author | Ade Lee <alee@redhat.com> | 2017-06-08 16:08:30 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-08 20:20:46 -0400 |
commit | 5bf30f2f6a52b7164ba31ab12ed2317b2c572610 (patch) | |
tree | d6ed45eb8266a328c1308198dba659e4eceec753 /base/server/cms | |
parent | 0e7cf72f4a6ec81fcbb8b3ac83f1eb2921f9bdb0 (diff) | |
Stop using hardcoded IV in CMC
Bugzilla #BZ 1458055
Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82
Diffstat (limited to 'base/server/cms')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 13 | ||||
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java | 8 |
2 files changed, 9 insertions, 12 deletions
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 12fb73694..2591acefa 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -403,8 +403,7 @@ public abstract class EnrollProfile extends BasicProfile
 String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
 token = CryptoUtil.getCryptoToken(tokenName);
- // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length
- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+ byte[] iv = CryptoUtil.getNonceData(EncryptionAlgorithm.AES_128_CBC.getIVLength());
 IVParameterSpec ivps = new IVParameterSpec(iv);
 PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
@@ -466,6 +465,8 @@ public abstract class EnrollProfile extends BasicProfile
 req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
+ req.setExtData("pop_encryptedDataIV", iv);
+
 // now compute and set witness
 CMS.debug(method + "now compute and set witness");
 String hashName = CryptoUtil.getDefaultHashAlgName();
@@ -1123,14 +1124,12 @@ public abstract class EnrollProfile extends BasicProfile
 return null;
 }
- // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
- // This IV is supposed to be random
- byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
- IVParameterSpec default_iv = new IVParameterSpec(iv);
+ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
+ IVParameterSpec ivps = new IVParameterSpec(iv);
 byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
 token,
- default_iv,
+ ivps,
 pop_encryptedData,
 symKey,
 EncryptionAlgorithm.AES_128_CBC);
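Review bot: The new `req.setExtData("pop_encryptedDataIV", iv);` in the second hunk carries no comment explaining why the IV is persisted on the request, even though the third hunk of this file and the new read in CMCOutputTemplate now depend on exactly that ext-data key. I would add above it: `// Keep the random IV with the request: the POP challenge is decrypted later with the same IV, and CMCOutputTemplate returns it to the client inside the EncryptedPOP AlgorithmIdentifier. A CBC IV is not secret; only the session key is.` Naming the key as the shared contract between the three sites makes the coupling visible to the next maintainer. The enclosing method starts and ends outside the hunk.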
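Review bot: In the third hunk, `byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");` is handed straight to `new IVParameterSpec(iv)` with no null or length check, so a request that carries no IV (presumably one created before this change, or one whose enrollment path never stored it) fails with a NullPointerException or a low-level decrypt error instead of the explicit `return null` the guard immediately above the hunk uses. Since the IV now comes from request data rather than a fixed 16-byte literal, its length should also be compared with `EncryptionAlgorithm.AES_128_CBC.getIVLength()` before decryptUsingSymmetricKey is called, which keeps a malformed request from being treated as a verification failure deep inside the crypto layer. The enclosing method starts and ends outside the hunk.
```java
byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
// Reject a request with a missing or wrong-size IV the same way the
// guard above rejects the other missing POP fields.
if (iv == null || iv.length != EncryptionAlgorithm.AES_128_CBC.getIVLength()) {
    CMS.debug(method + " missing or malformed pop_encryptedDataIV");
    return null;
}
IVParameterSpec ivps = new IVParameterSpec(iv);
// … unchanged: decryptUsingSymmetricKey call …
```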
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
index 8e472985e..8d6c37f2c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
@@ -491,6 +491,7 @@ public class CMCOutputTemplate {
 //don't need this for encryptedPOP, but need to check for existence anyway
 byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
 byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
+ byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");
 if ((pop_encryptedData != null) && (pop_sysPubEncryptedSession != null) && (pop_userPubEncryptedSession != null)) {
@@ -517,11 +518,8 @@ public class CMCOutputTemplate {
 throw new EBaseException(method + msg);
 }
- // TODO(alee) The code below should be replaced by code that generates a random IV
- byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
-
 OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
- AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(iv));
 encPop = new EncryptedPOP(
 tReq,
@@ -532,7 +530,7 @@ public class CMCOutputTemplate {
 } catch (Exception e) {
 CMS.debug(method + " excepton:" + e);
- throw new EBaseException(method + " excepton:" + e);
+ throw new EBaseException(method + " exception:" + e);
 }
 } else {
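Review bot: `byte[] iv = req.getExtDataInByteArray("pop_encryptedDataIV");` in the first hunk is read next to the existence check, but the `if` on the following line still tests only the three pre-existing fields, so a request without the new ext-data key reaches `new OCTET_STRING(iv)` in the second hunk with `iv == null` and surfaces only as the generic ` exception:` message thrown by the catch block in the third hunk. I would fail explicitly alongside the other validation in the second hunk, before the AlgorithmIdentifier is built: `if (iv == null) {` / `    throw new EBaseException(method + " missing pop_encryptedDataIV in request");` / `}`. Whether `new OCTET_STRING(null)` throws at construction or later during encoding I cannot tell from the hunk; either way the current message would not name the cause. The enclosing method starts and ends outside the hunks.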