From 1d7117081ad3b623af3938595436a35873b0bac6 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 16 Jun 2017 14:48:27 -0400
Subject: [PATCH 4/4] Fix 3DES archival
A previous commit mistakenly conflated the wrapping parameters for DES and DES3 cases, resulting in incorrect data being stored if the storage was successful at all. This broke ipa vault and probably also token key archival and recovery. This patch sets the right parameters for the 3DES case again. Part of BZ# 1458043
Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
(cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf)
---
 .../src/netscape/security/util/WrappingParams.java | 23 ++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index cda8870..ded572f 100644
--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -67,6 +67,10 @@ public class WrappingParams {
 // New clients set this correctly.
 // We'll assume the old DES3 wrapping here.
 encrypt = EncryptionAlgorithm.DES_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_DES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.DES3_CBC_PAD;
+ } else if (encryptOID.equals(CryptoUtil.KW_AES_CBC_PAD.toString())) {
+ encrypt = EncryptionAlgorithm.AES_128_CBC_PAD;
 } else {
 encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
 }
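Review bot: The unchanged first branch of this chain still shows the DES/DES3 mix-up that the patch fixes elsewhere: its comment says `We'll assume the old DES3 wrapping here` but the assignment is `encrypt = EncryptionAlgorithm.DES_CBC_PAD;`, so either the comment or the algorithm is wrong, and if old clients really used 3DES the line should read `encrypt = EncryptionAlgorithm.DES3_CBC_PAD;`. The new `KW_DES_CBC_PAD` branch has the reverse naming problem, mapping a DES-named constant to `DES3_CBC_PAD`; if that is intentional, a comment such as `// KW_DES_CBC_PAD identifies 3DES key wrapping despite its name` would keep a later reader from "correcting" it. The `KW_AES_CBC_PAD` branch pins the key size to 128 bits from the OID string alone, which also deserves a one-line comment. The condition that opens this chain lies outside the hunk.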
@@ -135,23 +139,26 @@ public class WrappingParams {
 payloadWrapAlgorithm = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
 payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
 skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.AES_CBC_PAD) {
 skType = SymmetricKey.AES;
 skKeyGenAlgorithm = KeyGenAlgorithm.AES;
 payloadWrapAlgorithm = KeyWrapAlgorithm.AES_CBC_PAD;
 payloadEncryptionAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD;
 skLength = 128;
- }
-
- if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD || kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
+ } else if (kwAlg == KeyWrapAlgorithm.DES3_CBC_PAD) {
+ skType = SymmetricKey.DES3;
+ skKeyGenAlgorithm = KeyGenAlgorithm.DES3;
+ skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
+ } else if (kwAlg == KeyWrapAlgorithm.DES_CBC_PAD) {
 skType = SymmetricKey.DES;
 skKeyGenAlgorithm = KeyGenAlgorithm.DES;
 skWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
 payloadWrapAlgorithm = KeyWrapAlgorithm.DES3_CBC_PAD;
- payloadEncryptionAlgorithm = EncryptionAlgorithm.DES3_CBC_PAD;
- skLength = 0;
+ payloadEncryptionAlgorithm = EncryptionAlgorithm.DES_CBC_PAD;
+ skLength = payloadEncryptionAlgorithm.getKeyStrength();
 }
 if (priKeyAlgo.equals("EC")) {
--
1.8.3.1
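Review bot: The `DES_CBC_PAD` branch is still half 3DES after this change: it generates a single-DES session key (`SymmetricKey.DES`, `KeyGenAlgorithm.DES`) and encrypts with `EncryptionAlgorithm.DES_CBC_PAD`, yet `skWrapAlgorithm` and `payloadWrapAlgorithm` remain `KeyWrapAlgorithm.DES3_CBC_PAD`. If that pairing is required for compatibility with records already archived, it needs a comment saying so; otherwise both should be `KeyWrapAlgorithm.DES_CBC_PAD`. Because single DES offers only a 56-bit key, the branch should also be marked as legacy-only. Now that the blocks form one `else if` chain, a final `else` that rejects an unrecognised `kwAlg` would fail closed instead of archiving with whatever values the fields already hold; the start of the chain and the method signature are outside the hunk, so the right exception type cannot be seen from here.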