Bug 445313 - retrieve keys from the DRM in the same manner that keys are archived to the DRM
Status: CLOSED WONTFIX
Product: Dogtag Certificate System
Classification: Community
Component: DRM
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Christina Fu
QA Contact: Chandrasekar Kannan
Reported: 2008-05-06 00:31 EDT by Bob Lord
Modified: 2015-01-04 18:32 EST
Doc Type: Bug Fix
Last Closed: 2010-01-15 14:41:43 EST
Attachments: None

Description Bob Lord 2008-05-06 00:31:08 EDT

REQUEST THAT A KEY BE RETRIEVED FROM THE DRM, WRAPPED IN A KEY OF OUR CHOOSING.
This will be needed to issue temporary tokens and replace lost tokens.

1. Log onto the DRM’s agent port.
2. Search for and select the key to be retrieved.
3. Copy a token’s public encryption key and algorithm id, and paste it into the DRM agent’s form. The wrapping algorithm must be 1024-bit RSA in the first go around; must support Suite B algorithms soon.
4. The DRM retrieves the unencrypted private key.
5. The DRM generates a symmetric key.
6. The DRM wraps the private key (from step 4) in the new symmetric key (from step 5).
7. The DRM wraps the symmetric key (from step 5) in the public key that was uploaded in step 3 above.
8. Receive back from the DRM a message (PKCS#12?) containing:
   a. the private key that was selected in step 2 (wrapped in the symmetric key generated in step 5),
   b. the symmetric key from step 5 (wrapped in the public key that was uploaded to the DRM in step 3). This can be unwrapped only by the token.
   c. the (unencrypted) certificate that corresponds to the retrieved private key.

REQUEST A NEWLY GENERATED KEY PAIR FROM THE DRM, WRAPPED IN A KEY OF OUR CHOOSING.
This will be needed for token initialization.

1. Log onto the DRM’s agent port and click on “Generate Key Pair” (or equivalent).
2. Copy a token’s public encryption key (generated on token; never archived; used only for requesting a key from the DRM) and algorithm id, and paste it into the DRM’s agent form. The wrapping algorithm must be 1024-bit RSA in the first go around; must support Suite B algorithms soon.
3. The DRM generates an asymmetric key pair (key is not archived here).
4. The DRM generates a symmetric key.
5. The DRM wraps the new private key (from step 3) in the new symmetric key (from step 4).
6. The DRM wraps the symmetric key (from step 4) in the public key that was uploaded in step 2 above.
7. The DRM wraps the symmetric key (from step 4) in the DRM’s public transport key (to be re-sent to the DRM during cert request and archival).
8. Receive back from the DRM a message (PKCS#12?) containing:
   a. the private key that was generated in step 3 (wrapped in the symmetric key generated in step 4),
   b. the symmetric key (from step 4) wrapped in the public key uploaded in step 2. This can be unwrapped only by the token.
   c. the symmetric key (from step 4) wrapped in the DRM’s public transport key.
   d. the unencrypted public key that was generated in step 3.

Keys a, b, and d are sent to the token; keys a, c, and d are sent to the CA in a cert request. The token’s key pair in step 2 above is deleted.

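Both flows in the request are the same hybrid wrapping construction: a fresh symmetric key protects the private key, and that symmetric key is in turn wrapped under the token's public key (and, in the second flow, also under the DRM's transport key so the DRM can reopen it later without keeping the cleartext). The Go program below is an added example of that construction serving both flows; it is not Dogtag code and does not reproduce the DRM's real message format. It assumes AES-256-GCM for the symmetric wrap and 2048-bit RSA-OAEP for the key wrap (the request itself names 1024-bit RSA, with Suite B to follow), the `Envelope` layout and the function names are hypothetical, and every key is generated in-process as constructed test material rather than read from a token or a key archive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
)

// Envelope stands in for the "PKCS#12?" message (hypothetical layout; items a-c of the request).
type Envelope struct {
	WrappedPrivateKey []byte // nonce || AES-256-GCM ciphertext of the private key bytes (a)
	WrappedForToken   []byte // session key under the token's public key, RSA-OAEP (b)
	WrappedForDRM     []byte // session key under the DRM transport public key, or nil (c)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // cannot happen for a 32-byte key
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// wrapForRecipient is the DRM side (steps 4-7): generate a symmetric key, wrap the
// retrieved private key bytes under it, then wrap that symmetric key under the
// token's public key and, when transportPub is given, under the DRM transport key.
func wrapForRecipient(privKey []byte, tokenPub, transportPub *rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 96-bit GCM nonce (cipher choice assumed here)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	env := &Envelope{WrappedPrivateKey: newGCM(sessionKey).Seal(nonce, nonce, privKey, nil)}
	var err error
	if env.WrappedForToken, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, tokenPub, sessionKey, nil); err != nil {
		return nil, err
	}
	if transportPub != nil {
		if env.WrappedForDRM, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, transportPub, sessionKey, nil); err != nil {
			return nil, err
		}
	}
	return env, nil // the cleartext session key goes out of scope; the DRM keeps only wrapped copies
}

// unwrapOnToken is the recipient side: only the holder of the token's private
// key recovers the session key, and only then the private key bytes inside.
func unwrapOnToken(env *Envelope, tokenPriv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, tokenPriv, env.WrappedForToken, nil)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed, not the intended recipient: %w", err)
	}
	if len(sessionKey) != 32 || len(env.WrappedPrivateKey) < 12 {
		return nil, fmt.Errorf("malformed envelope")
	}
	// Open fails on a wrong key or a tampered ciphertext: the GCM tag does not verify.
	return newGCM(sessionKey).Open(nil, env.WrappedPrivateKey[:12], env.WrappedPrivateKey[12:], nil)
}

// Demo plays out the request end to end: the DRM wraps an archived key for a token, the
// token recovers it, the transport key cannot open the token's copy but can open its own.
func Demo() (recovered, tokenOnly, drmCopy bool, err error) {
	var keys [3]*rsa.PrivateKey // [0] archived key, [1] token key, [2] DRM transport key (2048-bit assumed)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return
		}
	}
	archived, err := x509.MarshalPKCS8PrivateKey(keys[0]) // step 4: the unencrypted private key
	if err != nil {
		return
	}
	env, err := wrapForRecipient(archived, &keys[1].PublicKey, &keys[2].PublicKey)
	if err != nil {
		return
	}
	got, err := unwrapOnToken(env, keys[1])
	if err != nil {
		return
	}
	recovered = bytes.Equal(got, archived)
	_, wrongKeyErr := unwrapOnToken(env, keys[2]) // not the token's key: OAEP decryption fails
	tokenOnly = wrongKeyErr != nil
	sk, err := rsa.DecryptOAEP(sha256.New(), nil, keys[2], env.WrappedForDRM, nil)
	drmCopy = err == nil && len(sk) == 32
	return
}

func main() {
	fmt.Println(Demo())
}
```

`Demo` returns three checks: the token recovers the archived key bytes, the transport key cannot open the token's copy (the "can be unwrapped only by the token" property in item b), and the DRM can open its own copy from item c. Using an AEAD for the inner wrap also makes the wrapped private key tamper-evident, which a bare block-cipher wrap of the key bytes would not provide.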