Change CRMFPopClient to use AES-KeyWrap with padding

Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used.  Trying to unpack
  the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.

Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms.  This
can be set by clients talking to old servers.

CRMFPopClient has the ability to automatically submit requests to
a CA.  In this case, we shouldcontact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.

Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e

1 files changed, 40 insertions, 16 deletions

diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 670185666..5e53bee67 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -544,27 +544,20 @@ public class CRMFPopClient {
             String algorithm,
             KeyPair keyPair,
             Name subject) throws Exception {
+        EncryptionAlgorithm encryptAlg = null;
+        String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
 
-        byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-        IVParameterSpec ivps = new IVParameterSpec(iv);
-
-        AlgorithmIdentifier aid;
-        if (algorithm.equals("rsa")) {
-            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv));
-
-        } else if (algorithm.equals("ec")) {
-            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
-
+        if ((keyset != null) && (keyset.equalsIgnoreCase("0"))) {
+            // talking to an old server?
+            encryptAlg = EncryptionAlgorithm.DES3_CBC;
         } else {
-            throw new Exception("Unknown algorithm: " + algorithm);
+            encryptAlg = EncryptionAlgorithm.AES_128_CBC;
         }
 
-        WrappingParams params = new WrappingParams(
-                SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
-                KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
-                KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps);
+        byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
+        AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv);
+        WrappingParams params = getWrappingParams(encryptAlg, iv);
 
-        // TODO(alee) check the cast on the third argument
         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
                 token,
                 transportCert.getPublicKey(),
@@ -583,6 +576,37 @@ public class CRMFPopClient {
         return new CertRequest(new INTEGER(1), certTemplate, seq);
     }
 
+    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception {
+        if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
+            return new WrappingParams(
+                SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
+                KeyWrapAlgorithm.RSA, encryptAlg,
+                KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null);
+        } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
+            return new WrappingParams(
+                    SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
+                    KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
+                    KeyWrapAlgorithm.DES3_CBC_PAD,
+                    new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV));
+        } else {
+            throw new Exception("Invalid encryption algorithm");
+        }
+    }
+
+    private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv)
+            throws Exception {
+        AlgorithmIdentifier aid;
+        if (algorithm.equals("rsa")) {
+            aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
+        } else if (algorithm.equals("ec")) {
+            // TODO(alee) figure out what this should be for ECC
+            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
+        } else {
+            throw new Exception("Unknown algorithm: " + algorithm);
+        }
+        return aid;
+    }
+
     public OCTET_STRING createIDPOPLinkWitness() throws Exception {
 
         String secretValue = "testing";