diff options
8 files changed, 267 insertions, 50 deletions
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java index 8236d7f6b..a05bb78df 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyClient.java +++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java @@ -18,11 +18,16 @@ package com.netscape.certsrv.key; import java.net.URISyntaxException; +import java.security.NoSuchAlgorithmException; import java.util.List; import javax.ws.rs.core.Response; +import org.dogtagpki.common.Info; +import org.dogtagpki.common.InfoResource; +import org.dogtagpki.common.Version; import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; import com.netscape.certsrv.base.ResourceMessage; @@ -42,19 +47,55 @@ public class KeyClient extends Client { public KeyResource keyClient; public KeyRequestResource keyRequestClient; + public InfoResource infoClient; private CryptoProvider crypto; private String transportCert; + private EncryptionAlgorithm encryptAlgorithm; + private KeyWrapAlgorithm wrapAlgorithm; + private int wrapIVLength; public KeyClient(PKIClient client, String subsystem) throws Exception { super(client, subsystem, "key"); init(); - this.crypto = client.getCrypto(); + crypto = client.getCrypto(); + + // TODO(alee) enable this when we figure out why its not working + // Version serverVersion = getServerVersion(); + + Version serverVersion= new Version("10.4.0"); + if ((serverVersion.getMajor() >= 10) && (serverVersion.getMinor() >=4)) { + encryptAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; + wrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; + wrapIVLength = 0; + } else { + encryptAlgorithm = EncryptionAlgorithm.DES3_CBC; + wrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD; + wrapIVLength = 8; + } + } + + private Version getServerVersion() { + Version ret = null; + try { + Response response = infoClient.getInfo(); + Info info = client.getEntity(response, Info.class); + String version = info.getVersion(); + ret = new Version(version); + } catch (Exception e) { + // TODO(alee) - narrow the exception here. We should only + // return Version(0.0.0) in the case where get a 404 response. + + // old server - may not have the Info service + ret = new Version("0.0.0"); + } + return ret; } public void init() throws URISyntaxException { keyClient = createProxy(KeyResource.class); keyRequestClient = createProxy(KeyRequestResource.class); + infoClient = createProxy(InfoResource.class); } public CryptoProvider getCrypto() { @@ -363,13 +404,13 @@ public class KeyClient extends Client { if (keyId == null) { throw new IllegalArgumentException("KeyId must be specified."); } - SymmetricKey sessionKey = crypto.generateSessionKey(); + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); Key data = retrieveKey(keyId, transWrappedSessionKey); if (data.getEncryptedData()!= null) data.setData(crypto.unwrapWithSessionKey(data.getEncryptedData(), sessionKey, - KeyRequestResource.DES3_ALGORITHM, data.getNonceData())); + encryptAlgorithm, data.getNonceData())); return data; } @@ -378,17 +419,18 @@ public class KeyClient extends Client { if (requestId == null) { throw new IllegalArgumentException("RequestId must be specified."); } - SymmetricKey sessionKey = crypto.generateSessionKey(); + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); KeyRecoveryRequest recoveryRequest = new KeyRecoveryRequest(); recoveryRequest.setRequestId(requestId); recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); + recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); Key data = retrieveKeyData(recoveryRequest); if (data.getEncryptedData() != null) data.setData(crypto.unwrapWithSessionKey(data.getEncryptedData(), sessionKey, - KeyRequestResource.DES3_ALGORITHM, data.getNonceData())); + encryptAlgorithm, data.getNonceData())); return data; } @@ -423,6 +465,7 @@ public class KeyClient extends Client { KeyRecoveryRequest recoveryRequest = new KeyRecoveryRequest(); recoveryRequest.setKeyId(keyId); recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); + recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID()); return retrieveKeyData(recoveryRequest); } @@ -453,11 +496,11 @@ public class KeyClient extends Client { if (passphrase == null) { throw new IllegalArgumentException("Passphrase must be specified."); } - SymmetricKey sessionKey = crypto.generateSessionKey(); - byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert); - byte[] nonceData = CryptoUtil.getNonceData(8); + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); + byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); + byte[] nonceData = CryptoUtil.getNonceData(encryptAlgorithm.getIVLength()); byte[] sessionWrappedPassphrase = crypto.wrapWithSessionKey(passphrase, nonceData, sessionKey, - KeyRequestResource.DES3_ALGORITHM); + encryptAlgorithm); return retrieveKeyUsingWrappedPassphrase(keyId, transWrappedSessionKey, sessionWrappedPassphrase, nonceData); } @@ -470,17 +513,18 @@ public class KeyClient extends Client { throw new IllegalArgumentException("Passphrase must be specified."); } - SymmetricKey sessionKey = crypto.generateSessionKey(); - byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert); - byte[] nonceData = CryptoUtil.getNonceData(8); + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); + byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); + byte[] nonceData = CryptoUtil.getNonceData(encryptAlgorithm.getIVLength()); byte[] sessionWrappedPassphrase = crypto.wrapWithSessionKey(passphrase, nonceData, sessionKey, - KeyRequestResource.DES3_ALGORITHM); + encryptAlgorithm); KeyRecoveryRequest data = new KeyRecoveryRequest(); data.setRequestId(requestId); data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); data.setSessionWrappedPassphrase(Utils.base64encode(sessionWrappedPassphrase)); data.setNonceData(Utils.base64encode(nonceData)); + data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); return retrieveKeyData(data); } @@ -528,6 +572,7 @@ public class KeyClient extends Client { KeyRecoveryRequest data = new KeyRecoveryRequest(); data.setKeyId(keyId); data.setRequestId(requestId); + data.setPayloadEncryptionOID(getEncryptAlgorithmOID()); if (transWrappedSessionKey != null) { data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey)); @@ -589,18 +634,34 @@ public class KeyClient extends Client { */ public KeyRequestResponse archivePassphrase(String clientKeyId, String passphrase, String realm) throws Exception { - // Default algorithm OID for DES_EDE3_CBC - String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString(); - byte[] nonceData = CryptoUtil.getNonceData(8); - SymmetricKey sessionKey = crypto.generateSessionKey(); - byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert); - byte[] encryptedData = crypto.wrapWithSessionKey(passphrase, nonceData, - sessionKey, KeyRequestResource.DES3_ALGORITHM); + String algorithmOID = getEncryptAlgorithmOID(); + + byte[] nonceData = CryptoUtil.getNonceData(encryptAlgorithm.getIVLength()); + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); + byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); + + byte[] encryptedData = crypto.wrapWithSessionKey( + passphrase, + nonceData, + sessionKey, + encryptAlgorithm); return archiveEncryptedData(clientKeyId, KeyRequestResource.PASS_PHRASE_TYPE, null, 0, algorithmOID, nonceData, encryptedData, transWrappedSessionKey, realm); } + private String getEncryptAlgorithmOID() throws NoSuchAlgorithmException { + String algorithmOID; + if (encryptAlgorithm.getAlg().toString().equalsIgnoreCase("AES")) { + // TODO(alee) - horrible hack until we figure out how to do GCM right + // We assume the client will have AES 128 CBC with padding + algorithmOID = EncryptionAlgorithm.AES_128_CBC.toOID().toString(); + } else { + algorithmOID = encryptAlgorithm.toOID().toString(); + } + return algorithmOID; + } + /* Old signature for backwards compatibility */ @Deprecated public KeyRequestResponse archivePassphrase(String clientKeyId, String passphrase) throws Exception { @@ -626,12 +687,16 @@ public class KeyClient extends Client { public KeyRequestResponse archiveSymmetricKey(String clientKeyId, SymmetricKey secret, String keyAlgorithm, int keySize, String realm) throws Exception { - // Default algorithm OID for DES_EDE3_CBC - String algorithmOID = EncryptionAlgorithm.DES3_CBC.toOID().toString(); - SymmetricKey sessionKey = crypto.generateSessionKey(); - byte[] nonceData = CryptoUtil.getNonceData(8); - byte[] encryptedData = crypto.wrapWithSessionKey(secret, sessionKey, nonceData); - byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, this.transportCert); + String algorithmOID = getEncryptAlgorithmOID(); + + byte[] nonceData = null; + if (wrapIVLength > 0) { + nonceData = CryptoUtil.getNonceData(wrapIVLength); + } + + SymmetricKey sessionKey = crypto.generateSessionKey(encryptAlgorithm); + byte[] encryptedData = crypto.wrapWithSessionKey(secret, sessionKey, nonceData, wrapAlgorithm); + byte[] transWrappedSessionKey = crypto.wrapSessionKeyWithTransportCert(sessionKey, transportCert); return archiveEncryptedData(clientKeyId, KeyRequestResource.SYMMETRIC_KEY_TYPE, keyAlgorithm, keySize, algorithmOID, nonceData, encryptedData, transWrappedSessionKey, realm); diff --git a/base/common/src/com/netscape/certsrv/security/WrappingParams.java b/base/common/src/com/netscape/certsrv/security/WrappingParams.java index 5d8dc3a6e..e1bc83500 100644 --- a/base/common/src/com/netscape/certsrv/security/WrappingParams.java +++ b/base/common/src/com/netscape/certsrv/security/WrappingParams.java @@ -59,6 +59,11 @@ public class WrappingParams { switch (encrypt.getAlg().toString()) { case "AES": + // TODO(alee) - Terrible hack till we figure out why GCM is not working + // or a way to detect the padding. + // We are going to assume AES-128-PAD + encrypt = EncryptionAlgorithm.AES_128_CBC_PAD; + this.skType = SymmetricKey.AES; this.skKeyGenAlgorithm = KeyGenAlgorithm.AES; if (wrap == null) this.payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD; diff --git a/base/common/src/com/netscape/certsrv/util/CryptoProvider.java b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java index d0c753ae0..0ec520580 100644 --- a/base/common/src/com/netscape/certsrv/util/CryptoProvider.java +++ b/base/common/src/com/netscape/certsrv/util/CryptoProvider.java @@ -1,5 +1,7 @@ package com.netscape.certsrv.util; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.SymmetricKey; /** @@ -17,17 +19,28 @@ public abstract class CryptoProvider { public abstract SymmetricKey generateSessionKey() throws Exception; + public abstract SymmetricKey generateSessionKey(EncryptionAlgorithm algorithm) throws Exception; + public abstract byte[] wrapSessionKeyWithTransportCert(SymmetricKey sessionKey, String transportCert) throws Exception; public abstract byte[] wrapWithSessionKey(String passphrase, byte[] iv, SymmetricKey key, String keyAlgorithm) throws Exception; + public abstract byte[] wrapWithSessionKey(String passphrase, byte[] iv, SymmetricKey key, EncryptionAlgorithm keyAlgorithm) + throws Exception; + public abstract byte[] wrapWithSessionKey(SymmetricKey secret, SymmetricKey sessionKey, byte[] iv) throws Exception; + public abstract byte[] wrapWithSessionKey(SymmetricKey secret, SymmetricKey sessionKey, byte[] iv, + KeyWrapAlgorithm wrapAlg) throws Exception; + public abstract byte[] unwrapWithSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, String keyAlgorithm, byte[] nonceData) throws Exception; + public abstract byte[] unwrapWithSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, + EncryptionAlgorithm keyAlgorithm, byte[] nonceData) throws Exception; + public abstract byte[] unwrapWithPassphrase(byte[] wrappedRecoveredKey, String recoveryPassphrase) throws Exception; diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java index a2d204347..423ad68e6 100644 --- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java +++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java @@ -108,7 +108,14 @@ public class NSSCryptoProvider extends CryptoProvider { @Override public SymmetricKey generateSessionKey() throws Exception { - return generateSymmetricKey(KeyRequestResource.DES3_ALGORITHM, 168); + return generateSymmetricKey(KeyRequestResource.AES_ALGORITHM, 128); + } + + @Override + public SymmetricKey generateSessionKey(EncryptionAlgorithm algorithm) throws Exception { + return generateSymmetricKey( + algorithm.getAlg().toString(), + algorithm.getKeyStrength()); } @Override @@ -122,22 +129,37 @@ public class NSSCryptoProvider extends CryptoProvider { @Override public byte[] wrapWithSessionKey(String passphrase, byte[] iv, SymmetricKey