Class KeyClient

java.lang.Object
com.netscape.certsrv.client.Client
com.netscape.certsrv.key.KeyClient

public class KeyClient extends Client
Author:
Endi S. Dewata, Abhishek Koneru
  • Field Details

    • logger

      public static org.slf4j.Logger logger
    • keyRequestClient

      public KeyRequestClient keyRequestClient
  • Constructor Details

  • Method Details

    • init

      public void init() throws Exception
      Throws:
      Exception
    • getCrypto

      public CryptoProvider getCrypto()
    • setCrypto

      public void setCrypto(CryptoProvider crypto)
    • setTransportCert

      public void setTransportCert(org.mozilla.jss.crypto.X509Certificate transportCert) throws Exception
      Throws:
      Exception
    • setUseOAEP

      public void setUseOAEP(boolean useOAEP)
    • getUseOAEP

      public boolean getUseOAEP()
    • listKeys

      public KeyInfoCollection listKeys(String clientKeyID, String status, Integer maxResults, Integer maxTime, Integer start, Integer size, String realm, String ownerName) throws Exception
      List/Search archived secrets in the DRM.
      Parameters:
      clientKeyID - -- Client Key Identifier
      status - -- Status of the keys to be listed
      maxResults - -- Maximum number of keys to be fetched
      maxTime - -- Maximum time for the operation to take
      start - -- Start index of list
      size - -- Size of the list to be returned.
      realm - - authz realm
      Returns:
      a KeyInfoCollection object.
      Throws:
      Exception
    • listKeys

      @Deprecated(since="11.5.0", forRemoval=true) public KeyInfoCollection listKeys(String clientKeyID, String status, Integer maxResults, Integer maxTime, Integer start, Integer size, String ownerName) throws Exception
      Deprecated, for removal: This API element is subject to removal in a future version.
      Throws:
      Exception
    • listRequests

      public KeyRequestInfoCollection listRequests(String requestState, String requestType, String realm) throws Exception
      Search key requests in the DRM based on the state/type of the requests.
      Parameters:
      requestState - -- State of the requests to be queried.
      requestType - -- Type of the requests to be queried.
      realm - -- Authz Realm
      Returns:
      a KeyRequestCollection object.
      Throws:
      Exception
    • listRequests

      public KeyRequestInfoCollection listRequests(String requestState, String requestType) throws Exception
      Throws:
      Exception
    • listRequests

      public KeyRequestInfoCollection listRequests(String requestState, String requestType, String clientKeyID, RequestId start, Integer pageSize, Integer maxResults, Integer maxTime, String realm) throws Exception
      List/Search key requests in the DRM
      Parameters:
      requestState - -- State of the requests to be queried.
      requestType - -- Type of the requests to be queried.
      clientKeyID - -- Client Key Identifier
      start - -- Start index of list
      pageSize - -- Size of the list to be returned.
      maxResults - -- Maximum number of requests to be fetched
      maxTime - -- Maximum time for the operation to take
      realm - -- Authz Realm
      Returns:
      a KeyRequestInfoCollection object.
      Throws:
      Exception
    • getRequestInfo

      public KeyRequestInfo getRequestInfo(RequestId id) throws Exception
      Return a KeyRequestInfo object for a specific request.
      Parameters:
      id - -- A Request Id object
      Returns:
      the KeyRequestInfo object for a specific request.
      Throws:
      Exception
    • getKeyInfo

      public KeyInfo getKeyInfo(KeyId id) throws Exception
      Get the info in the KeyRecord for a specific secret in the DRM.
      Parameters:
      id - -- key id for secret
      Returns:
      the KeyInfo object for a specific request.
      Throws:
      Exception
    • getActiveKeyInfo

      public KeyInfo getActiveKeyInfo(String clientKeyID) throws Exception
      Get the info in the KeyRecord for the active secret in the DRM.
      Parameters:
      clientKeyID - -- Client Key Identifier
      Throws:
      Exception
    • modifyKeyStatus

      public void modifyKeyStatus(KeyId id, String status) throws Exception
      Modify the status of a key
      Parameters:
      id - -- key id for secret
      status - -- Status to be set for the key
      Throws:
      Exception
    • approveRequest

      public void approveRequest(RequestId id) throws Exception
      Approve a secret recovery request
      Parameters:
      id - -- Id of the request
      Throws:
      Exception
    • rejectRequest

      public void rejectRequest(RequestId id) throws Exception
      Reject a secret recovery request
      Parameters:
      id - -- Id of the request
      Throws:
      Exception
    • cancelRequest

      public void cancelRequest(RequestId id) throws Exception
      Cancel a secret recovery request
      Parameters:
      id - -- Id of the request
      Throws:
      Exception
    • recoverKey

