Upstream Check-in:

cfu checked-in the following changes provided by ftweedal:

changeset:   2204:87dca07f7529
tag:         tip
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:56:04 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2203:b3b653faef84
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:53:36 2017 -0700
summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2202:0b8a6e84b6c7
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:50:21 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2201:d39e9b373798
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:32:32 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2200:890216599f21
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:21:22 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2199:bada1409d2bb
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:15:29 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2198:3629b598a9ce
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:09:23 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

Actually, the patches that were checked into JSS are related to the
other BZ.  This BZ has a different JSS ticket with a different patch
that has yet to be reviewed and checked in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1371147

Moving this back to ASSIGNED.

(In reply to Matthew Harmsen from comment #3)
> Upstream Check-in:
> 
> cfu checked-in the following changes provided by ftweedal:
> 
> changeset:   2204:87dca07f7529
> tag:         tip
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:56:04 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2203:b3b653faef84
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:53:36 2017 -0700
> summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2202:0b8a6e84b6c7
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:50:21 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2201:d39e9b373798
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:32:32 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2200:890216599f21
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:21:22 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2199:bada1409d2bb
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:15:29 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2198:3629b598a9ce
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:09:23 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

INCORRECT CHECK-IN MESSAGE -- these check-ins apply to https://bugzilla.redhat.com/show_bug.cgi?id=1490487

cfu checked-in ftweedal's patch:

changeset:   2205:3e9a5ae2149d
tag:         tip
user:        Fraser Tweedale<ftweedale>
date:        Mon Sep 11 17:24:22 2017 -0700
summary:     Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails -

Asha, steps to reproduce/verify are here:
https://bugzilla.redhat.com/show_bug.cgi?id=1490740#c5.

Hi Fraser,

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
Restarted the instances.

After that, I perform PKCS #12 recovery. It did not crash, but I'm able to recover the PKCS #12 valid file.

Is it expected behavior?

Amol, this issue needs to be tested with Thales HSM.  Export should _fail_
but pki-tomcatd should not crash.

Amol, could you please paste the recovered pkcs #12 file,
and could you please give me an LDAP dump of the archived key data?

Was the key being recovered freshly archived, or has it been archived earlier.

I need this info to check:
1. that the key was indeed archived in a "wrap" mode
2. that the file produced is indeed using PBES2 encryption

Perhaps the conditions that caused the retrieval failures on the HSM
have been resolved (firmware update / configuration change / NSS changes?)

Secnario 1:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
After restarting the instance I'm able to submit the certificate request but not able to approve it.


Secnario 2:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true
kra.legacyPKCS12=false
```
After restarting the instance, I'm able to issue the certificate.

Then, I mark `kra.allowEncDecrypt.{archival, recovery}=false` in CS.cfg.

I'm able to recover the p12 file, then it throws the exception, which is not expected.

So marking this bug on FaildQA.

As Fraser's suggestion I open new BZ[1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1535540#c5

Fraser, Amol

See the following for discussion of valid settings when using an HSM,


http://pki.fedoraproject.org/wiki/Aes-feature-description

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0958