authorAde Lee <alee@redhat.com>2017-06-16 19:25:05 -0400
committerAde Lee <alee@redhat.com>2017-06-16 19:33:26 -0400
commita91b457abfd61c39e1e4318c2443e38b2dd93c5c (patch)
tree1ffdb8a1fcb7c5d7ee70d044c373e257283e7228 /base
parent80ca2e30cd90023ba39b0c93e10b98029ccdf455 (diff)
Fix token enrollment and recovery ivs
In encryption mode, the archival of the generated key uses the wrapIV, while the recovery uses the encryptIV. To make sure these are consistent, they need to be set to be the same. Bugzilla BZ #1458043 Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
Diffstat (limited to 'base')
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java6
1 files changed, 6 insertions, 0 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 96d7aae43..07333b7f4 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService {
try {
params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+
+ // In encrypt mode, the recovery side is doing a decrypt() using the
+ // encryption IV. To be sure this is successful, we will make sure'
+ // the IVs are the same.
+ params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
+
privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
} catch (Exception e) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
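Review bot: The added `params.setPayloadEncryptionIV(params.getPayloadWrappingIV());` runs on every archival, although the comment above it scopes the problem to encrypt mode; if the wrap path does not need it, guard it with `if (allowEncDecrypt_archival) { ... }` so the wrap parameters stay as `getWrappingParams` returned them. The call also copies whatever `getPayloadWrappingIV()` returns, so if that can be null for the configured algorithm (not visible here), the encryption IV is silently cleared; add a null check or a comment saying why it cannot happen. Since both IVs now hold one value, the comment should also state that only one of wrap or encrypt is applied per archival under a given session key, so the IV is never reused with the same key; that is presumably true but should be confirmed against `mStorageUnit.wrap`. The comment has a stray apostrophe after `sure`. The enclosing `try` and its `catch` body continue outside the hunk.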