Bug 624547
Field | Value
---|---
Summary | attrcrypt should query the given slot/token for supported ciphers
Product | [Retired] 389
Component | Security - General
Version | 1.2.8
Status | CLOSED CURRENTRELEASE
Severity | medium
Priority | medium
Hardware | All
OS | Linux
Reporter | Marco Rhodes <mrhodes>
Assignee | Rich Megginson <rmeggins>
QA Contact | Ben Levenson <benl>
CC | amsharma, jgalipea, msauton, nhosoi, nkinder, rmeggins
Target Milestone | ---
Target Release | ---
Doc Type | Bug Fix
Story Points | ---
Type | ---
Regression | ---
Documentation | ---
Last Closed | 2015-12-10 18:38:31 UTC
Bug Blocks | 639035, 656390
Attachments | 475097, 475673 (git patch file (master))
Created attachment 475673 [details]
git patch file (master)
Description:

1. To retrieve a certificate from an external token (i.e., not "internal (software)"), "<token>:<cert_nickname>" should have been passed. The <token> part was missing.
2. The key to be used for encryption and decryption internally needs to have the ENCRYPT and DECRYPT attributes set, respectively. The correct attributes were not set. Note: these attributes are automatically set for the softoken in NSS, but not for the external token. This is why attrcrypt worked for the softoken but not for the external token. The attributes need to be set when the key is generated as well as when the key is unwrapped.
3. Added code to check whether the underlying system supports the cipher before generating a key. If it is not supported, it issues a message not to choose that cipher for attrcrypt/changelog encryption. If none of the ciphers are supported and attrcrypt/changelog encryption is enabled, the server fails to start.
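The three points above, modelled in C as an added example (this is not code from the 389 patch or from NSS). The PKCS#11 slot is replaced by a constructed in-memory mechanism table so the program runs without a token or libnss; `mock_slot`, `slot_does_mechanism` (standing in for `PK11_DoesMechanism`), the token names and the cipher table are all assumptions made for the illustration. The `CKM_*` and `CKF_*` values are the real PKCS#11 constants from `pkcs11t.h`.

```c
/* Added example, not 389-ds or NSS code: token-qualified nickname,
 * ENCRYPT/DECRYPT key flags, and a cipher-support check before keygen. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Real PKCS#11 constants (values as defined in pkcs11t.h). */
#define CKM_RSA_PKCS   0x0001UL
#define CKM_DES3_CBC   0x0133UL
#define CKM_AES_CBC    0x1082UL
#define CKF_ENCRYPT    0x00000100UL
#define CKF_DECRYPT    0x00000200UL

typedef unsigned long CK_MECHANISM_TYPE;
typedef unsigned long CK_FLAGS;

/* Constructed stand-in for a slot: token name, whether it is the NSS
 * softoken, and the list C_GetMechanismList would return for it. */
typedef struct {
    const char *token_name;
    int is_internal;
    const CK_MECHANISM_TYPE *mechs;
    size_t nmechs;
} mock_slot;

/* Stand-in for PK11_DoesMechanism(): scan the slot's mechanism list. */
static int slot_does_mechanism(const mock_slot *slot, CK_MECHANISM_TYPE m)
{
    for (size_t i = 0; i < slot->nmechs; i++)
        if (slot->mechs[i] == m) return 1;
    return 0;
}

/* Point 1: an external token needs "<token>:<nickname>"; the softoken
 * accepts the bare nickname. Returns the name length, or -1 if buf is too small. */
int attrcrypt_cert_lookup_name(const mock_slot *slot, const char *nick,
                               char *buf, size_t buflen)
{
    int n = slot->is_internal
        ? snprintf(buf, buflen, "%s", nick)
        : snprintf(buf, buflen, "%s:%s", slot->token_name, nick);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Point 2: flags to request at key generation AND at unwrap time, so an
 * external token sets CKA_ENCRYPT/CKA_DECRYPT (the softoken does so itself). */
CK_FLAGS attrcrypt_key_flags(void)
{
    return CKF_ENCRYPT | CKF_DECRYPT;
}

/* Point 3: the ciphers attrcrypt offers (AES and 3DES, as on this page). */
typedef struct { const char *name; CK_MECHANISM_TYPE mech; } attrcrypt_cipher;
static const attrcrypt_cipher ciphers[] = {
    { "AES",  CKM_AES_CBC  },   /* bit 0 of supported_mask */
    { "3DES", CKM_DES3_CBC },   /* bit 1 of supported_mask */
};
#define NCIPHERS (sizeof(ciphers) / sizeof(ciphers[0]))

/* Query the slot for each cipher before any key is generated. Returns the
 * number of supported ciphers and sets a bit per supported entry; logs a
 * message for each unsupported cipher. If nothing is supported while
 * encryption is enabled, returns -1 so the caller refuses to start. */
int attrcrypt_check_ciphers(const mock_slot *slot, int encryption_enabled,
                            unsigned *supported_mask)
{
    int supported = 0;
    *supported_mask = 0;
    for (size_t i = 0; i < NCIPHERS; i++) {
        if (slot_does_mechanism(slot, ciphers[i].mech)) {
            *supported_mask |= 1u << i;
            supported++;
        } else {
            fprintf(stderr, "attrcrypt - cipher %s is not supported by token %s; "
                    "do not select it for attribute/changelog encryption\n",
                    ciphers[i].name, slot->token_name);
        }
    }
    if (supported == 0 && encryption_enabled) {
        fprintf(stderr, "attrcrypt - no supported cipher on token %s while "
                "encryption is enabled; server cannot start\n", slot->token_name);
        return -1;
    }
    return supported;
}

/* Constructed slots for the demonstration (names are hypothetical). */
static const CK_MECHANISM_TYPE softoken_mechs[] = { CKM_AES_CBC, CKM_DES3_CBC };
static const CK_MECHANISM_TYPE hsm_mechs[]      = { CKM_DES3_CBC };  /* no AES */
static const CK_MECHANISM_TYPE sig_only_mechs[] = { CKM_RSA_PKCS };  /* no symmetric cipher */
const mock_slot internal_slot = { "NSS Certificate DB", 1, softoken_mechs, 2 };
const mock_slot hsm_slot      = { "nethsm",             0, hsm_mechs,      1 };
const mock_slot sig_slot      = { "signonly",           0, sig_only_mechs, 1 };

int main(void)
{
    char name[128];
    unsigned mask;
    attrcrypt_cert_lookup_name(&hsm_slot, "Server-Cert", name, sizeof name);
    printf("lookup name on external token: %s\n", name);
    printf("key flags: 0x%lx\n", attrcrypt_key_flags());
    printf("ciphers usable on hsm: %d\n", attrcrypt_check_ciphers(&hsm_slot, 1, &mask));
    printf("ciphers usable on sign-only token: %d\n", attrcrypt_check_ciphers(&sig_slot, 1, &mask));
    return 0;
}
```

The sign-only slot reproduces the failure mode the description ends with: with encryption enabled and no usable cipher the check returns -1 before any key is generated, instead of the key generation or the later encrypt call failing with an opaque error.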
Reviewed by Nathan (Thank you!!!) Pushed to master.

```
$ git merge 624547
Updating 7ece306..57dcdf1
Fast-forward
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 141 ++++++++++++++++++++----
 ldap/servers/slapd/proto-slap.h               |   3 +
 ldap/servers/slapd/security_wrappers.c        |  36 ++++++-
 3 files changed, 151 insertions(+), 29 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.26 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7ece306..57dcdf1  master -> master
```

I tried to verify this bug, but I was not able to set up DS (use the wizard and generate a key pair to set up SSL certs) with our newest nethsm6k.dsdev.sjc.redhat.com. That hardware token is in FIPS mode. My machine is SELinux permissive. I'm still troubleshooting the problem.
Created attachment 475097 [details]
git patch file (master)

The reported problem was caused by the bug in ldbm_attrcrypt.c which did not expect to have an external PKCS #11 token. This patch successfully initializes ldbm_attrcrypt, but ldbm_attrcrypt fails once trying to encrypt an attribute, e.g.:

```
dn: cn=givenname,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: givenname
nsEncryptionAlgorithm: AES [ or 3DES ]
```

error log:

```
[..] attrcrypt - _back_crypt_crypto_op: failed on cipher AES : -8192 - An I/O error occurred during security authorization.
[..] - Error: attrcrypt_crypto_op_values failed in attrcrypt_encrypt_entry
[..] - attrcrypt_encrypt_entry failed in id2entry_add
```