Bug 1709585

Summary: PKI (test support) for PKCS#11standard AES KeyWrap for HSM support
Product: Red Hat Enterprise Linux 8 Reporter: Christina Fu <cfu>
Component: pki-coreAssignee: Christina Fu <cfu>
Status: CLOSED CURRENTRELEASE QA Contact: PKI QE <bugzilla-pkiqe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: ---CC: aakkiang, ascheel, ftweedal, gkapoor, mharmsen, msauton
Target Milestone: rcKeywords: TestCaseProvided, ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.17-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1711801 (view as bug list) Environment:
Last Closed: 2021-02-01 07:40:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1489256    
Bug Blocks: 1711801    

Description Christina Fu 2019-05-13 21:35:45 UTC 
Description of problem:
This bug means to add test support for Bug 1709551 - JSS: add PKCS#11standard AES KeyWrap for HSM support 

https://bugzilla.redhat.com/show_bug.cgi?id=1709551

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:
At current time, due to lack of PSS support, PKI instance cannot be installed with Thales SW12.50 and up (this is currently being worked on).
The potential fix for the JSS bug mentioned earlier could use CRMFPopClient to test AES KeyWrap/Padding if KeyPairGenerator is set properly.  There currently exists no such option for RSA key generation routine.

Expected results:


Additional info:
Comment 3 Christina Fu 2019-05-17 23:32:23 UTC 
commit 2044d7c260822c832b1569058a5a35393b118853
Author: Christina Fu <cfu>
Date:   Fri May 17 14:26:26 2019 -0400

    bug-1709585-AesKeyWrap removed development debugging message

commit dbd2d9b587f46b8af2f78b73d62715c1fd3344fc
Author: Christina Fu <cfu>
Date:   Mon May 13 20:09:24 2019 -0400

    Bug 1709585 PKI (test support) for PKCS#11standard AES KeyWrap for HSM support
    
    This patch adds test support to
    Bug 1709551 - JSS: add PKCS#11standard AES KeyWrap for HSM support
    
    specifically on the ability for CRMFPopClient to generate temporary RSA keys
     so that they can be extractable on HSM, as currently PSS is not yet supported
    by PKI so can't rely on KRA to test the feature.
    Also for the same reason, until Thales HSM SW 12.60 is available,
    tests are only limited to
    1. not break existing functionality for CKM_NSS_AES_KEY_WRAP_PAD on nss
    2. have the expected result to be documented in https://bugzilla.redhat.com/show
    
    Also, relevant OIDs in CryptoUtil are changed to referce the JSS definitions
    in KeyWrapAlgorithm instead, with the addition of AES_KEY_WRAP_OID.
    (This results in a dependency)
    
    See https://bugzilla.redhat.com/show_bug.cgi?id=1709551 for more detail.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1709585
Comment 8 Fraser Tweedale 2019-09-19 11:56:13 UTC 
This change seems to have introduced a regression that breaks key archival and retrieval using 3DES.
Please see the pull request for DOGTAG_10_5_BRANCH: https://github.com/dogtagpki/pki/pull/258.

There is also a PR for DOGTAG_10_6_BRANCH (https://github.com/dogtagpki/pki/pull/259) but no fix
is needed on newer branches (or in JSS).
Comment 9 Fraser Tweedale 2019-09-19 23:45:22 UTC 
Regression fixes merged to DOGTAG_10_5_BRANCH.  Moving back to POST.

commit 4d9b4f23d761621073eb7f858e654fc7aceb406d
Author: Fraser Tweedale <ftweedal>
Date:   Thu Sep 19 20:54:17 2019 +1000

    CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection
    
    Commit dbd2d9b587f46b8af2f78b73d62715c1fd3344fc contained the edit:
    
    -        if (oid.equals(KW_DES_CBC_PAD))
    +        if (oid.equals(KeyWrapAlgorithm.DES_CBC_PAD_OID))
    
    KW_DES_CBC_PAD was 1.2.840.113549.3.7 (DES-EDE3-CBC; this definition
    was removed in the same commit). But
    KeyWrapAlgorithm.DES_CBC_PAD_OID is 1.3.14.3.2.7.  This is a
    behaviour change that breaks KRA archival (possibly recovery too).
    
    Test equality to KeyWrapAlgorithm.DES3_CBC_PAD_OID to restore the
    correct behaviour.  Also fix a similar error in WrappingParams.java.
    
    Related: https://bugzilla.redhat.com/show_bug.cgi?id=1709585

commit c08b0cdbf069033d7ddc4e769890bf6281200659
Author: Fraser Tweedale <ftweedal>
Date:   Thu Sep 19 17:17:24 2019 +1000

    CryptoUtil: include OID in NoSuchAlgorithmException

commit df26b7e86b3341c2cc7c0d5d9c3d9f680496a071
Author: Fraser Tweedale <ftweedal>
Date:   Thu Sep 19 15:41:40 2019 +1000

    SecurityDataProcess.archive: log decryption failure
Comment 16 RHEL Program Management 2021-02-01 07:40:51 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.