Package com.netscape.cmstools
Class hsmCompatVerifyServ
java.lang.Object
com.netscape.cmstools.hsmCompatVerifyServ
KRA HSM/PKCS#11 Compatibility Verification Tool
This tool verifies the minimum capabilities required for
KRA key archival and recovery operations without requiring
a full PKI installation.
Two-phase operation:
1. Setup Phase (--setup-only): Creates CA/KRA certificates on HSM
- CA signing certificate (self-signed)
- KRA transport certificate (signed by CA)
- KRA storage certificate (signed by CA)
2. Verification Phase: Verifies complete archival/recovery workflow
- Generate user key on client token
- Archive using transport key (HSM)
- Store using storage key (HSM)
- Recover using storage key (HSM)
- Create PKCS#12
This verifies essential PKCS#11 mechanisms:
HSM:
- RSA or EC key pair generation (for CA cert)
- RSA key pair generation (for transport/storage certs, required for key wrapping)
- Self-signed certificate creation
- Certificate signing
- RSA key wrapping/unwrapping (with optional OAEP support)
- Session key (AES) generation and operations
Client token:
- RSA or EC key pair generation (user keys)
- Symmetric key wrapping/unwrapping
Note: KRA transport and storage certificates must be RSA for key wrapping operations.
CA and user certificates can be RSA or EC.
Code references (mimicking the real PKI operations):
- Client-side wrapping: base/tools/src/main/java/com/netscape/cmstools/CRMFPopClient.java
- KRA archival: base/kra/src/main/java/com/netscape/kra/EnrollmentService.java
- KRA recovery: base/kra/src/main/java/com/netscape/kra/RecoveryService.java
- Transport key ops: base/kra/src/main/java/com/netscape/kra/TransportKeyUnit.java
- Storage key ops: base/kra/src/main/java/com/netscape/kra/StorageKeyUnit.java
Author: Christina Fu (cfu)
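The archival and recovery chain described above (an AES session key wraps the user private key, the transport key wraps the session key, the KRA rewraps under the storage key, recovery unwraps again), as an added example in plain JCA that is not part of the PKI tool or the referenced classes. It assumes software RSA keys standing in for the HSM-resident transport/storage keys and the client-token user key; the JCA algorithm strings, the CBC/PKCS5 wrapping and the helper names are illustrative assumptions, not the KRA's actual wrapping parameters.

```java
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
public class KraWrapFlowExample {
    // Assumption: software keys stand in for the HSM transport/storage keys and the
    // client-token user key; only the wrap/unwrap sequence of the workflow is modelled.
    static KeyPair rsa(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(bits);
        return kpg.generateKeyPair();
    }
    // Wrap a private key under a fresh AES session key, then wrap that session key
    // under an RSA public key. Returns {wrappedSession, wrappedPrivate, iv}.
    static byte[][] wrapForRecipient(PrivateKey priv, PublicKey rsaPub, String rsaAlg) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        SecretKey session = kg.generateKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.WRAP_MODE, session, new IvParameterSpec(iv));
        Cipher rsa = Cipher.getInstance(rsaAlg);
        rsa.init(Cipher.WRAP_MODE, rsaPub);
        return new byte[][] { rsa.wrap(session), aes.wrap(priv), iv };
    }
    // Reverse of wrapForRecipient, using the matching RSA private key.
    static PrivateKey unwrapAsRecipient(byte[][] blob, PrivateKey rsaPriv, String rsaAlg) throws Exception {
        Cipher rsa = Cipher.getInstance(rsaAlg);
        rsa.init(Cipher.UNWRAP_MODE, rsaPriv);
        SecretKey session = (SecretKey) rsa.unwrap(blob[0], "AES", Cipher.SECRET_KEY);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.UNWRAP_MODE, session, new IvParameterSpec(blob[2]));
        return (PrivateKey) aes.unwrap(blob[1], "RSA", Cipher.PRIVATE_KEY);
    }
    public static void main(String[] args) throws Exception {
        // setUseOAEP(true) corresponds to OAEP; "RSA/ECB/PKCS1Padding" would be the non-OAEP form.
        String rsaAlg = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
        KeyPair transport = rsa(2048), storage = rsa(2048), user = rsa(2048);
        // Client side (CRMFPopClient role): wrap the user key for the KRA transport key.
        byte[][] archived = wrapForRecipient(user.getPrivate(), transport.getPublic(), rsaAlg);
        // KRA archival (TransportKeyUnit, then StorageKeyUnit): unwrap, rewrap under storage key.
        PrivateKey atKra = unwrapAsRecipient(archived, transport.getPrivate(), rsaAlg);
        byte[][] stored = wrapForRecipient(atKra, storage.getPublic(), rsaAlg);
        // KRA recovery (RecoveryService): unwrap with the storage key; the tool would then package this into a PKCS#12.
        PrivateKey recovered = unwrapAsRecipient(stored, storage.getPrivate(), rsaAlg);
        System.out.println("recovered key matches original: "
            + Arrays.equals(recovered.getEncoded(), user.getPrivate().getEncoded()));
    }
}
```

In the real tool the transport and storage private keys never leave the HSM; the unwrap calls above run inside the token via PKCS#11, which is exactly the capability the verification phase checks.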
Field Summary
- TOOL_NAME
- public boolean verbose
Constructor Summary
- hsmCompatVerifyServ()
Method Summary
- static org.apache.commons.cli.Options createOptions()
- static void main (throws Exception)
- static void printError(String message)
- static void printHelp()
- void runSetup(String pkiservDB, String pkiservPasswd, String hsmToken, String hsmTokenPasswd, String caKeyAlgorithm, String caKeySize, String caSubject, int caValidity, String caNickname, String transportSubject, int transportValidity, String transportNickname, String transportOpFlagsStr, String transportOpFlagsMaskStr, String storageSubject, int storageValidity, String storageNickname, String storageOpFlagsStr, String storageOpFlagsMaskStr)
  Setup phase: creates the PKI infrastructure (three certificate/key pairs) on the HSM.
- void runTest(String pkiservDB, String clientDB, String wrappedSessionFile, String wrappedPrivateFile, String publicKeyFile, String ivFile, String hsmToken, String hsmTokenPasswd, String caNickname, String transportNickname, String storageNickname, String subjectDN, String outputFile, String recoveryPasswd, String keywrapAlg, boolean archiveOnly, boolean recoverOnly, String ldifFile, boolean legacyPKCS12)
  Test phase: runs the archival and/or recovery workflow in one of three modes.
- void setAutoYes(boolean autoYes)
- void setUseOAEP(boolean useOAEP)
- void setVerbose(boolean verbose)
Field Details
TOOL_NAME
verbose
public boolean verbose
Constructor Details
hsmCompatVerifyServ
public hsmCompatVerifyServ()
Method Details
createOptions
public static org.apache.commons.cli.Options createOptions()
printHelp
public static void printHelp()
printError
public static void printError(String message)
main
Throws: Exception
setVerbose
public void setVerbose(boolean verbose)
setUseOAEP
public void setUseOAEP(boolean useOAEP)
setAutoYes
public void setAutoYes(boolean autoYes)
runSetup
public void runSetup(String pkiservDB, String pkiservPasswd, String hsmToken, String hsmTokenPasswd, String caKeyAlgorithm, String caKeySize, String caSubject, int caValidity, String caNickname, String transportSubject, int transportValidity, String transportNickname, String transportOpFlagsStr, String transportOpFlagsMaskStr, String storageSubject, int storageValidity, String storageNickname, String storageOpFlagsStr, String storageOpFlagsMaskStr) throws Exception
Setup phase: Creates PKI infrastructure on HSM. Creates three certificate/key pairs on the HSM:
1. CA signing certificate (self-signed)
2. KRA transport certificate (signed by CA)
3. KRA storage certificate (signed by CA)
Also stores the public certificates in the PKI server NSS DB for reference. Adopted from various PKI cert generation utilities, but simplified for testing.
Throws: Exception
runTest
public void runTest(String pkiservDB, String clientDB, String wrappedSessionFile, String wrappedPrivateFile, String publicKeyFile, String ivFile, String hsmToken, String hsmTokenPasswd, String caNickname, String transportNickname, String storageNickname, String subjectDN, String outputFile, String recoveryPasswd, String keywrapAlg, boolean archiveOnly, boolean recoverOnly, String ldifFile, boolean legacyPKCS12) throws Exception
Test phase: Runs archival and/or recovery workflow. This method supports three modes:
1. Archival only (archiveOnly=true): Archive keys to LDIF and stop
2. Recovery only (recoverOnly=true): Read from LDIF and recover to PKCS#12
3. Combined (neither flag): Full archival+recovery workflow (creates LDIF + recovers to PKCS#12)
Adopted from: CRMFPopClient, EnrollmentService, RecoveryService, TransportKeyUnit, StorageKeyUnit (see detailed comments inline)
Parameters:
- pkiservDB - PKI system NSS database path. REQUIRED for HSM access: CryptoManager must be initialized with this database because it contains the modutil configuration that loads the HSM PKCS#11 module. Without it, the HSM token won't be found.
- clientDB - Client NSS database directory (base path for wrapped key files and p12 output)
- wrappedSessionFile - Wrapped session key file (from hsmCompatVerifyClnt, null for recovery mode)
- wrappedPrivateFile - Wrapped private key file (from hsmCompatVerifyClnt, null for recovery mode)
- publicKeyFile - Public key file in DER format (from hsmCompatVerifyClnt, null for recovery mode)
- archiveOnly - If true, create LDIF and stop (archival only mode, no recovery)
- recoverOnly - If true, read from existing LDIF file (recovery only mode, no archival)
- ldifFile - LDIF file path for archival output or recovery input
Throws: Exception