Bug 1535540

Summary: Not able to issue the certificate when kra.allowEncDecrypt.{archive, recovery}=false.
Product: Red Hat Enterprise Linux 7
Reporter: Amol K <akahat>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED NOTABUG
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.5
CC: alee, ftweedal, mharmsen
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-23 00:06:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Amol K 2018-01-17 15:21:39 UTC
Description of problem:

To archive the key we need to set these attributes in the KRA instance's CS.cfg file on the HSM machine.
kra.allowEncDecrypt.archive = false
kra.allowEncDecrypt.recovery = false


Version-Release number of selected component (if applicable):
10.5.1-5.el7

How reproducible:
Always

Steps to Reproduce:
1. pki -d /root/nssdb/ -c SECret.123 -p 20080 client-cert-request "UID=testuser1,CN=testuser1" --type crmf
2. pki -d /root/nssdb/ -c SECret.123 -p 20080 -n "PKI CA Administrator for Example.Org" -v ca-cert-request-review --action approve 17
3.

Actual results:

BadRequestException: Request Sending DRM request failed check KRA log for detail Rejected - {1}

Expected results:
It should be successful. And key gets archived in the HSM.


Additional info:
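As an added example (not part of this bug report and not Dogtag/pki code), a POSIX shell pre-flight check for the two CS.cfg keys named above. It reports a mismatch between the archive and recovery keys, and flags the false/false setting when the operator states the KRA keys live on an HSM, since the thread's conclusion is that an HSM without AES key-wrap support needs the true setting. Whether an HSM is in use is passed in as an argument; the example assumes no CS.cfg key for detecting it, and the sample CS.cfg fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the bug report or from Dogtag PKI.
# Usage: check_kra_encdecrypt /path/to/CS.cfg yes|no   (second arg: KRA keys on an HSM?)

# cfg_get FILE KEY: print the value of KEY from a "key=value" CS.cfg line, or nothing.
cfg_get() {
    # escape the dots in the key so they match literally in the sed regex
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# check_kra_encdecrypt FILE HSM(yes|no): prints one verdict line; returns 0 if the
# settings are consistent for the stated deployment, 1 otherwise.
check_kra_encdecrypt() {
    cfg="$1"; hsm="$2"
    archive=$(cfg_get "$cfg" kra.allowEncDecrypt.archive)
    recovery=$(cfg_get "$cfg" kra.allowEncDecrypt.recovery)
    if [ "$archive" != "$recovery" ]; then
        echo "MISMATCH: archive=$archive recovery=$recovery (set both keys to the same value)"
        return 1
    fi
    if [ "$hsm" = yes ] && [ "$archive" = false ]; then
        echo "HSM: allowEncDecrypt=false requires AES key wrapping on the token; set both keys to true otherwise"
        return 1
    fi
    echo "OK: archive=$archive recovery=$recovery hsm=$hsm"
    return 0
}

# make_sample_cfg: write a constructed CS.cfg fragment (the report's setting) to a temp file.
make_sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed CS.cfg fragment for the example
kra.allowEncDecrypt.archive = false
kra.allowEncDecrypt.recovery = false
EOF
    echo "$f"
}

# Stand-alone demo: the report's setting fails the HSM check and passes the software-token check.
sample=$(make_sample_cfg)
check_kra_encdecrypt "$sample" yes || true
check_kra_encdecrypt "$sample" no || true
rm -f "$sample"
```

Run it against the real CS.cfg before the client-cert-request step; a non-zero exit means the archival request is expected to be rejected by the KRA as in the "Actual results" above.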

Comment 3 Ade Lee 2018-01-19 21:41:33 UTC
I'm a little confused.  I thought that when using the HSM, you had to set the parameters to True (not false).

I added a bit more of a description of the feature here:

http://pki.fedoraproject.org/wiki/Aes-feature-description

Comment 4 Matthew Harmsen 2018-01-23 00:06:32 UTC
Per CS/DS Meeting of 20180122, closing as NOTABUG.

Comment 5 Amol K 2018-01-24 15:44:03 UTC
I opened this Bugzilla as Fraser suggested in comment [1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1460019#c18

Comment 6 Ade Lee 2018-01-24 15:51:49 UTC
Fraser is confused, I think:

See the link I mentioned:

http://pki.fedoraproject.org/wiki/Aes-feature-description

Comment 7 Fraser Tweedale 2018-01-24 22:09:16 UTC
I was confused :)

Was not aware that the HSMs did not support key wrapping with AES.
But one day they will, surely...?