Bug 1490487

Summary: PKCS12: (JSS) upgrade to at least AES and SHA2 (FIPS)
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Harmsen <mharmsen>
Component: jss
Assignee: Fraser Tweedale <ftweedal>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: urgent
Docs Contact: Petr Bokoc <pbokoc>
Priority: urgent
Version: 7.4
CC: aakkiang, alee, arubin, cfu, cheimes, edewata, ftweedal, jmagne, mharmsen, msauton, nkinder, pbokoc, rpattath
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
This update adds the "EncryptedPrivateKeyInfo.createPBES2" method to JSS. This method provides a way to create PKCS #12 files with the PBES2 encryption scheme, using modern ciphers and key derivation functions (KDFs). The new method can now be used to encrypt a PrivateKeyInfo datum using PBES2 with PBKDF2 key derivation and a caller-specified cipher.
Story Points: ---
Clone Of: 1446786
: 1490489 1490494
Environment:
Last Closed: 2018-04-10 17:56:52 UTC
Type: ---
Bug Depends On: 1446786    
Bug Blocks: 1490241, 1490489, 1490494    

Comment 2 Roshni 2017-09-14 20:54:04 UTC
Hi Fraser, 

Could you help with the test instructions for this bug?

A few scenarios I have in mind are:

1. Modify KRA CS.cfg with the following:

kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true

2. Enable only TLS/AES ciphers in server.xml for all subsystem instances.

3. Execute pki pkcs12 CLIs successfully.

4. Enable server-side keygen on TPS with the above KRA. Format/Enroll SCP03 v7 smartcards (this card uses AES for encryption and decryption) when the following params in TKS are set:

tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet.prot3.divers=none
tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet.prot3.masterKeyType=AES

tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=true

These tests would be done with certificates on an HSM and in a FIPS-enabled environment.

Let me know if the above testing would be good coverage for this bug.

Comment 3 Roshni 2017-09-14 21:01:23 UTC
Moving the NEED_INFO to the ON_QA bug https://bugzilla.redhat.com/show_bug.cgi?id=1490494

Comment 5 Roshni 2017-12-07 16:17:15 UTC
[root@nocp1 pki-kra-Dec6]# rpm -qi jss
Name        : jss
Version     : 4.4.0
Release     : 10.el7
Architecture: x86_64
Install Date: Tue 28 Nov 2017 02:30:31 PM EST
Group       : System Environment/Libraries
Size        : 1029659
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/SHA256, Wed 01 Nov 2017 02:37:50 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : jss-4.4.0-10.el7.src.rpm
Build Date  : Wed 01 Nov 2017 02:19:14 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)

Verifications as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1490494#c12. pk12util and pki pkcs12-import tools imported the key successfully.

Comment 8 errata-xmlrpc 2018-04-10 17:56:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0958
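
Added example (not part of the bug report and not JSS code): one way to confirm that a PKCS #12 file really uses the PBES2/PBKDF2 scheme with AES and SHA-2 named in the summary and Doc Text is to audit the text printed by `openssl pkcs12 -info -noout`. The two sample outputs are constructed, the OpenSSL 1.1+ output layout is assumed, and `audit` is a hypothetical helper name; the MAC digest check goes beyond the Doc Text and follows the SHA2 requirement in the summary.

```python
import re

# Constructed samples of `openssl pkcs12 -info -noout` output (OpenSSL 1.1+ layout assumed).
LEGACY = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""
MODERN = """\
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""

PROTECTED = re.compile(r"^(PKCS7 Encrypted data|Shrouded Keybag): (.+)$")

def audit(info_text):
    """Return (container, reason) findings; an empty list means AES and SHA-2 throughout."""
    findings = []
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("MAC:"):  # integrity MAC digest, e.g. "MAC: sha1, Iteration 2048"
            digest = line[4:].split(",")[0].strip().lower()
            if digest in ("sha1", "md5"):
                findings.append(("MAC", f"integrity MAC uses {digest}"))
            continue
        m = PROTECTED.match(line)
        if not m:
            continue  # bag headers and other lines carry no algorithm information
        container, params = m.group(1), [p.strip() for p in m.group(2).split(",")]
        if params[0] != "PBES2":  # PKCS #12 legacy PBE (SHA-1 with RC2 or 3DES)
            findings.append((container, f"legacy PBE scheme {params[0]}"))
            continue
        cipher = params[2] if len(params) > 2 else ""
        if not cipher.upper().startswith("AES-"):
            findings.append((container, f"non-AES cipher {cipher or 'unknown'}"))
        # PBKDF2 falls back to hmacWithSHA1 when no PRF is given
        prf = next((p.split()[1] for p in params if p.startswith("PRF ")), "hmacWithSHA1")
        if prf == "hmacWithSHA1":
            findings.append((container, f"PBKDF2 PRF {prf}"))
    return findings
```

To audit a real file, pass the captured text of `openssl pkcs12 -info -noout -in file.p12` to `audit`; OpenSSL writes the algorithm lines to stderr.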