Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1710109

Summary: add RSA PSS support
Product: Red Hat Enterprise Linux 7 Reporter: Christina Fu <cfu>
Component: pki-coreAssignee: Jack Magne <jmagne>
Status: CLOSED ERRATA QA Contact: PKI QE <bugzilla-pkiqe>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.9CC: aakkiang, jmagne, mharmsen, msauton, prisingh, skhandel
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pki-core-10.5.18-7.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1824948 (view as bug list) Environment:
Last Closed: 2020-09-29 20:00:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1824948    

Description Christina Fu 2019-05-14 21:44:35 UTC 
Description of problem:
This bug is to capture the PKI side of the RSA PSS support (see
Bug 1710105 - JSS: add RSA PSS support
https://bugzilla.redhat.com/show_bug.cgi?id=1710105)

It was discovered that Thales HSM SW12.50 when in FIPS mode does not allow PKCS1 RSA signing.  Instead, RSA PSS (Probabilistic Signature Scheme) is required.

It is important that we support both mechanisms, as not all crypto modules support PSS.
Without this support, one would not be able to install RHCS/Dogtag with Thales HSM SW12.50 or higher in FIPS mode.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Please make sure the standard PKCS#1 RSA continues to work, as well as ECC.
Comment 3 Jack Magne 2019-09-06 01:00:45 UTC 
Moving feature to 7.9 to finish feature more completely.
Comment 4 Jack Magne 2020-03-29 19:26:02 UTC 
Patch reviewed and checked in:

* DOGTAG_10_5_BRANCH   ba48744 [ahead 1] First cut of pki part of RSA-PSS signing algorithm support. (#356)

commit ba48744b071fa5aa0dc04886745710699ca24139
Author: jmagne <jmagne>
Date:   Sat Mar 28 15:14:59 2020 -0400

    First cut of pki part of RSA-PSS signing algorithm support. (#356)
    
    This fix conincides with another ticket providing RSA PSS signature support for JSS,
    which is required for this to work.
    
    This is designed for simple usage. If one wants to say create a CA or KRA with RSA PSS signature
    support, simply place the following line in the pkispawn script file:
    
    pki_use_pss_rsa_signing_algorithm=True
    
    This will instruct the process to take whatever signing algorithm of the form (
    SHAxxxwithRSA signing algorithms are specified and promote them to the corresponding
    PSS algorithm such as: SHS256withRSA/PSS.
    
    If one ONLY puts that value in the script file, all the algs, which have a default of
    SHA256withRSA will be promoted to SHA256withRSA/PSS.
    
    This fix also provides support , if desired, for SHA384, and SHA512 versions of PSS.
    In order to get this to work, the pkispawn config will have to explcitly enumerate
    each applicable signing algorithm as such ex:  pki_ca_signing_signing_algorithm=SHA384withRSA.
    Also the explicit alg of say SHA384withRSA/PSS can be used for each setting.
    
    Tested with a basic CA and KRA. Also tested with a non PSS CA and a no PSS ca with ECC so far.
    The goal is to not interfere with any existing functionality if PSS support is not desired.
    
    For now there is duplication with JSS for the file AlgorithmId.java. It was too difficult to
    make pki use JUST the JSS version of this file due to many interlocking dependencies..
    
    There is an entire directory x509 that needs to be ported entirely over to use JSS, which should
    be done all at once withe a fiture ticket.
    
    Co-authored-by: root <root.lab.eng.rdu2.redhat.com>
Comment 8 Jack Magne 2020-03-31 00:48:26 UTC 
Found an issue with the IPA CI test, this patch fixes it:

Branch: DOGTAG_10_5_BRANCH


commit 53de751485b04fe2a1555228342ed642c9a9e347
Author: jmagne <jmagne>
Date:   Mon Mar 30 20:40:50 2020 -0400

    Minor fix to appease ipa install. The code in question was getting (#364)
    
    an algorithmId name with trailing whitespace, which was not recognized.
    
