PKI KRA Key Archive Java API - dogtagpki/pki GitHub Wiki
To archive a secret already encrypted in a template, prepare the input parameters (see KeyClient.java). For example, to archive a passphrase:
```java
// get algorithm OID
String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();

// generate nonce
byte[] nonceData = CryptoUtil.getNonceData(8);

// generate session key
SymmetricKey sessionKey = crypto.generateSessionKey();

// wrap session key with transport key
byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert);

// encrypt passphrase with session key
byte[] encryptedData = crypto.wrapWithSessionKey(passphrase, nonceData, sessionKey, KeyRequestResource.DES3_ALGORITHM);
```
To archive a symmetric key:
```java
// get algorithm OID
String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString();

// generate nonce
byte[] nonceData = CryptoUtil.getNonceData(8);

// generate session key
SymmetricKey sessionKey = crypto.generateSessionKey();

// wrap session key with transport key
byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert);

// encrypt symmetric key with session key
byte[] encryptedData = crypto.wrapWithSessionKey(secret, sessionKey, nonceData);
```
Store the input parameters in a file. For example, in XML format:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyArchivalRequest>
    <Attributes>
        <Attribute name="clientKeyID">test</Attribute>
        <Attribute name="dataType">passPhrase</Attribute>
        <Attribute name="keyAlgorithm"/>
        <Attribute name="keySize">0</Attribute>
        <Attribute name="algorithmOID">{1 2 840 113549 3 7}</Attribute>
        <Attribute name="symmetricAlgorithmParams">...</Attribute>
        <Attribute name="wrappedPrivateData">...</Attribute>
        <Attribute name="transWrappedSessionKey">...</Attribute>
    </Attributes>
    <ClassName>com.netscape.certsrv.key.KeyArchivalRequest</ClassName>
</KeyArchivalRequest>
```
Then execute the following command:
```
$ pki -n caadmin \
    kra-key-archive \
    --input input.xml \
    --input-format xml
```
Alternatively, the input parameters can be specified in JSON format:
```json
{
    "Attributes": {
        "Attribute": [
            { "name": "clientKeyID", "value": "test" },
            { "name": "dataType", "value": "passPhrase" },
            { "name": "keySize", "value": "0" },
            { "name": "algorithmOID", "value": "{1 2 840 113549 3 7}" },
            { "name": "symmetricAlgorithmParams", "value": "..." },
            { "name": "wrappedPrivateData", "value": "..." },
            { "name": "transWrappedSessionKey", "value": "..." }
        ]
    },
    "ClassName": "com.netscape.certsrv.key.KeyArchivalRequest"
}
```
Then execute the following command:
```
$ pki -n caadmin \
    kra-key-archive \
    --input input.json \
    --input-format json
```
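The snippets above rely on the PKI client library's `CryptoUtil` and `KeyClient` helpers. The following is an added, self-contained example (not part of this wiki page or the pki project's own code) that carries the same procedure through end to end with only the standard JCE: it loads the KRA transport certificate, generates the 8-byte nonce and a 3DES session key, encrypts the passphrase with the session key, wraps the session key with the transport certificate's RSA public key, and prints a `KeyArchivalRequest` in the JSON layout shown above, ready for `pki kra-key-archive --input-format json`. Two points are assumptions rather than facts stated on this page: that `symmetricAlgorithmParams` carries the base64-encoded nonce (IV), and that the session key is wrapped with RSA PKCS#1 v1.5 padding; check both against the `KeyClient` source for the KRA version you are talking to. The file name `transport.crt`, the class name and the sample passphrase are constructed for the example.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class ArchivePassphraseExample {

    // OID for des-ede3-cbc, written the way the algorithmOID attribute on this page expects it
    static final String DES3_CBC_OID = "{1 2 840 113549 3 7}";

    public static void main(String[] args) throws Exception {
        // Assumed inputs: path to the KRA transport certificate and the passphrase to archive
        String transportCertPath = args.length > 0 ? args[0] : "transport.crt";
        String passphrase = args.length > 1 ? args[1] : "constructed-sample-passphrase";

        // 1. Load the transport certificate (PEM or DER both work with CertificateFactory)
        X509Certificate transportCert;
        try (InputStream in = Files.newInputStream(Paths.get(transportCertPath))) {
            transportCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // 2. Generate an 8-byte nonce; for 3DES-CBC this is the IV (one block)
        byte[] nonceData = new byte[8];
        new SecureRandom().nextBytes(nonceData);

        // 3. Generate a fresh 3DES session key; it is never sent in the clear
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        kg.init(168);
        SecretKey sessionKey = kg.generateKey();

        // 4. Wrap the session key with the transport certificate's RSA public key
        //    (PKCS#1 v1.5 padding is an assumption; confirm against KeyClient for your KRA)
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.WRAP_MODE, transportCert.getPublicKey());
        byte[] transWrappedSessionKey = rsa.wrap(sessionKey);

        // 5. Encrypt the passphrase with the session key, CBC mode, nonce as IV
        Cipher des3 = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        des3.init(Cipher.ENCRYPT_MODE, sessionKey, new IvParameterSpec(nonceData));
        byte[] encryptedData = des3.doFinal(passphrase.getBytes(StandardCharsets.UTF_8));

        // 6. Emit the request document; only the KRA holding the transport private key can recover the secret
        System.out.println(buildRequestJson("test", "passPhrase", nonceData, encryptedData, transWrappedSessionKey));
    }

    // Builds the KeyArchivalRequest JSON exactly as laid out on this page, with binary fields base64-encoded.
    // Assumption: symmetricAlgorithmParams carries the base64 nonce (IV).
    static String buildRequestJson(String clientKeyId, String dataType,
                                   byte[] nonce, byte[] wrappedData, byte[] wrappedSessionKey) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "{\n"
            + "    \"Attributes\": {\n"
            + "        \"Attribute\": [\n"
            + attr("clientKeyID", clientKeyId) + ",\n"
            + attr("dataType", dataType) + ",\n"
            + attr("keySize", "0") + ",\n"
            + attr("algorithmOID", DES3_CBC_OID) + ",\n"
            + attr("symmetricAlgorithmParams", b64.encodeToString(nonce)) + ",\n"
            + attr("wrappedPrivateData", b64.encodeToString(wrappedData)) + ",\n"
            + attr("transWrappedSessionKey", b64.encodeToString(wrappedSessionKey)) + "\n"
            + "        ]\n"
            + "    },\n"
            + "    \"ClassName\": \"com.netscape.certsrv.key.KeyArchivalRequest\"\n"
            + "}";
    }

    // One attribute entry; values here are base64, digits or the OID string, so no JSON escaping is needed
    static String attr(String name, String value) {
        return "            { \"name\": \"" + name + "\", \"value\": \"" + value + "\" }";
    }
}
```

Run it as `java ArchivePassphraseExample transport.crt 'my secret' > input.json` and submit the file with the `kra-key-archive` command shown above. The design point worth noticing is the two-layer envelope: the secret is only ever encrypted under a per-request session key generated on the client, and that session key is only ever encrypted under the KRA transport certificate, so neither the CLI, the CA admin credential nor the TLS channel is what protects the archived secret. The example keeps 3DES because that is the `algorithmOID` this page uses; if your KRA version advertises an AES wrapping algorithm, prefer it and change the OID, key generator and cipher transformation together.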