Bug 463343 - Server-side key generation failed on DRM with nethsm
Server-side key generation failed on DRM with nethsm
Product: Dogtag Certificate System
Classification: Community
Component: DRM (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Christina Fu
Chandrasekar Kannan
Depends On:
Blocks: 443788 445247
  Show dependency treegraph
Reported: 2008-09-22 19:03 EDT by Christina Fu
Modified: 2015-01-04 18:34 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-07-22 19:29:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
ServerSide keygen on drm with nethsm fix (3.00 KB, text/plain)
2008-09-23 12:54 EDT, Christina Fu
no flags Details
pki-kra.spec diff (890 bytes, text/plain)
2008-09-23 12:56 EDT, Christina Fu
no flags Details

  None (edit)
Description Christina Fu 2008-09-22 19:03:38 EDT
key generation failed when doing srver-side key generation with nethsm (on DRM).
Here is a snippet of the relevant DRM log:

[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: wrapped_des_key specialDecoded
[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: got keygenToken
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() on slot: nethsm
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() private key algo: RSA
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: about to generate key pair
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: key pair is to be generated on slot: nethsm
[09/Sep/2008:14:25:15][http-10443-Processor25]: getConn: mNumConns now 2
[09/Sep/2008:14:25:15][http-10443-Processor25]: returnConn: mNumConns now 3
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeygen finished
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeyGen:outputString.encode status=2
[09/Sep/2008:14:25:15][http-10443-Processor25]: GenerateKeyPairServlet:outputString.length 8
[09/Sep/2008:14:25:15][http-10443-Processor25]: CMSServlet: curDate=Tue Sep 09 14:25:15 PDT 2008 id=kraGenerateKeyPair time=1587 

Further investigation showed that it failed on key generation.  Also, this bug was caused by an earlier fix to allow lunasa2 to work.
Comment 1 Christina Fu 2008-09-23 12:54:59 EDT
Created attachment 317492 [details]
ServerSide keygen on drm with nethsm fix

this fix allows servierside keygen to work on both nethsm and lunasa2.
New config parameters are added:
           netHSM works with
              kra.keygen.temporaryPairs = true

           LunaSA2 works with
              kra.keygen.temporary == true
              kra.keygen.sensitive == true
              kra.keygen.extractable == true

By default, if none of the above parameters are specified, then it sets
kra.keygen.temporaryPairs to true and allows nethsm to work.
Comment 2 Christina Fu 2008-09-23 12:56:03 EDT
Created attachment 317493 [details]
pki-kra.spec diff

jmagne please review above changes.
Comment 3 Jack Magne 2008-09-23 13:20:27 EDT
attachments (id=317493,id=317492) jmagne+
Comment 4 Christina Fu 2008-09-23 13:57:40 EDT
fixed checked in.

[cfu@jaw kra]$ cd /home/cfu/dogtag/src4/pki/base/kra
[cfu@jaw kra]$ svn update src/com/netscape/kra/NetkeyKeygenService.java
At revision 111.
[cfu@jaw kra]$ svn commit src/com/netscape/kra/NetkeyKeygenService.java
Sending        src/com/netscape/kra/NetkeyKeygenService.java
Transmitting file data .
Committed revision 112.
[cfu@jaw kra]$ cd -
[cfu@jaw kra]$ svn update pki-kra.spec
At revision 112.
[cfu@jaw kra]$ vim pki-kra.spec
[cfu@jaw kra]$ svn commit pki-kra.spec
Sending        pki-kra.spec
Transmitting file data .
Committed revision 113.

Note You need to log in before you can comment on or make changes to this bug.