public static void main(String args[]) {

    try {

      if (args.length < 2) {
        System.out.println(
            "Usage: FipsTest <dbdir> <fipsmode enter: "
                + "enable OR disable OR chkfips > <password file>");
        return;
      }
      String dbdir = args[0];
      String fipsmode = args[1];

      String password = "";

      if (args.length == 3) {
        password = args[2];
        System.out.println("The password file " + password);
      }

      CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(dbdir);

      System.out.println("output of Initilization values ");
      System.out.println("Manufacturer ID: " + vals.getManufacturerID());
      System.out.println("Library: " + vals.getLibraryDescription());
      System.out.println("Internal Slot: " + vals.getInternalSlotDescription());
      System.out.println("Internal Token: " + vals.getInternalTokenDescription());
      System.out.println("Key Storage Slot: " + vals.getFIPSKeyStorageSlotDescription());
      System.out.println("Key Storage Token: " + vals.getInternalKeyStorageTokenDescription());
      System.out.println("FIPS Slot: " + vals.getFIPSSlotDescription());
      System.out.println("FIPS Key Storage: " + vals.getFIPSKeyStorageSlotDescription());

      if (fipsmode.equalsIgnoreCase("enable")) {
        vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.ENABLED;
      } else if (fipsmode.equalsIgnoreCase("disable")) {
        vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.DISABLED;
      } else {
        vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.UNCHANGED;
      }

      CryptoManager.initialize(vals);

      CryptoManager cm = CryptoManager.getInstance();

      if (cm.FIPSEnabled() == true) {
        System.out.println("\n\t\tFIPS enabled\n");
      } else {
        System.out.println("\n\t\tFIPS not enabled\n");
      }

      java.util.Enumeration items;
      items = cm.getModules();
      System.out.println("\nListing of Modules:");
      while (items.hasMoreElements()) {
        System.out.println("\t" + ((PK11Module) items.nextElement()).getName());
      }
      CryptoToken tok;
      String tokenName;

      items = cm.getAllTokens();
      System.out.println("\nAll Tokens:");
      while (items.hasMoreElements()) {
        tok = (CryptoToken) items.nextElement();

        System.out.print("\t" + tok.getName());
        if (tok.needsLogin() == true) {
          System.out.println("\t - Needs login.\n");
        } else {
          System.out.println("\t - Does not need login.\n");
        }
      }

      items = cm.getExternalTokens();
      System.out.println("\nExternal Tokens:");
      while (items.hasMoreElements()) {
        System.out.println("\t" + ((CryptoToken) items.nextElement()).getName());
      }

      /* find the Internal Key Storage token */
      if (cm.FIPSEnabled() == true) {
        tokenName = vals.getFIPSSlotDescription();
      } else {
        tokenName = vals.getInternalKeyStorageTokenDescription();
      }

      /* truncate to 32 bytes and remove trailing white space*/
      tokenName = tokenName.substring(0, 32);
      tokenName = tokenName.trim();
      System.out.println("\nFinding the Internal Key Storage token: " + tokenName);
      tok = cm.getTokenByName(tokenName);

      if (((PK11Token) tok).isInternalKeyStorageToken()
          && tok.equals(cm.getInternalKeyStorageToken())) {
        System.out.println(
            "Good, " + tok.getName() + ", knows it is " + "the internal Key Storage Token");
      } else {
        System.out.println(
            "ERROR: " + tok.getName() + ", doesn't know" + " it is the internal key storage token");
      }

      if (!password.equals("")) {
        System.out.println("logging in to the Token: " + tok.getName());
        PasswordCallback cb = new FilePasswordCallback(password);
        tok.login(cb);
        System.out.println("logged in to the Token: " + tok.getName());
      }

      /* find the Internal Crypto token */
      if (cm.FIPSEnabled() == true) {
        tokenName = vals.getFIPSSlotDescription();
      } else {
        tokenName = vals.getInternalTokenDescription();
      }

      /* truncate to 32 bytes and remove trailing white space*/
      tokenName = tokenName.substring(0, 32);
      tokenName = tokenName.trim();
      System.out.println("\nFinding the Internal Crypto token: " + tokenName);
      tok = cm.getTokenByName(tokenName);

      if (((PK11Token) tok).isInternalCryptoToken() && tok.equals(cm.getInternalCryptoToken())) {
        System.out.println("Good, " + tok.getName() + ", knows it is the internal Crypto token");
      } else {
        System.out.println(
            "ERROR: " + tok.getName() + ", doesn't know that it is the internal Crypto token");
      }

      System.exit(0);

    } catch (Exception e) {
      e.printStackTrace();
      System.exit(1);
    }
  }
Example #2
0
  public static void main(String[] args) {

    try {

      // Read arguments
      if (args.length != 3) {
        System.out.println("Usage: PFX <dbdir> <infile> <outfile>");
        System.exit(-1);
      }

      // open input file for reading
      FileInputStream infile = null;
      try {
        infile = new FileInputStream(args[1]);
      } catch (FileNotFoundException f) {
        System.out.println("Cannot open file " + args[1] + " for reading: " + f.getMessage());
        return;
      }
      int certfile = 0;

      // initialize CryptoManager. This is necessary because there is
      // crypto involved with decoding a PKCS #12 file
      CryptoManager.initialize(args[0]);
      CryptoManager manager = CryptoManager.getInstance();

      // Decode the P12 file
      PFX.Template pfxt = new PFX.Template();
      PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048));
      System.out.println("Decoded PFX");

