From 0984d8a114b326a75b2c32cd9da2b7dee23920bb Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 26 May 2017 22:57:07 -0400
Subject: Convert CMC code to use AES

* Switched out CrytoUtil calls that use DES and replaced them
  with AES equivalents.  Removed these now unneeded methods.
* Added 16 byte constant IV for AES operations.  This must be
  replaced by a randomly generated IV.  Added TODOs where IVs
  should be replaced.
* Corrected misspellings of "enreypted" in both request fields
  and variable names
* Removed some code from null checks where the result could
  never be null.  These cases were flagged in eclipse as dead
  code.

Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
---
 .../src/com/netscape/cmstools/CMCRequest.java          | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

(limited to 'base/java-tools/src')

diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index 9c4140304..8d49b209b 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -52,6 +52,9 @@ import org.mozilla.jss.asn1.SET;
 import org.mozilla.jss.asn1.UTF8String;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.DigestAlgorithm;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
 import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.Signature;
@@ -1718,19 +1721,30 @@ public class CMCRequest {
             CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
             SymmetricKey symKey = CryptoUtil.unwrap(
                     token,
+                    SymmetricKey.AES,
+                    128,
                     SymmetricKey.Usage.DECRYPT,
                     privKey,
-                    recipient.getEncryptedKey().toByteArray());
+                    recipient.getEncryptedKey().toByteArray(),
+                    KeyWrapAlgorithm.RSA);
+
             if (symKey == null) {
                 System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). Abort!");
                 System.exit(1);
             }
             System.out.println(method + "symKey unwrapped.");
 
+            // TODO(alee) The code below should be replaced by code that generates a random IV
+            byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
+            IVParameterSpec default_iv = new IVParameterSpec(iv);
+
             byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
                     token,
+                    default_iv,
                     encCI.getEncryptedContent().toByteArray(),
-                    symKey);
+                    symKey,
+                    EncryptionAlgorithm.AES_128_CBC);
+
             if (challenge == null) {
                 System.out
                         .println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!");
-- 
cgit