author | Ade Lee <alee@redhat.com> | 2017-05-26 13:06:18 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-07 16:00:41 -0400 |
commit | 38df4274214938ceece85627abb6d4fe77b960ff (patch) | |
tree | c3361a13185302f03ddb4162aa04f5816190c27d /base/util | |
parent | 9db838825b60719e6670c92957db3f33c5b12ae0 (diff) | |
Refactor client to not use keysets

It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:

* KRAInfo and CAInfo are refactored to provide the
  algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
  which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
  more correctly. The options are basically:
  AES-128-CBC, DES3-CBC, AES KeyWrap/Pad

Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 95b8f815b..84e4a650d 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -2713,6 +2713,28 @@ public class CryptoUtil { throw new NoSuchAlgorithmException(); } + /* + * Useful method to map KeyWrap algorithms to an OID. + * This is not yet defined within JSS, although it will be valuable to do + * so. The hard thing though is that the KeyWrapAlgorithms in JSS do not take + * KEK key size into account for algorithms like AES. We assume 128 bits in + * this case. + * + * This is used in the generation of CRMF requests, and will be correlated to + * the subsequent reverse mapping method below. + */ + public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException { + if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) + return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); + if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) + return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); + if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) || + (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD)) + return new OBJECT_IDENTIFIER("1.2.840.113549.3.7"); + + throw new NoSuchAlgorithmException(); + } + } // START ENABLE_ECC |
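Review bot: in getOID(), the last condition maps KeyWrapAlgorithm.DES_CBC_PAD to 1.2.840.113549.3.7, which is the des-EDE3-CBC (triple DES) OID, so a key wrapped with single DES would be labelled as DES3 in the CRMF request and a reverse mapping on the receiving side would select the wrong algorithm. Suggest dropping DES_CBC_PAD from that condition so it falls through to the NoSuchAlgorithmException, or giving it its own OID if single DES must remain supported. Separately, the comment states that a 128-bit KEK is assumed, and both AES OIDs returned here (2.16.840.1.101.3.4.1.8 and 2.16.840.1.101.3.4.1.2) are the 128-bit variants, so a caller wrapping with a 192- or 256-bit KEK gets a mislabelled request; consider taking the key size as a parameter, or at least state the restriction in a Javadoc comment (`/** ... */` rather than `/* ... */`) so it shows up for callers. The comment also points to a "reverse mapping method below" that is not part of this hunk, and the final `throw new NoSuchAlgorithmException();` would be easier to diagnose with the algorithm name passed as the message.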