1458043 – Key recovery on token fails with invalid public key error on KRA

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1458043 - Key recovery on token fails with invalid public key error on KRA

Summary: Key recovery on token fails with invalid public key error on KRA

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Ade Lee
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1425972 1455617
TreeView+	depends on / blocked

Reported:	2017-06-01 20:41 UTC by Roshni
Modified:	2020-10-04 21:31 UTC (History)
CC List:	3 users (show)
Fixed In Version:	pki-core-10.4.1-10.el7
Doc Type:	No Doc Update
Doc Text:	This is something that would have been encountered in an intermediate build that was never released. So it should not ever be encountered in the wild, so no doc required.
Clone Of:
Environment:
Last Closed:	2017-08-01 22:52:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2841	0	None	None	None	2020-10-04 21:31:28 UTC
Red Hat Product Errata	RHBA-2017:2110	0	normal	SHIPPED_LIVE	pki-core bug fix and enhancement update	2017-08-01 19:36:59 UTC

Description Roshni 2017-06-01 20:41:25 UTC

Description of problem:
Key recovery using externalReg fails with java null pointer exception on KRA

Version-Release number of selected component (if applicable):
pki-ca-10.4.1-7.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. Enable externalReg and recover a cert/key onto a token (non-FIPS and non-HSM)
2.
3.

Actual results:
key recovery failed

Expected results:


Additional info:

Comment 2 Ade Lee 2017-06-02 17:51:30 UTC

commit 08bf26f786b8d233382c6fedfad5d33d8c11d78f
Author: Ade Lee <alee>
Date:   Thu Jun 1 17:46:27 2017 -0400

    Fix NPE in audit log invocation
    
    Some audit log objects take a RequestId or KeyId, on which we call
    toString().  In some cases, we were creating a KeyId or RequestId
    with null values, resulting in an NPE.  We fix these in this patch.
    
    Bugzilla BZ# 1458043
    
    Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db

Comment 4 Roshni 2017-06-13 16:02:39 UTC

Still seeing this failure on KRA during key recovery

[13/Jun/2017:11:26:21][http-bio-31042-exec-6]: TokenKeyRecoveryService: received des key
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: TokenKeyRecoveryService: got token slot:NHSM-RPATTATH-SOFTCARD
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: KRA reading key record
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: TokenKeyRecoveryService: recover by cert
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: In LdapBoundConnFactory::getConn()
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: masterConn is connected: true
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: getConn: conn is connected true
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: getConn: mNumConns now 2
[13/Jun/2017:11:26:23][http-bio-31042-exec-6]: filter= (publicKey=x509cert#"MIIC/zCCAeegAwIBAgIEDbcSJDANBgkqhkiG9w0BAQ0FADBaMSAwHgYDVQQKDBdw^M
a2ktY2EtSnVuMTItc2VjLWRvbWFpbjEVMBMGA1UECwwMcGtpLWNhLUp1bjEyMR8w^M
HQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTE3MDYxMzE1MTEzMloX^M
DTIyMDYxMjE1MTEzMlowMzEXMBUGA1UECgwOVG9rZW4gS2V5IFVzZXIxGDAWBgoJ^M
kiaJk/IsZAEBDAhzY3B1c2VyMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA^M
3tMYlrNbT9LlX3A2XkiIOsIT2+NjsHe4QfqZz0DpuoxTacgY0tYlwk2yruowZh9j^M
IYLD6NxlXnJqsu/d26LJPgbZWVjj6VDgbDiVvXd6Z/eN3hect19/80snPDHoWLWr^M
UMu16teyB8cmA7Yh3qLcqExzJLIUUiImHjaa8LyTNkkCAwEAAaN4MHYwDgYDVR0P^M
AQH/BAQDAgUgMBkGA1UdEQQSMBCBDiRyZXF1ZXN0Lm1haWwkMB0GA1UdDgQWBBTo^M
epJo2K8F2sFpGvHVJw3TghW/gTAfBgNVHSMEGDAWgBS6/4d1dU2VTYlZo0WdAbiA^M
W8GJ5TAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQDpeAyEfkbtMXPmi4W9^M
dZx42u/Ca/0N2tOfubq984sbdMW0f8GkKjdrBTctXniWC47V/3eUCRqEeddGbHyr^M
zkMeHtkFTCv2K8MpJJzyNlUYGWW0f0AeHw1Qr5/VQe6cT1L0g6GTQ5z7llYs7h1/^M
NgXzwqTLokkKF2ijIWMsQvvErLAMpdZSbVZHvEAnKV0zMQcGE+ybhrJgv+huK1a8^M
GdBr7eD6ahs1YJAChJpPbVepD03ZnhFQylvBhuAIcwDGgbrNqmcIL3IQ/sa15X83^M
Uy0fKzYz2C7KDzxqYgrRsDpu5HeDZj027gN4Tp6LRZ+Tp1N0oiW9MLPsYmPV7GQO^M
UqQp")
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: returnConn: mNumConns now 3
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: read key record
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name on record =40906145C76224192809:scpuser1
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name from TPS =40906145C76224192809:scpuser1
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: owner name matches
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: recoverKey() - with allowEncDecrypt_archival being true
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: EncryptionUnit.decryptInternalPrivate
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: decryptInternalPrivate(): getting key wrapper on slot:NHSM-RPATTATH-SOFTCARD
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: TokenKeyRecoveryService: got private key...about to verify
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: request.setExtData: iv_s: %3B%E4%0B%50%61%17%2B%A8
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: length different data length=64 real length=634
[13/Jun/2017:11:26:26][http-bio-31042-exec-6]: SignedAuditEventFactory: create() message created for eventType=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED

Invalid Public Key
        at com.netscape.kra.TokenKeyRecoveryService.serviceRequest(TokenKeyRecoveryService.java:488)
        at com.netscape.kra.KRAService.serviceRequest(KRAService.java:96)
        at com.netscape.cmscore.request.ARequestQueue.stateEngine(ARequestQueue.java:614)
        at com.netscape.cmscore.request.ARequestQueue.processRequest(ARequestQueue.java:381)
        at com.netscape.cms.servlet.connector.TokenKeyRecoveryServlet.processTokenKeyRecovery(TokenKeyRecoveryServlet.java:204)
        at com.netscape.cms.servlet.connector.TokenKeyRecoveryServlet.process(TokenKeyRecoveryServlet.java:353)
        at com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:510)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.GeneratedMethodAccessor39.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: ARequestNotifier  notify mIsPublishingQueueEnabled=false mMaxThreads=1
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: processTokenKeyRecovery finished
[13/Jun/2017:11:26:27][Thread-17]: RunListeners:: noQueue  SingleRequest
[13/Jun/2017:11:26:27][Thread-17]: RunListeners:  noQueue  SingleRequest
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: In LdapBoundConnFactory::getConn()
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: masterConn is connected: true
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: getConn: conn is connected true
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: getConn: mNumConns now 2
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: returnConn: mNumConns now 3
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: TokenKeyRecoveryServlet:outputString.length 8
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: CMSServlet: curDate=Tue Jun 13 11:26:27 EDT 2017 id=kraTokenKeyRecovery time=6990
[13/Jun/2017:11:26:27][http-bio-31042-exec-6]: SignedAuditEventFactory: create() message created for eventType=ACCESS_SESSION_TERMINATED

Comment 5 Matthew Harmsen 2017-06-16 00:37:43 UTC

Libor,

Since we will be building snapshot-5 to address https://bugzilla.redhat.com/show_bug.cgi?id=1461533, we would appreciate if you would also provide a blocker flag for this bug since it blocks QE from testing key recovery on tokens in specific configurations.

-- Matt

Comment 6 Ade Lee 2017-06-16 23:35:17 UTC

commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c
Author: Ade Lee <alee>
Date:   Fri Jun 16 19:25:05 2017 -0400

    Fix token enrollment and recovery ivs
    
    In encryption mode, the archival of the geenrated key uses the
    wrapIV, while the recovery uses the encryptIV.  To make sure
    these are consistent, they need to be set to be the same.
    
    Bugzilla BZ #1458043
    
    Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b

Comment 7 Matthew Harmsen 2017-06-19 22:44:14 UTC

commit 1d7117081ad3b623af3938595436a35873b0bac6
Author: Ade Lee <alee>
Date:   Fri Jun 16 14:48:27 2017 -0400

    Fix 3DES archival
    
    A previous commit mistakenly conflated the wrapping parameters for
    DES and DES3 cases, resulting in incorrect data being stored if the
    storage was successful at all.  This broke ipa vault and probably
    also token key archival and recovery.
    
    This patch sets the right parameters for the 3DES case again.
    Part of BZ# 1458043
    
    Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
    (cherry picked from commit 89f14cc5b7858e60107dc0776a59394bdfb8edaf)


commit e5bd4436541b726f128afd18b113ff80ce18a6b5
Author: Ade Lee <alee>
Date:   Fri Jun 16 19:25:05 2017 -0400

    Fix token enrollment and recovery ivs
    
    In encryption mode, the archival of the geenrated key uses the
    wrapIV, while the recovery uses the encryptIV.  To make sure
    these are consistent, they need to be set to be the same.
    
    Bugzilla BZ #1458043
    
    Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b
    (cherry picked from commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c)

Comment 9 Roshni 2017-06-21 20:44:30 UTC

[root@nocp1 ~]# rpm -qi pki-tps
Name        : pki-tps
Version     : 10.4.1
Release     : 10.el7pki
Architecture: x86_64
Install Date: Wed 21 Jun 2017 11:05:25 AM EDT
Group       : System Environment/Daemons
Size        : 1866565
License     : GPLv2
Signature   : (none)
Source RPM  : pki-core-10.4.1-10.el7pki.src.rpm
Build Date  : Tue 20 Jun 2017 01:59:47 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Token Processing Service

Verification steps:

1. Verified automatic key recovery

Temporary token issued to a user had the encryption cert/key from lost token. Same behavior was observed when a token was physically damaged.

2. Cert/key recovery works with externalReg, delegateISE, userKey and delegateIE token types.

Comment 10 errata-xmlrpc 2017-08-01 22:52:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2110

Note You need to log in before you can comment on or make changes to this bug.