Bug 995560 - Issue with max number of keys on token
Issue with max number of keys on token
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: coolkey (Show other bugs)
5.10
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Bob Relyea
Asha Akkiangady
:
Depends On:
Blocks: 1049888
  Show dependency treegraph
 
Reported: 2013-08-09 13:42 EDT by Jack Magne
Modified: 2014-09-15 20:19 EDT (History)
3 users (show)

See Also:
Fixed In Version: coolkey-1.1.0-17.el5
Doc Type: Bug Fix
Doc Text:
Previously, the number of encryption keys that the coolkey applet can process was increased from 8 to 24. However, this number was not increased in the coolkey library. As a consequence, a token running the coolkey application failed to recover the encryption key, when nine or more encryption keys were set by the coolkey applet. This update introduces the support for up to 24 encryption keys to the coolkey library and recovering more than 8 encryption keys now proceeds correctly.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-09-15 20:19:03 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jack Magne 2013-08-09 13:42:13 EDT
Description of problem:

Recent CS 8.1 development has presented an upcoming feature where we can recover multiple number of certs to the tokens. These certs also imply multiple different associated keys.

Right now we have a fake limitation in the code when we calculate the size in bits of a key.

There is a check for a constant MAX_NUM_TOKENS. If this value is greater than the current setting of "8", the routine will return some default value instead of the real value.

The coolkey applet now has the ability to process key numbers greater than 8. The max is set to a reasonable 24.

The fix here is to set the coolkey limit to the same value of 24.



Description: 

Packages to be added: 

Comps group:  

Default: 

Mandatory: 

Visible: 

Multi-lib: 

Need to be present for arches: 


Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Jack Magne 2013-08-09 13:46:25 EDT
Simple fix to address this:

Index: slot.cpp
===================================================================
--- slot.cpp    (revision 102)
+++ slot.cpp    (working copy)
@@ -4282,7 +4282,7 @@
     }
 }

-#define MAX_NUM_KEYS 8
+#define MAX_NUM_KEYS 24 
 unsigned int
 Slot::getRSAKeySize(CKYByte keyNum)
 {
Comment 2 Bob Relyea 2013-11-26 20:37:47 EST
Jack, please clone this bug for RHEL 6 and RHEL 7 as well.
Comment 3 Bob Relyea 2014-04-22 16:42:07 EDT
Fixed in: coolkey-1.1.0-17.el5
Comment 5 Roshni 2014-05-19 17:17:09 EDT
Successfully recovering keys for upto 8 encryption certs (16 keys) using Gemalto 64K card on coolkey-1.1.0-17.el5

1. Enable External Registration:

externalReg.authId=ldap3
externalReg.default.tokenType=externalRegAddToToken
externalReg.delegation.enable=true
externalReg.enable=true


2. Verify Applet version is set to 1.4.5265a65e

op.enroll.externalRegAddToToken.update.applet.directory=/usr/share/pki/tps/applets
op.enroll.externalRegAddToToken.update.applet.emptyToken.enable=true
op.enroll.externalRegAddToToken.update.applet.enable=true
op.enroll.externalRegAddToToken.update.applet.encryption=true
op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.5265a65e
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1

3. Using EE DualCert Profile, Request User Encryption & Signing Certs with below Parameters:

UID=group1,E=group1@example.org,CN=group1
UID=group2,E=group2@example.org,CN=group2
UID=group3,E=group3@example.org,CN=group3
UID=group4,E=group4@example.org,CN=group4
UID=group5,E=group5@example.org,CN=group5
UID=group6,E=group6@example.org,CN=group6
UID=group7,E=group7@example.org,CN=group7
UID=group8,E=group8@example.org,CN=group8

4. Verify request from CA Agent 

0x7c 	valid 	UID=group1,E=group1@example.org,CN=group1 - 124
0x7e 	valid 	UID=group2,E=group2@example.org,CN=group2 - 126
0x80 	valid 	UID=group3,E=group3@example.org,CN=group3 - 128
0x82 	valid 	UID=group4,E=group4@example.org,CN=group4 - 130
0x84 	valid 	UID=group5,E=group5@example.org,CN=group5 - 132
0x86 	valid 	UID=group6,E=group6@example.org,CN=group6 - 134
0x88 	valid 	UID=group7,E=group7@example.org,CN=group7 - 136
0x8a 	valid 	UID=group8,E=group8@example.org,CN=group8 - 138

5. Get the key identifer:

group1: 51
group2: 52
group3: 53
group4: 54
group5: 55
group6: 56
group7: 57
group8: 58