      public KeyRequestResponse recoverKey(KeyId keyId, byte[] sessionWrappedPassphrase, byte[] transWrappedSessionKey, byte[] nonceData, String b64Certificate) throws Exception
      Create a request to recover a secret. To retrieve a symmetric key or passphrase, the only parameter that is required is the KeyId object. It is possible (but not required) to pass in the session keys/passphrase and nonceData for the retrieval at this time. To retrieve an asymmetric key, the keyId and the the base-64 encoded certificate is required.
      Parameters:
      keyId - -- key id for secret
      sessionWrappedPassphrase - -- A passphrase wrapped by a session key
      transWrappedSessionKey - -- The session key, used to wrap the passphrase, wrapped by the DRM transport cert.
      nonceData - -- IV parameter used while encrypting the passphrase using the session key.
      b64Certificate - -- A certificate in encoded using Base64
      Returns:
      A KeyRequestResponse object containing information about the key request and the key.
      Throws:
      Exception
    • retrieveKeyData

      public KeyData retrieveKeyData(KeyRecoveryRequest data) throws Exception
      Retrieve a secret from the DRM.
      Parameters:
      data - -- a KeyRecoveryRequest containing the keyId of the secret being retrieved, the request_id of the approved recovery request and a wrapping mechanism.
      Returns:
      A Key object containing the wrapped secret.
      Throws:
      Exception
    • generateSessionKey

      public org.mozilla.jss.crypto.SymmetricKey generateSessionKey() throws Exception
      Throws:
      Exception
    • retrieveKey

      public KeyData retrieveKey(KeyId keyId, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception
      Retrieve a secret (passphrase or symmetric key) from the DRM. To ensure data security in transit, the data will be returned encrypted by a session key (168 bit 3DES symmetric key) - which is first wrapped (encrypted) by the public key of the DRM transport certificate before being sent to the DRM. This method will call CryptoUtil methods to generate the session key and wrap it with the DRM transport cert. The function will return the Key object, but with the secret set to the variable data. (The decryption of the encryptedData is done on the client side i.e. the secret is not transmitted as it is by the server.)
      Parameters:
      keyId - -- key id for secret
      Returns:
      A Key object containing the unwrapped secret (set to the attribute data).
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • processKeyData

      public void processKeyData(Key data, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception
      Throws:
      Exception
    • retrieveKeyByRequest

      public KeyData retrieveKeyByRequest(RequestId requestId, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception
      Throws:
      Exception
    • retrieveKey

      public KeyData retrieveKey(KeyId keyId, byte[] transWrappedSessionKey) throws Exception
      Retrieve a secret (passphrase or symmetric key) from the DRM. This function generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The parameter transWrappedSessionKey refers to the session key wrapped with the transport cert. The method will simply pass the data to the DRM, and will return the secret wrapped in the session key. The secret will still need to be unwrapped by the caller.
      Parameters:
      keyId - -- key id for secret
      transWrappedSessionKey - -- session key wrapped by the transport cert.
      Returns:
      A Key object containing the wrapped secret.
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • retrieveKeyByPassphrase

      public KeyData retrieveKeyByPassphrase(KeyId keyId, String passphrase) throws Exception
      The secret is secured in transit by wrapping the secret with the passphrase using PBE encryption. CryptoUtil methods will be called to create the data to securely send the passphrase to the DRM. Basically, three pieces of data will be sent: - the passphrase wrapped by a 168 bit 3DES symmetric key (the session key). - the session key wrapped with the public key in the DRM transport certificate. - an ivps vector to be used as nonceData.
      Parameters:
      keyId - -- key id of secret.
      passphrase - -- passphrase used to wrap the secret in the response.
      Returns:
      A Key object with the secret wrapped with the passphrase.
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • retrieveKeyByRequestWithPassphrase

      public Key retrieveKeyByRequestWithPassphrase(RequestId requestId, String passphrase) throws Exception
      Throws:
      Exception
    • retrieveKeyUsingWrappedPassphrase

      public KeyData retrieveKeyUsingWrappedPassphrase(KeyId keyId, byte[] transWrappedSessionKey, byte[] sessionWrappedPassphrase, byte[] nonceData) throws Exception
      This method generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The method will return the secret encrypted by the passphrase using PBE Encryption. The secret will still need to be decrypted by the caller.
      Parameters:
      keyId - -- key id for secret
      transWrappedSessionKey - -- Session key wrapped with the transport cert
      sessionWrappedPassphrase - -- Passphrase wrapped with the session key
      nonceData - -- nonce data used for encryption.
      Returns:
      A Key object with the secret wrapped by the passphrase provided.
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • retrieveKeyByPKCS12