      // print out information about the top-level PFX structure
      System.out.println("Version: " + pfx.getVersion());
      AuthenticatedSafes authSafes = pfx.getAuthSafes();
      SEQUENCE safeContentsSequence = authSafes.getSequence();
      System.out.println("AuthSafes has " + safeContentsSequence.size() + " SafeContents");

      // Get the password for the old file
      System.out.println("Enter password: "******"Enter new password:"******"AuthSafes verifies correctly.");
      } else {
        System.out.println("AuthSafes failed to verify because: " + sb);
      }

      // Create a new AuthenticatedSafes. As we read the contents of the
      // old authSafes, we will store them into the new one.  After we have
      // cycled through all the contents, they will all have been copied into
      // the new authSafes.
      AuthenticatedSafes newAuthSafes = new AuthenticatedSafes();

      // Loop over contents of the old authenticated safes
      // for(int i=0; i < asSeq.size(); i++) {
      for (int i = 0; i < safeContentsSequence.size(); i++) {

        // The safeContents may or may not be encrypted.  We always send
        // the password in.  It will get used if it is needed.  If the
        // decryption of the safeContents fails for some reason (like
        // a bad password), then this method will throw an exception
        SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i);

        System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags");

        // Go through all the bags in this SafeContents
        for (int j = 0; j < safeContents.size(); j++) {
          SafeBag safeBag = (SafeBag) safeContents.elementAt(j);

          // The type of the bag is an OID
          System.out.println("\nBag " + j + " has type " + safeBag.getBagType());

          // look for bag attributes
          SET attribs = safeBag.getBagAttributes();
          if (attribs == null) {
            System.out.println("Bag has no attributes");
          } else {
            for (int b = 0; b < attribs.size(); b++) {
              Attribute a = (Attribute) attribs.elementAt(b);
              if (a.getType().equals(SafeBag.FRIENDLY_NAME)) {
                // the friendly name attribute is a nickname
                BMPString bs =
                    (BMPString)
                        ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate());
                System.out.println("Friendly Name: " + bs);
              } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) {
                // the local key id is used to match a key
                // to its cert.  The key id is the SHA-1 hash of
                // the DER-encoded cert.
                OCTET_STRING os =
                    (OCTET_STRING)
                        ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate());
                System.out.println("LocalKeyID:");
                /*
                                     AuthenticatedSafes.
                                         print_byte_array(os.toByteArray());
                */
              } else {
                System.out.println("Unknown attribute type: " + a.getType().toString());
              }
            }
          }

          // now look at the contents of the bag
          ASN1Value val = safeBag.getInterpretedBagContent();

          if (val instanceof PrivateKeyInfo) {
            // A PrivateKeyInfo contains an unencrypted private key
            System.out.println("content is PrivateKeyInfo");
          } else if (val instanceof EncryptedPrivateKeyInfo) {
            // An EncryptedPrivateKeyInfo is, well, an encrypted
            // PrivateKeyInfo. Usually, strong crypto is used in
            // an EncryptedPrivateKeyInfo.
            EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val);
            System.out.println(
                "content is EncryptedPrivateKeyInfo, algoid:"
                    + epki.getEncryptionAlgorithm().getOID());

            // Because we are in a PKCS #12 file, the passwords are
            // char-to-byte converted in a special way.  We have to
            // use the special converter class instead of the default.
            PrivateKeyInfo pki = epki.decrypt(pass, new org.mozilla.jss.pkcs12.PasswordConverter());

            // import the key into the key3.db
            CryptoToken tok = manager.getTokenByName("Internal Key Storage Token");
            CryptoStore store = tok.getCryptoStore();
            tok.login(new ConsolePasswordCallback());
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            pki.encode(baos);
            store.importPrivateKey(baos.toByteArray(), PrivateKey.RSA);

            // re-encrypt the PrivateKeyInfo with the new password
            // and random salt
            byte[] salt = new byte[PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()];
            JSSSecureRandom rand = CryptoManager.getInstance().getSecureRNG();
            rand.nextBytes(salt);
            epki =
                EncryptedPrivateKeyInfo.createPBE(
                    PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, 1, new PasswordConverter(), pki);

            // Overwrite the previous EncryptedPrivateKeyInfo with
            // this new one we just created using the new password.
            // This is what will get put in the new PKCS #12 file
            // we are creating.
            safeContents.insertElementAt(
                new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), i);
            safeContents.removeElementAt(i + 1);

          } else if (val instanceof CertBag) {
            System.out.println("content is CertBag");
            CertBag cb = (CertBag) val;
            if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) {
              // this is an X.509 certificate
              OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert();
              Certificate cert =
                  (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray());
              cert.getInfo().print(System.out);
            } else {
              System.out.println("Unrecognized cert type");
            }
          } else {
            System.out.println("content is ANY");
          }
        }

        // Add the new safe contents to the new authsafes
        if (authSafes.safeContentsIsEncrypted(i)) {
          newAuthSafes.addEncryptedSafeContents(
              authSafes.DEFAULT_KEY_GEN_ALG,
              newPass,
              null,
              authSafes.DEFAULT_ITERATIONS,
              safeContents);
        } else {
          newAuthSafes.addSafeContents(safeContents);
        }
      }

      // Create new PFX from the new authsafes
      PFX newPfx = new PFX(newAuthSafes);

      // Add a MAC to the new PFX
      newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS);

      // write the new PFX out to a file
      FileOutputStream fos = new FileOutputStream(args[2]);
      newPfx.encode(fos);
      fos.close();

    } catch (Exception e) {
      e.printStackTrace();
    }
  }