fix: apkam - add IV to self encryption key and encryption private key

packages/at_secondary_server/lib/src/verb/handler/enroll_verb_handler.dart

@@ -249,9 +249,6 @@ class EnrollVerbHandler extends AbstractVerbHandler {
       final inboundConnectionMetadata =
           atConnection.metaData as InboundConnectionMetadata;
       inboundConnectionMetadata.enrollmentId = newEnrollmentId;
-      // Store default encryption private key and self encryption key(both encrypted)
-      // for future retrieval
-      await _storeEncryptionKeys(newEnrollmentId, enrollParams, currentAtSign);
       // store this apkam as default pkam public key for old clients
       // The keys with AT_PKAM_PUBLIC_KEY does not sync to client.
       await keyStore.put(AtConstants.atPkamPublicKey,
@@ -409,12 +406,18 @@ class EnrollVerbHandler extends AbstractVerbHandler {
       String newEnrollmentId, EnrollParams enrollParams, String atSign) async {
     var privateKeyJson = {};
     privateKeyJson['value'] = enrollParams.encryptedDefaultEncryptionPrivateKey;
+    if (enrollParams.encPrivateKeyIV != null) {
+      privateKeyJson['iv'] = enrollParams.encPrivateKeyIV;
+    }
     await keyStore.put(
         '$newEnrollmentId.${AtConstants.defaultEncryptionPrivateKey}.$enrollManageNamespace$atSign',
         AtData()..data = jsonEncode(privateKeyJson),
         skipCommit: true);
     var selfKeyJson = {};
     selfKeyJson['value'] = enrollParams.encryptedDefaultSelfEncryptionKey;
+    if (enrollParams.selfEncKeyIV != null) {
+      selfKeyJson['iv'] = enrollParams.selfEncKeyIV;
+    }
     await keyStore.put(
         '$newEnrollmentId.${AtConstants.defaultSelfEncryptionKey}.$enrollManageNamespace$atSign',
         AtData()..data = jsonEncode(selfKeyJson),

packages/at_secondary_server/pubspec.yaml

@@ -34,6 +34,13 @@ dependencies:
   yaml: 3.1.2
   logging: 1.2.0
 
+dependency_overrides:
+  at_commons:
+    git:
+      url: https://github.com/atsign-foundation/at_libraries.git
+      path: packages/at_commons
+      ref: apkam_iv_issue_fix
+
 dev_dependencies:
   build_runner: ^2.3.3
   test: ^1.25.9

tests/at_functional_test/test/enroll_verb_test.dart

@@ -1,6 +1,7 @@
 import 'dart:convert';
 import 'dart:io';
 
+import 'package:at_chops/at_chops.dart';
 import 'package:at_commons/at_commons.dart';
 import 'package:at_demo_data/at_demo_data.dart' as at_demos;
 import 'package:at_demo_data/at_demo_data.dart';
@@ -274,35 +275,6 @@ void main() {
       expect(llookupResponseMap['errorCode'], 'AT0009');
       expect(llookupResponseMap['errorDescription'],
           'UnAuthorized client in request : Connection with enrollment ID $enrollmentId is not authorized to llookup key: $enrollmentKey');
-
-      // keys:get:self should return default self encryption key
-      var selfKey = '$enrollmentId.default_self_enc_key.__manage$firstAtSign';
-      String selfKeyResponse =
-          await socketConnection2.sendRequestToServer('keys:get:self');
-      expect(selfKeyResponse.contains(selfKey), true);
-
-      // keys:get:private should return private encryption key
-      var privateKey =
-          '$enrollmentId.default_enc_private_key.__manage$firstAtSign';
-      String privateKeyResponse =
-          await socketConnection2.sendRequestToServer('keys:get:private');
-      expect(privateKeyResponse.contains(privateKey), true);
-
-      // keys:get:keyName should return the enrollment key with __manage namespace
-      String selfKeyGetResponse = await socketConnection2
-          .sendRequestToServer('keys:get:keyName:$selfKey');
-      expect(
-          selfKeyGetResponse
-              .contains('${apkamEncryptedKeysMap['encryptedSelfEncKey']}'),
-          true);
-
-      // keys:get:keyName should return the enrollment key with __manage namespace
-      String privateKeyGetResponse = await socketConnection2
-          .sendRequestToServer('keys:get:keyName:$privateKey');
-      expect(
-          privateKeyGetResponse.contains(
-              '${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}'),
-          true);
     });
 
     test(
@@ -387,8 +359,12 @@ void main() {
       var secondEnrollId = enrollJson['enrollmentId'];
 
       // connect to the first client to approve the enroll request
+      final encryptionPrivateKeyIV =
+          base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes);
+      final selfEncryptionKeyIV =
+          base64Encode(AtChopsUtil.generateRandomIV(16).ivBytes);
       String approveResponse = (await firstAtSignConnection.sendRequestToServer(
-              'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}"}'))
+              'enroll:approve:{"enrollmentId":"$secondEnrollId","encryptedDefaultEncryptionPrivateKey":"${apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']}","encPrivateKeyIV":"$encryptionPrivateKeyIV","encryptedDefaultSelfEncryptionKey": "${apkamEncryptedKeysMap['encryptedSelfEncKey']}","selfEncKeyIV":"$selfEncryptionKeyIV"}'))
           .replaceFirst('data:', '');
       var approveJson = jsonDecode(approveResponse);
       expect(approveJson['status'], 'approved');
@@ -406,12 +382,27 @@ void main() {
           await socketConnection2.sendRequestToServer('keys:get:self');
       expect(selfKeyResponse.contains(selfKey), true);
 
+      String selfKeyGetResponse = await socketConnection2
+          .sendRequestToServer('keys:get:keyName:$selfKey');
+      selfKeyGetResponse = selfKeyGetResponse.replaceFirst('data:', '');
+      var selfKeyResponseJson = jsonDecode(selfKeyGetResponse);
+      expect(selfKeyResponseJson['value'],
+          apkamEncryptedKeysMap['encryptedSelfEncKey']);
+      expect(selfKeyResponseJson['iv'], selfEncryptionKeyIV);
+
       // keys:get:private should return private encryption key
       var privateKey =
           '$secondEnrollId.default_enc_private_key.__manage$firstAtSign';
       String privateKeyResponse =
           await socketConnection2.sendRequestToServer('keys:get:private');
       expect(privateKeyResponse.contains(privateKey), true);
+      String privateKeyGetResponse = await socketConnection2
+          .sendRequestToServer('keys:get:keyName:$privateKey');
+      privateKeyGetResponse = privateKeyGetResponse.replaceFirst('data:', '');
+      var privateKeyResponseJson = jsonDecode(privateKeyGetResponse);
+      expect(privateKeyResponseJson['value'],
+          apkamEncryptedKeysMap['encryptedDefaultEncPrivateKey']);
+      expect(privateKeyResponseJson['iv'], encryptionPrivateKeyIV);
     });
 
     test(