keySize -- Strength of the key
  usages -- Usages of the generated key
  transWrappedSessionKey -- client-generated session key wrapped by the KRA transport key
  realm -- authorization realm
- Returns:
  a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and the generated key.

generateSymmetricKey
@Deprecated public KeyRequestResponse generateSymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, java.lang.String transWrappedSessionKey)
Deprecated.

generateAsymmetricKey
public KeyRequestResponse generateAsymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, byte[] transWrappedSessionKey, java.lang.String realm)
Generate and archive asymmetric keys in the DRM.
- Parameters:
  clientKeyId -- Client Key Identifier
  keyAlgorithm -- Algorithm to be used to generate the asymmetric keys
  keySize -- Strength of the keys
  usages -- key usages
  transWrappedSessionKey -- client-generated session key wrapped by the KRA transport key
  realm -- authorization realm

generateAsymmetricKey
@Deprecated public KeyRequestResponse generateAsymmetricKey(java.lang.String clientKeyId, java.lang.String keyAlgorithm, int keySize, java.util.List<java.lang.String> usages, byte[] transWrappedSessionKey)
Deprecated.