Bug 1448521
| Summary: | kra unable to extract symmetric keys generated on thales hsm | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Matthew Harmsen <mharmsen> |
| Component: | pki-core | Assignee: | Ade Lee <alee> |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | alee, ssidhaye |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | pki-core-10.4.1-4.el7 | Doc Type: | No Doc Update |
| Doc Text: | This is something that would have been encountered in an intermediate build that was never released. So it should not ever be encountered in the wild, so no doc required. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 22:50:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Matthew Harmsen
2017-05-05 16:04:13 UTC
commit 00c17b3e2f81c9df12e1a89fc85dc2e3d4c3a2b1
Author: Ade Lee <alee>
Date: Fri May 5 21:30:15 2017 -0400
Fix symmetric key retrieval in HSM
When using an HSM, AES KeyWrapping is not available and so
some different code paths were exercised. Fixing bugs in those
paths uncovered a case where we were calling unwrapSymmetric()
with bits and not bytes for the key length.
This does not matter for 3DES, where JSS expects a length of 0,
but very much matters for AES. Fixing this - and the KeyClient
to actually use the returned wrapping algorithm to unwrap, allows
us now to return generated symmetric keys correctly.
Bugzilla BZ#1448521
Pagure: 2690
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
Build used for verification:

```
[root@csqa4-guest01 hsm_setup]# rpm -qi pki-base
Name        : pki-base
Version     : 10.4.1
Release     : 4.el7
Architecture: noarch
Install Date: Monday 15 May 2017 12:35:11 AM EDT
Group       : System Environment/Base
Size        : 2086209
License     : GPLv2
Signature   : RSA/SHA256, Tuesday 09 May 2017 11:33:58 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.4.1-4.el7.src.rpm
Build Date  : Tuesday 09 May 2017 09:23:16 PM EDT
Build Host  : ppc-021.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - PKI Framework
```

RHCS setup used: CA and KRA instances have been set up on a system connected to an HSM.

```
[root@csqa4-guest01 hsm_setup]# certutil -L -d /var/lib/pki/rhcs92-KRA-ssidhaye-May15-2/alias -h NHSM-SSIDHAYE-SOFTCARD -f /tmp/password.txt

Certificate Nickname                                                        Trust Attributes
                                                                            SSL,S/MIME,JAR/XPI

NHSM-SSIDHAYE-SOFTCARD:transportCert cert-rhcs92-KRA-ssidhaye-May15-2 KRA    u,u,u
NHSM-SSIDHAYE-SOFTCARD:storageCert cert-rhcs92-KRA-ssidhaye-May15-2 KRA      u,u,u
NHSM-SSIDHAYE-SOFTCARD:Server-Cert cert-rhcs92-KRA-ssidhaye-May15-2          u,u,u
NHSM-SSIDHAYE-SOFTCARD:subsystemCert cert-rhcs92-KRA-ssidhaye-May15-2        u,u,u
NHSM-SSIDHAYE-SOFTCARD:auditSigningCert cert-rhcs92-KRA-ssidhaye-May15-2 KRA u,u,Pu
NHSM-SSIDHAYE-SOFTCARD:caSigningCert cert-rhcs92-CA-ssidhaye-May15-2 CA      CTu,Cu,Cu
NHSM-SSIDHAYE-SOFTCARD:ocspSigningCert cert-rhcs92-CA-ssidhaye-May15-2 CA    u,u,u
NHSM-SSIDHAYE-SOFTCARD:Server-Cert cert-rhcs92-CA-ssidhaye-May15-2           u,u,u
NHSM-SSIDHAYE-SOFTCARD:subsystemCert cert-rhcs92-CA-ssidhaye-May15-2         u,u,u
NHSM-SSIDHAYE-SOFTCARD:auditSigningCert cert-rhcs92-CA-ssidhaye-May15-2 CA   u,u,u
```

Generating an AES-256 symmetric key through the KRA, then retrieving it:

```
[root@csqa4-guest01 hsm_setup]# pki -d nssdb -c SECret.123 -h localhost -p 20080 -P https -n "PKI Administrator for idm.lab.eng.rdu.redhat.com" key-generate "test_symkey1" --key-algorithm AES --key-size 256 --usages encrypt,decrypt
WARNING: BAD_CERT_DOMAIN encountered on 'CN=csqa4-guest01.idm.lab.eng.rdu.redhat.com,OU=rhcs92-KRA-ssidhaye-May15-2,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a common-name mismatch
---------------------------
Key generation request info
---------------------------
  Request ID: 0x1
  Key ID: 0x1
  Type: symkeyGenRequest
  Status: complete

[root@csqa4-guest01 hsm_setup]# pki -d nssdb -c SECret.123 -h localhost -p 20080 -P https -n "PKI Administrator for idm.lab.eng.rdu.redhat.com" key-retrieve --keyID 0x1
WARNING: BAD_CERT_DOMAIN encountered on 'CN=csqa4-guest01.idm.lab.eng.rdu.redhat.com,OU=rhcs92-KRA-ssidhaye-May15-2,O=idm.lab.eng.rdu.redhat.com Security Domain' indicates a common-name mismatch
------------------------
Retrieve Key Information
------------------------
  Key Algorithm: AES
  Key Size: 256
  Nonce data: yFQ+TLJl+TDu6LPZtvAslw==
  Actual archived data: XtmDkhC7mNbZTdlX28vsnZl6UcUoyn0FiAQ6tnOkibM=
[root@csqa4-guest01 hsm_setup]#
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110