Bug 820684

Summary: certutil support for EC on HSMs - need to call PK11_GenerateKeyPairWithOpFlags()

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Christina Fu <cfu> |
| Component | nss |
| Assignee | Elio Maldonado Batiz <emaldona> |
| Status | CLOSED ERRATA |
| QA Contact | Aleš Mareček <amarecek> |
| Severity | high |
| Priority | high |
| Version | 5.9 |
| CC | amarecek, arubin, bgollahe, hkario, kengert, ksrot, nkinder, nobody+bgollahe, rrelyea, swadeley |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | nss-3.13.5-8.el5 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-01-08 07:38:52 UTC |
| Bug Blocks | 820695, 910580 |
Description
Christina Fu
2012-05-10 16:59:01 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This is the kind of bug that needs work to be done at the upstream project. I would like to ask that you please file an enhancement request at bugzilla.mozilla.org and add a reference here to that new upstream bug. And someone needs to contribute a patch. Christina, I believe you already understand what needs to be done; would you like to propose a patch in an upstream bug?

I think this issue hasn't yet been worked on, so it won't make rhel 5.9; it needs to be moved forward to a future release.

Please get the patch done first; only afterwards does it make sense to request new flags. You'll probably want to target 5.9.z after that's done.

Created attachment 600161 [details]
a java tool that can do this

This is a Java tool that can generate EC PKCS#10 requests. It's converted from an RSA tool, PKCS10Client, and it's a bit hacky.
Created attachment 600184 [details]
Adds ability to specify opFlags and attrFlags in certutil

Here's the patch I wrote to do this.

Christina, you'll still have to play with the flags, something like:

certutil -R ..... --keyAttrFlags token,private
Verification failed. It seems both "extractable" and "unextractable" are treated as "extractable" and yield the same result ... Here was what I did:

=====
[pkiuserecc5@glyph alias]$ certutil -d . -h "NHSM6000-OCS" -f passwd -R --keyAttrFlags "token,private,sensitive,unextractable" --keyOpFlagsOff derive -s "cn=cfutestHSM" -k ec -q nistp256 -a -z passwd > cfutestHSM.req
parsing flags <derive>
parsing flags <token,private,sensitive,unextractable>
Generating key. This may take a few moments...
2012-08-09 07:58:41 [10136] t306c570d462b0000: pkcs11-sam: 000008cd Application error: Key type CKK_EC
2012-08-09 07:58:41 [10136] t306c570d462b0000: pkcs11-sam: 000008cd Application error: Insecure key should be marked as such; set CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness to allow extractable but sensititive
certutil: unable to generate key(s)
: security library: received bad data.
=====
[pkiuserecc5@glyph alias]$ certutil -d . -h "NHSM6000-OCS" -f passwd -R --keyAttrFlags "token,private,sensitive,extractable" --keyOpFlagsOff derive -s "cn=cfutestHSM" -k ec -q nistp256 -a -z passwd > cfutestHSM.req
parsing flags <derive>
parsing flags <token,private,sensitive,extractable>
Generating key. This may take a few moments...
2012-08-09 07:59:52 [10137] t308ceed17f2b0000: pkcs11-sam: 000008cd Application error: Key type CKK_EC
2012-08-09 07:59:52 [10137] t308ceed17f2b0000: pkcs11-sam: 000008cd Application error: Insecure key should be marked as such; set CKNFAST_OVERRIDE_SECURITY_ASSURANCES=explicitness to allow extractable but sensititive
certutil: unable to generate key(s)
: security library: received bad data.
=====

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0081.html
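The verification run above hinges on what the `--keyAttrFlags` and `--keyOpFlagsOff` strings turn into before they reach PK11_GenerateKeyPairWithOpFlags(): the HSM rejects the key because it still arrives as extractable-but-sensitive, so either "unextractable" is not being parsed into PK11_ATTR_UNEXTRACTABLE or the parsed value is not being forwarded. The following is an added illustration, not NSS's or certutil's own code, of how such a flag string maps onto the PK11AttrFlags bits and the opFlags/opFlagsMask pair that the NSS call takes, and of the consistency check (no "extractable" together with "unextractable", no op both on and off) that a parser for these options needs. The PK11_ATTR_* and CKF_* constants are copied from NSS's pk11pub.h and PKCS#11's pkcs11t.h as I know them and are defined locally so the file builds without NSS; verify them against your installed headers. The `parse_key_attr_flags` / `parse_key_op_flags` function names, and the use of a second `--keyOpFlagsOn` list, are my own; the real certutil option and the function signature in the final comment are not exercised here.

```c
#include <stdio.h>
#include <string.h>

/* PK11AttrFlags bits as defined in NSS pk11pub.h (copied here; not NSS code).
 * Each pair below is mutually exclusive; an unset pair leaves the token default. */
#define PK11_ATTR_TOKEN         0x00000001L
#define PK11_ATTR_SESSION       0x00000002L
#define PK11_ATTR_PRIVATE       0x00000004L
#define PK11_ATTR_PUBLIC        0x00000008L
#define PK11_ATTR_MODIFIABLE    0x00000010L
#define PK11_ATTR_UNMODIFIABLE  0x00000020L
#define PK11_ATTR_SENSITIVE     0x00000040L
#define PK11_ATTR_INSENSITIVE   0x00000080L
#define PK11_ATTR_EXTRACTABLE   0x00000100L
#define PK11_ATTR_UNEXTRACTABLE 0x00000200L

/* PKCS#11 CK_FLAGS operation bits (pkcs11t.h values). */
#define CKF_ENCRYPT        0x00000100UL
#define CKF_DECRYPT        0x00000200UL
#define CKF_SIGN           0x00000800UL
#define CKF_SIGN_RECOVER   0x00001000UL
#define CKF_VERIFY         0x00002000UL
#define CKF_VERIFY_RECOVER 0x00004000UL
#define CKF_WRAP           0x00020000UL
#define CKF_UNWRAP         0x00040000UL
#define CKF_DERIVE         0x00080000UL

struct flag_name { const char *name; unsigned long bit; };

static const struct flag_name attr_names[] = {
    { "token", PK11_ATTR_TOKEN },           { "session", PK11_ATTR_SESSION },
    { "private", PK11_ATTR_PRIVATE },       { "public", PK11_ATTR_PUBLIC },
    { "modifiable", PK11_ATTR_MODIFIABLE }, { "unmodifiable", PK11_ATTR_UNMODIFIABLE },
    { "sensitive", PK11_ATTR_SENSITIVE },   { "insensitive", PK11_ATTR_INSENSITIVE },
    { "extractable", PK11_ATTR_EXTRACTABLE }, { "unextractable", PK11_ATTR_UNEXTRACTABLE },
    { NULL, 0 }
};

static const struct flag_name op_names[] = {
    { "encrypt", CKF_ENCRYPT }, { "decrypt", CKF_DECRYPT },
    { "sign", CKF_SIGN },       { "sign_recover", CKF_SIGN_RECOVER },
    { "verify", CKF_VERIFY },   { "verify_recover", CKF_VERIFY_RECOVER },
    { "wrap", CKF_WRAP },       { "unwrap", CKF_UNWRAP },
    { "derive", CKF_DERIVE },
    { NULL, 0 }
};

/* OR together the bits named in a comma-separated list such as
 * "token,private,sensitive,unextractable". Returns -1 on an unknown or empty field. */
static int parse_flag_list(const char *list, const struct flag_name *table,
                           unsigned long *out)
{
    unsigned long flags = 0;
    const char *p = list;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        const struct flag_name *f;

        for (f = table; f->name; f++)
            if (strlen(f->name) == len && strncmp(p, f->name, len) == 0)
                break;
        if (!f->name) return -1;            /* unknown name or empty field */
        flags |= f->bit;
        p = end ? end + 1 : p + len;
    }
    *out = flags;
    return 0;
}

/* --keyAttrFlags: reject both halves of any exclusive pair (e.g. extractable
 * together with unextractable), since ORing both would silently leave the
 * outcome to whichever bit the callee tests first. */
int parse_key_attr_flags(const char *list, unsigned long *out)
{
    static const unsigned long pairs[][2] = {
        { PK11_ATTR_TOKEN, PK11_ATTR_SESSION },
        { PK11_ATTR_PRIVATE, PK11_ATTR_PUBLIC },
        { PK11_ATTR_MODIFIABLE, PK11_ATTR_UNMODIFIABLE },
        { PK11_ATTR_SENSITIVE, PK11_ATTR_INSENSITIVE },
        { PK11_ATTR_EXTRACTABLE, PK11_ATTR_UNEXTRACTABLE },
    };
    unsigned long a;
    size_t i;

    if (parse_flag_list(list, attr_names, &a) != 0) return -1;
    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        if ((a & pairs[i][0]) && (a & pairs[i][1])) return -1;
    *out = a;
    return 0;
}

/* --keyOpFlagsOn / --keyOpFlagsOff (either may be NULL): every named op goes into
 * opFlagsMask so the token sets it explicitly; only the "on" ops are set in opFlags. */
int parse_key_op_flags(const char *on, const char *off,
                       unsigned long *op_flags, unsigned long *op_mask)
{
    unsigned long f_on = 0, f_off = 0;

    if (on && parse_flag_list(on, op_names, &f_on) != 0) return -1;
    if (off && parse_flag_list(off, op_names, &f_off) != 0) return -1;
    if (f_on & f_off) return -1;            /* same op requested both on and off */
    *op_flags = f_on;
    *op_mask = f_on | f_off;
    return 0;
}

int main(void)
{
    unsigned long attr = 0, op = 0, mask = 0;

    /* Constructed input: the flag strings from the verification run above. */
    if (parse_key_attr_flags("token,private,sensitive,unextractable", &attr) == 0)
        printf("attrFlags   = 0x%lx\n", attr);
    if (parse_key_op_flags(NULL, "derive", &op, &mask) == 0)
        printf("opFlags     = 0x%lx, opFlagsMask = 0x%lx\n", op, mask);
    /* With NSS linked in, these values are what would be passed as the attrFlags,
     * opFlags and opFlagsMask arguments of PK11_GenerateKeyPairWithOpFlags(). */
    return 0;
}
```

When checking a build like the one in this bug, the useful test is the one the HSM log already hints at: generate with "unextractable" and with "extractable" and confirm that the CKA_EXTRACTABLE attribute on the resulting key object actually differs; if both runs produce the same token object, the value computed here is not reaching the PKCS#11 template.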