Bug 1465566
| Summary: | Fix HmacTest code for AES encrypt/unwrap | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | jss | Assignee: | Jack Magne <jmagne> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 7.4 | CC: | aakkiang, cfu, edewata, extras-qa, jmagne, kwright, mharmsen, msauton, nkinder, rmeggins, rpattath |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | This is an obscure test modification that no users will care about. | Story Points: | --- |
| Clone Of: | 1465565 | | |
| : | 1488846 | Environment: | |
| Last Closed: | 2018-04-10 17:56:52 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1465565 | | |
| Bug Blocks: | 1488846 | | |
| Attachments: | | | |

Description
Matthew Harmsen
2017-06-27 16:14:00 UTC
Upstream checkin:

```
changeset:   2197:eec15518fd61
tag:         tip
user:        Jack Magne <jmagne>
date:        Fri Sep 01 16:15:54 2017 -0700
files:       org/mozilla/jss/pkcs11/PK11KeyWrapper.java org/mozilla/jss/pkcs11/PK11MessageDigest.c org/mozilla/jss/tests/HmacTest.java org/mozilla/jss/tests/all.pl
description:
unwrapping of HMAC-SHA1 secret keys using AES wrapping and unwrapping
```

cfu on behalf of jmagne

QE Testing instructions:

We want to make sure this fix allows TPS to continue to function normally under the following circumstances.

1. General TPS sanity testing, can we do simple format and enrollments using the software token.
2. The following is one specific case that we want to verify which is the following:
   a) We must exercise the scenario where we are using the SP800 key derivation function while using a master key on the hsm of type HMAC. We should already have a test case for that. This as we recall requires generating the given HMAC master key on the hsm using the built-in commands. Once we have verified that the HMAC master key on the HSM works properly, we should be good to go.

Noticed the attached TKS debug log messages and the following TKS audit messages when trying to test https://bugzilla.redhat.com/show_bug.cgi?id=1186896#c30 with

```
tks.defKeySet.nistSP800-108KdfOnKeyVersion=0
tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=true
```

in TKS CS.cfg.

```
0.http-bio-23443-exec-23 - [12/Sep/2017:09:30:22 EDT] [14] [6] [AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded=#40#90#61#45#75#C1#24#0E#03#27][KDD_encoded=#00#00#41#06#24#0E#03#27#75#C1][Outcome=Success][AgentID=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443] TKS Compute session key request
0.http-bio-23443-exec-23 - [12/Sep/2017:09:30:23 EDT] [14] [6] [AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][CUID_decoded=4090614575C1240E0327][KDD_decoded=00004106240E032775C1][Outcome=Success][status=0][AgentID=TPS-nocp1.idm.lab.eng.rdu2.redhat.com-25443][IsCryptoValidate=true][IsServerSideKeygen=true][SelectedToken=NHSM-RPATTATH-SOFTCARD][KeyNickName=hsm-master-scp01][TKSKeyset=defKeySet][KeyInfo_KeyVersion=0x2][NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false] TKS Compute session key request processed successfully
```

Key change operation was successful though. I am not sure if the error messages in the TKS debug log and the audit message indicating NistSP800_108KdfUseCuidAsKdd=false when it is actually set to true are related to this bug or if it has anything to do with FIPS.

Created attachment 1324904
TKS debug log when nist is set to true

Please ignore the previous comment; noticed I had updated the wrong param in TKS CS.cfg.

```
[root@nocp1 certdb]# rpm -qi jss
Name        : jss
Version     : 4.4.0
Release     : 10.el7
Architecture: x86_64
Install Date: Tue 28 Nov 2017 02:30:31 PM EST
Group       : System Environment/Libraries
Size        : 1029659
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/SHA256, Wed 01 Nov 2017 02:37:50 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : jss-4.4.0-10.el7.src.rpm
Build Date  : Wed 01 Nov 2017 02:19:14 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)
```

Verification steps as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1488846#c16

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0958
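
The comparison made by eye in the comments above (the SP800-108 KDF fields TKS writes to its audit log against the values set in CS.cfg) can be scripted. This is an added example, not part of the bug report or of JSS/TKS code; the function names are hypothetical, and it assumes the key-version values on both sides are hex bytes.

```python
import re

FIELD = re.compile(r"\[([A-Za-z0-9_]+)=([^\]]*)\]")
# CS.cfg parameter suffix -> audit field name, both as they appear in this bug.
PAIRS = {"OnKeyVersion": "NistSP800_108KdfOnKeyVersion",
         "UseCuidAsKdd": "NistSP800_108KdfUseCuidAsKdd"}

def parse_audit(line):
    """Return the [Key=Value] fields of one TKS audit line as a dict."""
    return dict(FIELD.findall(line))

def cfg_kdf_settings(cfg_text, keyset):
    """Read the SP800-108 KDF parameters of one keyset from CS.cfg text."""
    prefix = f"tks.{keyset}.nistSP800-108Kdf"
    found = {}
    for raw in cfg_text.splitlines():
        key, sep, val = raw.strip().partition("=")
        if sep and key.startswith(prefix):
            found[key[len(prefix):]] = val
    return found

def norm(value):
    """Booleans compare case-insensitively; key versions as hex (assumption)."""
    if value is None:
        return None          # parameter missing on one side
    v = value.strip().lower()
    return v if v in ("true", "false") else int(v, 16)

def config_drift(cfg_text, audit_lines):
    """List (cuid, parameter, configured, audited) where TKS logged another value."""
    drift = []
    for fields in map(parse_audit, audit_lines):
        if fields.get("AuditEvent") != "COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS":
            continue
        cfg = cfg_kdf_settings(cfg_text, fields.get("TKSKeyset", ""))
        for name, audit_key in PAIRS.items():
            want, got = norm(cfg.get(name)), norm(fields.get(audit_key))
            if want != got:
                drift.append((fields.get("CUID_decoded"), name, want, got))
    return drift

# Sample input trimmed from the CS.cfg values and audit messages quoted in this bug.
SAMPLE_CFG = ("tks.defKeySet.nistSP800-108KdfOnKeyVersion=0\n"
              "tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=true\n")
SAMPLE_AUDIT = [
    "[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded=#40#90#61#45#75#C1#24#0E#03#27]",
    "[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS]"
    "[CUID_decoded=4090614575C1240E0327][TKSKeyset=defKeySet]"
    "[NistSP800_108KdfOnKeyVersion=0x0][NistSP800_108KdfUseCuidAsKdd=false]",
]

if __name__ == "__main__":
    for row in config_drift(SAMPLE_CFG, SAMPLE_AUDIT):
        print("CS.cfg and audit log disagree:", row)
```

A non-empty result means the running TKS is not using the values in the file that was inspected, for example because a different parameter or a different instance's CS.cfg was edited.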