diff options
| author | Ade Lee <alee@redhat.com> | 2017-04-06 17:09:39 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-04-13 17:20:51 -0400 |
| commit | 716dca464943a22eb6588187fba9fad85e1c1345 (patch) | |
| tree | 0bcdb9ed7892fb6c4e0d4c05c10fc3e0d70c18d4 /base/java-tools/src/com | |
| parent | c381566ddf1f4f05330063bb012d59e5c1753b13 (diff) | |
| download | pki-716dca464943a22eb6588187fba9fad85e1c1345.tar.gz pki-716dca464943a22eb6588187fba9fad85e1c1345.tar.xz pki-716dca464943a22eb6588187fba9fad85e1c1345.zip | |
Fix symkey retrieval in python client
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
recieved, the server assumes its talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
Diffstat (limited to 'base/java-tools/src/com')
0 files changed, 0 insertions, 0 deletions