PKI KRA Key Archive Java API - dogtagpki/pki GitHub Wiki

Archiving a Pre-encrypted Secret

To archive a secret already encrypted in a template, prepare the input parameters (see KeyClient.java). For example, to archive a passphrase:

// get algorithm OID
String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();

// generate nonce
byte[] nonceData = CryptoUtil.getNonceData(8);

// generate session key
SymmetricKey sessionKey = crypto.generateSessionKey();

// wrap session key with transport key
byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert);

// encrypt passphrase with session key
byte[] encryptedData = crypto.wrapWithSessionKey(passphrase, nonceData, sessionKey, KeyRequestResource.DES3_ALGORITHM);

To archive a symmetric key:

// get algorithm OID
String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();

// generate nonce
byte[] nonceData = CryptoUtil.getNonceData(8);

// generate session key
SymmetricKey sessionKey = crypto.generateSessionKey();

// wrap session key with transport key
byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert);

// encrypt symmetric key with session key
byte[] encryptedData = crypto.wrapWithSessionKey(secret, sessionKey, nonceData);

Store the input parameters in a file. For example, in XML format:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyArchivalRequest>
    <Attributes>
        <Attribute name="clientKeyID">test</Attribute>
        <Attribute name="dataType">passPhrase</Attribute>
        <Attribute name="keyAlgorithm"/>
        <Attribute name="keySize">0</Attribute>
        <Attribute name="algorithmOID">{1 2 840 113549 3 7}</Attribute>
        <Attribute name="symmetricAlgorithmParams">...</Attribute>
        <Attribute name="wrappedPrivateData">...</Attribute>
        <Attribute name="transWrappedSessionKey">...</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyArchivalRequest</ClassName>
</KeyArchivalRequest>

Then execute the following command:

$ pki -n caadmin \
    kra-key-archive \
    --input input.xml \
    --input-format xml

Alternatively, the input parameters can be specified in JSON format:

{
    "Attributes": {
        "Attribute": [
            {
                "name": "clientKeyID",
                "value": "test"
            },
            {
                "name": "dataType",
                "value":"passPhrase"
            },
            {
                "name": "keySize",
                "value": "0"
            },
            {
                "name": "algorithmOID",
                "value": "{1 2 840 113549 3 7}"
            },
            {
                "name": "symmetricAlgorithmParams",
                "value": "..."
            },
            {
                "name": "wrappedPrivateData",
                "value": "..."
            },
            {
                "name": "transWrappedSessionKey",
                "value": "..."
            }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}

Then execute the following command:

$ pki -n caadmin \
    kra-key-archive \
    --input input.json \
    --input-format json

See Also

⚠️ **GitHub.com Fallback** ⚠️