From e3afcfd9fa240b52a53310bd72b0e8a6bd30fc14 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 24 Jul 2019 12:33:46 +1000
Subject: [PATCH] ca-authority-key-export: support AES

Add support for exporting wrapped private keys using AES128-CBC as
the symmetric algorithm.

Fixes: https://pagure.io/dogtagpki/issue/2666
---
 .../cmstools/authority/AuthorityKeyExportCLI.java | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
index 85c930ba9eb..54c7e1847b1 100644
--- a/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/authority/AuthorityKeyExportCLI.java
@@ -30,6 +30,8 @@ public class AuthorityKeyExportCLI extends CLI {
 
     private OBJECT_IDENTIFIER DES_EDE3_CBC_OID =
         new OBJECT_IDENTIFIER("1.2.840.113549.3.7");
+    private OBJECT_IDENTIFIER AES_128_CBC_OID =
+        new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2");
 
     public AuthorityKeyExportCLI(AuthorityCLI authorityCLI) {
         super("key-export", "Export wrapped CA signing key", authorityCLI);
@@ -118,6 +120,19 @@ public void execute(String[] args) throws Exception {
             aid = new AlgorithmIdentifier(algOid, new OCTET_STRING(iv));
         }
 
+        else if (algOid.equals(AES_128_CBC_OID)) {
+            EncryptionAlgorithm encAlg = EncryptionAlgorithm.AES_CBC_PAD;
+            byte iv[] = CryptoUtil.getNonceData(encAlg.getIVLength());
+            IVParameterSpec ivps = new IVParameterSpec(iv);
+
+            params = new WrappingParams(
+                SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
+                KeyWrapAlgorithm.RSA, encAlg,
+                KeyWrapAlgorithm.AES_CBC_PAD, ivps, ivps);
+
+            aid = new AlgorithmIdentifier(algOid, new OCTET_STRING(iv));
+        }
+
         else {
             throw new Exception("Unsupported algorithm: " + algOid.toString());
         }