From bd9a923c567fc0a506045dbafa1cbbb0f4e0527f Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 27 2021 04:56:03 +0000
Subject: import jss-4.8.1-2.module+el8.4.0+10451+3e5b5448
---
diff --git a/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
new file mode 100644
index 0000000..581f7cf
--- /dev/null
+++ b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
@@ -0,0 +1,105 @@
+From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Fri, 12 Mar 2021 20:41:51 -0500
+Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
+
+NSS doesn't generally allow keys to be imported in FIPS mode. However,
+for portability with other JCA providers, we sometimes need to import
+keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
+encrypt and then unwrap using the same key. This lets us effectively
+"import" a key into a token, if the token supports using the given
+mechanism for both encryption and unwrapping operations. Some HSMs are
+getting stricter about this and forbid using the same key for encrypt
+and unwrap operations.
+
+Resolves: #334
+
+Signed-off-by: Alexander Scheel
+Signed-off-by: Alexander Scheel
+---
+ org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+index f39a3796..e8e9da16 100644
+--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
++++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+@@ -712,6 +712,61 @@ finish:
+ return keyObj;
+ }
+
++PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
++ CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
++ PRBool isPerm, void *wincx)
++{
++ PK11SymKey *result = NULL;
++ PK11SymKey *wrapper = NULL;
++ SECStatus ret = SECFailure;
++ unsigned int wrapped_len = 0;
++ unsigned int wrapped_max = key->len + 64;
++ unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
++ SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
++ SECItem *param = NULL;
++
++ /* Steps:
++ * 1. Generate a temporary key to encrypt and unwrap with,
++ * 2. Encrypt our key to import using the wrapping key,
++ * 3. Unwrap into the token using the wrapping key.
++ */
++
++#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
++#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
++
++ wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
++ if (wrapper == NULL) {
++ goto done;
++ }
++
++ param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
++ if (param == NULL) {
++ goto done;
++ }
++
++ ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
++ wrapped_key, &wrapped_len, wrapped_max,
++ key->data, key->len);
++ if (ret != SECSuccess) {
++ goto done;
++ }
++
++ wrapped_item.len = wrapped_len;
++
++ result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
++ param, &wrapped_item, type, operation, key->len, flags,
++ isPerm);
++
++done:
++ free(wrapped_key);
++ SECITEM_FreeItem(param, PR_TRUE);
++ if (wrapper != NULL) {
++ PK11_DeleteTokenSymKey(wrapper);
++ PK11_FreeSymKey(wrapper);
++ }
++ return result;
++}
++
+ /***********************************************************************
+ *
+ * PK11KeyWrapper.nativeUnwrapSymPlaintext
+@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
+ }
+
+ /* pull in the key */
+- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
+- operation, wrappedKey, flags, isPerm, NULL);
++ if (PK11_IsFIPS()) {
++ symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
++ } else {
++ symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
++ }
+ if( symKey == NULL ) {
+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
+ goto finish;
+--
+2.26.2
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 646b509..9fa89b0 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
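Review bot: The `calloc` result for `wrapped_key` in `JSS_PK11_ImportSymKeyWithFlagsFIPS` is never checked, so an allocation failure still reaches `PK11_Encrypt` with a NULL output buffer. If that call reports success, `wrapped_item` goes to the unwrap with a NULL `data` pointer and a non-zero `len`. Add `if (wrapped_key == NULL) { goto done; }` ahead of the `PK11_KeyGen` call; the cleanup at `done:` already runs with `param` and `wrapper` still NULL on the existing early exits. `key->len` is also read in the initializers before anything validates `key`, so the function relies on its caller never passing NULL; the only caller shown is `nativeUnwrapSymPlaintext`, and any check it makes on `wrappedKey` lies outside the hunk. A short header comment stating that `key` must be non-NULL and that a NULL return leaves error reporting to the caller would document both assumptions.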
@@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ Version: 4.8.1 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} +Release: 2%{?_timestamp}%{?_commit_id}%{?dist} #global _phase -a1 # To generate the source tarball: @@ -25,6 +25,7 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas # \ # > jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch +Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch ################################################################################ # Build Dependencies @@ -160,6 +161,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Tue Mar 16 2021 Red Hat PKI Team 4.8.1-2 +- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error + * Thu Jan 14 2021 Red Hat PKI Team 4.8.1-1 - Rebase to upstream JSS v4.8.1 - Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class