public static void main(String args[]) { try { if (args.length < 2) { System.out.println( "Usage: FipsTest <dbdir> <fipsmode enter: " + "enable OR disable OR chkfips > <password file>"); return; } String dbdir = args[0]; String fipsmode = args[1]; String password = ""; if (args.length == 3) { password = args[2]; System.out.println("The password file " + password); } CryptoManager.InitializationValues vals = new CryptoManager.InitializationValues(dbdir); System.out.println("output of Initilization values "); System.out.println("Manufacturer ID: " + vals.getManufacturerID()); System.out.println("Library: " + vals.getLibraryDescription()); System.out.println("Internal Slot: " + vals.getInternalSlotDescription()); System.out.println("Internal Token: " + vals.getInternalTokenDescription()); System.out.println("Key Storage Slot: " + vals.getFIPSKeyStorageSlotDescription()); System.out.println("Key Storage Token: " + vals.getInternalKeyStorageTokenDescription()); System.out.println("FIPS Slot: " + vals.getFIPSSlotDescription()); System.out.println("FIPS Key Storage: " + vals.getFIPSKeyStorageSlotDescription()); if (fipsmode.equalsIgnoreCase("enable")) { vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.ENABLED; } else if (fipsmode.equalsIgnoreCase("disable")) { vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.DISABLED; } else { vals.fipsMode = CryptoManager.InitializationValues.FIPSMode.UNCHANGED; } CryptoManager.initialize(vals); CryptoManager cm = CryptoManager.getInstance(); if (cm.FIPSEnabled() == true) { System.out.println("\n\t\tFIPS enabled\n"); } else { System.out.println("\n\t\tFIPS not enabled\n"); } java.util.Enumeration items; items = cm.getModules(); System.out.println("\nListing of Modules:"); while (items.hasMoreElements()) { System.out.println("\t" + ((PK11Module) items.nextElement()).getName()); } CryptoToken tok; String tokenName; items = cm.getAllTokens(); System.out.println("\nAll Tokens:"); while (items.hasMoreElements()) { tok = (CryptoToken) items.nextElement(); System.out.print("\t" + tok.getName()); if (tok.needsLogin() == true) { System.out.println("\t - Needs login.\n"); } else { System.out.println("\t - Does not need login.\n"); } } items = cm.getExternalTokens(); System.out.println("\nExternal Tokens:"); while (items.hasMoreElements()) { System.out.println("\t" + ((CryptoToken) items.nextElement()).getName()); } /* find the Internal Key Storage token */ if (cm.FIPSEnabled() == true) { tokenName = vals.getFIPSSlotDescription(); } else { tokenName = vals.getInternalKeyStorageTokenDescription(); } /* truncate to 32 bytes and remove trailing white space*/ tokenName = tokenName.substring(0, 32); tokenName = tokenName.trim(); System.out.println("\nFinding the Internal Key Storage token: " + tokenName); tok = cm.getTokenByName(tokenName); if (((PK11Token) tok).isInternalKeyStorageToken() && tok.equals(cm.getInternalKeyStorageToken())) { System.out.println( "Good, " + tok.getName() + ", knows it is " + "the internal Key Storage Token"); } else { System.out.println( "ERROR: " + tok.getName() + ", doesn't know" + " it is the internal key storage token"); } if (!password.equals("")) { System.out.println("logging in to the Token: " + tok.getName()); PasswordCallback cb = new FilePasswordCallback(password); tok.login(cb); System.out.println("logged in to the Token: " + tok.getName()); } /* find the Internal Crypto token */ if (cm.FIPSEnabled() == true) { tokenName = vals.getFIPSSlotDescription(); } else { tokenName = vals.getInternalTokenDescription(); } /* truncate to 32 bytes and remove trailing white space*/ tokenName = tokenName.substring(0, 32); tokenName = tokenName.trim(); System.out.println("\nFinding the Internal Crypto token: " + tokenName); tok = cm.getTokenByName(tokenName); if (((PK11Token) tok).isInternalCryptoToken() && tok.equals(cm.getInternalCryptoToken())) { System.out.println("Good, " + tok.getName() + ", knows it is the internal Crypto token"); } else { System.out.println( "ERROR: " + tok.getName() + ", doesn't know that it is the internal Crypto token"); } System.exit(0); } catch (Exception e) { e.printStackTrace(); System.exit(1); } }
public static void main(String[] args) { try { // Read arguments if (args.length != 3) { System.out.println("Usage: PFX <dbdir> <infile> <outfile>"); System.exit(-1); } // open input file for reading FileInputStream infile = null; try { infile = new FileInputStream(args[1]); } catch (FileNotFoundException f) { System.out.println("Cannot open file " + args[1] + " for reading: " + f.getMessage()); return; } int certfile = 0; // initialize CryptoManager. This is necessary because there is // crypto involved with decoding a PKCS #12 file CryptoManager.initialize(args[0]); CryptoManager manager = CryptoManager.getInstance(); // Decode the P12 file PFX.Template pfxt = new PFX.Template(); PFX pfx = (PFX) pfxt.decode(new BufferedInputStream(infile, 2048)); System.out.println("Decoded PFX"); // print out information about the top-level PFX structure System.out.println("Version: " + pfx.getVersion()); AuthenticatedSafes authSafes = pfx.getAuthSafes(); SEQUENCE safeContentsSequence = authSafes.getSequence(); System.out.println("AuthSafes has " + safeContentsSequence.size() + " SafeContents"); // Get