From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 6 Apr 2017 16:07:07 +1000
Subject: [PATCH] KRA: do not accumulate recovered keys in token

When using token-based unwrapping of archived keys, the key is being stored in the token. We do not want to accumulate the keys here; make them temporary.

Part of: https://pagure.io/dogtagpki/issue/2610
---
 base/kra/src/com/netscape/kra/RecoveryService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index c89e2f388f037bb8608b24389b26f8076511adf7..817f3f01586e851007d25e0724c03d213f0b6c4a 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -409,7 +409,7 @@ public class RecoveryService implements IService {
 privKey = mStorageUnit.unwrap(
 keyRecord.getPrivateKeyData(),
 pubkey,
- false,
+ true /* temporary */,
 keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams()));
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
-- 
2.9.3
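Review bot: Passing `true /* temporary */` to `mStorageUnit.unwrap(...)` only affects keys unwrapped from now on; going by the commit description, private keys that earlier recoveries stored on the token with `false` stay there after this change. Deployments that used token-based unwrapping before this patch probably need a one-time audit and cleanup of the storage token, and the commit message or release notes should say so. A comment above the call would also guard against the flag being flipped back, e.g. `// temporary: a recovered private key must not persist on the token (issue 2610)`. The enclosing method starts and ends outside the hunk, so whether `privKey` is released once recovery completes cannot be checked from here.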