      public KeyData retrieveKeyByPKCS12(KeyId keyId, String certificate, String passphrase) throws Exception
      Retrieve an asymmetric private key and return it as PKCS12 data. This function generates a key recovery request, approves it, and retrieves the secret referred to by key_id in a PKCS12 file. This assumes that only one approval is required to authorize the recovery.
      Parameters:
      keyId - -- key id for secret
      certificate - -- the certificate associated with the private key
      passphrase - -- A passphrase for the pkcs12 file.
      Returns:
      A Key object with the wrapped secret
      Throws:
      Exception
    • archiveSecret

      public KeyRequestResponse archiveSecret(String clientKeyId, byte[] secret, String realm) throws Exception
      Archive a secret on the KRA. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.
      Parameters:
      clientKeyId - -- Client Key Identfier
      secret - -- Secret to be archived
      realm - -- authorization realm
      Returns:
      A KeyRequestResponse object with information about the request.
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • archiveSecret

      public KeyRequestResponse archiveSecret(String clientKeyId, byte[] secret) throws Exception
      Throws:
      Exception
    • getWrapAlgorithmName

      public String getWrapAlgorithmName()
    • archiveSymmetricKey

      public KeyRequestResponse archiveSymmetricKey(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize, String realm) throws Exception
      Archive a symmetric key on the DRM. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.
      Parameters:
      clientKeyId - -- Client Key Identifier
      keyAlgorithm - -- Algorithm used by the symmetric key
      keySize - -- Strength of the symmetric key (secret)
      realm - -- authorization realm
      Returns:
      A KeyRequestResponse object with information about the request.
      Throws:
      Exception - - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
    • archiveSymmetricKey

      @Deprecated public KeyRequestResponse archiveSymmetricKey(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize) throws Exception
      Deprecated.
      Throws:
      Exception
    • archiveEncryptedData

      public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey, String realm) throws Exception
      Archive a secret (symmetric key or passphrase) on the DRM. This method is useful if the caller wants to do their own wrapping of the secret, or if the secret was generated on a separate client machine and the wrapping was done there.
      Parameters:
      clientKeyId - -- Client Key Identifier
      dataType - -- Type of secret being archived
      keyAlgorithm - -- Algorithm used - if the secret is a symmetric key
      keySize - -- Strength of the symmetric key (secret)
      algorithmOID - -- OID of the algorithm used for the symmetric key wrap
      nonceData - -- nonce data
      encryptedData - -- which is the secret wrapped by a session key (168 bit 3DES symmetric key)
      transWrappedSessionKey - -- session key wrapped by the transport cert.
      realm - -- authorization realm
      Returns:
      A KeyRequestResponse object with information about the request.
      Throws:
      Exception
    • archiveEncryptedData

      @Deprecated public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey) throws Exception
      Deprecated.
      Throws:
      Exception
    • archivePKIOptions

      public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions, String realm) throws Exception
      Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.
      Parameters:
      clientKeyId - -- Client Key Identifier
      dataType - -- Type of secret bring archived
      keyAlgorithm - -- Algorithm used if the secret is a symmetric key
      keySize - -- Strength of the symmetric key
      pkiArchiveOptions - -- is the data to be archived wrapped in a PKIArchiveOptions structure
      realm - -- authorization realm
      Returns:
      A KeyRequestResponse object with information about the request.
      Throws:
      Exception
    • archivePKIOptions

      @Deprecated public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions) throws Exception
      Deprecated.
      Throws:
      Exception
    • generateSymmetricKey

      public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey, String realm) throws Exception
      Generate and archive a symmetric key in the DRM.
      Parameters:
      clientKeyId - -- Client Key Identifier
      keyAlgorithm - -- Algorithm to be used to generate the key
      keySize - -- Strength of the keys
      usages - -- Usages of the generated key.
      transWrappedSessionKey - - client generated session key wrapped by KRA transport key
      realm - -- authorization realm
      Returns:
      a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and generated key.
      Throws:
      Exception
    • generateSymmetricKey

      @Deprecated public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey) throws Exception
      Deprecated.
      Throws:
      Exception
    • generateAsymmetricKey

      public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey, String realm) throws Exception
      Generate and archive an asymmetric keys in the DRM
      Parameters:
      clientKeyId - -- Client Key Identifier
      keyAlgorithm - -- Algorithm to be used to generate the asymmetric keys
      keySize - -- Strength of the keys
      usages - -- key usages
      transWrappedSessionKey - -- client generated session key wrapped by the KRA transport key
      realm - -- authorization realm
      Throws:
      Exception
    • generateAsymmetricKey

      @Deprecated public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey) throws Exception
      Deprecated.
      Throws:
      Exception