Bug 1458047

Summary: change the way aes clients refer to aes keysets
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: pki-coreAssignee: Ade Lee <alee>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: lmiksik, pbokoc, rpattath
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pki-core-10.4.1-9.el7 Doc Type: No Doc Update
Doc Text:
Feature: This BZ tracks some changes on the client side for the AES feature in https://bugzilla.redhat.com/show_bug.cgi?id=1445535 Reason: See https://bugzilla.redhat.com/show_bug.cgi?id=1445535 Result: See https://bugzilla.redhat.com/show_bug.cgi?id=1445535 and the AES feature design page.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 22:52:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matthew Harmsen 2017-06-01 21:02:44 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/dogtagpki/issue/2719

It will make migration much easier if we simply use the keyset concept only on the server side and pass the key algorithms needed to the clients.

Better to do this now while we don't have to worry about migration issues.
Comment 2 Ade Lee 2017-06-07 20:02:37 UTC 
Fixed in master:

commit d5c331a42955365b76a1549aec047e613d3185dc
Author: Ade Lee <alee>
Date:   Tue Jun 6 16:16:40 2017 -0400

    Server side changes to correctly parse the new PKIArchiveOptions
    
    The server is modified to read the new OIDs in the PKIArchiveOptions
    and handle them correctly.
    
    Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4

commit 38df4274214938ceece85627abb6d4fe77b960ff
Author: Ade Lee <alee>
Date:   Fri May 26 13:06:18 2017 -0400

    Refactor client to not use keysets
    
    It is simpler to simply tell the client which
    algorithm to use for key wrapping and encryption, rather
    than use key sets.  Therefore:
    
    * KRAInfo and CAInfo are refactored to provide the
      algorithms required for key wrapping and encryption.
    
    * Client is modified to use these parameters to determine
      which algorithms to use.
    
    * We specify the OIDs that will be used in the PKIARchiveOptions
      more correctly.  The options are basically:
      AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
    
    Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Comment 4 Roshni 2017-06-23 20:20:55 UTC 
[root@nocp1 ~]# rpm -q pki-kra
pki-kra-10.4.1-10.el7.noarch
[root@nocp1 ~]# rpm -qi pki-kra
Name        : pki-kra
Version     : 10.4.1
Release     : 10.el7
Architecture: noarch
Install Date: Wed 21 Jun 2017 11:00:26 AM EDT
Group       : System Environment/Daemons
Size        : 562173
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-10.el7.src.rpm
Build Date  : Tue 20 Jun 2017 01:23:22 AM EDT
Build Host  : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Key Recovery Authority

Key archival and recovery worked as expected wusing SCP03 V6(DES3) and V7(AES) tokens.
Comment 5 errata-xmlrpc 2017-08-01 22:52:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110