    Co-authored-by: Jack Magne <jmagne.com>
Comment 9 Florence Blanc-Renaud 2020-04-01 12:30:22 UTC 
*** Bug 1819656 has been marked as a duplicate of this bug. ***
Comment 13 Asha Akkiangady 2020-05-18 21:30:11 UTC 
Marking the bug on assigned to fix the issue, https://bugzilla.redhat.com/show_bug.cgi?id=1832364#c3
Comment 15 Jack Magne 2020-05-19 00:43:09 UTC 
*** Bug 1832364 has been marked as a duplicate of this bug. ***
Comment 16 Pritam Singh 2020-05-21 12:31:06 UTC 
Hi Jack,

I tried Issuing certificate with CMC, but it is breaking on CMCResponse with below error:

"Error found in the response. Exception: java.security.cert.CertificateException: 
Unable to parse certificate data: java.lang.Exception: java.security.NoSuchProviderException: no such provider: Mozilla-JSS"

Tested on:

root@pki1 ~]# rpm -qa | grep pki
pki-symkey-10.5.18-6.el7.x86_64
pki-tks-10.5.18-6.el7pki.noarch
pki-tools-10.5.18-6.el7.x86_64
pki-tps-10.5.18-6.el7pki.x86_64
pki-ca-10.5.18-6.el7.noarch
pki-base-java-10.5.18-6.el7.noarch
redhat-pki-10.5.18-2.el7pki.noarch
pki-ocsp-10.5.18-6.el7pki.noarch
redhat-pki-server-theme-10.5.18-2.el7pki.noarch
pki-base-10.5.18-6.el7.noarch
pki-kra-10.5.18-6.el7.noarch
redhat-pki-console-theme-10.5.18-2.el7pki.noarch
pki-console-10.5.18-4.el7pki.noarch
pki-server-10.5.18-6.el7.noarch

[root@pki1 ~]# rpm -qa | grep jss
jss-4.4.9-3.el7.x86_64
tomcatjss-7.2.5-1.el7.noarch

Subsystem installed:
SHA256withRSA/PSS & SHA512withRSA/PSS

Test procedure:

============================================

1. Certificate requested with CRMFPopClient:

CRMFPopClient -d /root/nssdb -p SECret.123 -n CN=testuser2 -f caSigningUserCert -b transport2.txt -o testuser.b64

Keypair private key id: 6e070e2bd2778bcaa1de6a6da64fec7a027cf4fb
Storing CRMF request into testuser.b64
Storing CRMF request key id into testuser.b64.keyId

============================================

2. Prepared the config file for CMC request:

[root@pki1 ~]# cat cmc_request.cfg 
numRequests=1
input=testuser.b64
output=demo_rsauser.cmc
tokenname=internal
nickname=PKI CA Administrator for Example.Org
dbdir=/root/nssdb
password=SECret.123
format=crmf
request.privKeyId=6e070e2bd2778bcaa1de6a6da64fec7a027cf4fb


[root@pki1 ~]# CMCRequest cmc_request.cfg 

cert/key prefix = 
path = /root/nssdb
CryptoManger initialized
token internal logged in...
got signerCert: PKI CA Administrator for Example.Org
createPKIData: begins
k=0
createPKIData:  format: crmf
useSharedSecret is false...
signData: begins: 
getPrivateKey: got signing cert
signData:  got signer privKey
createSignedData: begins
getSigningAlgFromPrivate: begins.
getSigningAlgFromPrivate: found signingKeyType=RSA
getSigningAlgFromPrivate: using SignatureAlgorithm: RSASignatureWithSHA256Digest
createSignedData: digest created for pkidata
createSignedData: digest algorithm =RSASignatureWithSHA256Digest
createSignedData: building cert chain
signData: signed request generated.
getCMCBlob: begins
getCMCBlob: generating signed data

The CMC enrollment request in base-64 encoded format:

MIITRgYJKoZIhvcNAQcCoIITNzCCEzMCAQMxDzANBglghkgBZQMEAgEFADCCCJwG
CCsGAQUFBwwCoIIIjgSCCIowggiGMAAwggh8oYIIeDCCB1wCAQEwggFBgAECpRYw
FDESMBAGA1UEAxMJdGVzdHVzZXIypoIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEApx4dzOidqJaWtWap5huirZKEvHW6xOyS6OwF90zXISpjgatT7vZmtGvH
G3wHsz0FwTVuyERIWaRIbWIByqYf5THuxd4V/9IK/49woGltf3KutU5wSzWu1fmu
0TBU01qWTN53vk5txCxOus6vigL2Si87aOINCFK3whVQJiNPwrXUq0zCX6mU38CZ
QEZzjCKRiNvlLzPtdq1TKwcQdlwq+CG3ghqTIqBPDeGzuX92RQETPDIkiTvWcthK
LUz6l88C3IUXereM/ndCixcmmbwwSOezaczDW0goAKEEdXOtnelUc2BxEUHJejbm
uaVaTmL2huVgcTxurPpw0L8MdzesjQIDAQABMIIGEDCCBgwGCSsGAQUFBwUBBKCC
Bf0wggX5oR0GCWCGSAFlAwQBAgQQAWGFhoRv0SxDg/CIb/R/voKCAQEAxZBXLOss
Yz4W7zZLP/qqQaXfBTCXVxAgP+MdHjwBD+N+xQLq8eytS7NaaePnkXyVcJNGJ6Wl
VXuywdNo1KaNFtkE/7peLr8bA32dQeVsngyUlAADzblmFPrzIoAiwD9wItxZbrYF
ua/iBexhdjh41V0Fyyw8Fk4FPQE8La+xVgqEcUSBzj2j0nFkAwj2okebx2FrGG6i
YzzcsOAnaQJEFHKwhC/yJ5LLuj94OsG8tAzXY5TVPgdIy61LkXuE60f3bcamYInO
ica+81V5p4QXK+TqzRF6vbX4JbqlWUtda1yJWJoyueJrnMcGGpeCvtGHQ3MonWiW
a5cZrza5dJYYbgOCBNEAwBhaBj+9+0YKHXipuWuVPSQSJL37YHNS95na4Z5YZj0D
L9QfF8N+5Dt5qNQooCxvrlUjkw3lt4XkU7LsLx7DKIKv/mD2tmTp3u37NiFjFXVC
Dzt9sD8ezjNfkQmYvICtRXW5UyctuK/to5tFPTDlm/aIKnsXsq8aoZUTCpnHWpD/
HWq1V4bd/4HyXfC5T4QM/T7eVab+IXWG16UC0YHJs4SWmhuom4S8qYyWahIb3MOD
YKcw9X4UDd2paTnEK/TO9OBm6JHmXpfmm4fYvlHzJ33liaC8mvtIG1s/tpocFCmG
C/t/jx47XyQRNZ3jsUxWbWmD72licrZTexL9rHjX4+x+mCyvyPMDEuYP3TcT3u2Y
IwZSrNznxjWoM96Cn4KpUbwks8qtiGLlVR2ChjOEKjOYOEbkcwUKyTfbMoN6zpp7
bYSrHIICNocABGV+0wYFERj61tZiCPihMDcPfrLI4rR8JqJUlI94FktvLGj26SQM
kbOG6v4Xjx4CWCSBifIbJWOD2gvnBT9wRwjQI7Bz8ZzszVvHxts+ETxuTeJjW6nR
dK23FCteFARCuSgpF8+DYBVY5beQtTc2ZQXjESo1zxbRVOfZkoj5ydoLzERKWtMx
Hr7CtPiiARfynwmxV8DwKpEuxvw76ZhxAifSGg/DrckyjGWvqzZL/wcKDt/q/Ny+
Y4ar65fAcAOlCWVra+WhmWJ7sGFqmzdXMiftdia8sNS5uo5t1OHThvREoQIpzovy
x5EXUg+Wifdk2Axl1P0O2a9+Inqg57SJADobSm6sZad5Cvjp50/IPaOXnesHQ/GV
nUUVWzYKGSRhlX6nmiqaBIWSaFOik+Uy2oBy2mOiAsGV/ej5Fu/YWSpae+lWj1p9
dJcXTFF4bd7KBcjUV7BWK6KXl9YMI9bMHopQ0AVr5xF1K5D/E05wEUYkm12spPns
/8NUupB93xic7x8zzHZPmzTIjHjeISsLIwYR7PreZw0T6NBeDBRDS0T/mIWkJr0x
DpGER0DfBeKSMXfEF3PtzOZuYkFHv78vMFLo2Af1E6PF0gtgAiOuQ96Z2sLYeDUU
Dfd01UpWwzrtpt4go4njSo4xFi5702jdAR0h2SKC4DxPjT01RsNTht/3Wfld9OR6
fgaz6ILx3Mzq1Ah04oW/Nz8aXHNtJ+WaDrmEOu4vOgPn1gp8BpJOpG1ReLQvhApo
t/QnOfiLimaqXy2CYkzUG+IDZ5Ywu+qWHnedXA06isYQ3RkRu4QEVwR7dqt1Uh/O
