| author | Fraser Tweedale <ftweedal@redhat.com> | 2017-06-08 14:25:23 +1000 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-06-09 14:27:33 -0400 |
| commit | 53564487e46040a9115fba51c8403ecacb50187e (patch) | |
| tree | 2d7ac8b2d57a6ea123770d1e59ab3a5dde6f6c8b /base/kra/src/com/netscape | |
| parent | 9edd684fef78845acee95a766f34a9c57a1ab604 (diff) | |
KRA PKCS #12 export: add config to use 3DES PBE encryption
Restore the 3DES PKCS #12 key recovery code path, alongside the new
AES variant, which is broken on Thales nethsm. Add the
'kra.legacyPKCS12' config for selecting which version to use, with
the default value of 'true' (i.e., use 3DES).
Part of: https://pagure.io/dogtagpki/issue/2728
Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360
Diffstat (limited to 'base/kra/src/com/netscape')
| -rw-r--r-- | base/kra/src/com/netscape/kra/RecoveryService.java | 43 |
1 files changed, 32 insertions, 11 deletions
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index eee800aa8..023eb8093 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -487,19 +487,40 @@ public class RecoveryService implements IService {
 PasswordConverter passConverter = new PasswordConverter();
- byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
- /* NSS has a bug that causes any AES CBC encryption
- * to use AES-256, but AlgorithmID contains chosen
- * alg. To avoid mismatch, use AES_256_CBC. */
- passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
- CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
- if (epkiBytes == null) {
- CMS.debug("RecoverService: createPFX() epkiBytes null");
- throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
+ boolean legacyP12 =
+ CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true);
+
+ ASN1Value key;
+ if (legacyP12) {
+ Random ran = new SecureRandom();
+ byte[] salt = new byte[20];
+ ran.nextBytes(salt);
+
+ key = EncryptedPrivateKeyInfo.createPBE(
+ PBEAlgorithm.PBE_SHA1_DES3_CBC,
+ pass, salt, 1, passConverter, priKey, ct);
+ CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+ if (key == null) {
+ CMS.debug("RecoverService: createPFX() key null");
+ throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
+ } else {
+ CMS.debug("RecoverService: createPFX() key not null");
+ }
 } else {
- CMS.debug("RecoverService: createPFX() epkiBytes not null");
+ byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
+ /* NSS has a bug that causes any AES CBC encryption
+ * to use AES-256, but AlgorithmID contains chosen
+ * alg. To avoid mismatch, use AES_256_CBC. */
+ passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
+ CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
+ if (epkiBytes == null) {
+ CMS.debug("RecoverService: createPFX() epkiBytes null");
+ throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
+ } else {
+ CMS.debug("RecoverService: createPFX() epkiBytes not null");
+ }
+ key = new ANY(epkiBytes);
 }
- ASN1Value key = new ANY(epkiBytes);
 SET keyAttrs = createBagAttrs( x509cert.getSubjectDN().toString(), |
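Review bot: The restored 3DES branch passes `1` in what appears to be the iteration-count position of `EncryptedPrivateKeyInfo.createPBE(...)` (`pass, salt, 1, passConverter, priKey, ct);`), so the recovered private key in the exported PKCS #12 would be wrapped after a single key-derivation iteration and its protection rests entirely on the strength of the recovery password. Because `kra.legacyPKCS12` defaults to `true`, this SHA-1/3DES path is what every deployment gets unless it explicitly opts out. Consider replacing the literal with a named constant set well above 1, e.g. `pass, salt, PBE_ITERATIONS, passConverter, priKey, ct);` (constant name is illustrative), which PKCS #12 importers should accept since the count is carried in the PBE parameters. A comment at the `getBoolean` call would also help, such as `// Defaults to legacy 3DES PBE because the AES export path is broken on Thales nethsm; set kra.legacyPKCS12=false where AES works.` The enclosing createPFX() starts and ends outside this hunk, so how `pass` is produced is not visible here.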