6. Create user "uid=groupdmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com" which will be used to register the token and Recover "group1 to group9" Encryption Cert on the token 

dn: uid=groupadmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: groupadmin1
sn: groupdmin1
uid: groupdmin1
givenName: groupadmin1
mail: groupadmin1@example.org
firstname: groupadmin1
edipi: 123456789
pcc: AA
exec-edipi: 999999999
exec-pcc: BB
exec-mail: groupadmin1@EXAMPLE.ORG
userPassword: redhat
tokenType: externalRegAddToToken

7. Modify groupadmin1 Entry to include details of group1 to group9 Certs for recovery

dn: uid=groupadmin1,dc=idm,dc=lab,dc=eng,dc=rdu,dc=redhat,dc=com
changetype: modify
add: certsToAdd
certsToAdd: 124,ca1,51,drm1
certsToAdd: 126,ca1,52,drm1
certsToAdd: 128,ca1,53,drm1
certsToAdd: 130,ca1,54,drm1
certsToAdd: 132,ca1,55,drm1
certsToAdd: 134,ca1,56,drm1
certsToAdd: 136,ca1,57,drm1
certsToAdd: 138,ca1,58,drm1


8. On RHEL6.5 Enroll smartcard using groupadmin1 credentials


Key Recovery fails with the following log messages for 9 certs and above.

[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=][KeyVersion=] token enabled
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=] applet upgraded successfully
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=] enrollment processing, key upgrade disabled
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] RequestNewPin completed successfully
[2014-05-19 12:18:46] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] CreatePin completed successfully
[2014-05-19 12:18:47] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] ResetPin completed successfully
[2014-05-19 12:18:50] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 75 stored on token
[2014-05-19 12:18:52] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 77 stored on token
[2014-05-19 12:18:55] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 79 stored on token
[2014-05-19 12:18:57] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 81 stored on token
[2014-05-19 12:18:59] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 83 stored on token
[2014-05-19 12:19:02] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 85 stored on token
[2014-05-19 12:19:04] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 87 stored on token
[2014-05-19 12:19:06] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 89 stored on token
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=][Outcome=success][op=external registration recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] external registration recovery, certificate 91 stored on token
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=external reg recovery][AppletVersion=1.4.5265A65E][KeyVersion=0101] External Registration certificates recovered successfully.
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=][KeyVersion=] token enabled
[2014-05-19 12:19:09] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=1.4.5265A65E][KeyVersion=] logged into token
[2014-05-19 12:19:23] e7c03f70 [AuditEvent=APPLET_UPGRADE][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=Success][op=format][KeyVersion=0101][OldAppletVersion=1.4.5265A65E][NewAppletVersion=1.4.5265a65e] setup secure channel
[2014-05-19 12:19:23] e7c03f70 [AuditEvent=APPLET_UPGRADE][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=Success][op=format][KeyVersion=0101][OldAppletVersion=1.4.5265A65E][NewAppletVersion=1.4.5265a65e] applet upgrade
[2014-05-19 12:19:24] e7c03f70 [AuditEvent=FORMAT][SubjectID=][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=success][op=format][AppletVersion=1.4.5265a65e][KeyVersion=0101] format processing complete
[2014-05-19 12:19:24] e7c03f70 [AuditEvent=ENROLLMENT][SubjectID=groupadmin1][CUID=40906145CC0620181920][MSN=FFFFFFFF][Outcome=failure][op=enrollment][AppletVersion=1.4.5265A65E][KeyVersion=0101] channel createObject failed, contents of token possibly corrupted, formatting now.


<rpattath> jmagne, enrollment and key recovery is successful when there are just 8 encryption keys to be recovered
<jmagne> rpattath will take a look.
<jmagne> rpattath, looks like you are trying to put 9 certs on there.
<rpattath> yes
<jmagne> rpattath, I suspect that possibly we have run out of memory on the card. Also, I suggest if you want to try it again. Format it first and then try to recover all those certs.
<jmagne> rpattath, there may be something other than the coolkey bug causing this. To verify this bug just try 5 or so certs. This is because we have 2 keys per cert.
<rpattath> jmagne, enrollments works fine for 8 certs
<rpattath> it also works fine and all keys are recovered for 5 certs
<jmagne> rpattath, ok, that's good.
<rpattath> above 8 it is failing
<jmagne> rpattath I think we are good on this. There is probably some other reason why 9 is failing :) Could just be memory space.
Comment 7 errata-xmlrpc 2014-09-15 20:19:03 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1233.html

Note You need to log in before you can comment on or make changes to this bug.