author | Ade Lee <alee@redhat.com> | 2017-04-11 14:18:32 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-04-12 15:19:34 -0400 |
commit | eb7c9139c1ab017a8749d87e163e9dcc42037fb2 (patch) | |
tree | 3f2b2ab15fe3427b29275c55da35501627dce445 /base/util | |
parent | 20a307e4683e62b033f7662ed4aa2f18dfad6226 (diff) | |
Modified CRMFPopClient to use correct wrapping for encrypt case
When the server cannot do key wrapping using the AES KeyWrap,
probably because the backend HSM cannot do key wrapping, then
there is a setting to allow it to use encrypt/decrypt instead.
If the key wrap algorithm is something simple like 3DES or AES-CBC,
then the client can just use key wrapping to wrap the key on its
token, and the server can use an encryption algorithm to decrypt.
The client does not need to know that the server cannot handle a
key wrap, because keywrapping and encryption are pretty much the
same mechanism - just either in server memory or not.
When we do key wrapping using AES KeyWrap though, there is no
corresponding encryption algorithm used to decrypt. So the server
cannot simply decrypt a message wrapped with AES Keywrap (or at least
not in any obvious way). So in this case, the client needs to know
if the server can handle keywrap.
The patch therefore does the following:
1. For CRMFPopClient, adds a command line option to specify if key
wrapping or encryption is required.
2. Reads an environment variable if no option is provided.
3. If encryption is specified, uses key wrapping using AES-CBC
which can be decrypted on the server side.
4. For cert-client, contacts the server to determine from the
CAInfoResource if keywrapping is supported.
Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
Diffstat (limited to 'base/util')
-rw-r--r-- | base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index 35888522f..d22856db5 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -1962,7 +1962,7 @@ public class CryptoUtil { return decodedData; } - public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, + public static byte[] encryptPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk, EncryptionAlgorithm alg) throws NoSuchAlgorithmException, TokenException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException { @@ -2010,17 +2010,6 @@ public class CryptoUtil { return encodePKIArchiveOptions(opts); } - /* Used to create PKIArchiveOptions for wrapped symmetric key */ - public static PKIArchiveOptions createPKIArchiveOptions( - CryptoToken token, - PublicKey wrappingKey, - SymmetricKey data, - WrappingParams params, - AlgorithmIdentifier aid) throws Exception { - return createPKIArchiveOptionsInternal( - token, wrappingKey, null, null, data, params, aid); - } - public static byte[] createEncodedPKIArchiveOptions( CryptoToken token, PublicKey wrappingKey, @@ -2068,10 +2057,9 @@ public class CryptoUtil { params.getSkLength(), null, false); - byte[] key_data; if (passphraseData != null) { - key_data = wrapPassphrase( + key_data = encryptPassphrase( token, passphraseData, params.getPayloadEncryptionIV(), |
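Review bot: The renamed `encryptPassphrase` in the first hunk is a public static method with no Javadoc visible above it, so the method name is the only place in the code that records the wrap-versus-encrypt distinction the commit message explains. I would add a short Javadoc such as `/** Encrypts the passphrase with {@code alg} under {@code sk} and {@code IV}; this is an encryption operation, not a token key wrap. */` and state there what the caller must guarantee about `IV`; the method body lies outside the hunk, so that requirement has to be confirmed against it. Because `wrapPassphrase` and the `createPKIArchiveOptions` overload removed in the second hunk were both public, any caller outside base/util that is not updated in the same commit will stop compiling, and the diffstat shown here is limited to base/util, so that cannot be checked from this page. The `String passphrase` parameter also cannot be cleared after use, so a `char[]` overload would be worth considering if callers can supply one.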