1490487 – PKCS12: (JSS) upgrade to at least AES and SHA2 (FIPS)

Bug 1490487 - PKCS12: (JSS) upgrade to at least AES and SHA2 (FIPS)

Summary: PKCS12: (JSS) upgrade to at least AES and SHA2 (FIPS)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	jss
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Fraser Tweedale
QA Contact:	Asha Akkiangady
Docs Contact:	Petr Bokoc
URL:
Whiteboard:
Depends On:	1446786
Blocks:	1490241 1490489 1490494
TreeView+	depends on / blocked

Reported:	2017-09-11 18:05 UTC by Matthew Harmsen
Modified:	2018-04-10 17:57 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	This update adds the "EncryptedPrivateKeyInfo.createPBES2" method to JSS. This method provides a way to create PKCS #12 files using the PBES2 encryption scheme using modern ciphers and key derivation functions (KDFs). The new method can now be used to encrypt a PrivateKeyInfo datum using PBES2 with PBKDF2 key derivation and caller-specifier cipher.
Clone Of:	1446786
Clones:	1490489 1490494 (view as bug list)
Environment:
Last Closed:	2018-04-10 17:56:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	1370778	0	--	RESOLVED	PBE and padded block cipher enhancements and fixes	2020-03-02 07:18:53 UTC
Red Hat Product Errata	RHBA-2018:0958	0	None	None	None	2018-04-10 17:57:58 UTC

Comment 2 Roshni 2017-09-14 20:54:04 UTC

Hi Fraser, 

Could you help with the test instructions for this bug?

A few scenarios I have in mind are:

1. Modify KRA CS.cfg with the following

kra.allowEncDecrypt.archival=true
kra.allowEncDecrypt.recovery=true

2. Enable only TLS/AES ciphers in server.xml all subsystem instances.

3. Execute pki pkcs12 clis successfully.

4. Enable server-side keygen on TPS with the above KRA. Format/Enroll SCP03 v7 smartcards (this card uses AES for encryption and decryption) when the following params in TKS are set

tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet.prot3.divers=none
tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet.prot3.masterKeyType=AES

tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=true

These tests would be done with certificates on HSM and FIPS enabled environment.

Let me know if the above testing would be a good coverage for this bug.

Comment 3 Roshni 2017-09-14 21:01:23 UTC

Moving the NEED_INFO to the ON_QA bug https://bugzilla.redhat.com/show_bug.cgi?id=1490494

Comment 5 Roshni 2017-12-07 16:17:15 UTC

[root@nocp1 pki-kra-Dec6]# rpm -qi jss
Name        : jss
Version     : 4.4.0
Release     : 10.el7
Architecture: x86_64
Install Date: Tue 28 Nov 2017 02:30:31 PM EST
Group       : System Environment/Libraries
Size        : 1029659
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/SHA256, Wed 01 Nov 2017 02:37:50 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : jss-4.4.0-10.el7.src.rpm
Build Date  : Wed 01 Nov 2017 02:19:14 PM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.mozilla.org/projects/security/pki/jss/
Summary     : Java Security Services (JSS)

Verifications as explained in https://bugzilla.redhat.com/show_bug.cgi?id=1490494#c12. pk12util and pki pkcs12-import tools imported the key successfully

Comment 8 errata-xmlrpc 2018-04-10 17:56:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0958

Note You need to log in before you can comment on or make changes to this bug.