authorAde Lee <alee@redhat.com>2017-03-08 10:34:31 -0500
committerAde Lee <alee@redhat.com>2017-03-14 17:09:54 -0400
commit49177c6911a5d6d97816f43c5c9568de56af8eff (patch)
tree714f6d659f8710c07a9d5acc83a25eec56065227 /base/kra/src
parent83b145d615bc4d80a1dcb37f25c5217ba6912715 (diff)
Change transport unit to create wrapping parameters based on incoming data
The PKIArchiveOptions object contains an OID for the encryption algorithm. Use this to create the correct WrappingParam for the transport unit instead of defaulting to DES3. Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/TransportKeyUnit.java36
1 files changed, 10 insertions, 26 deletions
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index 768aee552..0f62fffe7 100644
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -21,10 +21,7 @@ import java.security.PublicKey;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
-import org.mozilla.jss.crypto.EncryptionAlgorithm;
import org.mozilla.jss.crypto.IVParameterSpec;
-import org.mozilla.jss.crypto.KeyGenAlgorithm;
-import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.PrivateKey;
import org.mozilla.jss.crypto.Signature;
@@ -277,17 +274,14 @@ public class TransportKeyUnit extends EncryptionUnit implements
throws Exception {
CMS.debug("EncryptionUnit.decryptExternalPrivate");
- CryptoToken token = getToken(transCert);
-
- // TODO(alee) Strictly speaking, we should set the wrapping params from the
- // params coming in. (symmAlgOID etc). Will fix this in a later patch.
- WrappingParams params = getWrappingParams();
- params.setPayloadEncryptionIV(new IVParameterSpec(symmAlgParams));
+ if (transCert == null) {
+ transCert = mCert;
+ }
+ CryptoToken token = getToken(transCert);
PrivateKey wrappingKey = getPrivateKey(transCert);
String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+ WrappingParams params = new WrappingParams(symmAlgOID, priKeyAlgo, new IVParameterSpec(symmAlgParams));
SymmetricKey sk = unwrap_session_key(
token,
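Review bot: `new WrappingParams(symmAlgOID, priKeyAlgo, ...)` now lets the OID carried in the incoming PKIArchiveOptions select the payload cipher, and nothing visible in this hunk limits it to an approved set. The WrappingParams constructor is not shown here, so if it does not already reject unknown or deprecated OIDs, symmAlgOID should be checked against a configured allow-list before the params are built, with an explicit error on failure. At minimum I would add a comment above the call: `// symmAlgOID is client-supplied (PKIArchiveOptions); WrappingParams must reject unsupported OIDs`. The same construction appears in the two later hunks of this file, and the `transCert == null` fallback added here is not mirrored in the last changed method, which still calls `getToken(transCert)` directly. decryptExternalPrivate starts and ends outside the hunk.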
@@ -308,12 +302,11 @@ public class TransportKeyUnit extends EncryptionUnit implements
byte encValue[], SymmetricKey.Type algorithm, int strength)
throws Exception {
- // TODO(alee) Strictly speaking, we should set the wrapping params from the
- // params coming in. (symmAlgOID etc). Will fix this in a later patch.
- WrappingParams params = getWrappingParams();
- params.setPayloadEncryptionIV(new IVParameterSpec(symmAlgParams));
-
CryptoToken token = getToken();
+ PrivateKey wrappingKey = getPrivateKey(mCert);
+ String priKeyAlgo = wrappingKey.getAlgorithm();
+ WrappingParams params = new WrappingParams(symmAlgOID, priKeyAlgo, new IVParameterSpec(symmAlgParams));
+
// (1) unwrap the session key
SymmetricKey sk = unwrap_session_key(token, encSymmKey, SymmetricKey.Usage.UNWRAP, params);
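Review bot: `new IVParameterSpec(symmAlgParams)` passes the request-supplied parameter bytes straight through as the IV, while the cipher is now chosen by symmAlgOID, so the expected IV length is no longer fixed at the DES3 block size. Unless WrappingParams or the unwrap path (neither visible here) validates it, a null or wrong-length symmAlgParams would probably surface as a low-level token error rather than a clear rejection. A guard ahead of the constructor would make the failure explicit, for example `if (symmAlgParams == null) throw new Exception("missing IV in symmAlgParams");`, plus a length check against the selected algorithm's block size. The method's signature and the rest of its body lie outside the hunk.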
@@ -341,18 +334,9 @@ public class TransportKeyUnit extends EncryptionUnit implements
org.mozilla.jss.crypto.X509Certificate transCert)
throws Exception {
CryptoToken token = getToken(transCert);
-
- WrappingParams params = new WrappingParams(
- SymmetricKey.DES3, KeyGenAlgorithm.DES3, 0,
- KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD,
- KeyWrapAlgorithm.DES3_CBC_PAD,
- new IVParameterSpec(symmAlgParams),
- new IVParameterSpec(symmAlgParams));
-
PrivateKey wrappingKey = getPrivateKey(transCert);
String priKeyAlgo = wrappingKey.getAlgorithm();
- if (priKeyAlgo.equals("EC"))
- params.setSkWrapAlgorithm(KeyWrapAlgorithm.AES_ECB);
+ WrappingParams params = new WrappingParams(symmAlgOID, priKeyAlgo, new IVParameterSpec(symmAlgParams));
// (1) unwrap the session key
SymmetricKey sk = unwrap_session_key(