Diffstat (limited to 'base/java-tools/src/com')
| -rw-r--r-- | base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 56 |
1 files changed, 40 insertions, 16 deletions
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 670185666..5e53bee67 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -544,27 +544,20 @@ public class CRMFPopClient { String algorithm, KeyPair keyPair, Name subject) throws Exception { + EncryptionAlgorithm encryptAlg = null; + String keyset = System.getenv("KEY_WRAP_PARAMETER_SET"); - byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - IVParameterSpec ivps = new IVParameterSpec(iv); - - AlgorithmIdentifier aid; - if (algorithm.equals("rsa")) { - aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"), new OCTET_STRING(iv)); - - } else if (algorithm.equals("ec")) { - aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); - + if ((keyset != null) && (keyset.equalsIgnoreCase("0"))) { + // talking to an old server? + encryptAlg = EncryptionAlgorithm.DES3_CBC; } else { - throw new Exception("Unknown algorithm: " + algorithm); + encryptAlg = EncryptionAlgorithm.AES_128_CBC; } - WrappingParams params = new WrappingParams( - SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, - KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, - KeyWrapAlgorithm.DES3_CBC_PAD, ivps, ivps); + byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength()); + AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv); + WrappingParams params = getWrappingParams(encryptAlg, iv); - // TODO(alee) check the cast on the third argument PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( token, transportCert.getPublicKey(), 
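Review bot: The legacy branch picks 3DES purely from the `KEY_WRAP_PARAMETER_SET` environment variable and does so silently, so a stale or inherited environment weakens the archival wrapping with no trace in the tool's output. I would print a notice when that branch is taken and document the variable where it is read, e.g. `// KEY_WRAP_PARAMETER_SET=0 selects 3DES for old servers; any other value, or unset, selects AES-128`. The test can also be written `if ("0".equals(keyset)) {`, which is null-safe and drops the case-insensitive compare on a digit. The enclosing method begins and ends outside this hunk.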
@@ -583,6 +576,37 @@ public class CRMFPopClient { return new CertRequest(new INTEGER(1), certTemplate, seq); } + private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception { + if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) { + return new WrappingParams( + SymmetricKey.AES, KeyGenAlgorithm.AES, 128, + KeyWrapAlgorithm.RSA, encryptAlg, + KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null); + } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) { + return new WrappingParams( + SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168, + KeyWrapAlgorithm.RSA, EncryptionAlgorithm.DES3_CBC_PAD, + KeyWrapAlgorithm.DES3_CBC_PAD, + new IVParameterSpec(wrapIV), new IVParameterSpec(wrapIV)); + } else { + throw new Exception("Invalid encryption algorithm"); + } + } + + private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv) + throws Exception { + AlgorithmIdentifier aid; + if (algorithm.equals("rsa")) { + aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv)); + } else if (algorithm.equals("ec")) { + // TODO(alee) figure out what this should be for ECC + aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv)); + } else { + throw new Exception("Unknown algorithm: " + algorithm); + } + return aid; + } + public OCTET_STRING createIDPOPLinkWitness() throws Exception { String secretValue = "testing"; |
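Review bot: In `getWrappingParams` the AES branch ignores `wrapIV` and passes `null, null` for both IV arguments, while `getAlgorithmId` still encodes the same random `iv` into the AlgorithmIdentifier that accompanies the request. If `CryptoUtil.createPKIArchiveOptions` (not visible here) CBC-encrypts the payload with `encryptAlg`, the IV advertised to the server would not be the one actually used. If it only key-wraps, the advertised IV is unused and the call deserves a comment such as `// AES key wrap takes no IV; iv is carried only in the AlgorithmIdentifier`. The AES branch also passes `encryptAlg` (`AES_128_CBC`) as the payload encryption algorithm, whereas the 3DES branch names the `_PAD` variant explicitly, so it is worth confirming that the unpadded mode is intended. Separately, matching `encryptAlg.getAlg().toString()` against string literals is brittle, and the final `throw new Exception("Invalid encryption algorithm")` should include the rejected algorithm in its message.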
