Fixed KRA key recovery via CLI in FIPS mode.

Based on investigation and solution provided by cfu and jmagne, the SecurityDataRecoveryService.serviceRequest() has been modified to use EncryptionUnit.unwrap_temp() for key recovery via CLI in FIPS mode. https://fedorahosted.org/pki/ticket/2500
dogtagpki · Nov 1, 2016 · 650b00d · 650b00d
1 parent 613d8e8
commit 650b00d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java b/base/common/src/com/netscape/certsrv/security/IEncryptionUnit.java
@@ -142,6 +142,9 @@ public SymmetricKey unwrap_symmetric(byte sessionKey[], String symmAlgOID,
     public SymmetricKey unwrap_sym(byte encSymmKey[],
             SymmetricKey.Usage usage);
 
+    public PrivateKey unwrap_temp(byte privateKey[], PublicKey pubKey)
+            throws EBaseException;
+
     /**
      * Unwraps data. This method rebuilds the private key by
      * unwrapping the private key data.

diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -222,7 +222,7 @@ public boolean serviceRequest(IRequest request)
                     byte[] privateKeyData = keyRecord.getPrivateKeyData();
 
                     PublicKey publicKey = X509Key.parsePublicKey(new DerValue(publicKeyData));
-                    privateKey = mStorageUnit.unwrap(privateKeyData, publicKey);
+                    privateKey = mStorageUnit.unwrap_temp(privateKeyData, publicKey);
                 }
 
             } catch (IOException e) {