Bug 1465804 - cli: pki client should have some mechanism to set algorithm/AES encryption
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: RHCS Maintainers
QA Contact: Asha Akkiangady
Reported: 2017-06-28 05:08 EDT by Geetika Kapoor
Modified: 2018-05-04 09:51 EDT (History)
CC: 5 users

Type: Bug

Attachments
debug logs snip (7.73 KB, text/plain)
2017-09-27 15:22 EDT, Geetika Kapoor

Description Geetika Kapoor 2017-06-28 05:08:05 EDT
Description of problem:

pki client should have some mechanism to set algorithm/AES encryption.
Like in CRMFPopClient we have the "-w" option:

 -w <keywrap algorithm>       Algorithm to use for key wrapping
                                - default: "AES KeyWrap/Padding"
                                - "AES/CBC/PKCS5Padding"
                                - "DES3/CBC/Pad"

Version-Release number of selected component (if applicable):

rpm -qa pki-ca
pki-ca-10.4.1-10.el7.noarch

How reproducible:
always 

Additional info:

1. http://host:port/ca/rest/info 

<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>

2. http://host:port/kra/rest/info


<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>

3. 
[root@pki1 certs_db]# pki -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
NullPointerException: null
[root@pki1 certs_db]# pki -v -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
PKI options: -v -d dup -c SECret.123
PKI command: 25080 -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d dup -c SECret.123 --verbose -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Server URI: http://pki1.example.com:25080
Client security database: /opt/rhqa_pki/certs_db/dup
Message format: null
Command: client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Module: client
Module: cert-request
Initializing security database
Getting internal token
Logging into NSS FIPS 140-2 User Private Key
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=AFA00D6A3A1D2E0075C35107ECBB9598; Path=/pki; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Wed, 28 Jun 2017 10:57:35 GMT
HTTP request: GET /ca/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=F5ED7FA9241C8261A0148C3134E2E8AE; Path=/ca; HttpOnly
  Content-Type: application/xml
  Content-Length: 131
  Date: Wed, 28 Jun 2017 10:57:35 GMT
java.lang.NullPointerException
	at org.mozilla.jss.crypto.KeyWrapAlgorithm.fromString(KeyWrapAlgorithm.java:44)
	at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:251)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', 'dup', '-c', 'SECret.123', '--verbose', '-p', '25080', 'client-cert-request', 'CN=Test11,UID=Testing,OU=test', '--profile', 'caDualCert', '--type', 'crmf', '--transport', '/opt/rhqa_pki/certs_db/kra.transport']' returned non-zero exit status 255
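The description above shows the CA's /rest/info advertising ArchivalMechanism=keywrap with no WrapAlgorithm element, the KRA's /rest/info advertising AES/CBC/PKCS5Padding, and the pki client dying in KeyWrapAlgorithm.fromString with a NullPointerException right after the GET /ca/rest/info call. The following is an added example, not code from this bug report or from the pki/Dogtag code base: it parses the two info documents quoted in the description and picks a key-wrap algorithm with an explicit fallback when the server advertises none, which is the branch the stack trace suggests is missing. The function names (parse_info, select_keywrap) and the "source" tag are my own; the precedence rule (server-advertised algorithm overrides the user's -w value) is taken from the CRMFPopClient error text quoted in comment 2, and the algorithm names and default come from the -w help text in the description. Reading the NPE as "WrapAlgorithm missing, so fromString(null)" is an inference from the trace, not something the report states.

```python
# Added example, not code from the bug report or from the pki/Dogtag project.
# Decide which key-wrap algorithm a CRMF client should use from the CA/KRA
# /rest/info XML, handling a CAInfo that carries no WrapAlgorithm element.
import xml.etree.ElementTree as ET

# Names exactly as CRMFPopClient's -w help text lists them.
DEFAULT_KEYWRAP = "AES KeyWrap/Padding"
SUPPORTED_KEYWRAP = {"AES KeyWrap/Padding", "AES/CBC/PKCS5Padding", "DES3/CBC/Pad"}

# Copied from the bug description: the CA advertises no WrapAlgorithm.
CA_INFO_KEYWRAP = (
    "<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>"
)
# Copied from the bug description: the KRA advertises AES/CBC/PKCS5Padding.
KRA_INFO_ENCRYPT = (
    "<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism>"
    "<EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm>"
    "<RecoveryMechanism>encrypt</RecoveryMechanism>"
    "<WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>"
)


def parse_info(xml_text):
    """Return the archival fields of a CAInfo/KRAInfo document as a dict.

    Missing elements come back as None instead of raising, so the caller,
    not the XML layer, decides what a missing WrapAlgorithm means.
    """
    root = ET.fromstring(xml_text)
    if root.tag not in ("CAInfo", "KRAInfo"):
        raise ValueError("unexpected info document: <%s>" % root.tag)

    def field(tag):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    return {
        "subsystem": root.tag,
        "archival": field("ArchivalMechanism"),
        "encrypt": field("EncryptAlgorithm"),
        "wrap": field("WrapAlgorithm"),
    }


def select_keywrap(info, requested=None):
    """Pick the key-wrap algorithm and report where it came from.

    Precedence (the server wins, as the CRMFPopClient -w error text states
    when a host:port is given):
      1. WrapAlgorithm advertised by the server
      2. the algorithm the user asked for (-w)
      3. the CRMFPopClient default, "AES KeyWrap/Padding"
    An unknown name raises ValueError here, with a readable message, rather
    than surfacing later as a NullPointerException inside the crypto layer.
    """
    if info["wrap"]:
        chosen, source = info["wrap"], "server"
    elif requested:
        chosen, source = requested, "requested"
    else:
        chosen, source = DEFAULT_KEYWRAP, "default"

    if chosen not in SUPPORTED_KEYWRAP:
        raise ValueError(
            "unsupported key wrap algorithm %r (supported: %s)"
            % (chosen, ", ".join(sorted(SUPPORTED_KEYWRAP)))
        )
    return chosen, source


if __name__ == "__main__":
    # Walk both documents from the report with a -w value supplied, to show
    # the override being honoured for the CA and overridden by the KRA.
    for doc in (CA_INFO_KEYWRAP, KRA_INFO_ENCRYPT):
        info = parse_info(doc)
        algo, source = select_keywrap(info, requested="AES/CBC/PKCS5Padding")
        print("%s: archival=%s -> %s (from %s)"
              % (info["subsystem"], info["archival"], algo, source))
```

Running the block prints one line per document; the CA case resolves from the requested value because the server advertised nothing, while the KRA case resolves from the server regardless of the request, which is the same rule the CRMFPopClient error message in comment 2 describes for -w.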
Comment 2 Geetika Kapoor 2017-06-30 07:31:13 EDT
This changes the default behavior of CRMFPopClient too.

Setup:

1. KRA's CS.cfg has these two parameters.

kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true

2. It's being restarted after this change.
3. KRA rest info:
<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>

4. Restarted CA.

5. CA rest info:
<CAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></CAInfo>

6. CRMFPopClient -d . -p SECret.123  -n "cn=aakkiang, uid=asha"  -q POP_SUCCESS -b kra_transport.txt  -y -v -o crmf.req
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: UID=asha
RDN: CN=aakkiang
Generating key pair
Keypair private key id: 6581d0caf2e94bf7ef842339078c78552a29dab4
Using key wrap algorithm: AES KeyWrap/Padding
Creating certificate request
CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension.
CryptoUtil: createKeyIdentifier: begins
Creating signer
Creating POP
Creating CRMF request
Storing CRMF requrest into crmf.req


If we run,

CRMFPopClient -d . -p SECret.456 -h "NHSM-GKAPOOR-SOFTCARD" -n "cn=foobartest" -m pki1.example.com:25443 -u caadmin -r caadmin -q POP_SUCCESS -w "AES/CBC/PKCS5Padding"  -o test.csr

ERROR: Any value specified for the key wrap parameter (-w) will be overriden.  CRMFPopClient will contact the CA to determine the supported algorithm when hostport is specified
Try 'CRMFPopClient --help' for more information.
ERROR: File 'transport.txt' does not exist
Try 'CRMFPopClient --help' for more information.


Looks like it needs attention. Not sure what all it might break!!
Comment 3 Geetika Kapoor 2017-06-30 07:54:59 EDT
Additional information:

If we try to use the -m option, CRMFPopClient hangs, so this is blocking QE testing.

CRMFPopClient -v -d . -p SECret.579 -h "NHSM6000-OCS" -n "cn=foobartest" -m nocp11.idm.lab.eng.rdu2.rhat.com:8443 -u caadmin -r caadmin -q POP_SUCCESS -b  kra_transport.txt -o test.csr
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: CN=foobartest
Generating key pair
Keypair private key id: -39df806ca6a9a6bc41f9e9681e8c3a742294469c
Comment 4 Geetika Kapoor 2017-06-30 07:55:30 EDT
^C[root@nocp11 cmctest]# CRMFPopClient -v -d . -p SECret.579 -h "NHSM6000-OCS" -n "cn=foobartest" -m nocp11.idm.lab.eng.rdu2.rhat.com:8443 -u caadmin -r caadmin -q POP_SUCCESS -b  kra_transport.txt -o test.csr
Initializing security database: .
Loading transport certificate
Parsing subject DN
RDN: CN=foobartest
Generating key pair
Keypair private key id: -39df806ca6a9a6bc41f9e9681e8c3a742294469c

java.lang.Exception: Failed to retrieve archive wrapping information from the CA: javax.ws.rs.ProcessingException: Unable to invoke request
	at com.netscape.cmstools.CRMFPopClient.getKeyWrapAlgotihm(CRMFPopClient.java:592)
	at com.netscape.cmstools.CRMFPopClient.main(CRMFPopClient.java:498)
Caused by: javax.ws.rs.ProcessingException: Unable to invoke request
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
	at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
	at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
	at com.sun.proxy.$Proxy22.getInfo(Unknown Source)
	at org.dogtagpki.common.CAInfoClient.getInfo(CAInfoClient.java:45)
	at com.netscape.cmstools.CRMFPopClient.getKeyWrapAlgotihm(CRMFPopClient.java:580)
	... 1 more
Caused by: org.apache.http.NoHttpResponseException: The target server failed to respond
	at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:95)
	at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:61)
	at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:254)
	at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:289)
	at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:252)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.receiveResponseHeader(ManagedClientConnectionImpl.java:191)
	at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:300)
	at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:127)
	at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
	at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
	... 7 more
ERROR: Failed to retrieve archive wrapping information from the CA: javax.ws.rs.ProcessingException: Unable to invoke request
Try 'CRMFPopClient --help' for more information.
Comment 5 Geetika Kapoor 2017-06-30 07:56:40 EDT
It needs attention, so raising the priority of the bug. You can lower it if it works or there is a workaround for it.
Comment 6 Matthew Harmsen 2017-07-05 17:35:28 EDT
During TRIAGE, moved back from 7.5 ==> 7.4.z
Comment 7 Matthew Harmsen 2017-08-25 12:59:44 EDT
Per discussions within the PKI Team, cancelling need for 7.4.z ZStream Batch Update 2.
Comment 8 Geetika Kapoor 2017-09-27 15:22 EDT
Created attachment 1331549 [details]
debug logs snip
Comment 9 Endi Sukma Dewata 2017-09-28 11:56:00 EDT
Ade, any idea how to address this issue?
Comment 10 Matthew Harmsen 2017-10-25 12:55:36 EDT
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Comment 12 Matthew Harmsen 2018-05-02 18:51:12 EDT
alee: Not clear from the bug.  Is this blocking QE?  Or has this presumably been fixed?
Comment 13 Asha Akkiangady 2018-05-04 09:51:44 EDT
It should not be a blocker since CRMFPopClient has facility to set keywrap algorithm. The bug is requesting similar support for the pki client.
