Package com.netscape.certsrv.key
Class KeyClient
java.lang.Object
com.netscape.certsrv.client.Client
com.netscape.certsrv.key.KeyClient
- Author:
- Endi S. Dewata, Abhishek Koneru
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic org.slf4j.Logger
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionvoid
Approve a secret recovery requestarchiveEncryptedData
(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey) Deprecated.archiveEncryptedData
(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey, String realm) Archive a secret (symmetric key or passphrase) on the DRM.archivePKIOptions
(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions) Deprecated.archivePKIOptions
(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions, String realm) Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.archiveSecret
(String clientKeyId, byte[] secret) archiveSecret
(String clientKeyId, byte[] secret, String realm) Archive a secret on the KRA.archiveSymmetricKey
(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize) Deprecated.archiveSymmetricKey
(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize, String realm) Archive a symmetric key on the DRM.void
Cancel a secret recovery requestgenerateAsymmetricKey
(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey) Deprecated.generateAsymmetricKey
(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey, String realm) Generate and archive an asymmetric keys in the DRMorg.mozilla.jss.crypto.SymmetricKey
generateSymmetricKey
(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey) Deprecated.generateSymmetricKey
(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey, String realm) Generate and archive a symmetric key in the DRM.getActiveKeyInfo
(String clientKeyID) Get the info in the KeyRecord for the active secret in the DRM.getKeyInfo
(KeyId id) Get the info in the KeyRecord for a specific secret in the DRM.Return a KeyRequestInfo object for a specific request.void
init()
listKeys
(String clientKeyID, String status, Integer maxSize, Integer maxTime, Integer start, Integer size) listKeys
(String clientKeyID, String status, Integer maxSize, Integer maxTime, Integer start, Integer size, String realm) List/Search archived secrets in the DRM.listRequests
(String requestState, String requestType) listRequests
(String requestState, String requestType, String realm) Search key requests in the DRM based on the state/type of the requests.listRequests
(String requestState, String requestType, String clientKeyID, RequestId start, Integer pageSize, Integer maxResults, Integer maxTime, String realm) List/Search key requests in the DRMvoid
modifyKeyStatus
(KeyId id, String status) Modify the status of a keyvoid
processKeyData
(Key data, org.mozilla.jss.crypto.SymmetricKey sessionKey) recoverKey
(KeyId keyId, byte[] sessionWrappedPassphrase, byte[] transWrappedSessionKey, byte[] nonceData, String b64Certificate) Create a request to recover a secret.void
Reject a secret recovery requestretrieveKey
(KeyId keyId, byte[] transWrappedSessionKey) Retrieve a secret (passphrase or symmetric key) from the DRM.retrieveKey
(KeyId keyId, org.mozilla.jss.crypto.SymmetricKey sessionKey) Retrieve a secret (passphrase or symmetric key) from the DRM.retrieveKeyByPassphrase
(KeyId keyId, String passphrase) The secret is secured in transit by wrapping the secret with the passphrase using PBE encryption.retrieveKeyByPKCS12
(KeyId keyId, String certificate, String passphrase) Retrieve an asymmetric private key and return it as PKCS12 data.retrieveKeyByRequest
(RequestId requestId, org.mozilla.jss.crypto.SymmetricKey sessionKey) retrieveKeyByRequestWithPassphrase
(RequestId requestId, String passphrase) Retrieve a secret from the DRM.retrieveKeyUsingWrappedPassphrase
(KeyId keyId, byte[] transWrappedSessionKey, byte[] sessionWrappedPassphrase, byte[] nonceData) This method generates a key recovery request, approves it, and retrieves the secret referred to by keyId.void
setCrypto
(CryptoProvider crypto) void
setTransportCert
(org.mozilla.jss.crypto.X509Certificate transportCert) Methods inherited from class com.netscape.certsrv.client.Client
addClient, createProxy, get, get, get, get, getClient, getName, getSubsystem, post, post, post, post, removeClient
-
Field Details
-
logger
public static org.slf4j.Logger logger -
keyClient
-
keyRequestClient
-
kraInfoClient
-
-
Constructor Details
-
KeyClient
- Throws:
Exception
-
-
Method Details
-
init
- Throws:
Exception
-
getCrypto
-
setCrypto
-
setTransportCert
- Throws:
Exception
-
listKeys
public KeyInfoCollection listKeys(String clientKeyID, String status, Integer maxSize, Integer maxTime, Integer start, Integer size, String realm) throws Exception List/Search archived secrets in the DRM.- Parameters:
clientKeyID
- -- Client Key Identifierstatus
- -- Status of the keys to be listedmaxSize
- -- Maximum number of keys to be fetchedmaxTime
- -- Maximum time for the operation to takestart
- -- Start index of listsize
- -- Size of the list to be returned.realm
- - authz realm- Returns:
- a KeyInfoCollection object.
