From e5bd4436541b726f128afd18b113ff80ce18a6b5 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 16 Jun 2017 19:25:05 -0400
Subject: [PATCH 1/4] Fix token enrollment and recovery ivs

In encryption mode, the archival of the generated key uses the
wrapIV, while the recovery uses the encryptIV.  To make sure
these are consistent, they need to be set to be the same.

Bugzilla BZ #1458043

Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
(cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c)
---
 base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 96d7aae..07333b7 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService {
 
                     try {
                         params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+
+                        // In encrypt mode, the recovery side is doing a decrypt() using the
+                        // encryption IV.  To be sure this is successful, we will make sure'
+                        // the IVs are the same.
+                        params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
+
                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
                     } catch (Exception e) {
                         request.setExtData(IRequest.RESULT, Integer.valueOf(4));
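Review bot: The added `setPayloadEncryptionIV` call runs unconditionally, even though the comment justifies it only for encrypt mode and `getWrappingParams` is itself keyed on `allowEncDecrypt_archival`; consider guarding it as `if (allowEncDecrypt_archival) { params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); }` so wrap-mode parameters are left untouched. If the encryption IV is simply ignored on the wrap path the overwrite is harmless, but I cannot confirm that from the hunk. The new comment also carries a stray apostrophe at the end of its second line (`we will make sure'`) that should be removed. The enclosing method and the try block around `mStorageUnit.wrap(...)` both start and end outside the hunk.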
-- 
1.8.3.1