Bug 1710800

Summary: JSS: add PKCS#11 standard AES KeyWrap for HSM support [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7
Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: jss
Assignee: Christina Fu <cfu>
Status: CLOSED WONTFIX
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.7
CC: aakkiang, cfu, mharmsen, msauton, rhcs-maint
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: The following mechanisms defined by the PKCS#11 standard are not defined or recognized by NSS: CKM_AES_KEY_WRAP and CKM_AES_KEY_WRAP_PAD. Instead, NSS defines its own mechanism IDs: CKM_NSS_AES_KEY_WRAP and CKM_NSS_AES_KEY_WRAP_PAD.
Consequence: External crypto modules such as HSMs (e.g. Thales) do not recognize the NSS definitions. Note: Currently, the latest Thales HSM (SW 12.50) recognizes the PKCS#11 definitions but does not yet support the key wrapping feature. We were told that SW 12.60 will.
Fix: The PKCS#11 standard mechanisms are defined in JSS.
Result: The feature cannot be fully tested until Thales releases SW 12.60.
Story Points: ---
Clone Of: 1709551
Environment:
Last Closed: 2019-06-14 23:12:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1709551
Bug Blocks:

Description RAD team bot copy to z-stream 2019-05-16 10:55:21 UTC
This bug has been copied from bug #1709551 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Christina Fu 2019-05-16 18:41:47 UTC
commit 727db7a182cc31d4447b09e23e5af57e07fbb4f2
Author: Christina Fu <cfu>
Date:   Fri May 10 19:02:36 2019 -0700

    Add HSM support for PKCS#11 AES KeyWrap/Padding (#176)
    
    * Add HSM support for PKCS#11 AES KeyWrap/Padding
    
    This patch adds HSM support for the PKCS#11 standard defined KeyWrap/Padding
    mechanism. Prior to this patch, only NSS (CKM_NSS_AES_KEY_WRAP_PAD) was supported.
    Note that this is based on Thales's projection of having the following support
    in the next SW version, 12.60: CKM_AES_KEY_WRAP_PAD
    For completeness, CKM_AES_KEY_WRAP is also added, although it is not suitable
    for private key wrapping.
    
    * Added test case for AES_KEY_WRAP_PAD; also a clarification comment
    
    This would actually test CKM_NSS_AES_KEY_WRAP_PAD if CKM_AES_KEY_WRAP_PAD
    is not supported by the crypto module.
    
    Also added a clarification comment in org/mozilla/jss/crypto/KeyWrapAlgorithm.
    
    * pulling repeated code into a method getSupportedWrappingMechanism

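The mechanism-ID mismatch described in the Doc Text, and the preference/fallback logic that the commit message attributes to its getSupportedWrappingMechanism helper, as an added Python illustration (this is not JSS code; the constant values are the ones published in pkcs11t.h and NSS's pkcs11n.h, and the token mechanism lists are constructed for the example):

```python
# PKCS#11 standard mechanism IDs (pkcs11t.h).
CKM_AES_KEY_WRAP = 0x00002109
CKM_AES_KEY_WRAP_PAD = 0x0000210A

# NSS vendor-defined IDs (pkcs11n.h): CKM_NSS = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS.
CKM_VENDOR_DEFINED = 0x80000000
NSSCK_VENDOR_NSS = 0x4E534350
CKM_NSS = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
CKM_NSS_AES_KEY_WRAP = CKM_NSS + 11
CKM_NSS_AES_KEY_WRAP_PAD = CKM_NSS + 12

# Constructed mechanism lists: an NSS softoken only advertises its vendor IDs,
# while an HSM speaking plain PKCS#11 only advertises the standard ones.
NSS_SOFTOKEN_MECHS = {CKM_NSS_AES_KEY_WRAP, CKM_NSS_AES_KEY_WRAP_PAD}
HSM_STANDARD_MECHS = {CKM_AES_KEY_WRAP, CKM_AES_KEY_WRAP_PAD}
HSM_UNPADDED_ONLY_MECHS = {CKM_AES_KEY_WRAP}


def legacy_wrap_mechanism(token_mechs):
    """Pre-fix behaviour: only the NSS vendor ID is ever requested."""
    if CKM_NSS_AES_KEY_WRAP_PAD in token_mechs:
        return CKM_NSS_AES_KEY_WRAP_PAD
    raise ValueError("token does not support CKM_NSS_AES_KEY_WRAP_PAD")


def select_wrap_mechanism(token_mechs, plaintext_len):
    """Prefer the standard padded mechanism, then the NSS vendor equivalent.

    RFC 3394 (CKM_AES_KEY_WRAP) only accepts plaintext whose length is a
    multiple of 8 bytes, so it is unsuitable for DER-encoded private keys of
    arbitrary length; those must use the padded variant (RFC 5649 / *_PAD).
    """
    preference = [CKM_AES_KEY_WRAP_PAD, CKM_NSS_AES_KEY_WRAP_PAD]
    if plaintext_len % 8 == 0:  # unpadded wrap is only acceptable here
        preference += [CKM_AES_KEY_WRAP, CKM_NSS_AES_KEY_WRAP]
    for mech in preference:
        if mech in token_mechs:
            return mech
    raise ValueError("no suitable AES key wrap mechanism on this token")
```

A mechanism appearing in the token's list only means the ID is recognized; as the Doc Text notes for Thales SW 12.50, the wrap call itself may still fail, so callers should still handle a failure at wrap time.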
Comment 3 Christina Fu 2019-05-16 18:50:57 UTC
As mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1709551#c5,
"limited tests" could be conducted when the following bug fix is available:
Bug 1709585 - PKI (test support) for PKCS#11 standard AES KeyWrap for HSM support