Bug 1458043
Summary: | Key recovery on token fails with invalid public key error on KRA | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> |
Component: | pki-core | Assignee: | Ade Lee <alee> |
Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 7.4 | CC: | alee, lmiksik, mharmsen |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | pki-core-10.4.1-10.el7 | Doc Type: | No Doc Update |
Doc Text: |
This is something that would have been encountered in an intermediate build that was never released. So it should not ever be encountered in the wild, so no doc required.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-01 22:52:53 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1425972, 1455617 |
Description
Roshni
2017-06-01 20:41:25 UTC
commit 08bf26f786b8d233382c6fedfad5d33d8c11d78f Author: Ade Lee <alee> Date: Thu Jun 1 17:46:27 2017 -0400 Fix NPE in audit log invocation Some audit log objects take a RequestId or KeyId, on which we call toString(). In some cases, we were creating a KeyId or RequestId with null values, resulting in an NPE. We fix these in this patch. Bugzilla BZ# 1458043 Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db Still seeing this failure on KRA during key recovery [13/Jun/2017:11:26:21][http-bio-31042-exec-6]: TokenKeyRecoveryService: received des key [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: TokenKeyRecoveryService: got token slot:NHSM-RPATTATH-SOFTCARD [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: KRA reading key record [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: TokenKeyRecoveryService: recover by cert [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: In LdapBoundConnFactory::getConn() [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: masterConn is connected: true [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: getConn: conn is connected true [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: getConn: mNumConns now 2 [13/Jun/2017:11:26:23][http-bio-31042-exec-6]: filter= (publicKey=x509cert#"MIIC/zCCAeegAwIBAgIEDbcSJDANBgkqhkiG9w0BAQ0FADBaMSAwHgYDVQQKDBdw^M a2ktY2EtSnVuMTItc2VjLWRvbWFpbjEVMBMGA1UECwwMcGtpLWNhLUp1bjEyMR8w^M HQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE3MDYxMzE1MTEzMloX^M DTIyMDYxMjE1MTEzMlowMzEXMBUGA1UECgwOVG9rZW4gS2V5IFVzZXIxGDAWBgoJ^M kiaJk/IsZAEBDAhzY3B1c2VyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA^M 3tMYlrNbT9LlX3A2XkiIOsIT2+NjsHe4QfqZz0DpuoxTacgY0tYlwk2yruowZh9j^M IYLD6NxlXnJqsu/d26LJPgbZWVjj6VDgbDiVvXd6Z/eN3hect19/80snPDHoWLWr^M UMu16teyB8cmA7Yh3qLcqExzJLIUUiImHjaa8LyTNkkCAwEAAaN4MHYwDgYDVR0P^M AQH/BAQDAgUgMBkGA1UdEQQSMBCBDiRyZXF1ZXN0Lm1haWwkMB0GA1UdDgQWBBTo^M epJo2K8F2sFpGvHVJw3TghW/gTAfBgNVHSMEGDAWgBS6/4d1dU2VTYlZo0WdAbiA^M W8GJ5TAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQDpeAyEfkbtMXPmi4W9^M dZx42u/Ca/0N2tOfubq984sbdMW0f8GkKjdrBTctXniWC47V/3eUCRqEeddGbHyr^M zkMeHtkFTCv2K8MpJJzyNlUYGWW0f0AeHw1Qr5/VQe6cT1L0g6GTQ5z7llYs7h1/^M NgXzwqTLokkKF2ijIWMsQvvErLAMpdZSbVZHvEAnKV0zMQcGE+ybhrJgv+huK1a8^M GdBr7eD6ahs1YJAChJpPbVepD03ZnhFQylvBhuAIcwDGgbrNqmcIL3IQ/sa15X83^M Uy0fKzYz2C7KDzxqYgrRsDpu5HeDZj027gN4Tp6LRZ+Tp1N0oiW9MLPsYmPV7GQO^M UqQp") [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: returnConn: mNumConns now 3 [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: read key record [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name on record =40906145C76224192809:scpuser1 [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name from TPS =40906145C76224192809:scpuser1 [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name matches [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being true [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: EncryptionUnit.decryptInternalPrivate [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: decryptInternalPrivate(): getting key wrapper on slot:NHSM-RPATTATH-SOFTCARD [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: got private key...about to verify [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: request.setExtData: iv_s: %3B%E4%0B%50%61%17%2B%A8 [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: length different data length=64 real length=634 [13/Jun/2017:11:26:26][http-bio-31042-exec-6]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED Invalid Public Key at com.netscape.kra.TokenKeyRecoveryService.serviceRequest(TokenKeyRecoveryService.java:488) at com.netscape.kra.KRAService.serviceRequest(KRAService.java:96) at com.netscape.cmscore.request.ARequestQueue.stateEngine(ARequestQueue.java:614) at