CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection #259

frasertweedale
Contributor

Commit dbd2d9b contained the edit:

-        if (oid.equals(KW_DES_CBC_PAD))
+        if (oid.equals(KeyWrapAlgorithm.DES_CBC_PAD_OID))
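Review bot: on the `+` line the comparison target is replaced by a constant with a different value, not just a different name, so the branch no longer matches the OID it matched before. When a local constant is swapped for a library constant, compare the dotted values before substituting, and add a test asserting that this branch is taken for 1.2.840.113549.3.7.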

KW_DES_CBC_PAD was 1.2.840.113549.3.7 (DES-EDE3-CBC; this definition was
removed in the same commit). But KeyWrapAlgorithm.DES_CBC_PAD_OID is
1.3.14.3.2.7. This is a behaviour change that breaks KRA archival
(possibly recovery too).

Test equality to KeyWrapAlgorithm.DES3_CBC_PAD_OID to restore the correct
behaviour. Also fix a similar error in WrappingParams.java.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1709585
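A self-contained check of the mismatch described above, added here as an illustration and not taken from Dogtag or JSS. The class name, the `select` lookup and the algorithm name strings are hypothetical; only the two dotted OID values come from the pull request description. It pins each constant name to its value and prints nothing but "ok" unless a value or mapping has drifted, and it derives the DER content octets of both OIDs so they can be recognised in an encoded request.

```java
import java.io.ByteArrayOutputStream;
import java.util.Map;

public class OidRegressionCheck {
    // Dotted values as stated in the pull request description.
    static final String DES3_CBC_PAD_OID = "1.2.840.113549.3.7"; // DES-EDE3-CBC
    static final String DES_CBC_PAD_OID  = "1.3.14.3.2.7";

    // Hypothetical lookup standing in for the OID-to-algorithm selection.
    static final Map<String, String> BY_OID = Map.of(
        DES3_CBC_PAD_OID, "DES3_CBC_PAD",
        DES_CBC_PAD_OID, "DES_CBC_PAD");

    static String select(String oid) {
        String name = BY_OID.get(oid);
        if (name == null) throw new IllegalArgumentException("unknown key wrap OID " + oid);
        return name;
    }

    // DER content octets of an OBJECT IDENTIFIER (X.690, section 8.19).
    static byte[] derOid(String dotted) {
        String[] arcs = dotted.split("\\.");
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        // The first two arcs share one subidentifier: 40 * arc1 + arc2.
        writeBase128(out, Long.parseLong(arcs[0]) * 40 + Long.parseLong(arcs[1]));
        for (int i = 2; i < arcs.length; i++) writeBase128(out, Long.parseLong(arcs[i]));
        return out.toByteArray();
    }

    // Big-endian base-128; every octet except the last has the high bit set.
    static void writeBase128(ByteArrayOutputStream out, long v) {
        int shift = 0;
        while ((v >>> (shift + 7)) != 0) shift += 7;
        for (; shift >= 0; shift -= 7)
            out.write((int) (((v >>> shift) & 0x7f) | (shift > 0 ? 0x80 : 0)));
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static void check(boolean c) { if (!c) throw new AssertionError(); }

    public static void main(String[] args) {
        check(hex(derOid(DES3_CBC_PAD_OID)).equals("2a864886f70d0307"));
        check(hex(derOid(DES_CBC_PAD_OID)).equals("2b0e030207"));
        check(select("1.2.840.113549.3.7").equals("DES3_CBC_PAD"));
        check(!select("1.2.840.113549.3.7").equals(select("1.3.14.3.2.7")));
        System.out.println("ok");
    }
}
```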

@cipherboy
Member

cipherboy commented Sep 19, 2019

I can confirm that the correct replacement oid for KW_DES_CBC_PAD is KeyWrapAlgorithm.DES3_CBC_PAD_OID; that has the same OID value in JSS.

@frasertweedale
Contributor Author

Based on @ladycfu's ack of #258, will merge this one too.

@frasertweedale frasertweedale merged commit c6b5b05 into dogtagpki:DOGTAG_10_6_BRANCH Sep 19, 2019
@frasertweedale frasertweedale deleted the fix/oid-regression-10.6 branch September 19, 2019 23:37