Bug 463343

Summary: Server-side key generation failed on DRM with nethsm
Product: [Retired] Dogtag Certificate System
Component: DRM
Reporter: Christina Fu <cfu>
Assignee: Christina Fu <cfu>
QA Contact: Chandrasekar Kannan <ckannan>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: benl, jmagne
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:54 UTC
Bug Blocks: 443788, 445247
Attachments:
  ServerSide keygen on drm with nethsm fix (flags: none)
  pki-kra.spec diff (flags: none)

Description Christina Fu 2008-09-22 23:03:38 UTC
key generation failed when doing server-side key generation with nethsm (on DRM).
Here is a snippet of the relevant DRM log:

[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: wrapped_des_key specialDecoded
[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: got keygenToken
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() on slot: nethsm
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() private key algo: RSA
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: about to generate key pair
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: key pair is to be generated on slot: nethsm
[09/Sep/2008:14:25:15][http-10443-Processor25]: getConn: mNumConns now 2
[09/Sep/2008:14:25:15][http-10443-Processor25]: returnConn: mNumConns now 3
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeygen finished
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeyGen:outputString.encode status=2
[09/Sep/2008:14:25:15][http-10443-Processor25]: GenerateKeyPairServlet:outputString.length 8
[09/Sep/2008:14:25:15][http-10443-Processor25]: CMSServlet: curDate=Tue Sep 09 14:25:15 PDT 2008 id=kraGenerateKeyPair time=1587 

Further investigation showed that it failed on key generation.  Also, this bug was caused by an earlier fix to allow lunasa2 to work.

Comment 1 Christina Fu 2008-09-23 16:54:59 UTC
Created attachment 317492 [details]
ServerSide keygen on drm with nethsm fix

this fix allows server-side keygen to work on both nethsm and lunasa2.
New config parameters are added:
           netHSM works with
              kra.keygen.temporaryPairs = true

           LunaSA2 works with
              kra.keygen.temporary = true
              kra.keygen.sensitive = true
              kra.keygen.extractable = true

By default, if none of the above parameters are specified, then it sets
kra.keygen.temporaryPairs to true and allows nethsm to work.
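
The parameters listed in comment 1 correspond to the key-pair attribute flags that JSS exposes when generating a pair on a PKCS#11 token. The Java below is an added example, not code from the attachment on this bug or from pki-kra. It assumes the JSS 4.x API (org.mozilla.jss.crypto.KeyPairGenerator and its temporaryPairs/sensitivePairs/extractablePairs setters), an NSS database directory in which the HSM module is already loaded, and that `kra.keygen.temporary` is an alias of `kra.keygen.temporaryPairs`, which the page does not state. The CS.cfg fragments in `main` are constructed for illustration.

```java
// Added example (not Dogtag/pki-kra code): how the kra.keygen.* parameters from
// comment 1 map onto JSS key-pair generation flags on a PKCS#11 token.
// Assumptions: JSS 4.x API, an NSS database directory with the HSM module
// configured, and "kra.keygen.temporary" treated as an alias of
// "kra.keygen.temporaryPairs" (hypothetical; the page uses both spellings).
import java.io.StringReader;
import java.security.KeyPair;
import java.util.Properties;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.KeyPairAlgorithm;
import org.mozilla.jss.crypto.KeyPairGenerator;

public class KraKeygenFlags {

    /** Effective PKCS#11 attributes requested for the generated pair.
     *  sensitive/extractable are null when the config does not set them,
     *  meaning "leave the token's default untouched". */
    public static final class Flags {
        public final boolean temporary;    // true -> session object (CKA_TOKEN = false)
        public final Boolean sensitive;    // CKA_SENSITIVE, or null = token default
        public final Boolean extractable;  // CKA_EXTRACTABLE, or null = token default

        Flags(boolean temporary, Boolean sensitive, Boolean extractable) {
            this.temporary = temporary;
            this.sensitive = sensitive;
            this.extractable = extractable;
        }

        @Override public String toString() {
            return "temporary=" + temporary + " sensitive=" + sensitive
                    + " extractable=" + extractable;
        }
    }

    /** Resolve flags as comment 1 describes: when none of the kra.keygen.*
     *  parameters is present, fall back to temporaryPairs=true (the netHSM case). */
    public static Flags resolve(Properties cfg) {
        String temp = cfg.getProperty("kra.keygen.temporaryPairs",
                                      cfg.getProperty("kra.keygen.temporary"));
        String sens = cfg.getProperty("kra.keygen.sensitive");
        String extr = cfg.getProperty("kra.keygen.extractable");
        if (temp == null && sens == null && extr == null) {
            return new Flags(true, null, null);
        }
        return new Flags(temp != null && Boolean.parseBoolean(temp),
                         sens == null ? null : Boolean.parseBoolean(sens),
                         extr == null ? null : Boolean.parseBoolean(extr));
    }

    /** Generate an RSA pair on the named token, applying only the flags that
     *  were configured. CryptoManager.initialize(...) must already have run. */
    public static KeyPair generate(String tokenName, int bits, Flags f) throws Exception {
        CryptoManager cm = CryptoManager.getInstance();
        CryptoToken token = cm.getTokenByName(tokenName);
        KeyPairGenerator kpg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
        kpg.temporaryPairs(f.temporary);
        if (f.sensitive != null) {
            kpg.sensitivePairs(f.sensitive);
        }
        if (f.extractable != null) {
            kpg.extractablePairs(f.extractable);
        }
        kpg.initialize(bits);
        return kpg.genKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed CS.cfg fragments, one per HSM, taken from comment 1.
        Properties nethsm = new Properties();
        nethsm.load(new StringReader("kra.keygen.temporaryPairs=true\n"));
        Properties luna = new Properties();
        luna.load(new StringReader("kra.keygen.temporary=true\n"
                + "kra.keygen.sensitive=true\n"
                + "kra.keygen.extractable=true\n"));
        Properties unset = new Properties();

        System.out.println("nethsm : " + resolve(nethsm));
        System.out.println("lunasa2: " + resolve(luna));
        System.out.println("default: " + resolve(unset));

        // Only touch the HSM when given an NSS db dir and token name,
        // e.g.  java KraKeygenFlags /var/lib/pki-kra/alias nethsm
        if (args.length == 2) {
            CryptoManager.initialize(args[0]);
            KeyPair kp = generate(args[1], 2048, resolve(nethsm));
            System.out.println("generated " + kp.getPublic().getAlgorithm()
                    + " pair on token " + args[1]);
        }
    }
}
```

Two of these flags matter for security review rather than just interoperability. `extractable` decides whether the HSM will let the private key be wrapped off the token at all (PKCS#11 C_WrapKey on a key with CKA_EXTRACTABLE=false fails), and wrapping the generated private key out under the unwrapped session key is exactly what the DRM log above shows it preparing to do, so a token that defaults to non-extractable keys needs the flag set explicitly. `temporary` keeps the pair as a session object, so a DRM doing many server-side keygens does not leave a persistent private key on the HSM for every request; when a deployment changes this, it should also decide who cleans those objects up.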

Comment 2 Christina Fu 2008-09-23 16:56:03 UTC
Created attachment 317493 [details]
pki-kra.spec diff

jmagne please review above changes.

Comment 3 Jack Magne 2008-09-23 17:20:27 UTC
attachments (id=317493,id=317492) jmagne+

Comment 4 Christina Fu 2008-09-23 17:57:40 UTC
fix checked in.

[cfu@jaw kra]$ cd /home/cfu/dogtag/src4/pki/base/kra
[cfu@jaw kra]$ svn update src/com/netscape/kra/NetkeyKeygenService.java
At revision 111.
[cfu@jaw kra]$ svn commit src/com/netscape/kra/NetkeyKeygenService.java
Sending        src/com/netscape/kra/NetkeyKeygenService.java
Transmitting file data .
Committed revision 112.
[cfu@jaw kra]$ cd -
/home/cfu/dogtag/src4/pki/linux/kra
[cfu@jaw kra]$ svn update pki-kra.spec
At revision 112.
[cfu@jaw kra]$ vim pki-kra.spec
[cfu@jaw kra]$ svn commit pki-kra.spec
Sending        pki-kra.spec
Transmitting file data .
Committed revision 113.