Bug 1460019
Summary: | PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> | |
Component: | jss | Assignee: | Fraser Tweedale <ftweedal> | |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
Severity: | urgent | Docs Contact: | Petr Bokoc <pbokoc> | |
Priority: | urgent | |||
Version: | 7.4 | CC: | aakkiang, akahat, alee, cfu, edewata, extras-qa, ftweedal, kwright, mharmsen, msauton, nkinder, pbokoc, rmeggins | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: |
Prior to this update, a failure to check that the result of a key wrapping operation was not NULL could in some cases cause PKI to crash due to a segmentation fault. This update adds a check that raises an exception in such cases, and a failed key wrapping operation now results in a Java exceptions instead of a crash.
|
Story Points: | --- | |
Clone Of: | 1460016 | |||
: | 1490740 (view as bug list) | Environment: | ||
Last Closed: | 2018-04-10 17:56:52 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1460016 | |||
Bug Blocks: | 1490740 |
Description
Matthew Harmsen
2017-06-08 20:46:14 UTC
Upstream Check-in: cfu checked-in the following changes provided by ftweedal: changeset: 2204:87dca07f7529 tag: tip user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:56:04 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2203:b3b653faef84 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:53:36 2017 -0700 summary: bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2202:0b8a6e84b6c7 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:50:21 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2201:d39e9b373798 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:32:32 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2200:890216599f21 user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:21:22 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2199:bada1409d2bb user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:15:29 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - changeset: 2198:3629b598a9ce user: Fraser Tweedale<ftweedale> date: Fri Sep 08 11:09:23 2017 -0700 summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - Actually, the patches that were checked into JSS are related to the other BZ. This BZ has a different JSS ticket with a different patch that has yet to be reviewed and checked in: https://bugzilla.mozilla.org/show_bug.cgi?id=1371147 Moving this back to ASSIGNED. (In reply to Matthew Harmsen from comment #3) > Upstream Check-in: > > cfu checked-in the following changes provided by ftweedal: > > changeset: 2204:87dca07f7529 > tag: tip > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:56:04 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2203:b3b653faef84 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:53:36 2017 -0700 > summary: bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2202:0b8a6e84b6c7 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:50:21 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2201:d39e9b373798 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:32:32 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2200:890216599f21 > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:21:22 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2199:bada1409d2bb > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:15:29 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - > > changeset: 2198:3629b598a9ce > user: Fraser Tweedale<ftweedale> > date: Fri Sep 08 11:09:23 2017 -0700 > summary: Bug 1370778 PBE and padded block cipher enhancements and fixes - INCORRECT CHECK-IN MESSAGE -- these check-ins apply to https://bugzilla.redhat.com/show_bug.cgi?id=1490487 cfu checked-in ftweedal's patch: changeset: 2205:3e9a5ae2149d tag: tip user: Fraser Tweedale<ftweedale> date: Mon Sep 11 17:24:22 2017 -0700 summary: Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails - Asha, steps to reproduce/verify are here: https://bugzilla.redhat.com/show_bug.cgi?id=1490740#c5. Hi Fraser, I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg: ``` kra.allowEncDecrypt.archival=false kra.allowEncDecrypt.recovery=false kra.legacyPKCS12=false ``` Restarted the instances. After that, I perform PKCS #12 recovery. It did not crash, but I'm able to recover the PKCS #12 valid file. Is it expected behavior? Amol, this issue needs to be tested with Thales HSM. Export should _fail_ but pki-tomcatd should not crash. Amol, could you please paste the recovered pkcs #12 file, and could you please give me an LDAP dump of the archived key data? Was the key being recovered freshly archived, or has it been archived earlier. I need this info to check: 1. that the key was indeed archived in a "wrap" mode 2. that the file produced is indeed using PBES2 encryption Perhaps the conditions that caused the retrieval failures on the HSM have been resolved (firmware update / configuration change / NSS changes?) Secnario 1: I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg: ``` kra.allowEncDecrypt.archival=false kra.allowEncDecrypt.recovery=false kra.legacyPKCS12=false ``` After restarting the instance I'm able to submit the certificate request but not able to approve it. Secnario 2: I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg: ``` kra.allowEncDecrypt.archival=true kra.allowEncDecrypt.recovery=true kra.legacyPKCS12=false ``` After restarting the instance, I'm able to issue the certificate. Then, I mark `kra.allowEncDecrypt.{archival, recovery}=false` in CS.cfg. I'm able to recover the p12 file, then it throws the exception, which is not expected. So marking this bug on FaildQA. As Fraser's suggestion I open new BZ[1]. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1535540#c5 Fraser, Amol See the following for discussion of valid settings when using an HSM, http://pki.fedoraproject.org/wiki/Aes-feature-description Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0958 |