Encryption madness. Part IV

Interestingly, the dm_crypto_create utility is able to create AES128, AES192 and AES256 encryption keys; note the -algorithm argument:

[dmadmin@docu72dev01 ~]$ dm_crypto_create --help
Option --help has no meaning !!
Usage: dm_crypto_db_create [-lockbox <lockbox>] [-lockboxpassphrase [lockboxpassphrase]] 
                           [-keyname <keyname>] [-location <location>] 
                           [-passphrase [passphrase]] [-noprompt] [-move] 
                           [-check] [-algorithm] [-help] 

  -lockbox  - Optional lockbox to store administration key.
  -lockboxpassphrase  - Passphrase for the lockbox.
               Should be specified for a new lockbox.
  -keyname  - Optional name of the administration key to be stored in lockbox.
  -location  - Optional location of the administration key file.
  -passphrase  - Optional passphrase to protect the administration key.
               If not specified a default passphrase will be used.
  -move     - Optional argument to move existing key into lockbox.

  -check     - Optional argument to check for an existing administration key at
               the specified location.

  -algorithm   - Optional argument to specify the algorithm used for generating key.
                Valid values are AES_128_CBC, AES_192_CBC and AES_256_CBC. 
  -noprompt  - Optional flag to not prompt for default passphrase confirmation.
  -help      - Print this help/usage information.

** If -location is not specified, environment variable 
   DM_CRYPTO_FILE or DOCUMENTUM will be used to determine the location.
** -passphrase and -noprompt options are exclusive.

** It is suggested that you specify a passphrase **

but DFC recognises AES128 keys only. AES256 fails with a “PBKDF2WithHmacSHA256 SecretKeyFactory not available” error (this factory is available in Java 8 and later only):

 ~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_256_CBC

** Will use default passphrase **



Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_256_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin): 
Please enter password for dmadmin: 


        EMC Documentum iapi - Interactive API interface
        (c) Copyright EMC Corp., 1992 - 2015
        All rights reserved.
        Client Library Release 7.2.0030.0072


Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746a started for user dmadmin."


Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unexpected problem with key generation: PBKDF2WithHmacSHA256 SecretKeyFactory not available


API> 

AES192 fails with an “Unsupported algorithm ID: 4” error:

 ~]$ dm_crypto_create -location /tmp/aek.key -noprompt -algorithm AES_192_CBC

** Will use default passphrase **



Please wait. This will take a few seconds ...
** Successfully created key store /tmp/aek.key using algorithm AES_192_CBC
[dmadmin@docu72dev01 ~]$ iapi DCTM_DEV
Please enter a user (dmadmin): 
Please enter password for dmadmin: 


        EMC Documentum iapi - Interactive API interface
        (c) Copyright EMC Corp., 1992 - 2015
        All rights reserved.
        Client Library Release 7.2.0030.0072


Connecting to Server using docbase DCTM_DEV
[DM_SESSION_I_SESSION_START]info:  "Session 01024be98000746d started for user dmadmin."


Connected to Documentum Server running Release 7.2.0030.0195  Linux64.Oracle
Session id is s0
API> initcrypto,c,/tmp/aek.key
...
Unsupported algorithm ID: 4


API> 

I have checked DFC and found out that EMC made a mess not only of the encryption algorithm names on the CS side; their understanding of cryptography on the Java side is also extremely poor.
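The two failures above come from the JRE the DFC client runs on, not from the key file itself: the AES256 path asks for a PBKDF2WithHmacSHA256 SecretKeyFactory that a Java 7 JRE does not ship. The following is an added example, not DFC or dm_crypto_create code, that probes a JRE the way a practitioner would before rolling out a non-default AEK: it reports which PBKDF2 variants the JRE exposes, checks the JCE policy cap on AES key length (a second, independent reason an AES256 key can fail on older JREs), and derives a raw AES key of each size with whichever KDF is present. The passphrase, salt and iteration count are constructed sample values; Documentum's own parameters are not given in this post and are not assumed here.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class AekKeyProbe {

    // PBKDF2 variants a JRE may expose as SecretKeyFactory algorithms.
    // PBKDF2WithHmacSHA1 ships with Java 6 and later; PBKDF2WithHmacSHA256 with Java 8 and later.
    static final String[] KDFS = {"PBKDF2WithHmacSHA1", "PBKDF2WithHmacSHA256"};

    // AES key sizes matching the three dm_crypto_create -algorithm values.
    static final int[] KEY_BITS = {128, 192, 256};

    // Constructed sample inputs for this demonstration only (not Documentum's values).
    static final char[] SAMPLE_PASSPHRASE = "sample-passphrase".toCharArray();
    static final byte[] SAMPLE_SALT = "constructed-salt".getBytes(StandardCharsets.US_ASCII);
    static final int SAMPLE_ITERATIONS = 10000;

    /** True if this JRE can instantiate the named SecretKeyFactory. */
    static boolean kdfAvailable(String kdf) {
        try {
            SecretKeyFactory.getInstance(kdf);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Derives a raw AES key of keyBits bits with the given PBKDF2 variant. */
    static SecretKey deriveAesKey(String kdf, char[] passphrase, byte[] salt,
                                  int iterations, int keyBits) throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(kdf);
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, keyBits);
        try {
            byte[] raw = factory.generateSecret(spec).getEncoded();
            return new SecretKeySpec(raw, "AES");
        } finally {
            spec.clearPassword(); // do not keep the passphrase on the heap longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version: " + System.getProperty("java.version"));

        // 1. Which KDFs does this JRE offer? On Java 7 the SHA256 variant is reported missing,
        //    which is exactly the condition behind the initcrypto failure for AES_256_CBC.
        for (String kdf : KDFS) {
            System.out.printf("%-24s %s%n", kdf, kdfAvailable(kdf) ? "available" : "NOT available");
        }

        // 2. Independent limit: the JCE jurisdiction policy may cap AES at 128 bits on
        //    older JREs without the unlimited-strength policy files.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length allowed by policy: " + maxAes);

        // 3. Derive each key size with every KDF that is actually present.
        for (int bits : KEY_BITS) {
            if (bits > maxAes) {
                System.out.printf("AES-%d: blocked by JCE policy%n", bits);
                continue;
            }
            for (String kdf : KDFS) {
                if (!kdfAvailable(kdf)) {
                    continue;
                }
                SecretKey key = deriveAesKey(kdf, SAMPLE_PASSPHRASE, SAMPLE_SALT,
                                             SAMPLE_ITERATIONS, bits);
                System.out.printf("AES-%d via %s: %d-byte key%n",
                                  bits, kdf, key.getEncoded().length);
            }
        }
    }
}
```

Run it with the same JRE that the DFC-based client (iapi here) uses, not the one dm_crypto_create happens to pick up; the key store can be created successfully on one JRE and be unreadable on another, as the sessions above show.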