the password for the old file System.out.println("Enter password: "******"Enter new password:"******"AuthSafes verifies correctly."); } else { System.out.println("AuthSafes failed to verify because: " + sb); } // Create a new AuthenticatedSafes. As we read the contents of the // old authSafes, we will store them into the new one. After we have // cycled through all the contents, they will all have been copied into // the new authSafes. AuthenticatedSafes newAuthSafes = new AuthenticatedSafes(); // Loop over contents of the old authenticated safes // for(int i=0; i < asSeq.size(); i++) { for (int i = 0; i < safeContentsSequence.size(); i++) { // The safeContents may or may not be encrypted. We always send // the password in. It will get used if it is needed. If the // decryption of the safeContents fails for some reason (like // a bad password), then this method will throw an exception SEQUENCE safeContents = authSafes.getSafeContentsAt(pass, i); System.out.println("\n\nSafeContents #" + i + " has " + safeContents.size() + " bags"); // Go through all the bags in this SafeContents for (int j = 0; j < safeContents.size(); j++) { SafeBag safeBag = (SafeBag) safeContents.elementAt(j); // The type of the bag is an OID System.out.println("\nBag " + j + " has type " + safeBag.getBagType()); // look for bag attributes SET attribs = safeBag.getBagAttributes(); if (attribs == null) { System.out.println("Bag has no attributes"); } else { for (int b = 0; b < attribs.size(); b++) { Attribute a = (Attribute) attribs.elementAt(b); if (a.getType().equals(SafeBag.FRIENDLY_NAME)) { // the friendly name attribute is a nickname BMPString bs = (BMPString) ((ANY) a.getValues().elementAt(0)).decodeWith(BMPString.getTemplate()); System.out.println("Friendly Name: " + bs); } else if (a.getType().equals(SafeBag.LOCAL_KEY_ID)) { // the local key id is used to match a key // to its cert. The key id is the SHA-1 hash of // the DER-encoded cert. OCTET_STRING os = (OCTET_STRING) ((ANY) a.getValues().elementAt(0)).decodeWith(OCTET_STRING.getTemplate()); System.out.println("LocalKeyID:"); /* AuthenticatedSafes. print_byte_array(os.toByteArray()); */ } else { System.out.println("Unknown attribute type: " + a.getType().toString()); } } } // now look at the contents of the bag ASN1Value val = safeBag.getInterpretedBagContent(); if (val instanceof PrivateKeyInfo) { // A PrivateKeyInfo contains an unencrypted private key System.out.println("content is PrivateKeyInfo"); } else if (val instanceof EncryptedPrivateKeyInfo) { // An EncryptedPrivateKeyInfo is, well, an encrypted // PrivateKeyInfo. Usually, strong crypto is used in // an EncryptedPrivateKeyInfo. EncryptedPrivateKeyInfo epki = ((EncryptedPrivateKeyInfo) val); System.out.println( "content is EncryptedPrivateKeyInfo, algoid:" + epki.getEncryptionAlgorithm().getOID()); // Because we are in a PKCS #12 file, the passwords are // char-to-byte converted in a special way. We have to // use the special converter class instead of the default. PrivateKeyInfo pki = epki.decrypt(pass, new org.mozilla.jss.pkcs12.PasswordConverter()); // import the key into the key3.db CryptoToken tok = manager.getTokenByName("Internal Key Storage Token"); CryptoStore store = tok.getCryptoStore(); tok.login(new ConsolePasswordCallback()); ByteArrayOutputStream baos = new ByteArrayOutputStream(); pki.encode(baos); store.importPrivateKey(baos.toByteArray(), PrivateKey.RSA); // re-encrypt the PrivateKeyInfo with the new password // and random salt byte[] salt = new byte[PBEAlgorithm.PBE_SHA1_DES3_CBC.getSaltLength()]; JSSSecureRandom rand = CryptoManager.getInstance().getSecureRNG(); rand.nextBytes(salt); epki = EncryptedPrivateKeyInfo.createPBE( PBEAlgorithm.PBE_SHA1_DES3_CBC, newPass, salt, 1, new PasswordConverter(), pki); // Overwrite the previous EncryptedPrivateKeyInfo with // this new one we just created using the new password. // This is what will get put in the new PKCS #12 file // we are creating. safeContents.insertElementAt( new SafeBag(safeBag.getBagType(), epki, safeBag.getBagAttributes()), i); safeContents.removeElementAt(i + 1); } else if (val instanceof CertBag) { System.out.println("content is CertBag"); CertBag cb = (CertBag) val; if (cb.getCertType().equals(CertBag.X509_CERT_TYPE)) { // this is an X.509 certificate OCTET_STRING os = (OCTET_STRING) cb.getInterpretedCert(); Certificate cert = (Certificate) ASN1Util.decode(Certificate.getTemplate(), os.toByteArray()); cert.getInfo().print(System.out); } else { System.out.println("Unrecognized cert type"); } } else { System.out.println("content is ANY"); } } // Add the new safe contents to the new authsafes if (authSafes.safeContentsIsEncrypted(i)) { newAuthSafes.addEncryptedSafeContents( authSafes.DEFAULT_KEY_GEN_ALG, newPass, null, authSafes.DEFAULT_ITERATIONS, safeContents); } else { newAuthSafes.addSafeContents(safeContents); } } // Create new PFX from the new authsafes PFX newPfx = new PFX(newAuthSafes); // Add a MAC to the new PFX newPfx.computeMacData(newPass, null, PFX.DEFAULT_ITERATIONS); // write the new PFX out to a file FileOutputStream fos = new FileOutputStream(args[2]); newPfx.encode(fos); fos.close(); } catch (Exception e) { e.printStackTrace(); } }