- Throws:
Exception
-
listKeys
public KeyInfoCollection listKeys(String clientKeyID, String status, Integer maxSize, Integer maxTime, Integer start, Integer size) throws Exception - Throws:
Exception
-
listRequests
public KeyRequestInfoCollection listRequests(String requestState, String requestType, String realm) throws Exception Search key requests in the DRM based on the state/type of the requests.- Parameters:
requestState
- -- State of the requests to be queried.requestType
- -- Type of the requests to be queried.realm
- -- Authz Realm- Returns:
- a KeyRequestCollection object.
- Throws:
Exception
-
listRequests
public KeyRequestInfoCollection listRequests(String requestState, String requestType) throws Exception - Throws:
Exception
-
listRequests
public KeyRequestInfoCollection listRequests(String requestState, String requestType, String clientKeyID, RequestId start, Integer pageSize, Integer maxResults, Integer maxTime, String realm) throws Exception List/Search key requests in the DRM- Parameters:
requestState
- -- State of the requests to be queried.requestType
- -- Type of the requests to be queried.clientKeyID
- -- Client Key Identifierstart
- -- Start index of listpageSize
- -- Size of the list to be returned.maxResults
- -- Maximum number of requests to be fetchedmaxTime
- -- Maximum time for the operation to takerealm
- -- Authz Realm- Returns:
- a KeyRequestInfoCollection object.
- Throws:
Exception
-
getRequestInfo
Return a KeyRequestInfo object for a specific request.- Parameters:
id
- -- A Request Id object- Returns:
- the KeyRequestInfo object for a specific request.
- Throws:
Exception
-
getKeyInfo
Get the info in the KeyRecord for a specific secret in the DRM.- Parameters:
id
- -- key id for secret- Returns:
- the KeyInfo object for a specific request.
- Throws:
Exception
-
getActiveKeyInfo
Get the info in the KeyRecord for the active secret in the DRM.- Parameters:
clientKeyID
- -- Client Key Identifier- Throws:
Exception
-
modifyKeyStatus
Modify the status of a key- Parameters:
id
- -- key id for secretstatus
- -- Status to be set for the key- Throws:
Exception
-
approveRequest
Approve a secret recovery request- Parameters:
id
- -- Id of the request- Throws:
Exception
-
rejectRequest
Reject a secret recovery request- Parameters:
id
- -- Id of the request- Throws:
Exception
-
cancelRequest
Cancel a secret recovery request- Parameters:
id
- -- Id of the request- Throws:
Exception
-
recoverKey
public KeyRequestResponse recoverKey(KeyId keyId, byte[] sessionWrappedPassphrase, byte[] transWrappedSessionKey, byte[] nonceData, String b64Certificate) throws Exception Create a request to recover a secret. To retrieve a symmetric key or passphrase, the only parameter that is required is the KeyId object. It is possible (but not required) to pass in the session keys/passphrase and nonceData for the retrieval at this time. To retrieve an asymmetric key, the keyId and the the base-64 encoded certificate is required.- Parameters:
keyId
- -- key id for secretsessionWrappedPassphrase
- -- A passphrase wrapped by a session keytransWrappedSessionKey
- -- The session key, used to wrap the passphrase, wrapped by the DRM transport cert.nonceData
- -- IV parameter used while encrypting the passphrase using the session key.b64Certificate
- -- A certificate in encoded using Base64- Returns:
- A KeyRequestResponse object containing information about the key request and the key.
- Throws:
Exception
-
retrieveKeyData
Retrieve a secret from the DRM.- Parameters:
data
- -- a KeyRecoveryRequest containing the keyId of the secret being retrieved, the request_id of the approved recovery request and a wrapping mechanism.- Returns:
- A Key object containing the wrapped secret.
