Bug 624547

Summary: attrcrypt should query the given slot/token for supported ciphers
Product: [Retired] 389 Reporter: Marco Rhodes <mrhodes>
Component: Security - GeneralAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 1.2.8CC: amsharma, jgalipea, msauton, nhosoi, nkinder, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-10 18:38:31 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 639035, 656390    
Attachments:
Description Flags
git patch file (master)
none
git patch file (master) nkinder: review+

Comment 4 Noriko Hosoi 2011-01-25 01:35:21 UTC 
Created attachment 475097 [details]
git patch file (master)

The reported problem was caused by the bug in ldbm_attrcrypt.c which did not expect to have an external PKCS #11 token.  This patch successfully initializes ldbm_attrcrypt.

But ldbm_attrcrypt fails once trying to encrypt an attribute. e.g.:
dn: cn=givenname,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugi
 ns,cn=config
objectClass: top
objectClass: nsAttributeEncryption
cn: givenname
nsEncryptionAlgorithm: AES [ or 3DES ]

error log:
[..] attrcrypt - _back_crypt_crypto_op: failed on cipher AES : -8192 - An I/O error occurred during security authorization.
[..] - Error: attrcrypt_crypto_op_values failed in attrcrypt_encrypt_entry
[..] - attrcrypt_encrypt_entry failed in id2entry_add
Comment 7 Noriko Hosoi 2011-01-27 20:01:46 UTC 
Created attachment 475673 [details]
git patch file (master)

Description:
1. To retrieve a certificate from an external token (i.e., not
   "internal (software)"), "<token>:<cert_nickname> should have
   been passed.  The <token> part was missing.
2. The key to be used for encryption and decryption internally
   needs to have ENCRYPT and DECRYPT attribute set, respectively.
   The correct attributes were not set.  Note: these attributes
   are automatically set for the softoken in nss, but not for the
   external token.  This is why attrcrypt worked for the softoken,
   but not for the external token.  The attributes need to be set
   when the key is generated as well as when the key is unwrapped.
3. Adding a code to check if the underlying system supports the
   cipher or not before generating a key.  If it is not supported,
   it issues a message not to choose the cipher for the attrcrypt/
   changelog encryption.  If none of the ciphers are supported and
   if attrcrypt/changelog encryption is enabled, the server fails
   to start.
Comment 8 Noriko Hosoi 2011-01-27 20:42:30 UTC 
Reviewed by Nathan (Thank you!!!)

Pushed to master.

$ git merge 624547
Updating 7ece306..57dcdf1
Fast-forward
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c |  141 ++++++++++++++++++++----
 ldap/servers/slapd/proto-slap.h               |    3 +
 ldap/servers/slapd/security_wrappers.c        |   36 ++++++-
 3 files changed, 151 insertions(+), 29 deletions(-)

$ git push
Counting objects: 17, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.26 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   7ece306..57dcdf1  master -> master
Comment 11 Chandrasekar Kannan 2011-07-19 14:07:01 UTC 
I tried to verify this bug. But I was not able to setup ds (use the wizard and generate key pair to setup ssl certs) with our newest nethsm6k.dsdev.sjc.redhat.com. that hardware token is in fips mode. my machine is selinux permissive. I'm still troubleshooting the problem.