ca-authority-key-export: support AES

Add support for exporting wrapped private keys using AES128-CBC as the symmetric algorithm. Fixes: https://pagure.io/dogtagpki/issue/2666
dogtagpki · Aug 7, 2019 · e3afcfd · e3afcfd
1 parent 477c4f0
commit e3afcfd
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
@@ -30,6 +30,8 @@ public class AuthorityKeyExportCLI extends CLI {
 
     private OBJECT_IDENTIFIER DES_EDE3_CBC_OID =
         new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+    private OBJECT_IDENTIFIER AES_128_CBC_OID =
+        new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
 
     public AuthorityKeyExportCLI(AuthorityCLI authorityCLI) {
         super("key-export", "Export wrapped CA signing key", authorityCLI);
@@ -118,6 +120,19 @@ public void execute(String[] args) throws Exception {
             aid = new AlgorithmIdentifier(algOid, new OCTET_STRING(iv));
         }
 
+        else if (algOid.equals(AES_128_CBC_OID)) {
+            EncryptionAlgorithm encAlg = EncryptionAlgorithm.AES_CBC_PAD;
+            byte iv[] = CryptoUtil.getNonceData(encAlg.getIVLength());
+            IVParameterSpec ivps = new IVParameterSpec(iv);
+
+            params = new WrappingParams(
+                SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
+                KeyWrapAlgorithm.RSA, encAlg,
+                KeyWrapAlgorithm.AES_CBC_PAD, ivps, ivps);
+
+            aid = new AlgorithmIdentifier(algOid, new OCTET_STRING(iv));
+        }
+
         else {
             throw new Exception("Unsupported algorithm: " + algOid.toString());
         }