diff options
author | Ade Lee <alee@redhat.com> | 2017-06-16 14:48:27 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-16 16:45:33 -0400 |
commit | 89f14cc5b7858e60107dc0776a59394bdfb8edaf (patch) | |
tree | ea761ba8bc23fe4f5aa2e17c4b974188452371a5 /base | |
parent | a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de (diff) | |
download | pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.tar.gz pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.tar.xz pki-89f14cc5b7858e60107dc0776a59394bdfb8edaf.zip |
Fix 3DES archival
A previous commit mistakenly conflated the wrapping parameters for
DES and DES3 cases, resulting in incorrect data being stored if the
storage was successful at all. This broke ipa vault and probably
also token key archival and recovery.
This patch sets the right parameters for the 3DES case again.
Part of BZ# 1458043
Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
Diffstat (limited to 'base')
-rw-r--r-- | base/util/src/netscape/security/util/WrappingParams.java | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java index cda887068..ded572f39 100644 --- a/base/util/src/netscape/security/util/WrappingParams.java +++ b/base/util/src/netscape/security/util/WrappingParams.java @@ -67,6 +67,10 @@ public class WrappingParams { // New clients set this correctly. // We'll assume the old DES3 wrapping here. encrypt = EncryptionAlgorithm.DES_CBC_PAD; + } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) { + encrypt = EncryptionAlgorithm.DES3_CBC_PAD; + } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) { + encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; } else { encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID)); } @@ -135,23 +139,26 @@ public class WrappingParams { payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; skLength = 128; - } - - if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { + } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) { skType = SymmetricKey.AES; skKeyGenAlgorithm = KeyGenAlgorithm.AES; payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD; payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; skLength = 128; - } - - if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) { + } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) { + skType = SymmetricKey.DES3; + skKeyGenAlgorithm = KeyGenAlgorithm.DES3; + skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD; + skLength = payloadEncryptionAlgorithm.getKeyStrength(); + } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) { skType = SymmetricKey.DES; skKeyGenAlgorithm = KeyGenAlgorithm.DES; skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; - payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD; - skLength = 0; + payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD; + skLength = payloadEncryptionAlgorithm.getKeyStrength(); } if (priKeyAlgo.equals("EC")) { |