BNJKg2foZzIqqmAdndjQz3SD0Zr719onioWPtn3sp1JWbcwuNvrY+oLTiGJwAkSr
x56bAQj2DM4jGwECHtpVfsDxO+nQUEElsvCEGPZYwR6KUrYWlZ+8+BSGwtMlwI2K
8J+sQxA0bQLfyMbnPaHE4Hx5U5syhr4nIWloIfVaGZsexNlALrI/LsqOBaRi96xs
7us7IuvcEgFSgsGFmKaBAxFlB/kZsNCbNBr+iHA4BMx/D96Ubf3hAKdukra7GzHh
P7KZDjjaV4OtCz5Pi+dyz8ypHMCloELZHbfu6NhIidpE9boxXrwmh9bzo/NZhV/h
emgC3LA8qGCKnCvc4Ixto8abyLWZpjaFU1iiDQrw6zIH6faWc3lNbtb8L+9MJv+h
ggEUMA0GCSqGSIb3DQEBCwUAA4IBAQBKvRCyKd8CgA/7KI80VKdmF0FhnyVvVTlU
YlMTjYKYkmXIhA++1NPDRUSxnnZoeu+0+PXj4hVVNlE5qeINkZ8p8Mffx7efk6oe
KcO64r+l4N2PSQFXHG0SDF0wl0QcsUdYGeNsxZEp02yoCvaQjz0BLlVzcs+64ilT
Ov8jxuWkG+QDTib6MljDb/9ZfyKrrhfl1x+A7f/p2ivsmjn29fY4Tx/mqpO890f+
uQS0BF8t1cpLWtN2qy+wticWqNfy1mTs5yHj41iaXJSx7abDh/XEc7ljG7S3CeaD
/OYtbpuXVhYDJ6/Xx2taGhAmHlSqcuVmcqs/gEkQZzqFypZKgmNCMAAwAKCCCJ4w
ggREMIIC+KADAgECAgEBMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIDBQCh
HDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIDBQCiAwIBQDBdMSUwIwYDVQQKDBx0
b3BvbG9neS0wMV9Gb29iYXJtYXN0ZXIub3JnMRMwEQYDVQQLDApwa2ktdG9tY2F0
MR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTIwMDUyMTA5MzM1
MFoXDTQwMDUyMTA5MzM1MFowXTElMCMGA1UECgwcdG9wb2xvZ3ktMDFfRm9vYmFy
bWFzdGVyLm9yZzETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2ln
bmluZyBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AMwgZZgX1pScwLRzpHzpNIl2TrVGYP1/ML3SI6OsNpRZ0lKYeGKlXsr20Ho/pgQS
GLAedzgLgdBUXxBX98w0UXW+oFPXKcjMVfphGs7/kSyHgo65LtQ2W3IKg24XoVs3
NpaNdZEalxUA05lreFz8V646Gqs3u6oHVwuWsiDfUsC38RVPCQcQAAlp5btq541e
l3BrzNOOjoEiWc3pXNODgskwKKTfgrYpwT99XFxcN4Z23saxY4Ue7p8/3nONsDhf
grUToEMRQ0+nm2cXLuUXl2ufIkOysKsimdn7sM68/41ktTCyU8WoQa6b06Ytw6++
Wxm3o7ViuZo/QsmP7/IZ04kCAwEAAaOBpjCBozAfBgNVHSMEGDAWgBSV9KoWZXxF
mBmeR3gLjlCejMohfDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAd
BgNVHQ4EFgQUlfSqFmV8RZgZnkd4C45QnozKIXwwQAYIKwYBBQUHAQEENDAyMDAG
CCsGAQUFBzABhiRodHRwOi8vcGtpMS5leGFtcGxlLmNvbTo4MDgwL2NhL29jc3Aw
QQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3DQEBCDAN
BglghkgBZQMEAgMFAKIDAgFAA4IBAQAXiA6Lyy73mpr1SPBbb+9RrcnfCQCH49Hy
tUZ+z2pJ2EchHo8+WYT7D1QtDAm/DqGA0Yprp3gsLbUdqMYwwv6U8qcVBlPxoDVR
rCK90ZHZhuwKix9L5cvsvqpFkgR6QLt7xevvDbgoRbQ8N7sH3qkzcwH4450n1QLw
APXxDUQGYoXKClVjqgyTJ3tHG+f6VyTQGvC69oQ5kC/UqTY6jiBQPWE+qB6FmbKr
nHMaFysZk/Hdeq/v8f+8haCdX6QJUSLdx96AAfLp1Udo5um57dYZXP1Oq047TyVq
