| author | Ade Lee <alee@redhat.com> | 2017-03-15 17:19:01 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2017-03-21 18:49:07 -0400 |
| commit | 82478227debddbe11bd9b9eeb0e1e2f3bd5282fb (patch) | |
| tree | 62418ffdfff9d90cec9ca6749f0524a83bf41233 /base/util | |
| parent | f40e0d002e57cadd5dc254d096db52de439ed900 (diff) | |
| download | pki-82478227debddbe11bd9b9eeb0e1e2f3bd5282fb.tar.gz pki-82478227debddbe11bd9b9eeb0e1e2f3bd5282fb.tar.xz pki-82478227debddbe11bd9b9eeb0e1e2f3bd5282fb.zip | |
Fix Java client to use AES

* Changed the client to use AES-128-CBC-PAD rather than DES-3.
  Because AES-256-CBC-PAD has no OID defined, we use the following
  hack:
  * Pass in the AES-256-CBC OID as the encrypt algorithm OID
  * Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size
  of 128) when receiving the OID for AES.
* Changed the client to send, and the server to pass through
  the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately
  sized IV on retrieval.

This code has been tested to successfully create and retrieve
secrets using AES. Ideally, we'd be using GCM rather than CBC,
which then requires no padding - and no hack needed. Hopefully,
we can get that working in a subsequent commit.
Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index c436b4d02..593d93f46 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -1938,6 +1938,8 @@ public class CryptoUtil { EncryptedContentInfo cInfo = null; //We have to do this to get the decoding to work. + // TODO (alee) - this needs to work with AES keys. It does not appear to be used though in the current KeyClient + // We may end up simply removing this. @SuppressWarnings("unused") PBEAlgorithm pbeAlg = PBEAlgorithm.PBE_SHA1_DES3_CBC; |
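Review bot: the hunk at CryptoUtil.java:1938 leaves `PBEAlgorithm pbeAlg = PBEAlgorithm.PBE_SHA1_DES3_CBC;` in place under `@SuppressWarnings("unused")` and only adds a TODO saying it "does not appear to be used though in the current KeyClient" and "may end up simply removing this". Since the stated purpose of this commit is to move the client off DES-3, either confirm the call sites and drop the dead DES3 assignment (and the "We have to do this to get the decoding to work" comment that now contradicts the TODO) in this change, or replace the free-form TODO with a reference to a tracking ticket so the DES3 remnant is not forgotten once the AES path lands; a bare `TODO (alee)` in a crypto utility tends to outlive its author.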