From 9590944d5726ff32d94c6a2b2909175eae946466 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 28 Apr 2017 17:44:19 -0400
Subject: Fix symkey retrieval using NSS python client
This is tested using Barbican as a client. We are simply reverting to the same behavior we had before for the NSS Crypto provider case.
Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
---
 base/common/python/pki/crypto.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'base/common/python')
diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 7f0384658..edb32c044 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -325,9 +325,17 @@ class NSSCryptoProvider(CryptoProvider):
 :param nonce_iv Nonce data
 :return: Unwrapped data
- Return unwrapped data for data wrapped using AES KeyWrap
+ Return unwrapped data for data that has been keywrapped.
+ For NSS, we only support 3DES - so something that has been
+ keywrapped can be decrypted. This is precisely what we used
+ to do before.
 """
- raise NotImplementedError()
+ return self.symmetric_unwrap(
+ data,
+ wrapping_key,
+ mechanism=nss.CKM_DES3_CBC_PAD,
+ nonce_iv=nonce_iv
+ )
 def get_cert(self, cert_nick):
 """
-- cgit
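Review bot: The new return statement pins `mechanism=nss.CKM_DES3_CBC_PAD`, so every unwrap on the NSS provider is treated as 3DES-CBC no matter how the data was actually wrapped. The method's signature and the start of its docstring are above the hunk; if it accepts a mechanism argument (not visible here), a request for anything other than 3DES should raise an explicit error rather than fall through to a 3DES decryption attempt. CBC-PAD decryption checks only the padding, whereas AES KeyWrap carries an integrity check, so a modified wrapped blob is not reliably rejected by this call. The docstring's "something that has been keywrapped can be decrypted" would be clearer as a statement of that limit, e.g. `NSS provider: 3DES-CBC-PAD only; the unwrap itself gives no integrity guarantee for the wrapped key.`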