author | Ade Lee <alee@redhat.com> | 2017-06-16 19:25:05 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2017-06-16 19:33:26 -0400 |
commit | a91b457abfd61c39e1e4318c2443e38b2dd93c5c (patch) | |
tree | 1ffdb8a1fcb7c5d7ee70d044c373e257283e7228 /base | |
parent | 80ca2e30cd90023ba39b0c93e10b98029ccdf455 (diff) | |
Fix token enrollment and recovery ivs
In encryption mode, the archival of the generated key uses the
wrapIV, while the recovery uses the encryptIV. To make sure
these are consistent, they need to be set to be the same.
Bugzilla BZ #1458043
Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
Diffstat (limited to 'base')
-rw-r--r-- | base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 96d7aae43..07333b7f4 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService { try { params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival); + + // In encrypt mode, the recovery side is doing a decrypt() using the + // encryption IV. To be sure this is successful, we will make sure' + // the IVs are the same. + params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); + privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); } catch (Exception e) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); |
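Review bot: The added `params.setPayloadEncryptionIV(params.getPayloadWrappingIV());` runs on every archival, while the comment above it justifies the override only for encrypt mode, so either guard it with `if (allowEncDecrypt_archival)` or extend the comment to say the override is intended in wrap mode too. Copying the wrapping IV into the encryption IV keeps archival and recovery in step, but it also means both parameter sets now carry the same IV; that is presumably safe only because a given record is either wrapped or encrypted, never both under the same storage key, and the comment should state that assumption so a later change does not turn it into IV reuse. If `getPayloadWrappingIV()` can return null for a wrapping algorithm that takes no IV (not visible here), the encryption IV is silently cleared, which deserves a check or a note. The comment also has a stray apostrophe after `sure`. The enclosing method starts and ends outside this hunk, so the recovery side that reads the IV could not be checked from here.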