| author | Ade Lee <alee@redhat.com> | 2017-03-23 12:40:03 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-24 16:37:16 -0400 |
| commit | 874825f2d8e41b276aa3674d0cff5912dc6a55fa (patch) | |
| tree | 49891ed0729eb246e1270d82cd96269b4c96f960 /base/common/share/etc | |
| parent | c15c8e3b455cf9014f147f6c57f9338b0395b9c7 (diff) | |
Change CRMFPopClient to use AES-KeyWrap with padding

Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used. Trying to unpack
  the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.

Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms. This
can be set by clients talking to old servers.

CRMFPopClient has the ability to automatically submit requests to
a CA. In this case, we should contact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.

Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
Diffstat (limited to 'base/common/share/etc')
| -rw-r--r-- | base/common/share/etc/pki.conf | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf index c0b607308..e9b55221c 100644 --- a/base/common/share/etc/pki.conf +++ b/base/common/share/etc/pki.conf @@ -44,3 +44,19 @@ export SSL_DEFAULT_CIPHERS # To disable a cipher, specify a "-" sign in front of the cipher name or ID. SSL_CIPHERS="" export SSL_CIPHERS + +# Key wrapping parameter set +# This parameter specifies the encryption and key wrapping algorithms to use +# when storing secrets in the KRA, or creating CRMF data using CRMFPopClient. +# +# Parameter sets are: +# O: (legacy, for interacting with pre-10.4 servers) +# Encryption Algorithm: DES3_CBC +# Padding: PKCS#1.5 Padding +# Key Wrapping: DES3_CBC_PAD +# 1: AES (default for 10.4+ servers) +# Encryption Algorithm: AES_128_CBC +# Padding: PKCS#1.5 Padding +# Key Wrapping: AES KeyWrap with Padding +KEY_WRAP_PARAMETER_SET=1 +export KEY_WRAP_PARAMETER_SET |
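Review bot: The legacy parameter set in the added comment block is labelled "O:" (capital letter O), while the commit message gives the legacy value as 0 and the assignment below it uses the digit 1; change the label to "0:" so that a reader copying the value from the comment gets the digit. Both sets also list "Padding: PKCS#1.5 Padding" beside CBC-mode symmetric ciphers (DES3_CBC, AES_128_CBC). PKCS#1 v1.5 is an RSA padding scheme, so please confirm whether block-cipher padding (PKCS#5/PKCS#7) is what is meant and correct the comment if so. It would also help to say in the comment what happens when KEY_WRAP_PARAMETER_SET is unset or holds a value other than the two listed.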
