5 files changed, 19 insertions, 7 deletions
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index 2c99e1c22..9a69372b5 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -429,7 +429,7 @@ public class KeyClient extends Client {
 bytes = crypto.unwrapSymmetricKeyWithSessionKey(
 data.getEncryptedData(),
 sessionKey,
- wrapAlgorithm,
+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
 data.getNonceData(),
 data.getAlgorithm(),
 data.getSize());
@@ -446,7 +446,7 @@ public class KeyClient extends Client {
 bytes = crypto.unwrapAsymmetricKeyWithSessionKey(
 data.getEncryptedData(),
 sessionKey,
- wrapAlgorithm,
+ KeyWrapAlgorithm.fromString(data.getWrapAlgorithm()),
 data.getNonceData(),
 pubKey);
 }
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java
index b460c9e27..eb8a2f8bc 100644
--- a/base/kra/src/com/netscape/kra/EncryptionUnit.java
+++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java
@@ -84,7 +84,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit {
 return CryptoUtil.unwrap( token, params.getSkType(),
- 0,
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
 usage, wrappingKey, encSymmKey, params.getSkWrapAlgorithm());
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 95d07c4f4..344f376e5 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
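Review bot: `KeyWrapAlgorithm.fromString(data.getWrapAlgorithm())` has no fallback when the response carries no wrap algorithm, which is what any server predating this field will send; whatever `fromString` does with null (most likely an exception) then ends the retrieval instead of using the algorithm the client itself requested. Keep the client's own value as the default, e.g. `String serverWrap = data.getWrapAlgorithm();` / `KeyWrapAlgorithm unwrapAlg = serverWrap == null ? wrapAlgorithm : KeyWrapAlgorithm.fromString(serverWrap);`, assuming `wrapAlgorithm` is still in scope after this change; the same applies to the @@ -446 hunk. Since the server now dictates which algorithm the client unwraps with, it is also worth rejecting a returned name the client did not ask for or does not consider acceptable rather than silently accepting a weaker one. The enclosing method starts before and ends after these hunks.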
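Review bot: The expression `params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength()` is copied verbatim here and in both TransportKeyUnit hunks (@@ -289 and @@ -360); it belongs in one place, such as a small helper on the params class or in CryptoUtil, so the three call sites cannot drift apart. The special case also needs a comment explaining why DES3 passes 0 while every other key type passes its length, and in which unit that length is expressed (the CryptoUtil hunks divide it by 8, so bits appears to be the assumption). If `getSkType()` can be null for legacy requests, `equals` on it throws before `CryptoUtil.unwrap` is reached; `SymmetricKey.DES3.equals(params.getSkType())` avoids that. The enclosing method starts before and ends after this hunk.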
@@ -411,6 +411,18 @@ public class SecurityDataProcessor {
 String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME);
 String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm();
+ if (allowEncDecrypt_recovery) {
+ if (payloadWrapName == null) {
+ // assume old client
+ payloadWrapName = "DES3/CBC/Pad";
+ } else if (payloadWrapName.equals("AES KeyWrap/Padding") ||
+ payloadWrapName.equals("AES KeyWrap")) {
+ // Some HSMs have not implemented AES-KW yet
+ // Make sure we select an algorithm that is supported.
+ payloadWrapName = "AES/CBC/PKCS5Padding";
+ }
+ }
 byte[] iv = null;
 byte[] iv_wrap = null;
 try {
diff --git a/base/kra/src/com/netscape/kra/TransportKeyUnit.java b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
index fc66e662b..d0ad8b3e4 100644
--- a/base/kra/src/com/netscape/kra/TransportKeyUnit.java
+++ b/base/kra/src/com/netscape/kra/TransportKeyUnit.java
@@ -289,7 +289,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
 SymmetricKey sk = CryptoUtil.unwrap(
 token,
 params.getSkType(),
- 0,
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
 SymmetricKey.Usage.DECRYPT,
 wrappingKey,
 encSymmKey,
@@ -360,7 +360,7 @@ public class TransportKeyUnit extends EncryptionUnit implements
 SymmetricKey sk = CryptoUtil.unwrap(
 token,
 params.getSkType(),
- 0,
+ params.getSkType().equals(SymmetricKey.DES3)? 0: params.getSkLength(),
 SymmetricKey.Usage.UNWRAP,
 wrappingKey,
 encSymmKey,
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index d22856db5..e529a0f91 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
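Review bot: The `payloadWrapName == null` branch defaults a legacy client to `"DES3/CBC/Pad"` with no trace in the logs, so an operator cannot tell which clients still depend on 3DES or notice when that fallback is exercised; a log line at that point, with a comment such as `// legacy client sent no payload wrap name; fall back to DES3 and log it so operators can find such clients`, would make it visible. The substitution of `"AES/CBC/PKCS5Padding"` for AES-KW applies whenever `allowEncDecrypt_recovery` is set, not only on tokens that lack AES-KW, so the response must record the algorithm actually used or the client (which now reads it, see the KeyClient hunk) cannot unwrap; I cannot see from this hunk where that is recorded. The four algorithm-name literals are repeated strings that presumably exist as named constants elsewhere; referencing those instead keeps a typo from becoming a runtime failure. The enclosing method starts before and ends after this hunk.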
@@ -2346,7 +2346,7 @@ public class CryptoUtil {
 KeyWrapAlgorithm wrapAlgorithm, IVParameterSpec wrappingIV) throws Exception {
 KeyWrapper wrapper = token.getKeyWrapper(wrapAlgorithm);
 wrapper.initUnwrap(wrappingKey, wrappingIV);
- return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
+ return wrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
 }
 public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Type keyType,
@@ -2355,7 +2355,7 @@ public class CryptoUtil {
 KeyWrapper keyWrapper = token.getKeyWrapper(wrapAlgorithm);
 keyWrapper.initUnwrap(wrappingKey, null);
- return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength);
+ return keyWrapper.unwrapSymmetric(wrappedData, keyType, usage, strength/8);
 }
 public static PrivateKey unwrap(CryptoToken token, PublicKey pubKey, boolean temporary,
|
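Review bot: Dividing `strength` by 8 before `unwrapSymmetric` implies the parameter is now expressed in bits while the wrapper expects bytes, yet neither overload (@@ -2346 and @@ -2355) documents that; a caller still passing a byte count now gets a key one eighth the intended size, and a bit count that is not a multiple of 8 is silently truncated. Document the contract on both overloads, e.g. `@param strength key length in bits; the KRA callers pass 0 for DES3`, and consider rejecting `strength % 8 != 0` with an `IllegalArgumentException` so a unit mix-up fails loudly instead of producing a wrong-sized key. The first overload's signature begins above the hunk.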