diff options
author | Ade Lee <alee@redhat.com> | 2017-06-16 14:48:27 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-16 16:45:33 -0400 |
commit | 89f14cc5b7858e60107dc0776a59394bdfb8edaf (patch) | |
tree | ea761ba8bc23fe4f5aa2e17c4b974188452371a5 | |
parent | a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de (diff) | |
download | pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.tar.gz pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.tar.xz pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.zip |
Fix 3DES archival
A previous commit mistakenly conflated the wrapping parameters for
DES and DES3 cases, resulting in incorrect data being stored if the
storage was successful at all. This broke ipa vault and probably
also token key archival and recovery.
This patch sets the right parameters for the 3DES case again.
Part of BZ# 1458043
Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
-rw-r--r-- | base/util/src/netscape/security/util/WrappingParams.java | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java index cda887068..ded572f39 100644 --- a/base/util/src/netscape/security/util/WrappingParams.java +++ b/base/util/src/netscape/security/util/WrappingParams.java @@ -67,6 +67,10 @@ public class WrappingParams { // New clients set this correctly. // We'll assume the old DES3 wrapping here. encrypt = EncryptionAlgorithm.DES_CBC_PAD; + } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) { + encrypt = EncryptionAlgorithm.DES3_CBC_PAD; + } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) { + encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; } else { encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); } @@ -135,23 +139,26 @@ public class WrappingParams { payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; skLength = 128; - } - - if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { + } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { skType = SymmetricKey.AES; skKeyGenAlgorithm = KeyGenAlgorithm.AES; payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD; payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; skLength = 128; - } - - if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) { + } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) { + skType = SymmetricKey.DES3; + skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD; + skLength = payloadEncryptionAlgorithm.getKeyStrength(); + } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) { skType = SymmetricKey.DES; skKeyGenAlgorithm = KeyGenAlgorithm.DES; skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; - payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD; - skLength = 0; + payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD; + skLength = payloadEncryptionAlgorithm.getKeyStrength(); } if (priKeyAlgo.equals("EC")) { |