HrThMuGapGr4BCZCnhuxeJKFTRjgYqfCk2OvCk213yYm60QaRFvGMIIEUjCCAwag
AwIBAgIBBjBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAwUAoRwwGgYJKoZI
hvcNAQEIMA0GCWCGSAFlAwQCAwUAogMCAUAwXTElMCMGA1UECgwcdG9wb2xvZ3kt
MDFfRm9vYmFybWFzdGVyLm9yZzETMBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UE
AwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMDA1MjEwOTMzNTRaFw0yMjA1
MTEwOTMzNTRaMHwxJTAjBgNVBAoMHHRvcG9sb2d5LTAxX0Zvb2Jhcm1hc3Rlci5v
cmcxEzARBgNVBAsMCnBraS10b21jYXQxIjAgBgkqhkiG9w0BCQEWE2NhYWRtaW5A
ZXhhbXBsZS5jb20xGjAYBgNVBAMMEVBLSSBBZG1pbmlzdHJhdG9yMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5szxUrcqfSJaPxj/V6k7NZoT2eJZemHv
xgN0RE1wCVb5xwmSIJ/MMoGcQJF199n9L0Zs/Y8NKxQpfntrPHDAN17CLKrU96HV
3l7yx2o8jnujwhnmYeQ9IYtSwlVXFDsXTM2UILAso47u52choQosNAWoU633/47d
DkrXb3hNPAGpMojQHI4Sh+gGu6f/MJl6hHtqNe51n3uBrroQYyCO9UWiFxbUx5n2
E2EtDa1If7Bm5lbwhtIwxZJh2GI8K5cy6G8M1WLWzuRQxzSZQU9fuH8WxMEzG6ak
f3J54aLNZ8lI8J+jQ1LB22JUuCYloXg4fNIAFYbqiWBUp+k0E6LB1QIDAQABo4GV
MIGSMB8GA1UdIwQYMBaAFJX0qhZlfEWYGZ5HeAuOUJ6MyiF8MEAGCCsGAQUFBwEB
BDQwMjAwBggrBgEFBQcwAYYkaHR0cDovL3BraTEuZXhhbXBsZS5jb206ODA4MC9j
YS9vY3NwMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwQwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqGSIb3
DQEBCDANBglghkgBZQMEAgMFAKIDAgFAA4IBAQAWk635xSt9sbu1qtqyadNsRE25
BY6u7q6lVKWzg2w1rnQPsieazhMpDEpTK+9XUnvxP53fF6wqphqBqxvbXEPso8ob
KI2052xRr9lhrBQ/+zc3upedIjd9FiECXgWwcxdNWwsQ+pvCKEB5b5PfrseIGjXR
TQXH8akGajKgcD3tbJw+9CfFskyrpzngmmzyO7vrADpKXN/SUcr7bvQDFApbOBLj
kNZgd/B8AKa+xjYeVntGxNJqHetLJIczIdoM4gJB+S72KamH2Y7jHBwrCeUoljQF
ECk7+1+Befs+VUNUt1uP6yNeJfb70bMzoNLp3p4U36x2II5a+6UYj2fhFsTpMYIB
2TCCAdUCAQEwYjBdMSUwIwYDVQQKDBx0b3BvbG9neS0wMV9Gb29iYXJtYXN0ZXIu
b3JnMRMwEQYDVQQLDApwa2ktdG9tY2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENl
cnRpZmljYXRlAgEGMA0GCWCGSAFlAwQCAQUAoEowFwYJKoZIhvcNAQkDMQoGCCsG
AQUFBwwCMC8GCSqGSIb3DQEJBDEiBCBftmTQCoW8zWx9657eNcarVPbJ5r2L7xvD
mpXgVoiOezANBgkqhkiG9w0BAQsFAASCAQBU5oiu1DFonzfPvYhbTCDRuCJwQvlH
aecsNFmAKe4OBTx1Gz9iNYvOTNUWc/UBdKpVYhK6a/eqVUFLR00/i2QjyfRcJrWo
Hn7/1ZqjhB18xnxZzTANlUAoegqehglCBRVhuXbkVQKZ0P9bBhnRhiILXMV5lG4R
tB6YieCpNuFzBOBCs6dLEj5ZrpagrG8nVtzkpGupWLv8oenuVoc3nyW2JZT5LhM9
9VP97JPnX4Rr6aIfScL5QJUEFSdoC4qpvQ6Dyq9XihmUkVRpv/kXMCQNYkBAId65
W7wXM9Wiy4/JxPZnCz0FErlRAHNupNWsb4LtbJ9WVFyMxi4WSuHYDF6h


