authorAde Lee <alee@redhat.com>2017-06-16 14:48:27 -0400
committerAde Lee <alee@redhat.com>2017-06-16 16:45:33 -0400
commit89f14cc5b7858e60107dc0776a59394bdfb8edaf (patch)
treeea761ba8bc23fe4f5aa2e17c4b974188452371a5 /base
parenta411492fe5ad2030bb9f18db9a8ed8d1c45ee7de (diff)
Fix 3DES archival
A previous commit mistakenly conflated the wrapping parameters for DES and DES3 cases, resulting in incorrect data being stored if the storage was successful at all. This broke ipa vault and probably also token key archival and recovery. This patch sets the right parameters for the 3DES case again. Part of BZ# 1458043 Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
Diffstat (limited to 'base')
-rw-r--r--base/util/src/netscape/security/util/WrappingParams.java23
1 files changed, 15 insertions, 8 deletions
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index cda887068..ded572f39 100644
--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -67,6 +67,10 @@ public class WrappingParams {
// New clients set this correctly.
// We'll assume the old DES3 wrapping here.
encrypt = EncryptionAlgorithm.DES_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
} else {
encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
}
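Review bot: The added `KW_DES_CBC_PAD` branch maps a DES-named key-wrap OID to `EncryptionAlgorithm.DES3_CBC_PAD`, while the unchanged branch directly above assigns `DES_CBC_PAD` under a comment that says "old DES3 wrapping"; neither pairing is explained. The commit message attributes the original breakage to this kind of DES/DES3 mix-up, so each branch should carry a comment stating why the names differ, something like `// legacy clients send KW_DES_CBC_PAD although the payload is 3DES-encrypted` (wording to be confirmed against client behaviour). If the assignment above is meant to be DES3 as its comment says, it belongs in this fix. The `KW_AES_CBC_PAD` branch likewise pins the cipher to `AES_128_CBC_PAD`, and a comment should say whether other AES key sizes can arrive under that OID. The if-chain and the enclosing method start above the hunk.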
@@ -135,23 +139,26 @@ public class WrappingParams {
payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
skType = SymmetricKey.AES;
skKeyGenAlgorithm = KeyGenAlgorithm.AES;
payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
+ skType = SymmetricKey.DES3;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
+ } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
skType = SymmetricKey.DES;
skKeyGenAlgorithm = KeyGenAlgorithm.DES;
skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
- payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
- skLength = 0;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
}
if (priKeyAlgo.equals("EC")) {
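Review bot: The `DES_CBC_PAD` branch now uses single DES for the session key and the payload encryption but keeps `skWrapAlgorithm` and `payloadWrapAlgorithm` at `KeyWrapAlgorithm.DES3_CBC_PAD`, and nothing in the hunk says whether that mix is deliberate. Since the bug being fixed came from conflating the DES and DES3 parameter sets, those two lines need a short comment stating why the wrap algorithms stay 3DES, or a change to the DES variants if they should not. The else-if chain also ends without a final `else`, so a `kwAlg` that matches no branch leaves these fields at whatever was assigned before the chain. Unless defaults are set above the hunk, a closing `} else { throw new IllegalArgumentException("Unsupported key wrap algorithm: " + kwAlg); }` would fail fast instead of archiving with a partial parameter set. The chain and the enclosing method both start above the hunk.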