Bug 1709585
Summary: | PKI (test support) for PKCS#11standard AES KeyWrap for HSM support | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Christina Fu <cfu> | |
Component: | pki-core | Assignee: | Christina Fu <cfu> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | PKI QE <bugzilla-pkiqe> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | --- | CC: | aakkiang, ascheel, ftweedal, gkapoor, mharmsen, msauton | |
Target Milestone: | rc | Keywords: | TestCaseProvided, ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | pki-core-10.5.17-3.el7 | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1711801 (view as bug list) | Environment: | ||
Last Closed: | 2021-02-01 07:40:51 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 1489256 | |||
Bug Blocks: | 1711801 |
Description
Christina Fu
2019-05-13 21:35:45 UTC
commit 2044d7c260822c832b1569058a5a35393b118853 Author: Christina Fu <cfu> Date: Fri May 17 14:26:26 2019 -0400 bug-1709585-AesKeyWrap removed development debugging message commit dbd2d9b587f46b8af2f78b73d62715c1fd3344fc Author: Christina Fu <cfu> Date: Mon May 13 20:09:24 2019 -0400 Bug 1709585 PKI (test support) for PKCS#11standard AES KeyWrap for HSM support This patch adds test support to Bug 1709551 - JSS: add PKCS#11standard AES KeyWrap for HSM support specifically on the ability for CRMFPopClient to generate temporary RSA keys so that they can be extractable on HSM, as currently PSS is not yet supported by PKI so can't rely on KRA to test the feature. Also for the same reason, until Thales HSM SW 12.60 is available, tests are only limited to 1. not break existing functionality for CKM_NSS_AES_KEY_WRAP_PAD on nss 2. have the expected result to be documented in https://bugzilla.redhat.com/show Also, relevant OIDs in CryptoUtil are changed to referce the JSS definitions in KeyWrapAlgorithm instead, with the addition of AES_KEY_WRAP_OID. (This results in a dependency) See https://bugzilla.redhat.com/show_bug.cgi?id=1709551 for more detail. https://bugzilla.redhat.com/show_bug.cgi?id=1709585 This change seems to have introduced a regression that breaks key archival and retrieval using 3DES. Please see the pull request for DOGTAG_10_5_BRANCH: https://github.com/dogtagpki/pki/pull/258. There is also a PR for DOGTAG_10_6_BRANCH (https://github.com/dogtagpki/pki/pull/259) but no fix is needed on newer branches (or in JSS). Regression fixes merged to DOGTAG_10_5_BRANCH. Moving back to POST. commit 4d9b4f23d761621073eb7f858e654fc7aceb406d Author: Fraser Tweedale <ftweedal> Date: Thu Sep 19 20:54:17 2019 +1000 CryptoUtil.getKeywrapAlgorithmFromOID: Fix DES-EDE3-CBC selection Commit dbd2d9b587f46b8af2f78b73d62715c1fd3344fc contained the edit: - if (oid.equals(KW_DES_CBC_PAD)) + if (oid.equals(KeyWrapAlgorithm.DES_CBC_PAD_OID)) KW_DES_CBC_PAD was 1.2.840.113549.3.7 (DES-EDE3-CBC; this definition was removed in the same commit). But KeyWrapAlgorithm.DES_CBC_PAD_OID is 1.3.14.3.2.7. This is a behaviour change that breaks KRA archival (possibly recovery too). Test equality to KeyWrapAlgorithm.DES3_CBC_PAD_OID to restore the correct behaviour. Also fix a similar error in WrappingParams.java. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1709585 commit c08b0cdbf069033d7ddc4e769890bf6281200659 Author: Fraser Tweedale <ftweedal> Date: Thu Sep 19 17:17:24 2019 +1000 CryptoUtil: include OID in NoSuchAlgorithmException commit df26b7e86b3341c2cc7c0d5d9c3d9f680496a071 Author: Fraser Tweedale <ftweedal> Date: Thu Sep 19 15:41:40 2019 +1000 SecurityDataProcess.archive: log decryption failure After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened. |