KRA PKCS #12 export: add config to use 3DES PBE encryption

Restore the 3DES PKCS #12 key recovery code path, alongside the new AES variant, which is broken on Thales nethsm. Add the 'kra.legacyPKCS12' config for selecting which version to use, with the default value of 'true' (i.e., use 3DES). Part of: https://pagure.io/dogtagpki/issue/2728 Change-Id: Ic02fe8ba3a4c2c049913ff48d3f6dfdc830b4360
dogtagpki · Jun 9, 2017 · 5356448 · 5356448
1 parent 9edd684
commit 5356448
Showing 1 changed file with 32 additions and 11 deletions.
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -487,19 +487,40 @@ public void createPFX(IRequest request, Hashtable<String, Object> params,
             PasswordConverter passConverter = new
                     PasswordConverter();
 
-            byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
-                /* NSS has a bug that causes any AES CBC encryption
-                 * to use AES-256, but AlgorithmID contains chosen
-                 * alg.  To avoid mismatch, use AES_256_CBC. */
-                passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
-            CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
-            if (epkiBytes == null) {
-                CMS.debug("RecoverService: createPFX() epkiBytes null");
-                throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
+            boolean legacyP12 =
+                CMS.getConfigStore().getBoolean("kra.legacyPKCS12", true);
+
+            ASN1Value key;
+            if (legacyP12) {
+                Random ran = new SecureRandom();
+                byte[] salt = new byte[20];
+                ran.nextBytes(salt);
+
+                key = EncryptedPrivateKeyInfo.createPBE(
+                        PBEAlgorithm.PBE_SHA1_DES3_CBC,
+                        pass, salt, 1, passConverter, priKey, ct);
+                CMS.debug("RecoverService: createPFX() EncryptedPrivateKeyInfo.createPBE() returned");
+                if (key == null) {
+                    CMS.debug("RecoverService: createPFX() key null");
+                    throw new EBaseException("EncryptedPrivateKeyInfo.createPBE() failed");
+                } else {
+                    CMS.debug("RecoverService: createPFX() key not null");
+                }
             } else {
-                CMS.debug("RecoverService: createPFX() epkiBytes not null");
+                byte[] epkiBytes = ct.getCryptoStore().getEncryptedPrivateKeyInfo(
+                    /* NSS has a bug that causes any AES CBC encryption
+                     * to use AES-256, but AlgorithmID contains chosen
+                     * alg.  To avoid mismatch, use AES_256_CBC. */
+                    passConverter, pass, EncryptionAlgorithm.AES_256_CBC, 0, priKey);
+                CMS.debug("RecoverService: createPFX() getEncryptedPrivateKeyInfo() returned");
+                if (epkiBytes == null) {
+                    CMS.debug("RecoverService: createPFX() epkiBytes null");
+                    throw new EBaseException("getEncryptedPrivateKeyInfo returned null");
+                } else {
+                    CMS.debug("RecoverService: createPFX() epkiBytes not null");
+                }
+                key = new ANY(epkiBytes);
             }
-            ASN1Value key = new ANY(epkiBytes);
 
             SET keyAttrs = createBagAttrs(
                     x509cert.getSubjectDN().toString(),