Bug 463343 - Server-side key generation failed on DRM with nethsm
Summary: Server-side key generation failed on DRM with nethsm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: DRM
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Christina Fu
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788 445247
 
Reported: 2008-09-22 23:03 UTC by Christina Fu
Modified: 2015-01-04 23:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-22 23:29:54 UTC
Embargoed:


Attachments
ServerSide keygen on drm with nethsm fix (3.00 KB, text/plain)
2008-09-23 16:54 UTC, Christina Fu
pki-kra.spec diff (890 bytes, text/plain)
2008-09-23 16:56 UTC, Christina Fu

Description Christina Fu 2008-09-22 23:03:38 UTC
Key generation failed when doing server-side key generation with nethsm (on DRM).
Here is a snippet of the relevant DRM log:

[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: wrapped_des_key specialDecoded
[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: got keygenToken
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() on slot: nethsm
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() private key algo: RSA
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: about to generate key pair
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: key pair is to be generated on slot: nethsm
[09/Sep/2008:14:25:15][http-10443-Processor25]: getConn: mNumConns now 2
[09/Sep/2008:14:25:15][http-10443-Processor25]: returnConn: mNumConns now 3
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeygen finished
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeyGen:outputString.encode status=2
[09/Sep/2008:14:25:15][http-10443-Processor25]: GenerateKeyPairServlet:outputString.length 8
[09/Sep/2008:14:25:15][http-10443-Processor25]: CMSServlet: curDate=Tue Sep 09 14:25:15 PDT 2008 id=kraGenerateKeyPair time=1587 

Further investigation showed that it failed on key generation.  Also, this bug was caused by an earlier fix to allow lunasa2 to work.

Comment 1 Christina Fu 2008-09-23 16:54:59 UTC
Created attachment 317492 [details]
ServerSide keygen on drm with nethsm fix

This fix allows server-side keygen to work on both nethsm and lunasa2.
New config parameters are added:
           netHSM works with
              kra.keygen.temporaryPairs = true

           LunaSA2 works with
              kra.keygen.temporary == true
              kra.keygen.sensitive == true
              kra.keygen.extractable == true

By default, if none of the above parameters are specified, then it sets
kra.keygen.temporaryPairs to true and allows nethsm to work.
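To make the parameter logic in the comment above checkable against a DRM's configuration, here is an added example (my code, not Dogtag's): it parses a CS.cfg-style `key=value` fragment, applies the stated default (no parameters set means temporaryPairs is treated as true), and reports which of the two documented HSM settings the result matches. The parameter names are from the comment; the helper names, the precedence of temporaryPairs over the other three flags, and the sample configs are my assumptions.

```python
"""Resolve the effective kra.keygen.* attributes for server-side keygen."""

# Parameter names as given in the bug comment.
KEYGEN_PARAMS = (
    "kra.keygen.temporaryPairs",
    "kra.keygen.temporary",
    "kra.keygen.sensitive",
    "kra.keygen.extractable",
)


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines; blanks and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def effective_keygen_attrs(cfg):
    """Map each parameter to a bool; an unset parameter counts as false,
    except that when none of the four is set, temporaryPairs defaults to true
    (the default described in the comment)."""
    attrs = {p: cfg.get(p, "false").lower() == "true" for p in KEYGEN_PARAMS}
    if not any(p in cfg for p in KEYGEN_PARAMS):
        attrs["kra.keygen.temporaryPairs"] = True
    return attrs


def hsm_profile(attrs):
    """Label the attribute set: temporaryPairs -> netHSM setting; all of
    temporary/sensitive/extractable -> LunaSA2 setting; anything else is
    flagged so an operator can look at it. Precedence is an assumption."""
    if attrs["kra.keygen.temporaryPairs"]:
        return "netHSM"
    if all(attrs[p] for p in KEYGEN_PARAMS[1:]):
        return "LunaSA2"
    return "unrecognized"


# Constructed sample fragments, not taken from a real deployment.
NETHSM_CFG = "kra.keygen.temporaryPairs=true\n"
LUNASA2_CFG = ("kra.keygen.temporary=true\nkra.keygen.sensitive=true\n"
               "kra.keygen.extractable=true\n")
EMPTY_CFG = "# no kra.keygen.* parameters set\n"
PARTIAL_CFG = "kra.keygen.temporary=true\n"
```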

Comment 2 Christina Fu 2008-09-23 16:56:03 UTC
Created attachment 317493 [details]
pki-kra.spec diff

jmagne please review above changes.

Comment 3 Jack Magne 2008-09-23 17:20:27 UTC
attachments (id=317493,id=317492) jmagne+

Comment 4 Christina Fu 2008-09-23 17:57:40 UTC
Fix checked in.

[cfu@jaw kra]$ cd /home/cfu/dogtag/src4/pki/base/kra
[cfu@jaw kra]$ svn update src/com/netscape/kra/NetkeyKeygenService.java
At revision 111.
[cfu@jaw kra]$ svn commit src/com/netscape/kra/NetkeyKeygenService.java
Sending        src/com/netscape/kra/NetkeyKeygenService.java
Transmitting file data .
Committed revision 112.
[cfu@jaw kra]$ cd -
/home/cfu/dogtag/src4/pki/linux/kra
[cfu@jaw kra]$ svn update pki-kra.spec
At revision 112.
[cfu@jaw kra]$ vim pki-kra.spec
[cfu@jaw kra]$ svn commit pki-kra.spec
Sending        pki-kra.spec
Transmitting file data .
Committed revision 113.

