无法使用 LDAP 从 Symantec Encryption Management Server 删除或修改 PGP 密钥

Unable to delete or modify PGP keys from Symantec Encryption Management Server using LDAP

我想使用 LDAP 从 SEMS 服务器删除或修改 PGP public 密钥。为此,我正在使用 LDAP SDK 来自 UnboundIDDidisoft PGP java 库。当我执行代码时 connection.modify(request)connection.delete(request) 都给出相同的结果 Success ,但没有从服务器中删除,我仍然可以在服务器上看到密钥。我的代码是这样的。

待修改

if (keyFound)
   {
     byte[] bytes = keyStr.getBytes();
     this.tmpKS.purge();
     KeyPairInformation[] keysTmp = this.tmpKS.importKeyRing(new ByteArrayInputStream(bytes));
     KeyPairInformation tmpKeys = keysTmp[0];
     String certIdS = Long.toHexString(tmpKeys.getKeyID()).toUpperCase();
     for (int i = 0; i < 16 - certIdS.length(); i++) {
         certIdS = "0" + certIdS;
     }
     object = "pgpCertID=" + certIdS + "," + keysDn;
     ModifyRequest request = new ModifyRequest(object, new Modification[] { new Modification(ModificationType.REPLACE, "pgpCertID", certId), new Modification(ModificationType.REPLACE, "pgpKeyID", key.getKeyIDHex()), new Modification(ModificationType.REPLACE, "pgpKeyType", key.getAlgorithm()), new Modification(ModificationType.REPLACE, "pgpKeyCreateTime", keyCreationTime), new Modification(ModificationType.REPLACE, "pgpSignerID", certId), new Modification(ModificationType.REPLACE, "pgpRevoked", key.isRevoked() ? "1" : "0"), new Modification(ModificationType.REPLACE, "pgpCertID", certId), new Modification(ModificationType.REPLACE, "pgpDisabled", "0"), new Modification(ModificationType.REPLACE, "pgpKeyID", key.getKeyIDHex()), new Modification(ModificationType.REPLACE, "pgpKeyType", key.getAlgorithm()), new Modification(ModificationType.REPLACE, "pgpUserID", key.getUserID() + '[=10=]0'), new Modification(ModificationType.REPLACE, "pgpSignerID", certId), new Modification(ModificationType.REPLACE, "pgpKeySize", padLeft(key.getKeySize(), 5)), new Modification(ModificationType.REPLACE, "pgpDisabled", "0"), new Modification(ModificationType.REPLACE, "objectClass", "pgpKeyInfo"), new Modification(ModificationType.REPLACE, "pgpKey", tmpOut.toByteArray()) });
     for (int i = 0; i < keysTmp.length; i++) {
       request.addModification(new Modification(ModificationType.REPLACE, "pgpSubKeyID", Long.toHexString(keysTmp[i].getKeyID()).toUpperCase()));
     }
     LDAPResult result = connection.modify(request);
     return result.getResultCode().intValue() == 0;
}

用于删除目的

if (keyFound)
{
    byte[] bytes = keyStr.getBytes();
    this.tmpKS.purge();
    KeyPairInformation[] keysTmp = this.tmpKS.importKeyRing(new ByteArrayInputStream(bytes));
    KeyPairInformation tmpKeys = keysTmp[0];
    String certIdS = Long.toHexString(tmpKeys.getKeyID()).toUpperCase();
    for (int i = 0; i < 16 - certIdS.length(); i++) {
        certIdS = "0" + certIdS;
    }
    object = "pgpCertID=" + certIdS + "," + keysDn;
    DeleteRequest request1 = new DeleteRequest(object);
    LDAPResult result1 = connection.delete(request1);
    LDAPResult result = connection.modify(request);
    return result.getResultCode().intValue() == 0;
}

LDAP 结果: LDAPResult(resultCode=0 (成功), messageID=3, opType='modify')

删除旧密钥并推送新密钥的通常方法是撤销旧密钥,上传它,然后再上传新密钥。

如果您丢失了旧私钥也没有吊销证书,那么根据 Symantec 的 PGP SDK,有一个方法:

PGPDeleteFromKeyServer( PGPKeyServerRef     inKeyServerRef,
PGPKeySetRef    inKeysToDelete,
PGPKeySetRef *  outKeysThatFailed    
)

注意:必须使用 kPGPKeyServerAccessType_Administrator.

的访问类型建立密钥服务器连接

如果您建立的 LDAP 连接已验证为管理员 LDAP 用户,那么您必须能够执行删除操作。