Bug 1566617

Summary: Key generation during token enrollment fails in FIPS/non-HSM environment
Product: Red Hat Enterprise Linux 8
Reporter: Roshni <rpattath>
Component: pki-core
Assignee: RHCS Maintainers <rhcs-maint>
Status: CLOSED WONTFIX
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.3
CC: ascheel, cfu, jmagne, mharmsen, sveerank
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-08 07:28:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  Description: KRA CS.cfg    Flags: none

Description Roshni 2018-04-12 15:42:31 UTC
Created attachment 1420916 [details]
KRA CS.cfg

Description of problem:
Key generation during token enrollment fails in FIPS/non-HSM environment

Version-Release number of selected component (if applicable):
[root@auto-hv-01-guest06 ~]# rpm -q pki-ca
pki-ca-10.5.1-11.el7.noarch
[root@auto-hv-01-guest06 ~]# rpm -q pki-tps
pki-tps-10.5.1-11.el7pki.x86_64

How reproducible:
always

Steps to Reproduce:
1. Enable FIPS on the machine
2. Create a TMS environment, TPS configured with server-side key generation enabled.
3. Enroll a tpsclient or smartcard token

Actual results:
Enrollment fails. Signing cert is generated but key generation for encryption cert fails.

KRA debug log snippet:

[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search base: cn=Data Recovery Manager Agents,ou=groups,o=topology-KRA-KRA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search filter: (uniquemember=uid=TPS-auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com-25443,ou=people,o=topology-KRA-KRA)
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization result: true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: returnConn: mNumConns now 3
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: evaluated expression: group="Data Recovery Manager Agents" to be true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: DirAclAuthz: authorization passed
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event AUTHZ
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event ROLE_ASSUME
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenerateKeyPairServlet: processServerSideKeyGen would be called
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeyGen begins:
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: in getNextSerialNumber.
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: checkRange  mLastSerialNo=6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: getNextSerialNumber: returning retSerial 6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event RANDOM_GENERATION
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest archival requested for serverSideKeyGen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event SERVER_SIDE_KEYGEN_REQUEST
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: wrapped_des_key specialDecoded
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: got keygenToken
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: about to generate key pair
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: found config store: kra.keygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: setting temporaryPairs to true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeygen finished


Expected results:
Token enrollment with server-side key generation should be successful

Additional info:
Attaching KRA CS.cfg
Using default TPS CS.cfg
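An added triage helper, not part of the bug report or of pki-core: it parses KRA debug lines of the shape quoted above, correlates per worker thread the key type, slot and temporaryPairs setting with the JSS TokenException, and names the NSS error code (NSS numbers its SEC_ERROR_* codes from SEC_ERROR_BASE = -8192, so -8190 is SEC_ERROR_BAD_DATA). The line format, marker strings and sample lines come from the snippet above; the dictionary keys are my own.

```python
import re

# Line shape of the pki-kra debug log quoted in the report:
#   [11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: ...
LINE_RE = re.compile(r"^\[[^\]]+\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")
TOKEN_ERR_RE = re.compile(r"Keypair Generation failed on token with error: (?P<code>-?\d+)")

# NSS error codes count up from SEC_ERROR_BASE (-8192); these are the first
# entries of that table, which include the -8190 seen in the report.
NSS_ERRORS = {-8192: "SEC_ERROR_IO", -8191: "SEC_ERROR_LIBRARY_FAILURE",
              -8190: "SEC_ERROR_BAD_DATA", -8189: "SEC_ERROR_OUTPUT_LEN",
              -8188: "SEC_ERROR_INPUT_LEN", -8187: "SEC_ERROR_INVALID_ARGS"}

# Context markers NetkeyKeygenService logs before it generates the key pair.
MARKERS = {"key_type": "key type = ", "slot": "generated on slot: ",
           "temporary_pairs": "setting temporaryPairs to "}

def triage_keygen(lines):
    """Correlate keygen context per worker thread; return one dict per failed attempt."""
    attempts = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        a = attempts.setdefault(m["thread"], {"thread": m["thread"]})
        msg = m["msg"]
        for key, marker in MARKERS.items():
            if marker in msg:
                a[key] = msg.split(marker, 1)[1].strip()
        err = TOKEN_ERR_RE.search(msg)
        if err:
            code = int(err["code"])
            a["error_code"] = code
            a["error_name"] = NSS_ERRORS.get(code, "unknown NSS error")
            # The internal NSS softoken in FIPS mode names its slots "NSS FIPS 140-2 ...".
            a["fips_softoken"] = a.get("slot", "").startswith("NSS FIPS 140-2")
    return [a for a in attempts.values() if "error_code" in a]

# Constructed sample: the relevant lines of the KRA debug snippet in the report.
SAMPLE_LOG = """\
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: setting temporaryPairs to true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
""".splitlines()

if __name__ == "__main__":
    for attempt in triage_keygen(SAMPLE_LOG):
        print(attempt)
```

Run it against a full debug log (one line per list entry) to see every failed server-side keygen with the slot it was attempted on; a FIPS softoken slot together with temporaryPairs=true is the combination this report describes.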

Comment 2 Matthew Harmsen 2018-04-20 01:19:52 UTC
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6

jmagne: Important to get this working, because a customer might want this scenario.

Comment 3 Matthew Harmsen 2018-07-04 00:38:02 UTC
Moved to RHEL 7.7.

Comment 10 RHEL Program Management 2021-01-08 07:28:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

Comment 11 Red Hat Bugzilla 2023-09-15 00:07:31 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days