From 82478227debddbe11bd9b9eeb0e1e2f3bd5282fb Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 15 Mar 2017 17:19:01 -0400
Subject: Fix Java client to use AES

* Changed the client to use AES-128-CBC-PAD rather than DES-3. Because AES-256-CBC-PAD has no OID defined, we use the following hack:
  * Pass in the AES-256-CBC OID as the encrypt algorithm OID
  * Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size of 128) when receiving the OID for AES.
* Changed the client to send, and the server to pass through the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately sized IV on retrieval.

This code has been tested to successfully create and retrieve secrets using AES. Ideally, we'd be using GCM rather than CBC, which then requires no padding - and no hack needed. Hopefully, we can get that working in a subsequent commit.

Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
---
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'base/util')

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index c436b4d02..593d93f46 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -1938,6 +1938,8 @@ public class CryptoUtil { EncryptedContentInfo cInfo = null; //We have to do this to get the decoding to work. + // TODO (alee) - this needs to work with AES keys. It does not appear to be used though in the current KeyClient + // We may end up simply removing this. @SuppressWarnings("unused") PBEAlgorithm pbeAlg = PBEAlgorithm.PBE_SHA1_DES3_CBC; -- cgit
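Review bot: the two added comment lines above `PBEAlgorithm pbeAlg = PBEAlgorithm.PBE_SHA1_DES3_CBC;` record an open question ("this needs to work with AES keys", "We may end up simply removing this") instead of resolving it, and they leave a DES3 PBE constant in place in a commit whose stated purpose is to move the client to AES. The existing comment "We have to do this to get the decoding to work" together with `@SuppressWarnings("unused")` says the assignment exists only for a side effect of referencing the PBEAlgorithm class, not for its value, so the reader cannot tell from the diff whether the DES3 constant matters or any constant of that class would do. Either confirm with the AES create/retrieve tests the message describes that the assignment is dead and delete it in this change, or keep it and replace the TODO with the concrete reason the reference is required (which class or registration the decoding depends on) and a tracker reference rather than a personal handle, so the follow-up does not depend on someone remembering the note.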