authorAde Lee <alee@redhat.com>2017-03-24 10:27:37 -0400
committerAde Lee <alee@redhat.com>2017-03-24 16:38:43 -0400
commitc063947c5a2e70ef588a796038c6e108ad013876 (patch)
tree81e5d07460c2ff7c7070fbbd3446719888d080d5 /base/server
parent874825f2d8e41b276aa3674d0cff5912dc6a55fa (diff)
Modify storage unit to generate a new IV
Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES.

The getWrappingParams() method is modified to check the config as follows (in order):
-- if the IV is defined, use that IV
-- if the length is defined, generate a byte array of that length
-- otherwise, return null

To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process and passed in to the wrapping functions in storageUnit.

Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
Diffstat (limited to 'base/server')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java2
1 files changed, 2 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
index c471a2869..b1e6cd6da 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
@@ -53,10 +53,12 @@ public class KeyRecordParser {
public final static String OUT_SK_WRAP_ALGORITHM = "sessionKeyWrapAlgorithm";
public final static String OUT_PL_WRAP_ALGORITHM = "payloadWrapAlgorithm";
public final static String OUT_PL_WRAP_IV = "payloadWrapIV";
+ public final static String OUT_PL_WRAP_IV_LEN = "payloadWrapIVLen";
public final static String OUT_PL_ENCRYPTION_ALGORITHM = "payloadEncryptionAlgorithm";
public final static String OUT_PL_ENCRYPTION_MODE = "payloadEncryptionMode";
public final static String OUT_PL_ENCRYPTION_PADDING = "payloadEncryptionPadding";
public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV";
+ public final static String OUT_PL_ENCRYPTION_IV_LEN = "payloadEncryptionIVLen";
public final static String OUT_PL_ENCRYPTION_OID = "payloadEncryptionOID";
/**