The CMC enrollment request in binary format is stored in demo_rsauser.cmc

============================================

3. Prepared HttpClient config file:

[root@pki1 ~]# cat http.cfg 
host=pki1.example.com
port=8443
secure=true
input=demo_rsauser.cmc
output=demo_rsauser.cmc.response
dbdir=/root/nssdb
clientmode=true
password=SECret.123
tokenname=internal
nickname=PKI CA Administrator for Example.Org
servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert


[root@pki1 ~]# HttpClient http.cfg 

Total number of bytes read = 4938
after SSLSocket created, thread token is Internal Key Storage Token
client cert is not null
handshake happened
writing to socket
Total number of bytes read = 2709
MIIKkQYJKoZIhvcNAQcCoIIKgjCCCn4CAQMxDzANBglghkgBZQMEAgMFADAxBggr
BgEFBQcMA6AlBCMwITAbMBkCAQEGCCsGAQUFBwcZMQowCAIBADADAgEBMAAwAKCC
CDYwggPqMIICnqADAgECAgETMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAID
BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIDBQCiAwIBQDBdMSUwIwYDVQQK
DBx0b3BvbG9neS0wMV9Gb29iYXJtYXN0ZXIub3JnMRMwEQYDVQQLDApwa2ktdG9t
Y2F0MR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlMB4XDTIwMDUyMTEy
MDgzNFoXDTIwMTExNzEzMDgzNFowFDESMBAGA1UEAxMJdGVzdHVzZXIyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApx4dzOidqJaWtWap5huirZKEvHW6
xOyS6OwF90zXISpjgatT7vZmtGvHG3wHsz0FwTVuyERIWaRIbWIByqYf5THuxd4V
/9IK/49woGltf3KutU5wSzWu1fmu0TBU01qWTN53vk5txCxOus6vigL2Si87aOIN
CFK3whVQJiNPwrXUq0zCX6mU38CZQEZzjCKRiNvlLzPtdq1TKwcQdlwq+CG3ghqT
IqBPDeGzuX92RQETPDIkiTvWcthKLUz6l88C3IUXereM/ndCixcmmbwwSOezaczD
W0goAKEEdXOtnelUc2BxEUHJejbmuaVaTmL2huVgcTxurPpw0L8MdzesjQIDAQAB
o4GVMIGSMB8GA1UdIwQYMBaAFJX0qhZlfEWYGZ5HeAuOUJ6MyiF8MEAGCCsGAQUF
BwEBBDQwMjAwBggrBgEFBQcwAYYkaHR0cDovL3BraTEuZXhhbXBsZS5jb206ODA4
MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
KwYBBQUHAwQwQQYJKoZIhvcNAQEKMDSgDzANBglghkgBZQMEAgMFAKEcMBoGCSqG
SIb3DQEBCDANBglghkgBZQMEAgMFAKIDAgFAA4IBAQBrUp38T/uy4Db1anvCoKEW
SIVLa4Grs8NchFMPwJrhpFj0E+aAEx9OSxf7tJKj02qZ2OecHxmI+Kc4GSJQvNwX
YsVpPFj6t2qnNHDTNM9JViX7pjTQv0S9QPK0cDSHPB6zhIqTq/SRiEFj1u2q70oX
hlzxmrmbtlutOG9SZxvCa2YyTvvcZfgyY7zRCVltI6+BvtP+yNrS9RZ5lehITu+L
+8LGsbL2h37RJbGF4FdXHITZVlVeW2FifQoc9O7AED5CoJyEf96EXHqPInshJHy7
OWDaKIVhXo5TVHVrQIoxhrokIU8h3t+mRQXBM8562llQfCH7FMWU3xq3CXHeO8XS