- Throws:
Exception
-
generateSessionKey
- Throws:
Exception
-
retrieveKey
public KeyData retrieveKey(KeyId keyId, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception Retrieve a secret (passphrase or symmetric key) from the DRM. To ensure data security in transit, the data will be returned encrypted by a session key (168 bit 3DES symmetric key) - which is first wrapped (encrypted) by the public key of the DRM transport certificate before being sent to the DRM. This method will call CryptoUtil methods to generate the session key and wrap it with the DRM transport cert. The function will return the Key object, but with the secret set to the variable data. (The decryption of the encryptedData is done on the client side i.e. the secret is not transmitted as it is by the server.)- Parameters:
keyId
- -- key id for secret- Returns:
- A Key object containing the unwrapped secret (set to the attribute data).
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
processKeyData
public void processKeyData(Key data, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception - Throws:
Exception
-
retrieveKeyByRequest
public KeyData retrieveKeyByRequest(RequestId requestId, org.mozilla.jss.crypto.SymmetricKey sessionKey) throws Exception - Throws:
Exception
-
retrieveKey
Retrieve a secret (passphrase or symmetric key) from the DRM. This function generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The parameter transWrappedSessionKey refers to the session key wrapped with the transport cert. The method will simply pass the data to the DRM, and will return the secret wrapped in the session key. The secret will still need to be unwrapped by the caller.- Parameters:
keyId
- -- key id for secrettransWrappedSessionKey
- -- session key wrapped by the transport cert.- Returns:
- A Key object containing the wrapped secret.
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
retrieveKeyByPassphrase
The secret is secured in transit by wrapping the secret with the passphrase using PBE encryption. CryptoUtil methods will be called to create the data to securely send the passphrase to the DRM. Basically, three pieces of data will be sent: - the passphrase wrapped by a 168 bit 3DES symmetric key (the session key). - the session key wrapped with the public key in the DRM transport certificate. - an ivps vector to be used as nonceData.- Parameters:
keyId
- -- key id of secret.passphrase
- -- passphrase used to wrap the secret in the response.- Returns:
- A Key object with the secret wrapped with the passphrase.
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
retrieveKeyByRequestWithPassphrase
public Key retrieveKeyByRequestWithPassphrase(RequestId requestId, String passphrase) throws Exception - Throws:
Exception
-
retrieveKeyUsingWrappedPassphrase
public KeyData retrieveKeyUsingWrappedPassphrase(KeyId keyId, byte[] transWrappedSessionKey, byte[] sessionWrappedPassphrase, byte[] nonceData) throws Exception This method generates a key recovery request, approves it, and retrieves the secret referred to by keyId. This assumes that only one approval is required to authorize the recovery. The method will return the secret encrypted by the passphrase using PBE Encryption. The secret will still need to be decrypted by the caller.- Parameters:
keyId
- -- key id for secrettransWrappedSessionKey
- -- Session key wrapped with the transport certsessionWrappedPassphrase
- -- Passphrase wrapped with the session keynonceData
- -- nonce data used for encryption.- Returns:
- A Key object with the secret wrapped by the passphrase provided.
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
retrieveKeyByPKCS12
public KeyData retrieveKeyByPKCS12(KeyId keyId, String certificate, String passphrase) throws Exception Retrieve an asymmetric private key and return it as PKCS12 data. This function generates a key recovery request, approves it, and retrieves the secret referred to by key_id in a PKCS12 file. This assumes that only one approval is required to authorize the recovery.- Parameters:
keyId
- -- key id for secretcertificate
- -- the certificate associated with the private keypassphrase
- -- A passphrase for the pkcs12 file.- Returns:
- A Key object with the wrapped secret
- Throws:
Exception
-
archiveSecret
public KeyRequestResponse archiveSecret(String clientKeyId, byte[] secret, String realm) throws Exception Archive a secret on the KRA. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.- Parameters:
clientKeyId
- -- Client Key Identfiersecret
- -- Secret to be archivedrealm
- -- authorization realm- Returns:
- A KeyRequestResponse object with information about the request.
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
archiveSecret
- Throws:
Exception
-
getWrapAlgorithmName
-
archiveSymmetricKey
public KeyRequestResponse archiveSymmetricKey(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize, String realm) throws Exception Archive a symmetric key on the DRM. Requires a user-supplied client ID. There can be only one active key with a specified client ID. If a record for a duplicate active key exists, a BadRequestException is thrown.- Parameters:
clientKeyId
- -- Client Key IdentifierkeyAlgorithm
- -- Algorithm used by the symmetric keykeySize
- -- Strength of the symmetric key (secret)realm
- -- authorization realm- Returns:
- A KeyRequestResponse object with information about the request.
