Bug 1035437

Summary: ECC signature not always padded correctly.
Product: Red Hat Enterprise Linux 6 Reporter: Jack Magne <jmagne>
Component: coolkeyAssignee: Bob Relyea <rrelyea>
Status: CLOSED WORKSFORME QA Contact: Asha Akkiangady <aakkiang>
Severity: high Docs Contact:
Priority: high    
Version: 6.6CC: cww, sforsber
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1001299 Environment:
Last Closed: 2014-05-14 21:34:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1001299, 1035438    
Bug Blocks: 994246, 1070830    

Description Jack Magne 2013-11-27 18:52:03 UTC 
+++ This bug was initially created as a clone of Bug #1001299 +++

Description of problem:

Now that we can make ECC signatures, this requires often that the signature data has to be padded or truncated correctly based on what is returned by the card and what is required by NSS.

We already have a method to do this but it only handles the truncation case, not the padding case.


Version-Release number of selected component (if applicable):

Latest rhel5 coolkey


How reproducible:

Always.

Steps to reproduce.

1. Enroll a 384 bit or higher token with rhcs ecc upcoming errata candidate.

2. Run BobR's smartcard test program.




Actual results:

Some of the signatures attempted by the tool will fail.

Expected results:

We want all support signature types to be performed correctly.

--- Additional comment from Suzanne Forsberg on 2013-08-29 10:22:57 EDT ---

Since 5.10 is only accepting blocker bugs at this point(they have already built a release candidate), I am recommending that we defer this fix until 5.11 and we consider fixing this in 5.10.z.

--- Additional comment from Bob Relyea on 2013-11-26 20:36:03 EST ---

Jack please clone this bug for RHEL6 (target 6.6) and RHEL 7
Comment 3 Bob Relyea 2014-05-12 22:24:57 UTC 
running smartcard tests I get:

bobslaptop.local(78) smartcard
Running Smart Card tests...
Starting thread for Module NSS Internal Crypto Services
Starting thread for Module CoolKey PKCS #11 Module
Waiting for card insert
SmartCardThread for NSS Internal Crypto Services started
SmartCardThread for CoolKey PKCS #11 Module started
event for slot NSS Application Slot 00000004
 insert NSS system database into slot NSS Application Slot 00000004
Found Smart cart NSS system database. running Tests
event for slot OmniKey CardMan 3121 00 00
 insert jmagne into slot OmniKey CardMan 3121 00 00
-----Found Cert 1: CN=Test ECC P-256 CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 2: CN=Test ECC P-384 CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 3: CN=Test RSA 2048-bit CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 4: CN=Test PIV-I RSA 2048-bit CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 5: CN=Test RSA 3072-bit CA for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 6: CN=Test Trust Anchor for Test PIV Cards,OU=Test CA,O=Test Certificates 2010,C=US
-Not a user cert, skipping key tests
-----Found Cert 7: CN=DOD CLASS 3 JITC CA-9,OU=PKI,OU=DoD,O=U.S. Government,C=US
-Not a user cert, skipping key tests
-----Found Cert 8: CN=DOD JITC CA-23,OU=PKI,OU=DoD,O=U.S. Government,C=US
-Not a user cert, skipping key tests
-----Found Cert 9: CN=DOD JITC CA-19,OU=PKI,OU=DoD,O=U.S. Government,C=US
-Not a user cert, skipping key tests
Waiting for card insert
Found Smart cart jmagne. running Tests
Password for jmagne? 
-----Found Cert 1: UID=jmagne,O=Token Key User
  KeyType: ECC
  CertID [1] =  01
  KeyID [1] =  01
 Key can sign.. Testing Signing
  signature len = 96
  signing with SHA1 length = 20
signature length = 96
 sign with SHA1 test succeeded
  signing with SHA224 length = 28
signature length = 96
 sign with SHA224 test succeeded
  signing with SHA256 length = 32
signature length = 96
 sign with SHA256 test succeeded
  signing with SHA384 length = 48
signature length = 96
 sign with SHA384 test succeeded
  signing with SHA512 length = 64
signature length = 96
 sign with SHA512 test succeeded
**signing test succeeded
-----Found Cert 2: UID=jmagne,O=Token Key User
  KeyType: ECC
  CertID [1] =  02
  KeyID [1] =  02
 Key can do key agreement... Testing key agreement
  Key [32] =  ac f8 00 14 e8 7d 2f 63 bc ca 8b a3 c8 c9 56 1b cc 58 01 44 4e ec 1d 83 1e 0e 52 2c bb 6e 9b 10
  Key2 [32] =  ac f8 00 14 e8 7d 2f 63 bc ca 8b a3 c8 c9 56 1b cc 58 01 44 4e ec 1d 83 1e 0e 52 2c bb 6e 9b 10
**derive test succeeded
Waiting for card insert


NOTE that the SHA384 token was able to sign with SHA512, which seems to indicate that this is already fixed in RHEL-6.5.

coolkey-1.1.0-31.el6.x86_64


bob
Comment 4 Bob Relyea 2014-05-14 21:34:21 UTC 
Also tested ECC 256 coolkey from Jack, and it works. So I'm closing this WORKSFORME. If we find a new card that it doesn't work on we can reopen this bug.

Found Smart cart jmagne. running Tests
Password for jmagne? 
-----Found Cert 1: UID=jmagne,O=Token Key User
  KeyType: ECC
  CertID [1] =  01
  KeyID [1] =  01
 Key can sign.. Testing Signing
  signature len = 64
  signing with SHA1 length = 20
signature length = 64
 sign with SHA1 test succeeded
  signing with SHA224 length = 28
signature length = 64
 sign with SHA224 test succeeded
  signing with SHA256 length = 32
signature length = 64
 sign with SHA256 test succeeded
  signing with SHA384 length = 48
signature length = 64
 sign with SHA384 test succeeded
  signing with SHA512 length = 64
signature length = 64
 sign with SHA512 test succeeded
**signing test succeeded