Bug 1460019 - PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails
PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails
Status: ASSIGNED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss (Show other bugs)
7.4
All Linux
urgent Severity urgent
: rc
: ---
Assigned To: Fraser Tweedale
ipa-qe
Petr Bokoc
: ZStream
Depends On: 1460016
Blocks: 1490740
  Show dependency treegraph
 
Reported: 2017-06-08 16:46 EDT by Matthew Harmsen
Modified: 2018-01-17 10:07 EST (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, a failure to check that the result of a key wrapping operation was not NULL could in some cases cause PKI to crash due to a segmentation fault. This update adds a check that raises an exception in such cases, and a failed key wrapping operation now results in a Java exceptions instead of a crash.
Story Points: ---
Clone Of: 1460016
: 1490740 (view as bug list)
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Mozilla Foundation 1371147 None None None 2017-06-08 16:46 EDT

  None (edit)
Description Matthew Harmsen 2017-06-08 16:46:14 EDT
+++ This bug was initially created as a clone of Bug #1460016 +++

PK11Store.getEncryptedPrivateKeyInfo() segfaults if export fails

Steps to reproduce:

    Use PK11Store.getEncryptedPrivateKeyInfo() with Thales nethsm.

Actual results:

    PK11_ExportEncryptedPrivKeyInfo returning NULL is not being handled
    properly, causing segfault.


Expected results:

    Detect this condition and raise a
    TokenException instead.

Additional Information:

    Patch is attached to upstream bug
    https://bugzilla.mozilla.org/show_bug.cgi?id=1371147
Comment 3 Matthew Harmsen 2017-09-08 17:41:48 EDT
Upstream Check-in:

cfu checked-in the following changes provided by ftweedal:

changeset:   2204:87dca07f7529
tag:         tip
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:56:04 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2203:b3b653faef84
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:53:36 2017 -0700
summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2202:0b8a6e84b6c7
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:50:21 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2201:d39e9b373798
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:32:32 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2200:890216599f21
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:21:22 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2199:bada1409d2bb
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:15:29 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2198:3629b598a9ce
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Fri Sep 08 11:09:23 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
Comment 4 Fraser Tweedale 2017-09-09 01:55:40 EDT
Actually, the patches that were checked into JSS are related to the
other BZ.  This BZ has a different JSS ticket with a different patch
that has yet to be reviewed and checked in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1371147

Moving this back to ASSIGNED.
Comment 5 Matthew Harmsen 2017-09-11 15:02:18 EDT
(In reply to Matthew Harmsen from comment #3)
> Upstream Check-in:
> 
> cfu checked-in the following changes provided by ftweedal:
> 
> changeset:   2204:87dca07f7529
> tag:         tip
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:56:04 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2203:b3b653faef84
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:53:36 2017 -0700
> summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2202:0b8a6e84b6c7
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:50:21 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2201:d39e9b373798
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:32:32 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2200:890216599f21
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:21:22 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2199:bada1409d2bb
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:15:29 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2198:3629b598a9ce
> user:        Fraser Tweedale<ftweedale@redhat.com>
> date:        Fri Sep 08 11:09:23 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

INCORRECT CHECK-IN MESSAGE -- these check-ins apply to https://bugzilla.redhat.com/show_bug.cgi?id=1490487
Comment 6 Matthew Harmsen 2017-09-11 20:46:48 EDT
cfu checked-in ftweedal's patch:

changeset:   2205:3e9a5ae2149d
tag:         tip
user:        Fraser Tweedale<ftweedale@redhat.com>
date:        Mon Sep 11 17:24:22 2017 -0700
summary:     Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails -
Comment 10 Fraser Tweedale 2017-11-21 01:14:48 EST
Asha, steps to reproduce/verify are here:
https://bugzilla.redhat.com/show_bug.cgi?id=1490740#c5.
Comment 11 Amol K 2018-01-09 04:44:33 EST
Hi Fraser,

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
Restarted the instances.

After that, I perform PKCS #12 recovery. It did not crash, but I'm able to recover the PKCS #12 valid file.

Is it expected behavior?
Comment 12 Fraser Tweedale 2018-01-09 07:20:38 EST
Amol, this issue needs to be tested with Thales HSM.  Export should _fail_
but pki-tomcatd should not crash.
Comment 13 Fraser Tweedale 2018-01-10 01:35:01 EST
Amol, could you please paste the recovered pkcs #12 file,
and could you please give me an LDAP dump of the archived key data?

Was the key being recovered freshly archived, or has it been archived earlier.

I need this info to check:
1. that the key was indeed archived in a "wrap" mode
2. that the file produced is indeed using PBES2 encryption

Perhaps the conditions that caused the retrieval failures on the HSM
have been resolved (firmware update / configuration change / NSS changes?)
Comment 19 Amol K 2018-01-17 10:07:12 EST
Secnario 1:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
After restarting the instance I'm able to submit the certificate request but not able to approve it.


Secnario 2:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true
kra.legacyPKCS12=false
```
After restarting the instance, I'm able to issue the certificate.

Then, I mark `kra.allowEncDecrypt.{archival, recovery}=false` in CS.cfg.

I'm able to recover the p12 file, then it throws the exception, which is not expected.

So marking this bug on FaildQA.

Note You need to log in before you can comment on or make changes to this bug.