From d5c331a42955365b76a1549aec047e613d3185dc Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 6 Jun 2017 16:16:40 -0400
Subject: Server side changes to correctly parse the new PKIArchiveOptions The server is modified to read the new OIDs in the PKIArchiveOptions and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
---
 .../src/com/netscape/cmstools/CRMFPopClient.java | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'base/java-tools')
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index b06faa6be..25de2dd60 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -191,7 +191,7 @@ public class CRMFPopClient {
 options.addOption(option);
 option = new Option("w", true, "Algorithm to be used for key wrapping");
- option.setArgName("keySet");
+ option.setArgName("keywrap algorithm");
 options.addOption(option);
 options.addOption("y", false, "for Self-signed cmc.");
@@ -655,13 +655,23 @@ public class CRMFPopClient {
 KeyPair keyPair, Name subject, KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
- byte[] iv = null;
- if (keyWrapAlgorithm.getParameterClasses() != null) {
- iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
- }
+ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
 OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
+ /* TODO(alee)
+ *
+ * HACK HACK!
+ * algorithms like AES KeyWrap do not require an IV, but we need to include one
+ * in the AlgorithmIdentifier above, or the creation and parsing of the
+ * PKIArchiveOptions options will fail. So we include an IV in aid, but null it
+ * later to correctly encrypt the data
+ */
 AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
+
+ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses();
+ if (iv_classes == null || iv_classes.length == 0)
+ iv = null;
+
 WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
 PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
-- cgit
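Review bot: The single variable `iv` now plays two roles in this hunk: it is the placeholder encoded into `aid`, and after the conditional reset it is the value handed to `getWrappingParams`. For algorithms without parameters, the AlgorithmIdentifier in the PKIArchiveOptions therefore carries a random octet string that took no part in the wrapping. Two names would make that explicit and drop the reassignment: `byte[] aidIv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());` followed by `byte[] wrapIv = (ivClasses == null || ivClasses.length == 0) ? null : aidIv;`, with `ivClasses` declared as `Class<?>[]` rather than the raw `Class[]`. Whatever parses this structure has to ignore the encoded parameter for those algorithms; that parser is not in this diff (limited to base/java-tools), so the assumption should be confirmed and stated in the comment. The comment also refers to the "AlgorithmIdentifier above" although `aid` is constructed on the line below it, and the enclosing method starts and ends outside the hunk.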