From e5bd4436541b726f128afd18b113ff80ce18a6b5 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 16 Jun 2017 19:25:05 -0400
Subject: [PATCH 1/4] Fix token enrollment and recovery ivs
In encryption mode, the archival of the generated key uses the
wrapIV, while the recovery uses the encryptIV. To make sure
these are consistent, they need to be set to be the same.
Bugzilla BZ #1458043
Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
(cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c)
---
base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 96d7aae..07333b7 100644
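--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService {
 
 try {
 params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+
+ // In encrypt mode, the recovery side is doing a decrypt() using the
+ // encryption IV. To be sure this is successful, we will make sure'
+ // the IVs are the same.
+ params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
+
 privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
 } catch (Exception e) {
 request.setExtData(IRequest.RESULT, Integer.valueOf(4));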
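Review bot: The copy `params.setPayloadEncryptionIV(params.getPayloadWrappingIV());` runs on every archival, although the comment above it says the mismatch only matters in encrypt mode; either guard it with `if (allowEncDecrypt_archival)` if that is the intent, or reword the comment to say the assignment is deliberately unconditional. Nothing in the hunk checks that the wrapping IV is non-null, so a parameter set without one would presumably surface only through the generic `catch (Exception e)` as result code 4, with no hint that the IV was the cause. Because recovery now depends on this single value, it is worth confirming that `getWrappingParams()` produces a fresh IV per call and that this same IV is what gets stored with the key record. The added comment also carries a stray apostrophe after "sure", and the catch body continues outside the hunk.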
--
1.8.3.1