Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1425972

Summary: Simple problem unwrapping AES sym keys on token
Product: Red Hat Enterprise Linux 7 Reporter: Matthew Harmsen <mharmsen>
Component: jssAssignee: Jack Magne <jmagne>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: aakkiang, cfu, edewata, emaldona, extras-qa, jmagne, kwright, mharmsen, nkinder, rmeggins, rpattath, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: jss-4.2.6-44.el7 Doc Type: No Doc Update
Doc Text:
This problem was discovered in development. No need to alert people to a problem they never knew existed.
 Story Points: ---
Clone Of: 1425971 Environment:
Last Closed: 2017-08-01 22:32:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1425971, 1455617, 1458043    
Bug Blocks:    

Description Matthew Harmsen 2017-02-22 22:30:50 UTC 
+++ This bug was initially created as a clone of Bug #1425971 +++

Cloned from upstream Mozilla JSS:

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161114215916

Steps to reproduce:

I wrote some code that tries to unwrap an aes sym key on the token like this:

 aes128 = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.AES, 16);




Actual results:

When later getting the algorithm like this:

String alg = aes128.getAlgorithm();

It was returning RCS which is incorrect. 
The cause seems to be a simple switch statement that doesn't handle AES. This will be evident in the very simple patch to follow.


Expected results:

It should give us the AES type key.

--- Additional comment from Matthew Harmsen on 2017-02-22 17:29:20 EST ---

jmagne 2017-01-04 11:33:02 PST:

Very simple patch to address this:
diff -up ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes	2017-01-03 17:14:57.642278989 -0800
+++ ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java	2017-01-03 17:44:03.220626460 -0800
@@ -617,7 +617,9 @@ final class PK11KeyWrapper implements Ke
             return EncryptionAlgorithm.DES3_ECB;
         } else if( type == SymmetricKey.RC4 ) {
             return EncryptionAlgorithm.RC4;
-        } else {
+        } else if( type == SymmetricKey.AES ) {
+            return EncryptionAlgorithm.AES_128_ECB;
+        } else  {
             Assert._assert( type == SymmetricKey.RC2 );
             return EncryptionAlgorithm.RC2_CBC;
         }
Comment 2 Scott Poore 2017-04-13 14:11:11 UTC 
Matthew,

How can we test this?

Thanks,
Scott
Comment 3 Matthew Harmsen 2017-05-08 18:34:18 UTC 
(In reply to Scott Poore from comment #2)
> Matthew,
> 
> How can we test this?
> 
> Thanks,
> Scott

Soctt,

The JSS component is generally tested as a part of the Dogtag PKI tests, not standalone by itself.

CC'ing aakkiang on this bug so that she can provide you with the PKI test that should verify this.

-- Matt
Comment 4 Scott Poore 2017-05-08 20:54:43 UTC 
Asha,

It sounds like this should just be verified per your normal procedures?  I think I had misinterpreted it as something we needed to test with IPA and the Smart Card testing.

Thanks,
Scott
Comment 5 Asha Akkiangady 2017-05-18 19:27:54 UTC 
Scott,
Yeah, CS QE normal testing procedure should verify this. Changing QE contact info.
Thanks,
Asha
Comment 6 Roshni 2017-05-25 18:02:13 UTC 
This bug cannot be verified unless
Comment 7 Roshni 2017-06-02 14:57:23 UTC 
Can be verified only after https://bugzilla.redhat.com/show_bug.cgi?id=1458043 is verified
Comment 9 Roshni 2017-06-21 20:43:44 UTC 
[root@nocp1 ~]# rpm -qi jss
Name        : jss
Version     : 4.4.2
Release     : 2.fc27
Architecture: x86_64
Install Date: Wed 07 Jun 2017 10:37:30 PM EDT
Group       : System Environment/Libraries
Size        : 1030404
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : (none)
Source RPM  : jss-4.4.2-2.fc27.src.rpm
Build Date  : Wed 07 Jun 2017 10:26:46 PM EDT
Build Host  : f25-2.ipa.local
Relocations : (not relocatable)
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)


[root@nocp1 ~]# rpm -qi pki-tps
Name        : pki-tps
Version     : 10.4.1
Release     : 10.el7pki
Architecture: x86_64
Install Date: Wed 21 Jun 2017 11:05:25 AM EDT
Group       : System Environment/Daemons
Size        : 1866565
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-10.el7pki.src.rpm
Build Date  : Tue 20 Jun 2017 01:59:47 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Token Processing Service

Verification steps:

1. Verified automatic key recovery

Temporary token issued to a user had the encryption cert/key from lost token. Same behavior was observed when a token was physically damaged.

2. Cert/key recovery works with externalReg, delegateISE, userKey and delegateIE token types.
Comment 10 errata-xmlrpc 2017-08-01 22:32:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2090