Bug 1460019
| Summary: | PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> | |
| Component: | jss | Assignee: | Fraser Tweedale <ftweedal> | |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
| Severity: | urgent | Docs Contact: | Petr Bokoc <pbokoc> | |
| Priority: | urgent | |||
| Version: | 7.4 | CC: | aakkiang, akahat, alee, cfu, edewata, extras-qa, ftweedal, kwright, mharmsen, msauton, nkinder, pbokoc, rmeggins | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Prior to this update, a failure to check that the result of a key wrapping operation was not NULL could in some cases cause PKI to crash due to a segmentation fault. This update adds a check that raises an exception in such cases, and a failed key wrapping operation now results in a Java exceptions instead of a crash.
|
Story Points: | --- | |
| Clone Of: | 1460016 | |||
| : | 1490740 (view as bug list) | Environment: | ||
| Last Closed: | 2018-04-10 17:56:52 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 1460016 | |||
| Bug Blocks: | 1490740 | |||
|
Description
Matthew Harmsen
2017-06-08 20:46:14 UTC
Upstream Check-in: cfu checked-in the following changes provided by ftweedal: changeset: 2204:87dca07f7529 tag: tip user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:56:04 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2203:b3b653faef84 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:53:36 2017 -0700 summary: bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2202:0b8a6e84b6c7 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:50:21 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2201:d39e9b373798 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:32:32 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2200:890216599f21 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:21:22 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2199:bada1409d2bb user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:15:29 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2198:3629b598a9ce user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:09:23 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - Actually, the patches that were checked into JSS are related to the other BZ. This BZ has a different JSS ticket with a different patch that has yet to be reviewed and checked in: https://bugzilla.mozilla.org/show_bug.cgi?id=1371147 Moving this back to ASSIGNED. (In reply to Matthew Harmsen from comment #3) > Upstream Check-in: > > cfu checked-in the following changes provided by ftweedal: > > changeset: 2204:87dca07f7529 > tag: tip > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:56:04 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2203:b3b653faef84 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:53:36 2017 -0700 > summary: bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2202:0b8a6e84b6c7 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:50:21 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2201:d39e9b373798 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:32:32 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2200:890216599f21 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:21:22 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2199:bada1409d2bb > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:15:29 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2198:3629b598a9ce > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:09:23 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - INCORRECT CHECK-IN MESSAGE -- these check-ins apply to https://bugzilla.redhat.com/show_bug.cgi?id=1490487 cfu checked-in ftweedal's patch: changeset: 2205:3e9a5ae2149d tag: tip user: Fraser Tweedale<ftweedale> date: Mon Sep 11 17:24:22 2017 -0700 summary: Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails - Asha, steps to reproduce/verify are here: https://bugzilla.redhat.com/show_bug.cgi?id=1490740#c5. Hi Fraser, I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg: ``` kra.allowEncDecrypt.archival=false kra.allowEncDecrypt.recovery=false kra.legacyPKCS12=false ``` Restarted the instances. After that, I perform PKCS #12 recovery. It did not crash, but I'm able to recover the PKCS #12 valid file. Is it expected behavior? Amol, this issue needs to be tested with Thales HSM. Export should _fail_ but pki-tomcatd should not crash. Amol, could you please paste the recovered pkcs #12 file, and could you please give me an LDAP dump of the archived key data? Was the key being recovered freshly archived, or has it been archived earlier. I need this info to check: 1. that the key was indeed archived in a "wrap" mode 2. that the file produced is indeed using PBES2 encryption Perhaps the conditions that caused the retrieval failures on the HSM have been resolved (firmware update / configuration change / NSS changes?) Secnario 1:
I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
After restarting the instance I'm able to submit the certificate request but not able to approve it.
Secnario 2:
I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true
kra.legacyPKCS12=false
```
After restarting the instance, I'm able to issue the certificate.
Then, I mark `kra.allowEncDecrypt.{archival, recovery}=false` in CS.cfg.
I'm able to recover the p12 file, then it throws the exception, which is not expected.
So marking this bug on FaildQA.
As Fraser's suggestion I open new BZ[1]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1535540#c5 Fraser, Amol See the following for discussion of valid settings when using an HSM, http://pki.fedoraproject.org/wiki/Aes-feature-description Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0958 |