Fix ca-authority-key-export server side code to support both AES and 3DES

[pki-bot]

This issue was migrated from Pagure Issue #2777. Originally filed by mharmsen (@mharmsen) on 2017-07-05 18:50:03:

• Assigned to ftweedal (@frasertweedale)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1448235

---

The ca-authority-key-export command outputs a PKIArchiveOptions object wrapped to the main CA public key (a hybrid encryption where a symmetric key is wrapped to the public key, and the private key to be exported is enciphered with a symmetric algorithm). The symmetric algorithm used must continue to be 3DES as it cannot be changed to AES at this time.

The corresponding decryption code in KeyRetrieverRunner must continue to support decrypting 3DES-enciphered keys.

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-07-05 18:50:50

Metadata Update from @mharmsen:

• Custom field component adjusted to General
• Custom field feature adjusted to ''
• Custom field origin adjusted to Community
• Custom field proposedmilestone adjusted to ''
• Custom field proposedpriority adjusted to ''
• Custom field reviewer adjusted to ''
• Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1448235
• Custom field type adjusted to defect
• Custom field version adjusted to ''
• Issue priority set to: critical
• Issue set to the milestone: 10.4

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-08-03 19:31:41

Metadata Update from @mharmsen:

• Issue assigned to frasertweedale
• Issue set to the milestone: 10.5 (was: 10.4)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-09-25 16:59:16

Metadata Update from @mharmsen:

• Issue priority set to: major (was: critical)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-25 12:30:39

[20171025] - Offline Triage ==> 10.6

[pki-bot]

Comment from mharmsen (@mharmsen) at 2017-10-25 12:30:40

Metadata Update from @mharmsen:

• Issue set to the milestone: 10.6 (was: 10.5)

[pki-bot]

Comment from mharmsen (@mharmsen) at 2018-04-18 21:09:19

Per 10.5.x/10.6 Triage: FUTURE

frasertweedale: precursor to using AES encryption in LWCA key replication

[pki-bot]

Comment from mharmsen (@mharmsen) at 2018-04-18 21:12:38

Metadata Update from @mharmsen:

• Issue set to the milestone: FUTURE (was: 10.6)

[pki-bot]

Comment from ftweedal (@frasertweedale) at 2019-08-21 11:22:23

Fixed:

commit e3afcfd9fa240b52a53310bd72b0e8a6bd30fc14
Author: Fraser Tweedale <frasertweedale@redhat.com>
Date:   Wed Jul 24 12:33:46 2019 +1000

    ca-authority-key-export: support AES

    Add support for exporting wrapped private keys using AES128-CBC as
    the symmetric algorithm.

    Fixes: https://pagure.io/dogtagpki/issue/2666

commit 477c4f06fa1041557161241f8aedf36432f02b5e
Author: Fraser Tweedale <frasertweedale@redhat.com>
Date:   Wed Jul 24 11:36:01 2019 +1000

    ca-authority-key-export: use random IV

    Part of: https://pagure.io/dogtagpki/issue/2666

commit a47581fe0884074a2ada28366fc4a44d40f443ab
Author: Fraser Tweedale <frasertweedale@redhat.com>
Date:   Wed Jul 24 11:26:21 2019 +1000

    ca-authority-key-export: add --algorithm option

    We need to support AES key export, but also require backwards
    compatibility with existing servers that can only import
    DES-EDE3-CBC.  So as a first step, teach the ca-authority-key-export
    command the --algorithm option, which defaults to 1.2.840.113549.3.7
    (DES-EDE3-CBC).  AES support will be added in a subsequent commit.

    Part of: https://pagure.io/dogtagpki/issue/2666

commit e433237aa40075e4c17a1c83c4ef924887f38d16
Author: Fraser Tweedale <frasertweedale@redhat.com>
Date:   Wed Jul 24 10:48:23 2019 +1000

    importPKIArchiveOptions: support AES

    CryptoUtil.importPKIArchiveOptions() is used for Lightweight CA
    (LWCA) key import.  Update it to support AES-encrypted keys.  DES
    import remains supported for backwards compatibility.

    Fixes: https://pagure.io/dogtagpki/issue/2777