RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1460019 - PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails
Summary: PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.4
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: ipa-qe
Petr Bokoc
URL:
Whiteboard:
Depends On: 1460016
Blocks: 1490740
TreeView+ depends on / blocked
 
Reported: 2017-06-08 20:46 UTC by Matthew Harmsen
Modified: 2018-04-10 17:57 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, a failure to check that the result of a key wrapping operation was not NULL could in some cases cause PKI to crash due to a segmentation fault. This update adds a check that raises an exception in such cases, and a failed key wrapping operation now results in a Java exceptions instead of a crash.
Clone Of: 1460016
: 1490740 (view as bug list)
Environment:
Last Closed: 2018-04-10 17:56:52 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1371147 0 None None None 2019-03-06 07:17:46 UTC
Red Hat Product Errata RHBA-2018:0958 0 None None None 2018-04-10 17:57:58 UTC

Description Matthew Harmsen 2017-06-08 20:46:14 UTC 
+++ This bug was initially created as a clone of Bug #1460016 +++

PK11Store.getEncryptedPrivateKeyInfo() segfaults if export fails

Steps to reproduce:

    Use PK11Store.getEncryptedPrivateKeyInfo() with Thales nethsm.

Actual results:

    PK11_ExportEncryptedPrivKeyInfo returning NULL is not being handled
    properly, causing segfault.


Expected results:

    Detect this condition and raise a
    TokenException instead.

Additional Information:

    Patch is attached to upstream bug
    https://bugzilla.mozilla.org/show_bug.cgi?id=1371147
Comment 3 Matthew Harmsen 2017-09-08 21:41:48 UTC 
Upstream Check-in:

cfu checked-in the following changes provided by ftweedal:

changeset:   2204:87dca07f7529
tag:         tip
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:56:04 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2203:b3b653faef84
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:53:36 2017 -0700
summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2202:0b8a6e84b6c7
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:50:21 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2201:d39e9b373798
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:32:32 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2200:890216599f21
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:21:22 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2199:bada1409d2bb
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:15:29 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

changeset:   2198:3629b598a9ce
user:        Fraser Tweedale<ftweedale>
date:        Fri Sep 08 11:09:23 2017 -0700
summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
Comment 4 Fraser Tweedale 2017-09-09 05:55:40 UTC 
Actually, the patches that were checked into JSS are related to the
other BZ.  This BZ has a different JSS ticket with a different patch
that has yet to be reviewed and checked in:
https://bugzilla.mozilla.org/show_bug.cgi?id=1371147

Moving this back to ASSIGNED.
Comment 5 Matthew Harmsen 2017-09-11 19:02:18 UTC 
(In reply to Matthew Harmsen from comment #3)
> Upstream Check-in:
> 
> cfu checked-in the following changes provided by ftweedal:
> 
> changeset:   2204:87dca07f7529
> tag:         tip
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:56:04 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2203:b3b653faef84
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:53:36 2017 -0700
> summary:     bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2202:0b8a6e84b6c7
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:50:21 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2201:d39e9b373798
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:32:32 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2200:890216599f21
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:21:22 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2199:bada1409d2bb
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:15:29 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -
> 
> changeset:   2198:3629b598a9ce
> user:        Fraser Tweedale<ftweedale>
> date:        Fri Sep 08 11:09:23 2017 -0700
> summary:     Bug 1370778 PBE and padded block cipher enhancements and fixes -

INCORRECT CHECK-IN MESSAGE -- these check-ins apply to https://bugzilla.redhat.com/show_bug.cgi?id=1490487
Comment 6 Matthew Harmsen 2017-09-12 00:46:48 UTC 
cfu checked-in ftweedal's patch:

changeset:   2205:3e9a5ae2149d
tag:         tip
user:        Fraser Tweedale<ftweedale>
date:        Mon Sep 11 17:24:22 2017 -0700
summary:     Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails -
Comment 10 Fraser Tweedale 2017-11-21 06:14:48 UTC 
Asha, steps to reproduce/verify are here:
https://bugzilla.redhat.com/show_bug.cgi?id=1490740#c5.
Comment 11 Amol K 2018-01-09 09:44:33 UTC 
Hi Fraser,

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
Restarted the instances.

After that, I perform PKCS #12 recovery. It did not crash, but I'm able to recover the PKCS #12 valid file.

Is it expected behavior?
Comment 12 Fraser Tweedale 2018-01-09 12:20:38 UTC 
Amol, this issue needs to be tested with Thales HSM.  Export should _fail_
but pki-tomcatd should not crash.
Comment 13 Fraser Tweedale 2018-01-10 06:35:01 UTC 
Amol, could you please paste the recovered pkcs #12 file,
and could you please give me an LDAP dump of the archived key data?

Was the key being recovered freshly archived, or has it been archived earlier.

I need this info to check:
1. that the key was indeed archived in a "wrap" mode
2. that the file produced is indeed using PBES2 encryption

Perhaps the conditions that caused the retrieval failures on the HSM
have been resolved (firmware update / configuration change / NSS changes?)
Comment 19 Amol K 2018-01-17 15:07:12 UTC 
Secnario 1:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=false
kra.allowEncDecrypt.recovery=false
kra.legacyPKCS12=false
```
After restarting the instance I'm able to submit the certificate request but not able to approve it.


Secnario 2:

I set up the following configuration in the file /var/lib/pki/<instance>/kra/conf/CS.cfg:
```
kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true
kra.legacyPKCS12=false
```
After restarting the instance, I'm able to issue the certificate.

Then, I mark `kra.allowEncDecrypt.{archival, recovery}=false` in CS.cfg.

I'm able to recover the p12 file, then it throws the exception, which is not expected.

So marking this bug on FaildQA.
Comment 20 Amol K 2018-01-24 15:45:39 UTC 
As Fraser's suggestion I open new BZ[1].

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1535540#c5
Comment 21 Ade Lee 2018-01-24 15:52:45 UTC 
Fraser, Amol

See the following for discussion of valid settings when using an HSM,


http://pki.fedoraproject.org/wiki/Aes-feature-description
Comment 28 errata-xmlrpc 2018-04-10 17:56:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0958
Note You need to log in before you can comment on or make changes to this bug.