authorAde Lee <alee@redhat.com>2017-05-01 18:25:59 -0400
committerAde Lee <alee@redhat.com>2017-05-06 10:06:42 -0400
commitbea446868e282955d9c70028be657530eaccbe29 (patch)
tree7cca08320ae943614b893649fafe99e09a2f6cd3 /base/kra/src/com/netscape/kra/NetkeyKeygenService.java
parentf84bfab30647ae1492fcdca0a026bfa4d91350c9 (diff)
Use AES-CBC in storage unit for archival in key wrapping
When AES-KW or AES-KWP is not available, we need to be sure to use a key wrap algorithm that is available for key wrapping. This would be AES-CBC. Removes some TODOs. Refactor so that getWrappingParams is only defined on the StorageUnit, which is where it makes sense in any case. Part of Bugzilla BZ# 1386303 Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
Diffstat (limited to 'base/kra/src/com/netscape/kra/NetkeyKeygenService.java')
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java7
1 files changed, 5 insertions, 2 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index f068a4a81..636e93ed0 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.util.Base64OutputStream;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.MetaInfo;
import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
@@ -155,6 +156,9 @@ public class NetkeyKeygenService implements IService {
IVParameterSpec algParam = new IVParameterSpec(iv);
+ IConfigStore configStore = CMS.getConfigStore();
+ boolean allowEncDecrypt_archival = configStore.getBoolean("kra.allowEncDecrypt.archival", false);
+
wrapped_des_key = null;
boolean archive = true;
byte[] publicKeyData = null;
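Review bot: The new `kra.allowEncDecrypt.archival` lookup carries no comment saying what opting in means, yet per the commit message it selects an encrypt/decrypt (AES-CBC) path for wrapping the archived private key when AES-KW/KWP is unavailable, and unlike AES Key Wrap that mode gives the wrapped key no built-in integrity check. I would add above the lookup: `// Opt-in fallback (default off): when AES-KW/KWP is unavailable, wrap the archived private key with AES-CBC in encrypt/decrypt mode instead of a key-wrap algorithm.`. The value is read from CMS.getConfigStore() on every request; whether getBoolean can throw here and whether this line sits inside a try block cannot be seen in the hunk, since the enclosing method starts and ends outside it, so if it can throw, a malformed config value would bypass the request-level error handling used later in the method unless an outer catch covers it.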
@@ -405,8 +409,7 @@ public class NetkeyKeygenService implements IService {
WrappingParams params = null;
try {
- // TODO(alee) What happens if key wrap algorithm is not supported?
- params = mStorageUnit.getWrappingParams();
+ params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
} catch (Exception e) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));