author | Ade Lee <alee@redhat.com> | 2017-03-24 10:27:37 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-03-24 16:38:43 -0400 |
commit | c063947c5a2e70ef588a796038c6e108ad013876 (patch) | |
tree | 81e5d07460c2ff7c7070fbbd3446719888d080d5 /base/kra/shared | |
parent | 874825f2d8e41b276aa3674d0cff5912dc6a55fa (diff) | |
Modify storage unit to generate a new IV

Currently, the storage unit reuses the same IV each time a record
is stored. This works (probably) for DES3, but not for AES.

The getWrappingParams() method is modified to check the config as follows
(in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- return null

To ensure that the same IV used to encrypt the secret is stored in the
DB, the wrapping param is defined once in the archival process, and
passed in to the wrapping functions in storageUnit.

Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
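
The lookup order described in the commit message, and what a fixed IV does under AES-CBC, as an added example (not part of the commit and not the project's code). The class and the `resolveIv` and `crypt` helpers are hypothetical; the config keys and the fixed IV value are taken from the CS.cfg diff on this page, and the secret is constructed sample data.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class IvSelectionDemo {
    static final String P = "kra.storageUnit.wrapping.1.";
    // Hypothetical stand-in for the order in the commit message: a configured IV
    // wins, then a fresh random IV of the configured length, otherwise null.
    static byte[] resolveIv(Map<String, String> cfg) {
        String iv = cfg.get(P + "payloadEncryptionIV");
        if (iv != null) return Base64.getDecoder().decode(iv);
        String len = cfg.get(P + "payloadEncryptionIVLen");
        if (len == null) return null;
        byte[] fresh = new byte[Integer.parseInt(len)];
        new SecureRandom().nextBytes(fresh);
        return fresh;
    }

    static byte[] crypt(int mode, SecretKey key, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, key, new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] secret = "constructed sample secret".getBytes("UTF-8");
        Map<String, String> before = Map.of(P + "payloadEncryptionIV", "AQEBAQEBAQEBAQEBAQEBAQ==");
        Map<String, String> after = Map.of(P + "payloadEncryptionIVLen", "16");
        // Fixed IV: storing the same secret twice gives byte-identical ciphertext.
        byte[] a1 = crypt(Cipher.ENCRYPT_MODE, key, resolveIv(before), secret);
        byte[] a2 = crypt(Cipher.ENCRYPT_MODE, key, resolveIv(before), secret);
        System.out.println("fixed IV, ciphertexts equal: " + Arrays.equals(a1, a2));
        // Generated IV: resolve once per record and keep it alongside the record.
        byte[] iv1 = resolveIv(after), iv2 = resolveIv(after);
        byte[] b1 = crypt(Cipher.ENCRYPT_MODE, key, iv1, secret);
        byte[] b2 = crypt(Cipher.ENCRYPT_MODE, key, iv2, secret);
        System.out.println("fresh IV, ciphertexts equal: " + Arrays.equals(b1, b2));
        // Decryption must use the stored IV; with any other IV the first block is wrong.
        byte[] ok = crypt(Cipher.DECRYPT_MODE, key, iv1, b1);
        System.out.println("round trip with stored IV: " + Arrays.equals(ok, secret));
    }
}
```

Resolving the IV a second time at wrap time would produce a different value from the one written to the DB, which is why the example resolves it once per record and reuses that array.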
Diffstat (limited to 'base/kra/shared')
-rw-r--r-- | base/kra/shared/conf/CS.cfg | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index a6e915d33..a38a3b174 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg @@ -285,7 +285,7 @@ kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC -kra.storageUnit.wrapping.1.payloadEncryptionIV=AQEBAQEBAQEBAQEBAQEBAQ== +kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16 kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding kra.storageUnit.wrapping.1.sessionKeyType=AES kra.storageUnit.wrapping.choice=1 |
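
Review bot: Swapping `kra.storageUnit.wrapping.1.payloadEncryptionIV` for `kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16` only changes the shared CS.cfg template, and the commit message says a defined IV is checked before the length, so any configuration that still carries the old `payloadEncryptionIV` line would keep encrypting with the fixed IV. Nothing in this diff (limited to base/kra/shared) shows existing configurations being migrated, so consider an upgrade step that removes the old key, or a logged warning when a static IV is configured together with `payloadEncryptionAlgorithm=AES`. The value 16 is also undocumented here: a short comment or doc entry stating that it is the IV length in bytes and has to match the block size of the configured payload cipher would help anyone who later changes `payloadEncryptionAlgorithm` or `payloadEncryptionMode`.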