Red Hat Bugzilla – Bug 1460028
In keywrap mode, key recovery on KRA with HSM causes KRA to crash
Last modified: 2017-09-01 11:14:41 EDT
This bug is created as a clone of upstream ticket:
Originally, because the AES KEY_WRAP algorithm was not supported by the HSM, we needed to put the KRA in encrypt mode.
Recent code has allowed us to specify the AES-CBC-128 mode for the key wrapping algorithm, and to allow the KRA to be in key wrap mode. However, in this mode, when a key recovery is attempted, the KRA crashes due to a null pointer dereference in the HSM (on a FIPS machine).
Author: Fraser Tweedale <email@example.com>
Date: Thu Jun 8 14:25:23 2017 +1000
KRA PKCS #12 export: add config to use 3DES PBE encryption
Restore the 3DES PKCS #12 key recovery code path, alongside the new
AES variant, which is broken on Thales nethsm. Add the
'kra.legacyPKCS12' config for selecting which version to use, with
the default value of 'true' (i.e., use 3DES).
Part of: https://pagure.io/dogtagpki/issue/2728
[root@nocp1 ~]# rpm -qi pki-kra
Name : pki-kra
Version : 10.4.1
Release : 10.el7
Install Date: Wed 21 Jun 2017 11:00:26 AM EDT
Group : System Environment/Daemons
Size : 562173
License : GPLv2
Signature : (none)
Source RPM : pki-core-10.4.1-10.el7.src.rpm
Build Date : Tue 20 Jun 2017 01:23:22 AM EDT
Build Host : ppc-046.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : http://pki.fedoraproject.org/
Summary : Certificate System - Key Recovery Authority
Key recovery on token using external registration works with HSM and FIPS enabled environment with AES encryption. This was tested successfully using SCP01 and SCP03 cards.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
*** Bug 1460029 has been marked as a duplicate of this bug. ***