Bug 1566617 - Key generation during token enrollment fails in FIPS/non-HSM environment [NEEDINFO]
Summary: Key generation during token enrollment fails in FIPS/non-HSM environment
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: RHCS Maintainers
QA Contact: Asha Akkiangady
Depends On:
Reported: 2018-04-12 15:42 UTC by Roshni
Modified: 2021-01-08 07:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-01-08 07:28:44 UTC
Type: Bug
Target Upstream Version:
cfu: needinfo? (sveerank)

Attachments
KRA CS.cfg (35.84 KB, text/plain), 2018-04-12 15:42 UTC, Roshni

External Trackers
System: Github dogtagpki pki issues
ID: 3112
Private: 0
Priority: None
Status: open
Summary: Key generation during token enrollment fails in FIPS/non-HSM environment
Last Updated: 2021-01-13 16:00:03 UTC

Description Roshni 2018-04-12 15:42:31 UTC
Created attachment 1420916
KRA CS.cfg

Description of problem:
Key generation during token enrollment fails in FIPS/non-HSM environment

Version-Release number of selected component (if applicable):
[root@auto-hv-01-guest06 ~]# rpm -q pki-ca
[root@auto-hv-01-guest06 ~]# rpm -q pki-tps

How reproducible:

Steps to Reproduce:
1. Enable FIPS on the machine
2. Create a TMS environment, TPS configured with server-side key generation enabled.
3. Enroll a tpsclient or smartcard token

Actual results:
Enrollment fails. Signing cert is generated but key generation for encryption cert fails.

KRA debug log snippet:

[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search base: cn=Data Recovery Manager Agents,ou=groups,o=topology-KRA-KRA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization search filter: (uniquemember=uid=TPS-auto-hv-01-guest06.idmqe.lab.eng.bos.redhat.com-25443,ou=people,o=topology-KRA-KRA)
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: authorization result: true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: returnConn: mNumConns now 3
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: evaluated expression: group="Data Recovery Manager Agents" to be true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: DirAclAuthz: authorization passed
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event AUTHZ
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event ROLE_ASSUME
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenerateKeyPairServlet: processServerSideKeyGen would be called
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeyGen begins:
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: in getNextSerialNumber.
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: checkRange  mLastSerialNo=6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: Repository: getNextSerialNumber: returning retSerial 6
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: GenericPolicyProcessor: apply not ProfileRequest. op=netkeyKeygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event RANDOM_GENERATION
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest archival requested for serverSideKeyGen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: SignedAuditLogger: event SERVER_SIDE_KEYGEN_REQUEST
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: wrapped_des_key specialDecoded
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: got keygenToken
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: about to generate key pair
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: found config store: kra.keygen
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: setting temporaryPairs to true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeygen finished

Expected results:
Token enrollment with server-side key generation should be successful

Additional info:
Attaching KRA CS.cfg
Using default TPS CS.cfg
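The KRA debug snippet above shows the shape of a failed server-side keygen: the worker thread logs the key type, the target slot, the temporaryPairs setting, and then the JSS TokenException with the NSS error code. As an added example (not code from the report, from pki-core or from JSS), the following Python scanner pulls those failures out of a KRA debug log and reassembles the per-thread context, which is useful when several enrollments are interleaved in one file. The sample log is constructed from the lines in the report plus one extra worker thread whose request does not fail. The NSS_ERROR_NAMES table is an assumption taken from NSS secerr.h (SEC_ERROR_BASE = -8192, so -8190 is SEC_ERROR_BAD_DATA); confirm it against the headers of the nss version actually installed.

```python
"""Scan a KRA debug log for failed server-side key-pair generations.

Added example for this report; not part of pki-core or JSS. Message strings
follow the KRA debug snippet in the report. NSS_ERROR_NAMES is an assumption
taken from NSS secerr.h (SEC_ERROR_BASE = -8192); verify against the installed nss.
"""
import re

# Constructed sample input: the keygen lines from the report's KRA log, plus a
# second worker thread (exec-7) whose request does not fail, to show that the
# scanner keeps per-thread context apart.
SAMPLE_LOG = """\
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-7]: NetkeyKeygenService: serviceRequest: key type = RSA
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair is to be generated on slot: NSS FIPS 140-2 User Private Key
[11/Apr/2018:15:01:19][http-bio-21443-exec-7]: NetkeyKeygenService: key pair is to be generated on slot: NSS User Private Key and Certificate Services
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: setting temporaryPairs to true
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: NetkeyKeygenService: key pair generation begins
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8190 :
[11/Apr/2018:15:01:19][http-bio-21443-exec-5]: processServerSideKeygen finished
[11/Apr/2018:15:01:19][http-bio-21443-exec-7]: processServerSideKeygen finished
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$')
KEYTYPE_RE = re.compile(r'serviceRequest: key type = (?P<ktype>\S+)')
SLOT_RE = re.compile(r'generated on slot: (?P<slot>.*?)\s*$')
TEMP_RE = re.compile(r'setting temporaryPairs to (?P<val>true|false)')
FAIL_RE = re.compile(r'Keypair Generation failed on token with error: (?P<code>-?\d+)')

# Assumed mapping of the JSS-reported NSS codes to secerr.h names (SEC_ERROR_BASE = -8192).
NSS_ERROR_NAMES = {
    -8192: 'SEC_ERROR_IO',
    -8191: 'SEC_ERROR_LIBRARY_FAILURE',
    -8190: 'SEC_ERROR_BAD_DATA',
    -8187: 'SEC_ERROR_INVALID_ARGS',
    -8186: 'SEC_ERROR_INVALID_ALGORITHM',
}


def analyze_keygen_log(lines):
    """Return one record per failed key-pair generation.

    Each record carries the context the same Tomcat worker thread logged
    before the failure (key type, target slot, temporaryPairs), the NSS
    error code and its name. Context is keyed by thread name because
    several enrollments are interleaved in one debug log.
    """
    context = {}    # thread name -> record being assembled
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip('\n'))
        if not m:
            continue
        thread, msg = m.group('thread'), m.group('msg')
        rec = context.setdefault(thread, {'thread': thread})
        k = KEYTYPE_RE.search(msg)
        if k:
            rec['key_type'] = k.group('ktype')
            continue
        s = SLOT_RE.search(msg)
        if s:
            rec['slot'] = s.group('slot')
            rec['fips_slot'] = 'FIPS' in rec['slot']
            continue
        t = TEMP_RE.search(msg)
        if t:
            rec['temporary_pairs'] = (t.group('val') == 'true')
            continue
        f = FAIL_RE.search(msg)
        if f:
            code = int(f.group('code'))
            rec.update(timestamp=m.group('ts'), error_code=code,
                       error_name=NSS_ERROR_NAMES.get(code, 'unknown'))
            failures.append(rec)
            context.pop(thread)        # worker threads are reused; start afresh
        elif msg.startswith('processServerSideKeygen finished'):
            context.pop(thread, None)  # request ended without a failure
    return failures


def matches_report_signature(rec):
    """True when a failure looks like the one in this report: a temporary
    key pair requested on the NSS FIPS slot, rejected with -8190."""
    return (rec.get('fips_slot') is True
            and rec.get('temporary_pairs') is True
            and rec.get('error_code') == -8190)


if __name__ == '__main__':
    for rec in analyze_keygen_log(SAMPLE_LOG.splitlines()):
        flag = '  (same signature as this report)' if matches_report_signature(rec) else ''
        print(f"{rec['timestamp']} {rec['thread']}: {rec.get('key_type')} keygen on "
              f"'{rec.get('slot')}' (temporaryPairs={rec.get('temporary_pairs')}) "
              f"failed with {rec['error_code']} {rec['error_name']}{flag}")
```

Run it against /var/lib/pki/<instance>/logs/kra/debug (path assumed; check the instance's own log location) to list every failed keygen with its slot; a hit on the FIPS slot with temporaryPairs=true and -8190 is the combination seen in this report, and a hit on a non-FIPS slot or with a different code points elsewhere.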

Comment 2 Matthew Harmsen 2018-04-20 01:19:52 UTC
Per RHEL 7.5.z/7.6/8.0 Triage: 7.6

jmagne: Important to get this working, because a customer might want this scenario.

Comment 3 Matthew Harmsen 2018-07-04 00:38:02 UTC
Moved to RHEL 7.7.

Comment 10 RHEL Program Management 2021-01-08 07:28:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
