From 6c199b8882fa1b2cb07f911d29d2a7eccf7e99c7 Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Fri, 22 Nov 2019 13:03:18 -0500

Subject: [PATCH 1/2] Bug 1723008 - ECC Key recovery failure with

 CKR_TEMPLATE_INCONSISTENT

The current settings irt key wrapping parameters were depending on the

expection that the revised sw version for the nCipher HSM would be capable

of handling the key wrapping/unwrapping algorithm "AES KeyWrap/Padding";

As it turned out it did not completely do that.

This patch changes the default setting in the KRA CS.cfg as well as

CRMFPopClient to that of a supported wrapping algorithm: AES/CBC/PKCS5Padding

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1723008

(cherry picked from commit 06fdf41b2f5947f90d84b3fc32def4c8346c9601)

---

 base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 6 +++---

 base/kra/shared/conf/CS.cfg                                  | 3 ++-

 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java

index 72eca3e..4caf92f 100644

--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java

+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java

@@ -224,8 +224,8 @@ public class CRMFPopClient {

         System.out.println("                               - POP_SUCCESS: with valid POP");

         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");

         System.out.println("  -w <keywrap algorithm>       Algorithm to use for key wrapping");

-        System.out.println("                               - default: \"AES KeyWrap/Padding\"");

-        System.out.println("                               - \"AES/CBC/PKCS5Padding\"");

+        System.out.println("                               - default: \"AES/CBC/PKCS5Padding\"");

+        System.out.println("                               - \"AES KeyWrap/Padding\"");

         System.out.println("                               - \"DES3/CBC/Pad\"");

         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");

         System.out.println("  -v, --verbose                Run in verbose mode.");

@@ -324,7 +324,7 @@ public class CRMFPopClient {

         // get the keywrap algorithm

         KeyWrapAlgorithm keyWrapAlgorithm = null;

-        String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();

+        String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();

         if (cmd.hasOption("w")) {

             kwAlg = cmd.getOptionValue("w");

         } else {

diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg

index f21f305..9f54c40 100644

--- a/base/kra/shared/conf/CS.cfg

+++ b/base/kra/shared/conf/CS.cfg

@@ -286,7 +286,8 @@ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES

 kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES

 kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC

 kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16

-kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding

+kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES/CBC/PKCS5Padding

+kra.storageUnit.wrapping.1.payloadWrapIVLen=16

 kra.storageUnit.wrapping.1.sessionKeyType=AES

 kra.storageUnit.wrapping.choice=1

 kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME]

-- 

1.8.3.1

From 90105b85df48b2035e8c5fa1f0982f631964b011 Mon Sep 17 00:00:00 2001

From: Alexander Scheel <ascheel@redhat.com>

Date: Wed, 20 Nov 2019 09:10:02 -0500

Subject: [PATCH 2/2] Remove non-breaking space from pki-server-nuxwdog

In pki-server-nuxwdog, we had a non-breaking space at the end of a

quoted string, causing the resulting directory to end with a

non-breaking space.

This results in paths with incorrect names:

/var/log/pki/$INSTANCE/pids /

instead of

/var/log/pki/$INSTANCE/pids/

Resolves: rhbz#1774282

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

(cherry picked from commit 4f2b8aaf13b488558b7718d7967d42db4d23d172)

---

 base/server/sbin/pki-server-nuxwdog | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog

index ffdbc33..5244d57 100755

--- a/base/server/sbin/pki-server-nuxwdog

+++ b/base/server/sbin/pki-server-nuxwdog

@@ -43,7 +43,7 @@ chown ${TOMCAT_USER}: ${nux_fname}

 echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname

 echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname

-echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname

+echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname

 echo "ChildSecurity 1" >> $nux_fname

 echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname

 echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname

-- 

1.8.3.1