com.netscape.cmscore.request.ARequestQueue.processRequest(ARequestQueue.java:381) at com.netscape.cms.servlet.connector.TokenKeyRecoveryServlet.processTokenKeyRecovery(TokenKeyRecoveryServlet.java:204) at com.netscape.cms.servlet.connector.TokenKeyRecoveryServlet.process(TokenKeyRecoveryServlet.java:353) at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510) at javax.servlet.http.HttpServlet.service(HttpServlet.java:731) at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288) at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAsPrivileged(Subject.java:549) at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320) at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237) at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191) at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187) at java.security.AccessController.doPrivileged(Native Method) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748) [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: ARequestNotifier notify mIsPublishingQueueEnabled=false mMaxThreads=1 [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: processTokenKeyRecovery finished [13/Jun/2017:11:26:27][Thread-17]: RunListeners:: noQueue SingleRequest [13/Jun/2017:11:26:27][Thread-17]: RunListeners: noQueue SingleRequest [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: In LdapBoundConnFactory::getConn() [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: masterConn is connected: true [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: getConn: conn is connected true [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: getConn: mNumConns now 2 [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: returnConn: mNumConns now 3 [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: TokenKeyRecoveryServlet:outputString.length 8 [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: CMSServlet: curDate=Tue Jun 13 11:26:27 EDT 2017 id=kraTokenKeyRecovery time=6990 [13/Jun/2017:11:26:27][http-bio-31042-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED Libor, Since we will be building snapshot-5 to address https://bugzilla.redhat.com/show_bug.cgi?id=1461533, we would appreciate if you would also provide a blocker flag for this bug since it blocks QE from testing key recovery on tokens in specific configurations. -- Matt commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c Author: Ade Lee <alee> Date: Fri Jun 16 19:25:05 2017 -0400 Fix token enrollment and recovery ivs In encryption mode, the archival of the geenrated key uses the wrapIV, while the recovery uses the encryptIV. To make sure these are consistent, they need to be set to be the same. Bugzilla BZ #1458043 Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b commit 1d7117081ad3b623af3938595436a35873b0bac6 Author: Ade Lee <alee> Date: Fri Jun 16 14:48:27 2017 -0400 Fix 3DES archival A previous commit mistakenly conflated the wrapping parameters for DES and DES3 cases, resulting in incorrect data being stored if the storage was successful at all. This broke ipa vault and probably also token key archival and recovery. This patch sets the right parameters for the 3DES case again. Part of BZ# 1458043 Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4 (cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf) commit e5bd4436541b726f128afd18b113ff80ce18a6b5 Author: Ade Lee <alee> Date: Fri Jun 16 19:25:05 2017 -0400 Fix token enrollment and recovery ivs In encryption mode, the archival of the geenrated key uses the wrapIV, while the recovery uses the encryptIV. To make sure these are consistent, they need to be set to be the same. Bugzilla BZ #1458043 Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b (cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c) [root@nocp1 ~]# rpm -qi pki-tps Name : pki-tps Version : 10.4.1 Release : 10.el7pki Architecture: x86_64 Install Date: Wed 21 Jun 2017 11:05:25 AM EDT Group : System Environment/Daemons Size : 1866565 License : GPLv2 Signature : (none) Source RPM : pki-core-10.4.1-10.el7pki.src.rpm Build Date : Tue 20 Jun 2017 01:59:47 AM EDT Build Host : x86-017.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - Token Processing Service Verification steps: 1. Verified automatic key recovery Temporary token issued to a user had the encryption cert/key from lost token. Same behavior was observed when a token was physically damaged. 2. Cert/key recovery works with externalReg, delegateISE, userKey and delegateIE token types. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110 |