From e433237aa40075e4c17a1c83c4ef924887f38d16 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 24 Jul 2019 10:48:23 +1000
Subject: [PATCH] importPKIArchiveOptions: support AES
CryptoUtil.importPKIArchiveOptions() is used for Lightweight CA (LWCA) key import. Update it to support AES-encrypted keys. DES import remains supported for backwards compatibility.
Fixes: https://pagure.io/dogtagpki/issue/2777
---
 .../netscape/cmsutil/crypto/CryptoUtil.java | 29 ++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 5a5255a3561..8a17086e71c 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -2435,16 +2435,37 @@ public static PrivateKey importPKIArchiveOptions(
 BIT_STRING encSymKey = encVal.getEncSymmKey();
 BIT_STRING encPrivKey = encVal.getEncValue();
- SymmetricKey sk = unwrap(
- token, SymmetricKey.Type.DES3, 0, SymmetricKey.Usage.UNWRAP,
- unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA);
+ OBJECT_IDENTIFIER oid = algId.getOID();
 ASN1Value v = algId.getParameters();
 v = ((ANY) v).decodeWith(new OCTET_STRING.Template());
 byte iv[] = ((OCTET_STRING) v).toByteArray();
 IVParameterSpec ivps = new IVParameterSpec(iv);
- return unwrap(token, pubkey, false, sk, encPrivKey.getBits(), KeyWrapAlgorithm.DES3_CBC_PAD, ivps);
+ // des-ede3-cbc
+ if (oid.equals(new OBJECT_IDENTIFIER("1.2.840.113549.3.7"))) {
+ SymmetricKey sk = unwrap(
+ token, SymmetricKey.Type.DES3, 0, SymmetricKey.Usage.UNWRAP,
+ unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA);
+ return unwrap(
+ token, pubkey, false, sk, encPrivKey.getBits(),
+ KeyWrapAlgorithm.DES3_CBC_PAD, ivps);
+
+ // aes128-cbc
+ } else if (oid.equals(new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"))) {
+ SymmetricKey sk = unwrap(
+ token, SymmetricKey.Type.AES, 0, SymmetricKey.Usage.UNWRAP,
+ unwrappingKey, encSymKey.getBits(), KeyWrapAlgorithm.RSA);
+ return unwrap(
+ token, pubkey, false, sk, encPrivKey.getBits(),
+ KeyWrapAlgorithm.AES_CBC_PAD, ivps);
+
+ // unsupported algorithm
+ } else {
+ throw new IOException(
+ "PKIArchiveOptions symmetric algorithm " + oid.toString() + " not supported");
+ }
+
 }
 public static boolean sharedSecretExists(String nickname)
 throws NotInitializedException, TokenException {
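Review bot: The AES branch at `} else if (oid.equals(new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2")))` recognises only aes128-CBC, so a PKIArchiveOptions whose key was wrapped under aes192-CBC (2.16.840.1.101.3.4.1.22) or aes256-CBC (2.16.840.1.101.3.4.1.42) falls into the "not supported" IOException even though the same `SymmetricKey.Type.AES` / `KeyWrapAlgorithm.AES_CBC_PAD` unwrap would presumably apply; if the token-side unwrap accepts those key sizes, the condition could read `} else if (oid.equals(AES128_CBC_OID) || oid.equals(AES192_CBC_OID) || oid.equals(AES256_CBC_OID)) {` with the AES OIDs and the des-ede3-cbc OID declared once as `private static final OBJECT_IDENTIFIER` constants instead of being constructed on every call. Separately, `iv` is decoded before the OID is dispatched on and its length is never compared with the selected cipher's block size (8 bytes for DES3, 16 for AES), so a malformed or truncated IV is rejected, if at all, only by the token layer; a check such as `if (iv.length != 16) throw new IOException("bad IV length " + iv.length + " for " + oid);` (8 in the DES3 branch) would fail early with a clear error. The enclosing importPKIArchiveOptions begins before this hunk.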