key, String encryptionAlgorithm) throws Exception { + return wrapWithSessionKey(passphrase, iv, key, getEncryptionAlgorithm(encryptionAlgorithm)); + } + + @Override + public byte[] wrapWithSessionKey(String passphrase, byte[] iv, SymmetricKey key, EncryptionAlgorithm encryptionAlgorithm) + throws Exception { if (token == null) { throw new NotInitializedException(); } - return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, - getEncryptionAlgorithm(encryptionAlgorithm)); + return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm); } @Override public byte[] unwrapWithSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, String encryptionAlgorithm, byte[] nonceData) throws Exception { + return unwrapWithSessionKey(wrappedRecoveredKey, recoveryKey, + getEncryptionAlgorithm(encryptionAlgorithm), nonceData); + } + + @Override + public byte[] unwrapWithSessionKey(byte[] wrappedRecoveredKey, SymmetricKey recoveryKey, + EncryptionAlgorithm encryptionAlgorithm, byte[] nonceData) throws Exception { if (token == null) { throw new NotInitializedException(); } - return CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(nonceData), wrappedRecoveredKey, - recoveryKey, - getEncryptionAlgorithm(encryptionAlgorithm)); + IVParameterSpec ivps = null; + if (nonceData != null) { + ivps = new IVParameterSpec(nonceData); + } + return CryptoUtil.decryptUsingSymmetricKey(token, ivps, wrappedRecoveredKey, + recoveryKey, encryptionAlgorithm); } @Override @@ -217,8 +239,22 @@ public class NSSCryptoProvider extends CryptoProvider { token, sessionKey, secret, - new IVParameterSpec(iv), - KeyWrapAlgorithm.DES3_CBC_PAD); + null, + KeyWrapAlgorithm.AES_KEY_WRAP_PAD); } + @Override + public byte[] wrapWithSessionKey(SymmetricKey secret, SymmetricKey sessionKey, byte[] iv, KeyWrapAlgorithm wrapAlg) + throws Exception { + IVParameterSpec ivps = null; + if (iv != null) { + ivps = new IVParameterSpec(iv); + } + return CryptoUtil.wrapUsingSymmetricKey( + token, + sessionKey, + secret, + ivps, + wrapAlg); + } } diff --git a/base/common/src/org/dogtagpki/common/Version.java b/base/common/src/org/dogtagpki/common/Version.java new file mode 100644 index 000000000..4f87e07ec --- /dev/null +++ b/base/common/src/org/dogtagpki/common/Version.java @@ -0,0 +1,85 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package org.dogtagpki.common; + +public class Version { + + private int major; + private int minor; + private int micro; + + public Version(String version) { + String[] parts = version.split("[.]"); + major = Integer.valueOf(parts[0]); + + if (parts.length > 1) { + minor = Integer.valueOf(parts[1]); + } + if (parts.length > 2) { + micro = Integer.valueOf(parts[2]); + } + } + + public int getMajor() { + return major; + } + + public void setMajor(int major) { + this.major = major; + } + + public int getMinor() { + return minor; + } + + public void setMinor(int minor) { + this.minor = minor; + } + + public int getMicro() { + return micro; + } + + public void setMicro(int micro) { + this.micro = micro; + } + + public static void main(String args[]) throws Exception { + Version version = new Version("10.4.0"); + if (version.getMajor() != 10) System.out.println("Error in getting major"); + if (version.getMinor() != 4) System.out.println("Error in getting minor"); + if (version.getMicro() != 0) System.out.println("Error in getting micro"); + + version = new Version("9.1"); + if (version.getMajor() != 9) System.out.println("Error in getting major"); + if (version.getMinor() != 1) System.out.println("Error in getting minor"); + if (version.getMicro() != 0) System.out.println("Error in getting micro"); + + version = new Version("4"); + if (version.getMajor() != 4) System.out.println("Error in getting major"); + if (version.getMinor() != 0) System.out.println("Error in getting minor"); + if (version.getMicro() != 0) System.out.println("Error in getting micro"); + + version = new Version("8.53.2.6"); + if (version.getMajor() != 8) System.out.println("Error in getting major"); + if (version.getMinor() != 53) System.out.println("Error in getting minor"); + if (version.getMicro() != 2) System.out.println("Error in getting micro"); + } + +} diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 