1 files changed, 15 insertions, 5 deletions

diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index b06faa6be..25de2dd60 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -191,7 +191,7 @@ public class CRMFPopClient {
         options.addOption(option);
 
         option = new Option("w", true, "Algorithm to be used for key wrapping");
-        option.setArgName("keySet");
+        option.setArgName("keywrap algorithm");
         options.addOption(option);
 
         options.addOption("y", false, "for Self-signed cmc.");
@@ -655,13 +655,23 @@ public class CRMFPopClient {
             KeyPair keyPair,
             Name subject,
             KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
-        byte[] iv = null;
-        if (keyWrapAlgorithm.getParameterClasses() != null) {
-            iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
-        }
+        byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize());
         OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm);
 
+        /* TODO(alee)
+         *
+         * HACK HACK!
+         * algorithms like AES KeyWrap do not require an IV, but we need to include one
+         * in the AlgorithmIdentifier above, or the creation and parsing of the
+         * PKIArchiveOptions options will fail.  So we include an IV in aid, but null it
+         * later to correctly encrypt the data
+         */
         AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv));
+
+        Class[] iv_classes = keyWrapAlgorithm.getParameterClasses();
+        if (iv_classes == null || iv_classes.length == 0)
+            iv = null;
+
         WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv);
 
         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(