Bug 995560

Summary: Issue with max number of keys on token
Product: Red Hat Enterprise Linux 5
Reporter: Jack Magne <jmagne>
Component: coolkey
Assignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 5.10
CC: jherrman, lmiksik, rpattath
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: coolkey-1.1.0-17.el5
Doc Type: Bug Fix
Doc Text:
Previously, the number of encryption keys that the coolkey applet can process was increased from 8 to 24. However, this number was not increased in the coolkey library. As a consequence, a token running the coolkey applet failed to recover the encryption keys when nine or more encryption keys had been set by the coolkey applet. This update introduces support for up to 24 encryption keys in the coolkey library, and recovering more than 8 encryption keys now proceeds correctly.
Story Points: ---
Last Closed: 2014-09-16 00:19:03 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1049888

Description Jack Magne 2013-08-09 17:42:13 UTC
Description of problem:

Recent CS 8.1 development has presented an upcoming feature where we can recover multiple number of certs to the tokens. These certs also imply multiple different associated keys.

Right now we have a fake limitation in the code when we calculate the size in bits of a key.

There is a check for a constant MAX_NUM_TOKENS. If this value is greater than the current setting of "8", the routine will return some default value instead of the real value.

The coolkey applet now has the ability to process key numbers greater than 8. The max is set to a reasonable 24.

The fix here is to set the coolkey limit to the same value of 24.
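
A small model of the limit the report describes, added here as an illustration (it is not coolkey's code): a key index at or past the library's compile-time maximum gets a default size instead of its real one, so a dual-cert token with nine certificates (18 keys) has keys the library cannot size under the old limit of 8 and none under 24. The 1024-bit default, the token model and the helper names are assumptions.

```cpp
#include <cstddef>
#include <vector>

// Compile-time limits from the bug: the library's old value and the applet's value.
static const unsigned int kOldMaxNumKeys = 8;
static const unsigned int kNewMaxNumKeys = 24;
// Placeholder for the "default value" the routine falls back to (assumed, not coolkey's).
static const unsigned int kDefaultKeyBits = 1024;

// Constructed stand-in for a token: the real modulus size of each key, indexed by keyNum.
struct TokenModel {
    std::vector<unsigned int> keyBits;
};

// Dual-cert enrollment puts two keys on the token per certificate (as the bug discussion notes).
TokenModel makeDualCertToken(unsigned int certs, unsigned int bits) {
    TokenModel t;
    t.keyBits.assign(2u * certs, bits);
    return t;
}

// Models the Slot::getRSAKeySize check: a keyNum at or beyond the library limit (or beyond
// what the token actually holds) yields the default instead of the real size.
unsigned int modelRSAKeySize(const TokenModel& t, unsigned int keyNum, unsigned int maxNumKeys) {
    if (keyNum >= maxNumKeys || keyNum >= t.keyBits.size()) {
        return kDefaultKeyBits;
    }
    return t.keyBits[keyNum];
}

// Number of keys on the token whose real size the library reports under a given limit.
// Sample tokens use 2048-bit keys so the default is distinguishable from a real size.
unsigned int keysResolved(const TokenModel& t, unsigned int maxNumKeys) {
    unsigned int n = 0;
    for (std::size_t k = 0; k < t.keyBits.size(); ++k) {
        if (modelRSAKeySize(t, static_cast<unsigned int>(k), maxNumKeys) == t.keyBits[k]) {
            ++n;
        }
    }
    return n;
}
```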

Comment 1 Jack Magne 2013-08-09 17:46:25 UTC
Simple fix to address this:

Index: slot.cpp
===================================================================
--- slot.cpp    (revision 102)
+++ slot.cpp    (working copy)
@@ -4282,7 +4282,7 @@
     }
 }

-#define MAX_NUM_KEYS 8
+#define MAX_NUM_KEYS 24 
 unsigned int
 Slot::getRSAKeySize(CKYByte keyNum)
 {
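Review bot: the hunk raises only the constant; the comparison against MAX_NUM_KEYS inside Slot::getRSAKeySize and any per-key table sized by it fall outside the three lines of context shown, so please confirm nothing else in slot.cpp still hard-codes 8 before relying on the new limit of 24. The description refers to the constant as MAX_NUM_TOKENS while the patch edits MAX_NUM_KEYS; one of the two should be corrected so the record matches the code. Minor: the `+#define MAX_NUM_KEYS 24 ` line carries a trailing space.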

Comment 2 Bob Relyea 2013-11-27 01:37:47 UTC
Jack, please clone this bug for RHEL 6 and RHEL 7 as well.

Comment 3 Bob Relyea 2014-04-22 20:42:07 UTC
Fixed in: coolkey-1.1.0-17.el5

Comment 5 Roshni 2014-05-19 21:17:09 UTC
Successfully recovering keys for up to 8 encryption certs (16 keys) using a Gemalto 64K card on coolkey-1.1.0-17.el5

1. Enable External Registration:

externalReg.authId=ldap3
externalReg.default.tokenType=externalRegAddToToken
externalReg.delegation.enable=true
externalReg.enable=true


2. Verify Applet version is set to 1.4.5265a65e

op.enroll.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/applets
op.enroll.externalRegAddToToken.update.applet.emptyToken.enable=true
op.enroll.externalRegAddToToken.update.applet.enable=true
op.enroll.externalRegAddToToken.update.applet.encryption=true
op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.5265a65e
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1

3. Using EE DualCert Profile, Request User Encryption & Signing Certs with below Parameters:

UID=group1,E=group1,CN=group1
UID=group2,E=group2,CN=group2
UID=group3,E=group3,CN=group3
UID=group4,E=group4,CN=group4
UID=group5,E=group5,CN=group5
UID=group6,E=group6,CN=group6
UID=group7,E=group7,CN=group7
UID=group8,E=group8,CN=group8

4. Verify request from CA Agent 

0x7c 	valid 	UID=group1,E=group1,CN=group1 - 124
0x7e 	valid 	UID=group2,E=group2,CN=group2 - 126
0x80 	valid 	UID=group3,E=group3,CN=group3 - 128
0x82 	valid 	UID=group4,E=group4,CN=group4 - 130
0x84 	valid 	UID=group5,E=group5,CN=group5 - 132
0x86 	valid 	UID=group6,E=group6,CN=group6 - 134
0x88 	valid 	UID=group7,E=group7,CN=group7 - 136
0x8a 	valid 	UID=group8,E=group8,CN=group8 - 138

5. Get the key identifier:

group1: 51
group2: 52
group3: 53
group4: 54
group5: 55
group6: 56
group7: 57
group8: 58


6. Create user "uid=groupadmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com", which will be used to register the token and recover the "group1 to group9" encryption certs on the token

dn: uid=groupadmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: groupadmin1
sn: groupadmin1
uid: groupadmin1
givenName: groupadmin1
mail: groupadmin1
firstname: groupadmin1
edipi: 123456789
pcc: AA
exec-edipi: 999999999
exec-pcc: BB
exec-mail: groupadmin1
userPassword: redhat
tokenType: externalRegAddToToken

7. Modify groupadmin1 Entry to include details of group1 to group9 Certs for recovery

dn: uid=groupadmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com
changetype: modify
add: certsToAdd
certsToAdd: 124,ca1,51,drm1
certsToAdd: 126,ca1,52,drm1
certsToAdd: 128,ca1,53,drm1
certsToAdd: 130,ca1,54,drm1
certsToAdd: 132,ca1,55,drm1
certsToAdd: 134,ca1,56,drm1
certsToAdd: 136,ca1,57,drm1
certsToAdd: 138,ca1,58,drm1


8. On RHEL6.5 Enroll smartcard using groupadmin1 credentials


Key Recovery fails with the following log messages for 9 certs and above.

[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=][KeyVersion=] token enabled
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=] applet upgraded successfully
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=] enrollment processing, key upgrade disabled
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] RequestNewPin completed successfully
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] CreatePin completed successfully
[2014-05-19 12:18:47] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] ResetPin completed successfully
[2014-05-19 12:18:50] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 75 stored on token
[2014-05-19 12:18:52] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 77 stored on token
[2014-05-19 12:18:55] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 79 stored on token
[2014-05-19 12:18:57] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 81 stored on token
[2014-05-19 12:18:59] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 83 stored on token
[2014-05-19 12:19:02] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 85 stored on token
[2014-05-19 12:19:04] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 87 stored on token
[2014-05-19 12:19:06] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 89 stored on token
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 91 stored on token
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=external reg recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] External Registration certificates recovered successfully.
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=][KeyVersion=] token enabled
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=1.4.5265A65E][KeyVersion=] logged into token
[2014-05-19 12:19:23] e7c03f70 [AuditEvent=APPLET_UPGRADE][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=Success][op=format][KeyVersion=0101][OldAppletVersion=1.4.5265A65E][NewAppletVersion=1.4.5265a65e] setup secure channel
[2014-05-19 12:19:23] e7c03f70 [AuditEvent=APPLET_UPGRADE][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=Success][op=format][KeyVersion=0101][OldAppletVersion=1.4.5265A65E][NewAppletVersion=1.4.5265a65e] applet upgrade
[2014-05-19 12:19:24] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=1.4.5265a65e][KeyVersion=0101] format processing complete
[2014-05-19 12:19:24] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=failure][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] channel createObject failed, contents of token possibly corrupted, formatting now.


<rpattath> jmagne, enrollment and key recovery is successful when there are just 8 encryption keys to be recovered
<jmagne> rpattath will take a look.
<jmagne> rpattath, looks like you are trying to put 9 certs on there.
<rpattath> yes
<jmagne> rpattath, I suspect that possibly we have run out of memory on the card. Also, I suggest if you want to try it again. Format it first and then try to recover all those certs.
<jmagne> rpattath, there may be something other than the coolkey bug causing this. To verify this bug just try 5 or so certs. This is because we have 2 keys per cert.
<rpattath> jmagne, enrollment works fine for 8 certs
<rpattath> it also works fine and all keys are recovered for 5 certs
<jmagne> rpattath, ok, that's good.
<rpattath> above 8 it is failing
<jmagne> rpattath I think we are good on this. There is probably some other reason why 9 is failing :) Could just be memory space.

Comment 7 errata-xmlrpc 2014-09-16 00:19:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1233.html