Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection #258

Merged
merged 3 commits into from Sep 19, 2019
Merged

CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection #258

merged 3 commits into from Sep 19, 2019

Conversation

frasertweedale
Copy link
Contributor

Commit dbd2d9b contained the edit:

-        if (oid.equals(KW_DES_CBC_PAD))
+        if (oid.equals(KeyWrapAlgorithm.DES_CBC_PAD_OID))

KW_DES_CBC_PAD was 1.2.840.113549.3.7 (DES-EDE3-CBC; this definition was
removed in the same commit). But KeyWrapAlgorithm.DES_CBC_PAD_OID is
1.3.14.3.2.7. This is a behaviour change that breaks KRA archival
(possibly recovery too).

Test equality to KeyWrapAlgorithm.DES3_CBC_PAD_OID to restore the correct
behaviour. Also fix a similar error in WrappingParams.java.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1709585

@frasertweedale
SecurityDataProcess.archive: log decryption failure
815c257
@frasertweedale
CryptoUtil: include OID in NoSuchAlgorithmException
c626fa2
@frasertweedale
CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection
f37011e 
Commit dbd2d9b contained the edit:

-        if (oid.equals(KW_DES_CBC_PAD))
+        if (oid.equals(KeyWrapAlgorithm.DES_CBC_PAD_OID))

KW_DES_CBC_PAD was 1.2.840.113549.3.7 (DES-EDE3-CBC; this definition
was removed in the same commit). But
KeyWrapAlgorithm.DES_CBC_PAD_OID is 1.3.14.3.2.7.  This is a
behaviour change that breaks KRA archival (possibly recovery too).

Test equality to KeyWrapAlgorithm.DES3_CBC_PAD_OID to restore the
correct behaviour.  Also fix a similar error in WrappingParams.java.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1709585
ladycfu
ladycfu approved these changes Sep 19, 2019
View reviewed changes
Copy link
Contributor

@ladycfu ladycfu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice catch, Fraser! I would never have guessed that what seemed like a straightforward replacement back then should have deserved a bit more attention. Thanks!

@frasertweedale frasertweedale mentioned this pull request Sep 19, 2019
Merged
@frasertweedale
Copy link
Contributor Author

Thanks! Merging.

@frasertweedale frasertweedale merged commit 4d9b4f2 into dogtagpki:DOGTAG_10_5_BRANCH Sep 19, 2019
@frasertweedale frasertweedale deleted the log/archivekey-symkey-decrypt-fail-10.5 branch September 19, 2019 23:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ladycfu ladycfu ladycfu approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@frasertweedale @ladycfu