Hi all,

I have some questions about KRA operation. These questions came up
as part of my PKCS #12 AES key bag encryption effort.

1) The kra.allowEncDecrypt.recovery setting controls whether
unwrapping the archived key takes place on a crypto token (the
default) or within Dogtag. It seems to be an instance-wide setting.
What is the purpose of this setting? Is it just a provision for
environments that do not support the key (un)wrapping on a token?
Or does it have some other purpose?

2) When kra.allowEncDecrypt.recovery is false, the private keys
being recovered accumulate in the /etc/pki/pki-tomcat/alias NSSDB
(i.e. the NSS internal token). Presumably the same occurs for
hardware tokens, too. The unwrapping of the archived key in
RecoveryService.recoverKey() calls with boolean temporary = false;
This seems like the wrong behaviour... why would we want to keep the
key in the token?

Thanks,
Fraser