MIIERDCCAvigAwIBAgIBATBBBgkqhkiG9w0BAQowNKAPMA0GCWCGSAFlAwQCAwUA
oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAwUAogMCAUAwXTElMCMGA1UECgwc
dG9wb2xvZ3ktMDFfRm9vYmFybWFzdGVyLm9yZzETMBEGA1UECwwKcGtpLXRvbWNh
dDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZpY2F0ZTAeFw0yMDA1MjEwOTMz
NTBaFw00MDA1MjEwOTMzNTBaMF0xJTAjBgNVBAoMHHRvcG9sb2d5LTAxX0Zvb2Jh
cm1hc3Rlci5vcmcxEzARBgNVBAsMCnBraS10b21jYXQxHzAdBgNVBAMMFkNBIFNp
Z25pbmcgQ2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDMIGWYF9aUnMC0c6R86TSJdk61RmD9fzC90iOjrDaUWdJSmHhipV7K9tB6P6YE
EhiwHnc4C4HQVF8QV/fMNFF1vqBT1ynIzFX6YRrO/5Esh4KOuS7UNltyCoNuF6Fb
NzaWjXWRGpcVANOZa3hc/FeuOhqrN7uqB1cLlrIg31LAt/EVTwkHEAAJaeW7aueN
Xpdwa8zTjo6BIlnN6VzTg4LJMCik34K2KcE/fVxcXDeGdt7GsWOFHu6fP95zjbA4
X4K1E6BDEUNPp5tnFy7lF5drnyJDsrCrIpnZ+7DOvP+NZLUwslPFqEGum9OmLcOv
vlsZt6O1YrmaP0LJj+/yGdOJAgMBAAGjgaYwgaMwHwYDVR0jBBgwFoAUlfSqFmV8
RZgZnkd4C45QnozKIXwwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAcYw
HQYDVR0OBBYEFJX0qhZlfEWYGZ5HeAuOUJ6MyiF8MEAGCCsGAQUFBwEBBDQwMjAw
BggrBgEFBQcwAYYkaHR0cDovL3BraTEuZXhhbXBsZS5jb206ODA4MC9jYS9vY3Nw
MEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIDBQChHDAaBgkqhkiG9w0BAQgw
DQYJYIZIAWUDBAIDBQCiAwIBQAOCAQEAF4gOi8su95qa9UjwW2/vUa3J3wkAh+PR
8rVGfs9qSdhHIR6PPlmE+w9ULQwJvw6hgNGKa6d4LC21HajGMML+lPKnFQZT8aA1
UawivdGR2YbsCosfS+XL7L6qRZIEekC7e8Xr7w24KEW0PDe7B96pM3MB+OOdJ9UC
8AD18Q1EBmKFygpVY6oMkyd7Rxvn+lck0BrwuvaEOZAv1Kk2Oo4gUD1hPqgehZmy
q5xzGhcrGZPx3Xqv7/H/vIWgnV+kCVEi3cfegAHy6dVHaObpue3WGVz9TqtOO08l
ah604TLhmqRq+AQmQp4bsXiShU0Y4GKnwpNjrwpNtd8mJutEGkRbxjGCAfkwggH1
AgEBMGIwXTElMCMGA1UECgwcdG9wb2xvZ3ktMDFfRm9vYmFybWFzdGVyLm9yZzET
MBEGA1UECwwKcGtpLXRvbWNhdDEfMB0GA1UEAwwWQ0EgU2lnbmluZyBDZXJ0aWZp
Y2F0ZQIBATANBglghkgBZQMEAgMFAKBqMBcGCSqGSIb3DQEJAzEKBggrBgEFBQcM
AzBPBgkqhkiG9w0BCQQxQgRAaLuJJDdhGgVsq8KTppvMeiNuSBPJdOfnyENdU7pb
Mi8uB67/nCp3b5GPNbrijL1jRqfVM+dC98E5AZckt/yu2jANBgkqhkiG9w0BAQoF
AASCAQByHHkXYM95td9E3qptwlBQCpJEmBgMcGZ9aqgymZI0wXpXkdjm4cljfl6h
RgC8MAzTzUdT0Val768+ilL0pC9jjCQCdvXTrkS/RJFaNpVc86W5zO9PmMS3of1X
RSGEcsz6bWvKq+NOQO2hosjipTrJ2cghCN4pqgILzHLROErYurtLuZSYK1Nc3ykq
ak+gqjcrnnyLFen8cL2/ki0f/T2nSYzs4aCFoCR70VxzePqArLfwZULXqXhTEmTP
WzuEUgt7Wriy4ZsOp6lbWFVGz2sK0gyGQo7bfVI96iwuufEboUAGeDHJj8Vwu9S0
A/UXeWwa6b6GwLrtt/nLMM7fvhqX


