RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1709551 - JSS: add PKCS#11 standard AES KeyWrap for HSM support
Summary: JSS: add PKCS#11 standard AES KeyWrap for HSM support
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: jss
Version: ---
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Christina Fu
QA Contact: PKI QE
URL:
Whiteboard:
Depends On: 1489256
Blocks: 1710800
TreeView+ depends on / blocked
 
Reported: 2019-05-13 19:16 UTC by Christina Fu
Modified: 2021-02-01 14:15 UTC (History)
5 users (show)

Fixed In Version: jss-4.4.7-1.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1710800 (view as bug list)
Environment:
Last Closed: 2021-02-01 07:40:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Christina Fu 2019-05-13 19:16:30 UTC 
Description of problem:

This bug is to capture the effort to provide AES key wrapping mechanisms (with or without Padding) for HSM (specifically Thales HSM).  We have intention to support LunaSA as well. It is our hope that the eventual fix will work with both modules, but the initial attempt is focusing on Thales.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:

Here are the findings:
We discovered that Thales HSM SW 12.30 does not recognize the definitions defined by the PKCS#11 standard:
CKM_AES_KEY_WRAP 0x2109
CKM_AES_KEY_WRAP_PAD 0x210a
We were told at the time that the SW 12.50 would support it.

Testing with SW 12.50 reveals the following:
AES KeyWrap (NoPadding) yields the following error:
2019-05-07 08:20:41 [5298] t0067d2106c7f0000: pkcs11: 000008CC Application error: Mechanism 0x00002109 (CKM_AES_KEY_WRAP) not supported for wrapping private keys
2019-05-07 08:20:41 [5298] t0067d2106c7f0000: pkcs11: 000008CC <    rv 0x00000070 (CKR_MECHANISM_INVALID)

AES KeyWrap (with Padding) yields the following error:
2019-05-07 08:23:27 [5320] t00472998c37f0000: pkcs11: 000008CC Application error: 0x0000210A (CKM_AES_KEY_WRAP_PAD) not a wrapping mechanism
2019-05-07 08:23:27 [5320] t00472998c37f0000: pkcs11: 000008CC <    rv 0x00000070 (CKR_MECHANISM_INVALID)

According to Thales, the following is the reason why they will not support CKM_AES_KEY_WRAP for private key wrapping.
"
The answer is that the PKCS#11 specification is confused about how the mechanism handles inputs that do not exactly fit into the cipher blocks.  It says both that they should be zero-padded and that they should be rejected.
We don't believe that zero-padding is a good option and so we do not support the mechanism for private keys
"
Also: 
"
CKM_AES_KEY_WRAP_PAD will wrap private keys in V12.60
The AES_CBC and AES_CBC_PAD mechanisms will wrap private keys in V12.50.
Security World 12.60 is schedule for a late May/June release.
"
And:
"
V12.60 phase 1 release supporting windows and linux end of June 2019
V12.60 phase 2 release supporting other unix July 2019
"

Expected results:


Additional info:
Early on, I leaned from Bob Relyea that NSS has its own AES Key wrapping mechanism numbers, which are different from the PKCS#11 standard:
CKM_NSS_AES_KEY_WRAP
CKM_NSS_AES_KEY_WRAP_PAD
While waiting for Thales to respond to my inquiries, I tested out private key wrapping with CKM_NSS_AES_KEY_WRAP and found some odd behavior.  It would fail most of the time with the following error, but it would actually *sometimes work*:
    (-8188) security library has experienced an input length error.
I learned from Bob that "It works only when length is a multiple of the AES block length. In order to correctly wrap a private key with AES key wrap, you need to have the result padded. That's why CKM_NSS_AES_KEY_WRAP_PAD exists."

So the conclusion is to wait for Thales to support CKM_AES_KEY_WRAP_PAD in the next release.

As for now, I think there is no reason to add the PKCS#11 standard while waiting for Thales's new SW version.
Minimum test can still be conducted to at least see that the AES key wrapping mechanisms are recognized on 12.50, v.s. complete ignorance in 12.30.
Comment 2 Christina Fu 2019-05-13 20:45:07 UTC 
Correction to typo in the last paragraph in the Description:

"As for now, I think there is no reason to add the PKCS#11 standard while waiting for Thales's new SW version...."
should read:
"As for now, I think there is no reason to NOT add the PKCS#11 standard while waiting for Thales's new SW version...."
Comment 3 Christina Fu 2019-05-13 20:52:51 UTC 
commit ddc77ab82ca7062f7efd5c34ddb3e702061999ce
Author: Christina Fu <cfu>
Date:   Fri May 10 19:02:36 2019 -0700

    Add HSM support for PKCS#11 AES KeyWrap/Padding (#176)
    
    * Add HSM support for PKCS#11 AES KeyWrap/Padding
    
    This patch adds  HSM support for the PKCS#11 standard defined KeyWrap/Padding
    mechanism. Prior to this patch, only NSS (CKM_NSS_AES_KEY_WRAP_PAD) was support
    Note that this is based on Thales's projection of having the following supporte
    in the next SW version, 12.60: CKM_AES_KEY_WRAP_PAD
    For completeness, CKM_AES_KEY_WRAP is also added, although it is not suitable
    for private key wrapping.
    
    * Added test case for AES_KEY_WRAP_PAD; also a clarification comment
    
    This would actually test CKM_NSS_AES_KEY_WRAP_PAD if CKM_AES_KEY_WRAP_PAD
    is not supported by the crypto module.
    
    also added clarification comment in org/mozilla/jss/crypto/KeyWrapAlgorithm.jav
    
    * pulling repeated code into a method getSupportedWrappingMechanism
Comment 4 Christina Fu 2019-05-13 23:34:18 UTC 
Test procedure:
Since the full functionality could not be tested until Thales HSM sw 12.60 is available, a "limited test" ability will be provided in an updated CRMFPopClient too.

Such procedure will be provided in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1709585
Comment 5 Christina Fu 2019-05-13 23:40:21 UTC 
I should add that although the feature will not be tested completely until Thales SW 12.60 is available, this bug is to be put on "POST" as:
1. it is tested to not break existing functionality for CKM_NSS_AES_KEY_WRAP_PAD on nss
2. it is tested to have the expected result to be documented in https://bugzilla.redhat.com/show_bug.cgi?id=1709585

The should be another round of tests (Phase 2) on Thales SW 12.60 when it becomes available.
Comment 15 RHEL Program Management 2021-02-01 07:40:51 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Note You need to log in before you can comment on or make changes to this bug.