Key generation failed when doing server-side key generation with nethsm (on DRM). Here is a snippet of the relevant DRM log:

[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: wrapped_des_key specialDecoded
[09/Sep/2008:14:25:14][http-10443-Processor25]: NetkeyKeygenService: got keygenToken
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() on slot: nethsm
[09/Sep/2008:14:25:14][http-10443-Processor25]: EncryptionUnit::unwrap_sym() private key algo: RSA
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: about to generate key pair
[09/Sep/2008:14:25:15][http-10443-Processor25]: NetkeyKeygenService: key pair is to be generated on slot: nethsm
[09/Sep/2008:14:25:15][http-10443-Processor25]: getConn: mNumConns now 2
[09/Sep/2008:14:25:15][http-10443-Processor25]: returnConn: mNumConns now 3
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeygen finished
[09/Sep/2008:14:25:15][http-10443-Processor25]: processServerSideKeyGen:outputString.encode status=2
[09/Sep/2008:14:25:15][http-10443-Processor25]: GenerateKeyPairServlet:outputString.length 8
[09/Sep/2008:14:25:15][http-10443-Processor25]: CMSServlet: curDate=Tue Sep 09 14:25:15 PDT 2008 id=kraGenerateKeyPair time=1587

Further investigation showed that it failed on key generation. Also, this bug was caused by an earlier fix to allow lunasa2 to work.
Created attachment 317492 [details]
ServerSide keygen on drm with nethsm fix

This fix allows server-side keygen to work on both nethsm and lunasa2. New config parameters are added:

netHSM works with
  kra.keygen.temporaryPairs = true

LunaSA2 works with
  kra.keygen.temporary == true
  kra.keygen.sensitive == true
  kra.keygen.extractable == true

By default, if none of the above parameters are specified, then it sets kra.keygen.temporaryPairs to true and allows nethsm to work.
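As an added illustration of the parameter mapping described in the comment above, the following is not code from attachment 317492 or from Dogtag's NetkeyKeygenService; it shows how the kra.keygen.* settings could be applied to a JSS key-pair generator, including the "nothing configured" default. The JSS methods temporaryPairs/sensitivePairs/extractablePairs, the use of a java.util.Properties holding CS.cfg, and the treatment of kra.keygen.temporary as the same token flag as kra.keygen.temporaryPairs are all assumptions for this example.

```java
import java.security.KeyPair;
import java.util.Properties;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.KeyPairAlgorithm;
import org.mozilla.jss.crypto.KeyPairGenerator;

// Added example (not Dogtag code): choose PKCS#11 key attributes for
// server-side keygen from the kra.keygen.* settings described above.
// Assumes CS.cfg has been loaded into a Properties instance and that the
// JSS KeyPairGenerator exposes temporaryPairs/sensitivePairs/extractablePairs.
public class KeygenFlags {

    private static final String TEMP_PAIRS  = "kra.keygen.temporaryPairs";
    private static final String TEMP        = "kra.keygen.temporary";
    private static final String SENSITIVE   = "kra.keygen.sensitive";
    private static final String EXTRACTABLE = "kra.keygen.extractable";

    // true only when the parameter is present and set to "true"
    static boolean flag(Properties cfg, String name) {
        return Boolean.parseBoolean(cfg.getProperty(name, "false"));
    }

    // true when the administrator configured any of the four parameters
    static boolean anyConfigured(Properties cfg) {
        return cfg.containsKey(TEMP_PAIRS) || cfg.containsKey(TEMP)
            || cfg.containsKey(SENSITIVE) || cfg.containsKey(EXTRACTABLE);
    }

    static KeyPair generate(Properties cfg, String tokenName, int bits) throws Exception {
        CryptoToken token = CryptoManager.getInstance().getTokenByName(tokenName);
        KeyPairGenerator kpg = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);

        if (!anyConfigured(cfg)) {
            // Default from the fix: behave as the netHSM case.
            kpg.temporaryPairs(true);
        } else {
            // netHSM:  kra.keygen.temporaryPairs=true
            // LunaSA2: kra.keygen.temporary=true, sensitive=true, extractable=true
            // (assumption: both "temporary" keys drive the same session-object flag)
            kpg.temporaryPairs(flag(cfg, TEMP_PAIRS) || flag(cfg, TEMP));
            kpg.sensitivePairs(flag(cfg, SENSITIVE));
            kpg.extractablePairs(flag(cfg, EXTRACTABLE));
        }

        kpg.initialize(bits);
        return kpg.genKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample configuration for a LunaSA2 deployment.
        Properties cfg = new Properties();
        cfg.setProperty(TEMP, "true");
        cfg.setProperty(SENSITIVE, "true");
        cfg.setProperty(EXTRACTABLE, "true");
        KeyPair kp = generate(cfg, args.length > 0 ? args[0] : "nethsm", 2048);
        System.out.println("generated " + kp.getPublic().getAlgorithm() + " key pair");
    }
}
```

The point of the default branch is that an unconfigured DRM keeps working on netHSM, while a LunaSA2 site must set the three LunaSA2 parameters explicitly; running this against a real token requires an initialised JSS CryptoManager and the token's slot name.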
Created attachment 317493 [details]
pki-kra.spec diff

jmagne, please review the above changes.
attachments (id=317493,id=317492) jmagne+
Fixed, checked in.

[cfu@jaw kra]$ cd /home/cfu/dogtag/src4/pki/base/kra
[cfu@jaw kra]$ svn update src/com/netscape/kra/NetkeyKeygenService.java
At revision 111.
[cfu@jaw kra]$ svn commit src/com/netscape/kra/NetkeyKeygenService.java
Sending        src/com/netscape/kra/NetkeyKeygenService.java
Transmitting file data .
Committed revision 112.
[cfu@jaw kra]$ cd -
/home/cfu/dogtag/src4/pki/linux/kra
[cfu@jaw kra]$ svn update pki-kra.spec
At revision 112.
[cfu@jaw kra]$ vim pki-kra.spec
[cfu@jaw kra]$ svn commit pki-kra.spec
Sending        pki-kra.spec
Transmitting file data .
Committed revision 113.