author | Ade Lee <alee@redhat.com> | 2017-06-06 16:16:40 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-07 16:00:52 -0400 |
commit | d5c331a42955365b76a1549aec047e613d3185dc (patch) | |
tree | 6258a518501aa166cb803abe04f046da410aec31 /base/util | |
parent | 38df4274214938ceece85627abb6d4fe77b960ff (diff) | |
Server side changes to correctly parse the new PKIArchiveOptions
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 34 | ||||
-rw-r--r-- | base/util/src/netscape/security/util/WrappingParams.java | 55 |
2 files changed, 82 insertions, 7 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 84e4a650d..eca8dddb6 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -2713,6 +2713,10 @@ public class CryptoUtil {
 throw new NoSuchAlgorithmException();
 }
+ public static final OBJECT_IDENTIFIER KW_AES_KEY_WRAP_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
+ public static final OBJECT_IDENTIFIER KW_AES_CBC_PAD = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
+ public static final OBJECT_IDENTIFIER KW_DES_CBC_PAD = new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+
 /*
 * Useful method to map KeyWrap algorithms to an OID.
 * This is not yet defined within JSS, although it will be valuable to do
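Review bot: The name `KW_DES_CBC_PAD` does not match what its OID identifies: `1.2.840.113549.3.7` is des-ede3-cbc (triple DES), and the two AES values are the 128-bit arcs (id-aes128-wrap-pad and aes128-CBC). Anyone auditing which wrapping algorithms the server will accept from a PKIArchiveOptions has to look the OIDs up to learn that. I would add a comment above the three constants, for example `// Key-wrap OIDs: id-aes128-wrap-pad, aes128-CBC, des-ede3-cbc (3DES); the AES entries imply a 128-bit key`, and consider naming the last one `KW_DES3_CBC_PAD` while the constant is still new.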
@@ -2724,13 +2728,29 @@ public class CryptoUtil {
 * the subsequent reverse mapping method below.
 */
 public static OBJECT_IDENTIFIER getOID(KeyWrapAlgorithm kwAlg) throws NoSuchAlgorithmException {
- if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD)
- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8");
- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD)
- return new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
- if ((kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) ||
- (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD))
- return new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+ String name = kwAlg.toString();
+ if (name.equals(KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString()))
+ return KW_AES_KEY_WRAP_PAD;
+ if (name.equals(KeyWrapAlgorithm.AES_CBC_PAD.toString()))
+ return KW_AES_CBC_PAD;
+ if (name.equals(KeyWrapAlgorithm.DES3_CBC_PAD.toString()))
+ return KW_DES_CBC_PAD;
+ if (name.equals(KeyWrapAlgorithm.DES_CBC_PAD.toString()))
+ return KW_DES_CBC_PAD;
+
+ throw new NoSuchAlgorithmException();
+ }
+
+ public static KeyWrapAlgorithm getKeyWrapAlgorithmFromOID(String wrapOID) throws NoSuchAlgorithmException {
+ OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ if (oid.equals(KW_AES_KEY_WRAP_PAD))
+ return KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+
+ if (oid.equals(KW_AES_CBC_PAD))
+ return KeyWrapAlgorithm.AES_CBC_PAD;
+
+ if (oid.equals(KW_DES_CBC_PAD))
+ return KeyWrapAlgorithm.DES3_CBC_PAD;
 throw new NoSuchAlgorithmException();
 }
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index 8fe5df670..cda887068 100644
--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
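Review bot: In CryptoUtil.java, `getKeyWrapAlgorithmFromOID` passes `wrapOID` straight to `new OBJECT_IDENTIFIER(wrapOID)` with no null or format check, and going by the commit message that string presumably comes from the request's PKIArchiveOptions. An unrecognised OID then ends in a bare `throw new NoSuchAlgorithmException();`, so a rejected request leaves nothing to trace; I would write `throw new NoSuchAlgorithmException("Unsupported key wrap OID: " + wrapOID);` instead. `getOID` maps both DES_CBC_PAD and DES3_CBC_PAD to `KW_DES_CBC_PAD` while the reverse lookup always returns DES3_CBC_PAD, so the mapping does not round-trip and deserves a one-line comment saying so. `getOID` also calls `kwAlg.toString()` without a null check, and the reason for comparing names rather than instances is not stated anywhere in the hunk.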
@@ -10,6 +10,8 @@ import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.crypto.SymmetricKey.Type;
+import com.netscape.cmsutil.crypto.CryptoUtil;
+
 public class WrappingParams {
 // session key attributes
 SymmetricKey.Type skType;
@@ -123,6 +125,59 @@ public class WrappingParams {
 }
 }
+ private WrappingParams(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
+ throws NumberFormatException, NoSuchAlgorithmException {
+ KeyWrapAlgorithm kwAlg = CryptoUtil.getKeyWrapAlgorithmFromOID(wrapOID);
+
+ if (kwAlg == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
+ skType = SymmetricKey.AES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+ }
+
+ if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ skType = SymmetricKey.AES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.AES;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
+ skLength = 128;
+ }
+
+ if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ skType = SymmetricKey.DES;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ skLength = 0;
+ }
+
+ if (priKeyAlgo.equals("EC")) {
+ skWrapAlgorithm = KeyWrapAlgorithm.AES_ECB;
+ } else {
+ skWrapAlgorithm = KeyWrapAlgorithm.RSA;
+ }
+
+ // set the IVs
+ payloadEncryptionIV = wrapIV;
+
+ if (payloadWrapAlgorithm == KeyWrapAlgorithm.AES_KEY_WRAP_PAD) {
+ // TODO(alee) Hack -- if we pass in null for the iv in the
+ // PKIArchiveOptions, we fail to decode correctly when parsing a
+ // CRMFPopClient request.
+ payloadWrappingIV = null;
+ } else {
+ payloadWrappingIV = wrapIV;
+ }
+ }
+
+ public static WrappingParams getWrappingParamsFromArchiveOptions(String wrapOID, String priKeyAlgo, IVParameterSpec wrapIV)
+ throws NumberFormatException, NoSuchAlgorithmException {
+ return new WrappingParams(wrapOID, priKeyAlgo, wrapIV);
+ }
+
 public SymmetricKey.Type getSkType() {
 return skType;
 } |
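Review bot: In the new private constructor, the DES branch's `skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;` is a dead store, because the unconditional EC/RSA block right after it overwrites `skWrapAlgorithm` on every path; drop the line or state which value is meant to win. The three algorithm checks are independent `if`s with no final `else`, so an algorithm later added to `getKeyWrapAlgorithmFromOID` without a branch here would produce an object whose payload algorithms are never assigned in this constructor. Chaining them with `else if` and ending in `else { throw new NoSuchAlgorithmException(wrapOID); }` makes that case fail closed. `priKeyAlgo.equals("EC")` throws on a null argument and treats every other string as RSA; `"EC".equals(priKeyAlgo)` removes the NullPointerException. The TODO explains the null-IV decoding failure but not why the supplied IV is then discarded for AES_KEY_WRAP_PAD, which needs one more sentence in that comment.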