use of org.mozilla.jss.util.PasswordCallback in project jss by dogtagpki.
the class FipsTest method main.
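/**
 * Exercises the JSS FIPS switch from the command line.
 *
 * <p>Usage: {@code FipsTest <dbdir> <enable|disable|chkfips> [<password file>]}.
 * Builds {@link InitializationValues} for {@code dbdir}, sets the requested FIPS
 * mode (any keyword other than {@code enable}/{@code disable} leaves the mode
 * unchanged), initializes the {@link CryptoManager}, prints modules and tokens,
 * and checks that the internal key storage token and the internal crypto token
 * can be located by the names derived from the initialization values. When a
 * password file is given, the internal key storage token is logged in through a
 * {@link FilePasswordCallback}.
 *
 * <p>Prints usage and returns when fewer than two arguments are given; otherwise
 * exits with status 0 on completion and 1 if any step throws.
 *
 * @param args {@code dbdir}, FIPS mode keyword, optional password file path
 */
public static void main(String[] args) {
    try {
        if (args.length < 2) {
            System.out.println("Usage: FipsTest <dbdir> <fipsmode enter: " + "enable OR disable OR chkfips > <password file>");
            return;
        }
        String dbdir = args[0];
        String fipsmode = args[1];
        String passwordFile = "";
        if (args.length == 3) {
            passwordFile = args[2];
            System.out.println("The password file " + passwordFile);
        }
        InitializationValues vals = new InitializationValues(dbdir);
        System.out.println("output of Initilization values ");
        System.out.println("Manufacturer ID: " + vals.getManufacturerID());
        System.out.println("Library: " + vals.getLibraryDescription());
        System.out.println("Internal Slot: " + vals.getInternalSlotDescription());
        System.out.println("Internal Token: " + vals.getInternalTokenDescription());
        // NOTE(review): the FIPS key storage slot description is printed here and
        // again under the "FIPS Key Storage" label below — confirm this is intended.
        System.out.println("Key Storage Slot: " + vals.getFIPSKeyStorageSlotDescription());
        System.out.println("Key Storage Token: " + vals.getInternalKeyStorageTokenDescription());
        System.out.println("FIPS Slot: " + vals.getFIPSSlotDescription());
        System.out.println("FIPS Key Storage: " + vals.getFIPSKeyStorageSlotDescription());
        vals.fipsMode = parseFipsMode(fipsmode);
        CryptoManager.initialize(vals);
        CryptoManager cm = CryptoManager.getInstance();
        // Queried once; the mode cannot change during this run.
        boolean fipsEnabled = cm.FIPSEnabled();
        System.out.println(fipsEnabled ? "\n\t\tFIPS enabled\n" : "\n\t\tFIPS not enabled\n");
        Enumeration<PK11Module> modules = cm.getModules();
        System.out.println("\nListing of Modules:");
        while (modules.hasMoreElements()) {
            System.out.println("\t" + modules.nextElement().getName());
        }
        Enumeration<CryptoToken> tokens = cm.getAllTokens();
        System.out.println("\nAll Tokens:");
        while (tokens.hasMoreElements()) {
            CryptoToken t = tokens.nextElement();
            System.out.print("\t" + t.getName());
            System.out.println(t.needsLogin() ? "\t - Needs login.\n" : "\t - Does not need login.\n");
        }
        tokens = cm.getExternalTokens();
        System.out.println("\nExternal Tokens:");
        while (tokens.hasMoreElements()) {
            System.out.println("\t" + tokens.nextElement().getName());
        }
        // When FIPS is enabled, both internal-token lookups use the FIPS slot description.
        String keyStorageName = tokenNameFromDescription(
                fipsEnabled ? vals.getFIPSSlotDescription() : vals.getInternalKeyStorageTokenDescription());
        System.out.println("\nFinding the Internal Key Storage token: " + keyStorageName);
        CryptoToken tok = cm.getTokenByName(keyStorageName);
        if (((PK11Token) tok).isInternalKeyStorageToken() && tok.equals(cm.getInternalKeyStorageToken())) {
            System.out.println("Good, " + tok.getName() + ", knows it is " + "the internal Key Storage Token");
        } else {
            System.out.println("ERROR: " + tok.getName() + ", doesn't know" + " it is the internal key storage token");
        }
        if (!passwordFile.isEmpty()) {
            System.out.println("logging in to the Token: " + tok.getName());
            PasswordCallback cb = new FilePasswordCallback(passwordFile);
            tok.login(cb);
            System.out.println("logged in to the Token: " + tok.getName());
        }
        String cryptoName = tokenNameFromDescription(
                fipsEnabled ? vals.getFIPSSlotDescription() : vals.getInternalTokenDescription());
        System.out.println("\nFinding the Internal Crypto token: " + cryptoName);
        tok = cm.getTokenByName(cryptoName);
        if (((PK11Token) tok).isInternalCryptoToken() && tok.equals(cm.getInternalCryptoToken())) {
            System.out.println("Good, " + tok.getName() + ", knows it is the internal Crypto token");
        } else {
            System.out.println("ERROR: " + tok.getName() + ", doesn't know that it is the internal Crypto token");
        }
        System.exit(0);
    } catch (Exception e) {
        e.printStackTrace();
        System.exit(1);
    }
}

/**
 * Maps the command-line FIPS keyword to an {@link InitializationValues.FIPSMode}.
 * {@code enable} and {@code disable} are matched case-insensitively; any other
 * keyword (e.g. {@code chkfips}) leaves the mode {@code UNCHANGED}.
 *
 * @param keyword the second command-line argument
 * @return the FIPS mode to request at initialization
 */
private static InitializationValues.FIPSMode parseFipsMode(String keyword) {
    if (keyword.equalsIgnoreCase("enable")) {
        return InitializationValues.FIPSMode.ENABLED;
    }
    if (keyword.equalsIgnoreCase("disable")) {
        return InitializationValues.FIPSMode.DISABLED;
    }
    return InitializationValues.FIPSMode.UNCHANGED;
}

/**
 * Derives the name used for {@code getTokenByName} from a slot/token description:
 * at most 32 characters, with surrounding whitespace removed.
 *
 * <p>The descriptions are treated as fixed-width padded strings (hence truncate,
 * then trim). Guarding on the length means a description shorter than 32
 * characters no longer throws {@link StringIndexOutOfBoundsException}, which the
 * previous unconditional {@code substring(0, 32)} did.
 *
 * @param description a description string from {@link InitializationValues}
 * @return the trimmed, at-most-32-character token name
 */
private static String tokenNameFromDescription(String description) {
    String truncated = description.length() > 32 ? description.substring(0, 32) : description;
    return truncated.trim();
}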
use of org.mozilla.jss.util.PasswordCallback in project jss by dogtagpki.
the class TokenCallbackInfo method changePassword.
/**
 * Changes the user PIN on this token.
 *
 * <p>The current PIN is requested from {@code oldPINcb} and re-requested through
 * {@code getPasswordAgain} until {@code userPasswordIsCorrect} accepts it. The
 * new PIN is then taken from {@code newPINcb} and both are handed to the
 * byte-array overload of {@code changePassword}. A {@code null} callback is
 * replaced by a {@link NullPasswordCallback}. Every {@link Password} and every
 * byte copy obtained here is wiped before the method returns, whether it
 * succeeds or fails.
 *
 * @param oldPINcb callback supplying the current user PIN; may be {@code null}
 * @param newPINcb callback supplying the new user PIN; may be {@code null}
 * @throws IncorrectPasswordException if a callback gives up
 *         ({@link PasswordCallback.GiveUpException})
 * @throws TokenException if the token reports any other error
 */
@Override
public void changePassword(PasswordCallback oldPINcb, PasswordCallback newPINcb) throws IncorrectPasswordException, TokenException {
    PasswordCallbackInfo info = makePWCBInfo();
    PasswordCallback oldCb = (oldPINcb == null) ? new NullPasswordCallback() : oldPINcb;
    PasswordCallback newCb = (newPINcb == null) ? new NullPasswordCallback() : newPINcb;
    Password oldPassword = null;
    Password newPassword = null;
    byte[] oldBytes = null;
    byte[] newBytes = null;
    try {
        // Collect the current PIN, retrying until the token accepts it.
        oldPassword = oldCb.getPasswordFirstAttempt(info);
        oldBytes = Tunnel.getPasswordByteCopy(oldPassword);
        while (!userPasswordIsCorrect(oldBytes)) {
            // Scrub the rejected attempt before asking for another one.
            Password.wipeBytes(oldBytes);
            oldPassword.clear();
            oldPassword = oldCb.getPasswordAgain(info);
            oldBytes = Tunnel.getPasswordByteCopy(oldPassword);
        }
        // Collect the replacement PIN and apply the change.
        newPassword = newCb.getPasswordFirstAttempt(info);
        newBytes = Tunnel.getPasswordByteCopy(newPassword);
        changePassword(oldBytes, newBytes);
    } catch (PasswordCallback.GiveUpException e) {
        throw new IncorrectPasswordException(e.toString());
    } finally {
        // Whatever happened above, leave no PIN material behind.
        if (oldBytes != null) {
            Password.wipeBytes(oldBytes);
        }
        if (oldPassword != null) {
            oldPassword.clear();
        }
        if (newBytes != null) {
            Password.wipeBytes(newBytes);
        }
        if (newPassword != null) {
            newPassword.clear();
        }
    }
}
use of org.mozilla.jss.util.PasswordCallback in project jss by dogtagpki.
the class TokenCallbackInfo method initPassword.
/**
* Determines whether this is a removable token. For example, a smart card
* is removable, while the Netscape internal module and a hardware
* accelerator card are not removable.
* @return true if the token is removable, false otherwise.
*/
// public native boolean isRemovable();
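/**
 * Initializes the user PIN of this token.
 *
 * <p>For the internal key storage token no security officer (SSO) PIN is
 * collected; a single zero byte is passed as the SSO password instead. For any
 * other token the SSO PIN is requested from {@code ssopwcb} and re-requested
 * through {@code getPasswordAgain} until {@code SSOPasswordIsCorrect} accepts
 * it. The new user PIN is then taken from {@code userpwcb} and both are handed
 * to the byte-array overload of {@code initPassword}. A {@code null} callback is
 * replaced by a {@link NullPasswordCallback}. All PIN material copied here is
 * wiped in {@code finally}, on success and failure alike.
 *
 * @param ssopwcb callback supplying the security officer's current PIN; may be
 *        {@code null}
 * @param userpwcb callback supplying the user's new PIN; may be {@code null}
 * @throws AlreadyInitializedException if {@code PWInitable()} returns
 *         {@code false}, i.e. the PIN cannot be initialized (the exception name
 *         indicates it has already been set). The previous Javadoc stated the
 *         inverted condition.
 * @throws IncorrectPasswordException if a callback gives up
 *         ({@link PasswordCallback.GiveUpException})
 * @throws TokenException if the token reports any other error
 */
@Override
public void initPassword(PasswordCallback ssopwcb, PasswordCallback userpwcb) throws IncorrectPasswordException, AlreadyInitializedException, TokenException {
    byte[] ssopwArray = null;
    byte[] userpwArray = null;
    Password ssopw = null;
    Password userpw = null;
    PasswordCallbackInfo pwcb = makePWCBInfo();
    if (ssopwcb == null) {
        ssopwcb = new NullPasswordCallback();
    }
    if (userpwcb == null) {
        userpwcb = new NullPasswordCallback();
    }
    try {
        // Refuse to proceed if the token reports the PIN is not initializable.
        if (!PWInitable()) {
            throw new AlreadyInitializedException();
        }
        if (isInternalKeyStorageToken()) {
            // The internal module takes a placeholder SSO password.
            ssopwArray = new byte[] { 0 };
        } else {
            // Collect the SSO PIN, retrying until the token accepts it; each
            // rejected copy is scrubbed before the next attempt.
            ssopw = ssopwcb.getPasswordFirstAttempt(pwcb);
            ssopwArray = Tunnel.getPasswordByteCopy(ssopw);
            while (!SSOPasswordIsCorrect(ssopwArray)) {
                Password.wipeBytes(ssopwArray);
                ssopw.clear();
                ssopw = ssopwcb.getPasswordAgain(pwcb);
                ssopwArray = Tunnel.getPasswordByteCopy(ssopw);
            }
        }
        // Collect the new user PIN and apply it.
        userpw = userpwcb.getPasswordFirstAttempt(pwcb);
        userpwArray = Tunnel.getPasswordByteCopy(userpw);
        initPassword(ssopwArray, userpwArray);
    } catch (PasswordCallback.GiveUpException e) {
        throw new IncorrectPasswordException(e.toString());
    } finally {
        // Zero every copy of PIN material, regardless of outcome.
        if (ssopwArray != null) {
            Password.wipeBytes(ssopwArray);
        }
        if (ssopw != null) {
            ssopw.clear();
        }
        if (userpwArray != null) {
            Password.wipeBytes(userpwArray);
        }
        if (userpw != null) {
            userpw.clear();
        }
    }
}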
use of org.mozilla.jss.util.PasswordCallback in project jss by dogtagpki.
the class JSS_SelfServServer method doIt.
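/**
 * Runs the self-serve SSL test server; does not return normally.
 *
 * <p>Positional arguments: {@code <certDbPath|.> <passwordFile|passwords>
 * <serverHost|localhost> <true|false> <port> [verbose] [serverCertNick|default]}.
 * The literal shown after each {@code |} leaves the corresponding field at its
 * initial value. The fourth argument selects whether the server socket is bound
 * to the resolved address of {@code fServerHost} or to the wildcard address.
 *
 * <p>After logging the internal key storage token in with the password file, the
 * default cipher preferences are configured: with {@code cm.FIPSEnabled()} only
 * FIPS suites stay enabled and SSL2/SSL3 are disabled; otherwise every
 * implemented suite is enabled and only SSL2 is disabled. The server socket is
 * then bound with a 10 minute accept timeout, and each accepted connection is
 * handed to a {@code readWriteThread}.
 *
 * <p>Exits with status 1 on a usage error, an unparsable port, a cipher
 * preference failure, expiry of the accept timeout, or any other exception in
 * the accept loop.
 *
 * @param args positional arguments as described above
 * @throws Exception if token login or socket setup fails before the accept loop
 */
public void doIt(String[] args) throws Exception {
    if (args.length < 5 || args[0].equalsIgnoreCase("-h")) {
        System.out.println(usage);
        System.exit(1);
    }
    try {
        if (!args[0].equals(".")) {
            fCertDbPath = args[0];
        }
        if (!args[1].equals("passwords")) {
            fPasswordFile = args[1];
        }
        if (!args[2].equals("localhost")) {
            fServerHost = args[2];
        }
        if (args[3].equalsIgnoreCase("true")) {
            TestInetAddress = true;
        }
        // args.length >= 5 is already guaranteed by the usage check above.
        port = Integer.parseInt(args[4]);
        if (args.length >= 6 && args[5].equalsIgnoreCase("verbose")) {
            bVerbose = true;
        }
        if (args.length >= 7 && !args[6].equalsIgnoreCase("default")) {
            // NOTE(review): fServerCertNick is stored but this method binds the
            // hard-coded Server_ECDSA/Server_RSA/Server_DSS nicknames below;
            // confirm where the field is consumed.
            fServerCertNick = args[6];
        }
    } catch (NumberFormatException e) {
        System.out.println("Error parsing command line " + e.getMessage());
        System.out.println(usage);
        System.exit(1);
    }
    if (bVerbose) {
        System.out.println("initializing JSS");
    }
    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken tok = cm.getInternalKeyStorageToken();
    PasswordCallback cb = new FilePasswordCallback(fPasswordFile);
    tok.login(cb);
    // The session ID cache must be configured before any server socket exists.
    SSLServerSocket.configServerSessionIDCache(10, 100, 100, null);
    if (cm.FIPSEnabled()) {
        // FIPS mode: no SSL2/SSL3, and only FIPS-approved suites remain enabled.
        SSLSocket.enableSSL2Default(false);
        SSLSocket.enableSSL3Default(false);
        int[] ciphers = SSLSocket.getImplementedCipherSuites();
        for (int cipher : ciphers) {
            if (SSLSocket.isFipsCipherSuite(cipher)) {
                SSLSocket.setCipherPreferenceDefault(cipher, true);
            } else if (SSLSocket.getCipherPreferenceDefault(cipher)) {
                SSLSocket.setCipherPreferenceDefault(cipher, false);
            }
        }
    } else {
        // Non-FIPS: enable everything implemented; the server certificate decides
        // which suites are actually usable at handshake time.
        int[] ciphers = SSLSocket.getImplementedCipherSuites();
        for (int cipher : ciphers) {
            try {
                SSLSocket.setCipherPreferenceDefault(cipher, true);
                if (bVerbose) {
                    System.out.println(Constants.cipher.cipherToString(cipher) + " " + Integer.toHexString(cipher));
                }
            } catch (Exception ex) {
                ex.printStackTrace();
                System.exit(1);
            }
        }
        SSLSocket.enableSSL2Default(false);
    }
    if (bVerbose) {
        System.out.println("JSS_SelfServServ about .... to create socket");
    }
    if (TestInetAddress) {
        // Resolve once and reuse for both the log line and the bind.
        InetAddress bindAddress = InetAddress.getByName(fServerHost);
        if (bVerbose) {
            System.out.println("JSS_SelfServServ HostName " + fServerHost + " the Inet Address " + bindAddress);
        }
        serverSock = new SSLServerSocket(port, 5, bindAddress, null, true);
    } else {
        if (bVerbose) {
            System.out.println("Inet set to Null");
        }
        serverSock = new SSLServerSocket(port, 5, null, null, true);
    }
    if (bVerbose) {
        System.out.println("JSS_SelfServServ created socket");
    }
    // Ten minute accept timeout: a test with no connecting client ends here.
    serverSock.setSoTimeout(600 * 1000);
    serverSock.requireClientAuth(SSLSocket.SSL_REQUIRE_NO_ERROR);
    // One nickname per key type — presumably each call configures the cert for
    // its own key type rather than overriding the previous one; confirm against
    // SSLServerSocket.setServerCertNickname.
    serverSock.setServerCertNickname("Server_ECDSA");
    serverSock.setServerCertNickname("Server_RSA");
    serverSock.setServerCertNickname("Server_DSS");
    if (bVerbose) {
        System.out.println("JSS_SelfServServ specified cert by nickname");
    }
    System.out.println("JSS_SelfServServ " + fServerHost + " ready to accept connections on " + port);
    int socketCntr = 0;
    try {
        while (true) {
            sock = (SSLSocket) serverSock.accept();
            sock.addHandshakeCompletedListener(new HandshakeListener("server", this));
            socketCntr++;
            // Per-connection read timeout of five minutes.
            sock.setSoTimeout(300 * 1000);
            if (bVerbose) {
                System.out.println("Timeout value for SSL sockets: " + sock.getSoTimeout() + " milliseconds");
            }
            readWriteThread rwThread = new readWriteThread(sock, socketCntr);
            rwThread.start();
        }
    } catch (SocketTimeoutException ex) {
        if (socketCntr == 0) {
            System.out.println("JSS_SelfServServ No Client attempted to " + "connect! If " + "test ran from all.pl check the client execution " + "for errors.");
        } else {
            System.out.println("JSS_SelfServServ there has been " + socketCntr + " client " + " connections but the server Accept has timed out!");
        }
        System.out.println("JSS_SelfServServ Timeout value: " + serverSock.getSoTimeout() + " milliseconds");
        ex.printStackTrace();
        System.out.println("JSS_SelfServServ exiting due to timeout.");
        System.exit(1);
    } catch (Exception ex) {
        System.out.println("JSS_SelfServServ Exception:");
        ex.printStackTrace();
        System.out.println("JSS_SelfServServ exiting.");
        System.exit(1);
    }
}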
use of org.mozilla.jss.util.PasswordCallback in project jss by dogtagpki.
the class KeyFactoryTest method main.
/**
 * Entry point: logs the internal key storage token in with the password file
 * named on the command line, then runs {@code doTest()} on a fresh instance.
 *
 * @param argv {@code <dbdir> <passwordFile>}; only {@code argv[1]} is read here.
 *        {@code dbdir} is not used by this method — presumably the CryptoManager
 *        is initialized elsewhere before this runs; confirm against the caller.
 * @throws Throwable anything raised by token login or by {@code doTest()}
 */
public static void main(String[] argv) throws Throwable {
    if (argv.length < 2) {
        System.out.println("Usage: java org.mozilla.jss.tests.KeyFactoryTest " + "<dbdir> <passwordFile>");
        System.exit(1);
    }
    CryptoManager manager = CryptoManager.getInstance();
    CryptoToken keyStorage = manager.getInternalKeyStorageToken();
    PasswordCallback callback = new FilePasswordCallback(argv[1]);
    keyStorage.login(callback);
    // A dump of all installed security providers was deliberately left out here:
    // it only adds noise to the nightly QA logs.
    KeyFactoryTest test = new KeyFactoryTest();
    test.doTest();
}