author | Ade Lee <alee@redhat.com> | 2017-05-01 18:25:59 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-05-06 10:06:42 -0400 |
commit | bea446868e282955d9c70028be657530eaccbe29 (patch) | |
tree | 7cca08320ae943614b893649fafe99e09a2f6cd3 /base/kra/src/com/netscape/kra/NetkeyKeygenService.java | |
parent | f84bfab30647ae1492fcdca0a026bfa4d91350c9 (diff) | |
Use AES-CBC in storage unit for archival in key wrapping
When AES-KW or AES-KWP is not available, we need to fall back to a
wrapping algorithm that the token does support for key wrap. This
would be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
Diffstat (limited to 'base/kra/src/com/netscape/kra/NetkeyKeygenService.java')
-rw-r--r-- | base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index f068a4a81..636e93ed0 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.MetaInfo;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.dbs.keydb.IKeyRecord;
@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService {
 IVParameterSpec algParam = new IVParameterSpec(iv);
+ IConfigStore configStore = CMS.getConfigStore();
+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
+
 wrapped_des_key = null;
 boolean archive = true;
 byte[] publicKeyData = null;
@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService {
 WrappingParams params = null;
 try {
- // TODO(alee) What happens if key wrap algorithm is not supported?
- params = mStorageUnit.getWrappingParams();
+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
 privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
 } catch (Exception e) {
 request.setExtData(IRequest.RESULT, Integer.valueOf(4)); |
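Review bot: The new `kra.allowEncDecrypt.archival` read in the second hunk carries no comment on what it selects or why it defaults to false, and the name `allowEncDecrypt_archival` mixes camelCase and snake_case in a file that otherwise uses `mStorageUnit`/`publicKeyData` style. Per the commit message the flag switches archival wrapping from AES-KW/KWP to AES-CBC encrypt/decrypt; if so, operators should be told that CBC mode provides no built-in integrity check on the wrapped key, unlike AES-KW, so the flag should only be enabled on tokens that genuinely lack AES-KW/KWP — I would add `// kra.allowEncDecrypt.archival=true selects AES-CBC for archival wrapping (tokens without AES-KW/KWP); CBC has no built-in integrity check, so leave it false where AES-KW is available.` above the `getBoolean` call and rename the local to `allowEncDecryptArchival`. Note the flag is taken from configuration rather than from the token's actual mechanism support, so a mismatch in either direction (false on a KW-less token, or true where KW exists) is not detected here — whether `getWrappingParams` validates this is outside the hunk. The enclosing method starts and ends outside the hunk.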
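Review bot: In the third hunk the removed TODO asked what happens when the wrap algorithm is unsupported, and the answer is still only the generic `catch (Exception e)` that maps every failure to `RESULT` 4, so a token lacking the selected mechanism is indistinguishable from any other wrap error at this point. If the rest of the catch block (which continues outside the hunk) does not already do so, log `e` together with the chosen `params` before setting the result, e.g. `CMS.debug("NetkeyKeygenService: archival wrap failed with params " + params + ": " + e);`, since the new config-driven selection makes "wrong algorithm for this token" a likely operator error. The enclosing try/catch and method end outside the hunk.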