The response in binary format is stored in demo_rsauser.cmc.response

============================================

4. Validate the archived key:

[root@pki1 ~]# pki -d /root/nssdb -c SECret.123 -p 8080 -n 'PKI KRA Administrator for Example.Org' kra-key-find
----------------
2 key(s) matched
----------------
  Key ID: 0x1
  Algorithm: 1.2.840.113549.1.1.1
  Size: 2048
  Owner: CN=testuser

  Key ID: 0x2
  Algorithm: 1.2.840.113549.1.1.1
  Size: 2048
  Owner: CN=testuser2
----------------------------
Number of entries returned 2
----------------------------

5. Processing CMC Response:

[root@pki1 ~]# CMCResponse -v -i demo_rsauser.cmc.response 
Error found in the response. Exception: java.security.cert.CertificateException: Unable to parse certificate data: java.lang.Exception: java.security.NoSuchProviderException: no such provider: Mozilla-JSS

Thanks.
Comment 21 Jack Magne 2020-05-29 23:36:36 UTC 
Checkin for master branch:

commit 4adbf8c167cd93e6567f493d00f8df3f0ac2483f (HEAD -> my-pss-master, personal/my-pss-master)
Author: Jack Magne <jmagne>
Date:   Wed May 20 15:52:35 2020 -0700

    Address Bug 1710109 - add RSA PSS support.
    
    Upstream portion of pki part of RSA-PSS signing algorithm support. (#356)
    
        This fix conincides with another ticket providing RSA PSS signature support for JSS,
        which is required for this to work.
    
        This is designed for simple usage. If one wants to say create a CA or KRA with RSA PSS signature
        support, simply place the following line in the pkispawn script file:
    
        pki_use_pss_rsa_signing_algorithm=True
    
        This will instruct the process to take whatever signing algorithm of the form (
        SHAxxxwithRSA signing algorithms are specified and promote them to the corresponding
        PSS algorithm such as: SHS256withRSA/PSS.
    
        If one ONLY puts that value in the script file, all the algs, which have a default of
        SHA256withRSA will be promoted to SHA256withRSA/PSS.
    
        This fix also provides support , if desired, for SHA384, and SHA512 versions of PSS.
        In order to get this to work, the pkispawn config will have to explcitly enumerate
        each applicable signing algorithm as such ex:  pki_ca_signing_signing_algorithm=SHA384withRSA.
        Also the explicit alg of say SHA384withRSA/PSS can be used for each setting.
    
        Tested with a basic CA and KRA. Also tested with a non PSS CA and a no PSS ca with ECC so far.
        The goal is to not interfere with any existing functionality if PSS support is not desired.
    
    Added fix  to the CMCRespone tool.
    
    The tool currently does not initialize the CryptoManager.
    Doing so is necessary to register the JSS Provider which provides the
    encoding / parsing support for the RSAPSS algorithm parameters.
Comment 23 errata-xmlrpc 2020-09-29 20:00:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3941