From 1d7117081ad3b623af3938595436a35873b0bac6 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 16 Jun 2017 14:48:27 -0400
Subject: [PATCH 4/4] Fix 3DES archival
A previous commit mistakenly conflated the wrapping parameters for
DES and DES3 cases, resulting in incorrect data being stored if the
storage was successful at all. This broke ipa vault and probably
also token key archival and recovery.
This patch sets the right parameters for the 3DES case again.
Part of BZ# 1458043
Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
(cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf)
---
.../src/netscape/security/util/WrappingParams.java | 23 ++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index cda8870..ded572f 100644
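--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -67,6 +67,10 @@ public class WrappingParams {
 // New clients set this correctly.
 // We'll assume the old DES3 wrapping here.
 encrypt = EncryptionAlgorithm.DES_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
 } else {
 encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
 }
@@ -135,23 +139,26 @@ public class WrappingParams {
 payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
 payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
 skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
 skType = SymmetricKey.AES;
 skKeyGenAlgorithm = KeyGenAlgorithm.AES;
 payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
 payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
 skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
+ skType = SymmetricKey.DES3;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
+ } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
 skType = SymmetricKey.DES;
 skKeyGenAlgorithm = KeyGenAlgorithm.DES;
 skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
 payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
- payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
- skLength = 0;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
 }
 
 if (priKeyAlgo.equals("EC")) {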
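Review bot: In the second hunk the `KeyWrapAlgorithm.DES_CBC_PAD` branch still pairs a single-DES session key (`SymmetricKey.DES`, `KeyGenAlgorithm.DES`, `EncryptionAlgorithm.DES_CBC_PAD`) with `KeyWrapAlgorithm.DES3_CBC_PAD` for both `skWrapAlgorithm` and `payloadWrapAlgorithm`, and nothing in the code says whether that mix is deliberate. Since the commit exists because DES and DES3 parameters were conflated once, the branch should carry a comment such as `// DES payload encryption is kept for legacy clients; key wrapping stays DES3_CBC_PAD on purpose`, or be corrected if it is a leftover. The same applies in the first hunk, where the `KW_DES_CBC_PAD` OID resolves to `EncryptionAlgorithm.DES3_CBC_PAD` directly below a context line that assigns `DES_CBC_PAD` under a comment about DES3 wrapping. The new `else if` chain also has no final `else`, so an unrecognised `kwAlg` presumably leaves the session-key fields at their earlier values; the enclosing method starts and ends outside both hunks, so this could not be confirmed here.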
--
1.8.3.1