598ed0232..1125ee19f 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -4,19 +4,19 @@ import java.io.ByteArrayOutputStream; import java.math.BigInteger; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; +import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.util.Arrays; import java.util.Hashtable; -import java.util.Random; import javax.crypto.spec.RC2ParameterSpec; import org.dogtagpki.server.kra.rest.KeyRequestService; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.asn1.OCTET_STRING; import org.mozilla.jss.crypto.CryptoToken; import org.mozilla.jss.crypto.EncryptionAlgorithm; import org.mozilla.jss.crypto.IVParameterSpec; -import org.mozilla.jss.crypto.KeyGenAlgorithm; import org.mozilla.jss.crypto.KeyGenerator; import org.mozilla.jss.crypto.KeyWrapAlgorithm; import org.mozilla.jss.crypto.PBEAlgorithm; @@ -416,7 +416,12 @@ public class SecurityDataProcessor { String payloadWrapName = (String) params.get(IRequest.SECURITY_DATA_PL_WRAPPING_NAME); String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm(); - byte[] iv = generate_iv(); + byte[] iv = null; + try { + iv = generate_iv(payloadEncryptOID, transportUnit.getOldWrappingParams()); + } catch (Exception e1) { + throw new EBaseException("Failed to generate IV when wrapping secret", e1); + } String ivStr = Utils.base64encode(iv); WrappingParams wrapParams = null; @@ -610,20 +615,17 @@ public class SecurityDataProcessor { return false; //return true ? TODO } - private byte[] generate_iv() { - //TODO(alee) Fix this -- this will only work for DES3. Needs to be based on algorithm. - // Is there a function in JSS for this? Also note that the iv generated here is actually - // used for both encryption and wrapping algorithms above. - byte[] iv = new byte[8]; - byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - - try { - Random rnd = new Random(); - rnd.nextBytes(iv); - } catch (Exception e) { - iv = iv_default; + private byte[] generate_iv(String oid, WrappingParams old) throws Exception { + int numBytes = 0; + if (oid != null) { + numBytes = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)).getIVLength(); + } else { + // old client (OID not provided) + numBytes = old.getPayloadEncryptionAlgorithm().getIVLength(); } - return iv; + + SecureRandom rnd = new SecureRandom(); + return rnd.generateSeed(numBytes); } public SymmetricKey recoverSymKey(KeyRecord keyRecord) diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java index b83ab1afd..b2008f262 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java @@ -279,6 +279,10 @@ public class KeyRequestDAO extends CMSRequestDAO { request.setExtData(IRequest.ATTR_REQUEST_OWNER, requestor); request.setExtData(IRequest.ATTR_APPROVE_AGENTS, requestor); + String encryptOID = data.getPaylodEncryptionOID(); + if (encryptOID != null) + request.setExtData(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); + return request; } @@ -289,6 +293,7 @@ public class KeyRequestDAO extends CMSRequestDAO { String wrappedSessionKeyStr = data.getTransWrappedSessionKey(); String wrappedPassPhraseStr = data.getSessionWrappedPassphrase(); String nonceDataStr = data.getNonceData(); + String encryptOID = data.getPaylodEncryptionOID(); if (wrappedPassPhraseStr != null) { requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr); @@ -301,6 +306,10 @@ public class KeyRequestDAO extends CMSRequestDAO { if (nonceDataStr != null) { requestParams.put(IRequest.SECURITY_DATA_IV_STRING_IN, nonceDataStr); } + + if (encryptOID != null) { + requestParams.put(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID); + } } public Hashtable<String, Object> getTransientData(IRequest request) throws EBaseException { diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index c436b4d02..593d93f46 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -1938,6 +1938,8 @@ public class CryptoUtil { EncryptedContentInfo cInfo = null; //We have to do this to get the decoding to work. + // TODO (alee) - this needs to work with AES keys. It does not appear to be used though in the current KeyClient + // We may end up simply removing this. @SuppressWarnings("unused") PBEAlgorithm pbeAlg = PBEAlgorithm.PBE_SHA1_DES3_CBC; |