Bug 1465804 - cli: pki client should have some mechanism to set algorithm/AES encryption [NEEDINFO]
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Dinesh Prasanth
QA Contact: Asha Akkiangady
Reported: 2017-06-28 05:08 EDT by Geetika Kapoor
Modified: 2017-09-28 11:56 EDT (History)
Type: Bug
edewata: needinfo? (alee)

Attachments
debug logs snip (7.73 KB, text/plain)
2017-09-27 15:22 EDT, Geetika Kapoor
Description Geetika Kapoor 2017-06-28 05:08:05 EDT
Description of problem:

pki client should have some mechanism to set algorithm/AES encryption.
Like in crmfpopclient, we have the "-w" option:

 -w <keywrap algorithm>       Algorithm to use for key wrapping
                                - default: "AES KeyWrap/Padding"
                                - "AES/CBC/PKCS5Padding"
                                - "DES3/CBC/Pad"

Version-Release number of selected component (if applicable):

rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

How reproducible:
always 

Additional info:

1. http://host:port/ca/rest/info

<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>

2. http://host:port/kra/rest/info

<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>

3. 
[root@pki1 certs_db]# pki -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
NullPointerException: null
[root@pki1 certs_db]# pki -v -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
PKI options: -v -d dup -c SECret.123
PKI command: 25080 -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d dup -c SECret.123 --verbose -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Server URI: http://pki1.example.com:25080
Client security database: /opt/rhqa_pki/certs_db/dup
Message format: null
Command: client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Module: client
Module: cert-request
Initializing security database
Getting internal token
Logging into NSS FIPS 140-2 User Private Key
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=AFA00D6A3A1D2E0075C35107ECBB9598; Path=/pki; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Wed, 28 Jun 2017 10:57:35 GMT
HTTP request: GET /ca/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=F5ED7FA9241C8261A0148C3134E2E8AE; Path=/ca; HttpOnly
  Content-Type: application/xml
  Content-Length: 131
  Date: Wed, 28 Jun 2017 10:57:35 GMT
java.lang.NullPointerException
	at org.mozilla.jss.crypto.KeyWrapAlgorithm.fromString(KeyWrapAlgorithm.java:44)
	at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:251)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', 'dup', '-c', 'SECret.123', '--verbose', '-p', '25080', 'client-cert-request', 'CN=Test11,UID=Testing,OU=test', '--profile', 'caDualCert', '--type', 'crmf', '--transport', '/opt/rhqa_pki/certs_db/kra.transport']' returned non-zero exit status 255
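As an added illustration (not code from pki-core or from the reporter), the selection step the trace above lacks: parse the CAInfo/KRAInfo documents quoted in the description and fall back to the documented default when `<WrapAlgorithm>` is absent, instead of handing a null to `KeyWrapAlgorithm.fromString()`. The SUPPORTED_WRAP_ALGORITHMS set is taken from the `-w` help text; the precedence rule (server value, then a `-w` style override, then the default) is an assumption modelled on the CRMFPopClient error message in comment 2.

```python
import xml.etree.ElementTree as ET

# Algorithms listed in the CRMFPopClient -w help text quoted in this bug.
SUPPORTED_WRAP_ALGORITHMS = {
    "AES KeyWrap/Padding",
    "AES/CBC/PKCS5Padding",
    "DES3/CBC/Pad",
}
DEFAULT_WRAP_ALGORITHM = "AES KeyWrap/Padding"

# Constructed copies of the two /rest/info responses quoted in the description.
CA_INFO_KEYWRAP = (
    "<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>"
)
KRA_INFO_ENCRYPT = (
    "<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism>"
    "<EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm>"
    "<RecoveryMechanism>encrypt</RecoveryMechanism>"
    "<WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>"
)


def select_wrap_algorithm(info_xml, requested=None):
    """Return (archival mechanism, key-wrap algorithm) for a client to use.

    info_xml:  a CAInfo or KRAInfo document as served by /rest/info.
    requested: optional operator override, like CRMFPopClient's -w value.
    Assumed precedence: the server-advertised algorithm wins when present,
    then the override, then the documented default. An absent or empty
    <WrapAlgorithm> therefore becomes a fallback rather than a null value.
    """
    root = ET.fromstring(info_xml)
    mechanism = root.findtext("ArchivalMechanism")
    if mechanism not in ("keywrap", "encrypt"):
        raise ValueError(f"unknown ArchivalMechanism: {mechanism!r}")
    # findtext() returns None for a missing element and "" for an empty one;
    # both are treated as "server did not say".
    server_alg = root.findtext("WrapAlgorithm") or None
    choice = server_alg or requested or DEFAULT_WRAP_ALGORITHM
    if choice not in SUPPORTED_WRAP_ALGORITHMS:
        # Fail with a readable message instead of a NullPointerException.
        raise ValueError(f"unsupported key wrap algorithm: {choice!r}")
    return mechanism, choice


if __name__ == "__main__":
    print(select_wrap_algorithm(CA_INFO_KEYWRAP))
    print(select_wrap_algorithm(KRA_INFO_ENCRYPT, requested="DES3/CBC/Pad"))
```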
Comment 2 Geetika Kapoor 2017-06-30 07:31:13 EDT
This changes the default behavior of CRMFPopClient too.

Setup:

1. KRA's CS.cfg has these two parameters.

kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true

2. It's being restarted after this change.
3. KRA rest info:
<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>

4. Restarted CA.

5. CA rest info:
<CAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></CAInfo>

6. CRMFPopClient -d . -p SECret.123  -n "cn=aakkiang, uid=asha"  -q POP_SUCCESS -b kra_transport.txt  -y -v -o crmf.req
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: UID=asha
RDN: CN=aakkiang
Generating key pair
Keypair private key id: 6581d0caf2e94bf7ef842339078c78552a29dab4
Using key wrap algorithm: AES KeyWrap/Padding
Creating certificate request
CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.
CryptoUtil: createKeyIdentifier: begins
Creating signer
Creating POP
Creating CRMF request
Storing CRMF requrest into crmf.req


If we run,

CRMFPopClient -d . -p SECret.456 -h "NHSM-GKAPOOR-SOFTCARD" -n "cn=foobartest" -m pki1.example.com:25443 -u caadmin -r caadmin -q POP_SUCCESS -w "AES/CBC/PKCS5Padding"  -o test.csr

ERROR: Any value specified for the key wrap parameter (-w) will be overriden.  CRMFPopClient will contact the CA to determine the supported algorithm when hostport is specified
Try 'CRMFPopClient --help' for more information.
ERROR: File 'transport.txt' does not exist
Try 'CRMFPopClient --help' for more information.


Looks like it needs attention. Not sure what all it might break!!
Comment 3 Geetika Kapoor 2017-06-30 07:54:59 EDT
Additional information:

If we try to use the -m option, CRMFPopClient hangs, so this is blocking QE testing.

CRMFPopClient -v -d . -p SECret.579 -h "NHSM6000-OCS" -n "cn=foobartest" -m nocp11.idm.lab.eng.rdu2.rhat.com:8443 -u caadmin -r caadmin -q POP_SUCCESS -b  kra_transport.txt -o test.csr
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: CN=foobartest
Generating key pair
Keypair private key id: -39df806ca6a9a6bc41f9e9681e8c3a742294469c
Comment 4 Geetika Kapoor 2017-06-30 07:55:30 EDT
^C[root@nocp11 cmctest]# CRMFPopClient -v -d . -p SECret.579 -h "NHSM6000-OCS" -n "cn=foobartest" -m nocp11.idm.lab.eng.rdu2.rhat.com:8443 -u caadmin -r caadmin -q POP_SUCCESS -b  kra_transport.txt -o test.csr
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: CN=foobartest
Generating key pair
Keypair private key id: -39df806ca6a9a6bc41f9e9681e8c3a742294469c

java.lang.Exception: Failed to retrieve archive wrapping information from the CA: javax.ws.rs.ProcessingException: Unable to invoke request
	at com.netscape.cmstools.CRMFPopClient.getKeyWrapAlgotihm(CRMFPopClient.java:592)
	at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:498)
Caused by: javax.ws.rs.ProcessingException: Unable to invoke request
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
	at com.sun.proxy.$Proxy22.getInfo(Unknown Source)
	at org.dogtagpki.common.CAInfoClient.getInfo(CAInfoClient.java:45)
	at com.netscape.cmstools.CRMFPopClient.getKeyWrapAlgotihm(CRMFPopClient.java:580)
	... 1 more
Caused by: org.apache.http.NoHttpResponseException: The target server failed to respond
	at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:95)
	at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:61)
	at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:254)
	at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:289)
	at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:252)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.receiveResponseHeader(ManagedClientConnectionImpl.java:191)
	at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:300)
	at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:127)
	at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	... 7 more
ERROR: Failed to retrieve archive wrapping information from the CA: javax.ws.rs.ProcessingException: Unable to invoke request
Try 'CRMFPopClient --help' for more information.
Comment 5 Geetika Kapoor 2017-06-30 07:56:40 EDT
It needs attention, so I am raising the priority of the bug. You can lower it if it works or there is a workaround for it.
Comment 6 Matthew Harmsen 2017-07-05 17:35:28 EDT
During TRIAGE, moved back from 7.5 ==> 7.4.z
Comment 7 Matthew Harmsen 2017-08-25 12:59:44 EDT
Per discussions within the PKI Team, cancelling need for 7.4.z ZStream Batch Update 2.
Comment 8 Geetika Kapoor 2017-09-27 15:22 EDT
Created attachment 1331549 [details]
debug logs snip
Comment 9 Endi Sukma Dewata 2017-09-28 11:56:00 EDT
Ade, any idea how to address this issue?