- Throws:
Exception
- - Exceptions of type NoSuchAlgorithmException, IllegalStateException, TokenException, IOException, CertificateEncodingException, InvalidKeyException, InvalidAlgorithmParameterException, BadPaddingException, IllegalBlockSizeException
-
archiveSymmetricKey
@Deprecated public KeyRequestResponse archiveSymmetricKey(String clientKeyId, org.mozilla.jss.crypto.SymmetricKey secret, String keyAlgorithm, Integer keySize) throws Exception Deprecated.- Throws:
Exception
-
archiveEncryptedData
public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey, String realm) throws Exception Archive a secret (symmetric key or passphrase) on the DRM. This method is useful if the caller wants to do their own wrapping of the secret, or if the secret was generated on a separate client machine and the wrapping was done there.- Parameters:
clientKeyId
- -- Client Key IdentifierdataType
- -- Type of secret being archivedkeyAlgorithm
- -- Algorithm used - if the secret is a symmetric keykeySize
- -- Strength of the symmetric key (secret)algorithmOID
- -- OID of the algorithm used for the symmetric key wrapnonceData
- -- nonce dataencryptedData
- -- which is the secret wrapped by a session key (168 bit 3DES symmetric key)transWrappedSessionKey
- -- session key wrapped by the transport cert.realm
- -- authorization realm- Returns:
- A KeyRequestResponse object with information about the request.
- Throws:
Exception
-
archiveEncryptedData
@Deprecated public KeyRequestResponse archiveEncryptedData(String clientKeyId, String dataType, String keyAlgorithm, Integer keySize, String algorithmOID, byte[] nonceData, byte[] encryptedData, byte[] transWrappedSessionKey) throws Exception Deprecated.- Throws:
Exception
-
archivePKIOptions
public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions, String realm) throws Exception Archive a secret (symmetric key or passphrase) on the DRM using a PKIArchiveOptions data format.- Parameters:
clientKeyId
- -- Client Key IdentifierdataType
- -- Type of secret bring archivedkeyAlgorithm
- -- Algorithm used if the secret is a symmetric keykeySize
- -- Strength of the symmetric keypkiArchiveOptions
- -- is the data to be archived wrapped in a PKIArchiveOptions structurerealm
- -- authorization realm- Returns:
- A KeyRequestResponse object with information about the request.
- Throws:
Exception
-
archivePKIOptions
@Deprecated public KeyRequestResponse archivePKIOptions(String clientKeyId, String dataType, String keyAlgorithm, int keySize, byte[] pkiArchiveOptions) throws Exception Deprecated.- Throws:
Exception
-
generateSymmetricKey
public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey, String realm) throws Exception Generate and archive a symmetric key in the DRM.- Parameters:
clientKeyId
- -- Client Key IdentifierkeyAlgorithm
- -- Algorithm to be used to generate the keykeySize
- -- Strength of the keysusages
- -- Usages of the generated key.transWrappedSessionKey
- - client generated session key wrapped by KRA transport keyrealm
- -- authorization realm- Returns:
- a KeyRequestResponse which contains a KeyRequestInfo object that describes the URL for the request and generated key.
- Throws:
Exception
-
generateSymmetricKey
@Deprecated public KeyRequestResponse generateSymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, String transWrappedSessionKey) throws Exception Deprecated.- Throws:
Exception
-
generateAsymmetricKey
public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey, String realm) throws Exception Generate and archive an asymmetric keys in the DRM- Parameters:
clientKeyId
- -- Client Key IdentifierkeyAlgorithm
- -- Algorithm to be used to generate the asymmetric keyskeySize
- -- Strength of the keysusages
- -- key usagestransWrappedSessionKey
- -- client generated session key wrapped by the KRA transport keyrealm
- -- authorization realm- Throws:
Exception
-
generateAsymmetricKey
@Deprecated public KeyRequestResponse generateAsymmetricKey(String clientKeyId, String keyAlgorithm, int keySize, List<String> usages, byte[] transWrappedSessionKey) throws Exception Deprecated.- Throws:
Exception
-