|
|
67803c |
From 6c199b8882fa1b2cb07f911d29d2a7eccf7e99c7 Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Christina Fu <cfu@redhat.com>
|
|
|
67803c |
Date: Fri, 22 Nov 2019 13:03:18 -0500
|
|
|
67803c |
Subject: [PATCH 1/2] Bug 1723008 - ECC Key recovery failure with
|
|
|
67803c |
CKR_TEMPLATE_INCONSISTENT
|
|
|
67803c |
|
|
|
67803c |
The current key-wrapping parameter settings depended on the
|
|
|
67803c |
expectation that the revised software version for the nCipher HSM would be capable
|
|
|
67803c |
of handling the key wrapping/unwrapping algorithm "AES KeyWrap/Padding";
|
|
|
67803c |
As it turned out it did not completely do that.
|
|
|
67803c |
This patch changes the default setting in the KRA CS.cfg as well as
|
|
|
67803c |
CRMFPopClient to that of a supported wrapping algorithm: AES/CBC/PKCS5Padding
|
|
|
67803c |
|
|
|
67803c |
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1723008
|
|
|
67803c |
|
|
|
67803c |
(cherry picked from commit 06fdf41b2f5947f90d84b3fc32def4c8346c9601)
|
|
|
67803c |
---
|
|
|
67803c |
base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 6 +++---
|
|
|
67803c |
base/kra/shared/conf/CS.cfg | 3 ++-
|
|
|
67803c |
2 files changed, 5 insertions(+), 4 deletions(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
|
|
|
67803c |
index 72eca3e..4caf92f 100644
|
|
|
67803c |
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
|
|
|
67803c |
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
|
|
|
67803c |
@@ -224,8 +224,8 @@ public class CRMFPopClient {
|
|
|
67803c |
System.out.println(" - POP_SUCCESS: with valid POP");
|
|
|
67803c |
System.out.println(" - POP_FAIL: with invalid POP (for testing)");
|
|
|
67803c |
System.out.println(" -w <keywrap algorithm> Algorithm to use for key wrapping");
|
|
|
67803c |
- System.out.println(" - default: \"AES KeyWrap/Padding\"");
|
|
|
67803c |
- System.out.println(" - \"AES/CBC/PKCS5Padding\"");
|
|
|
67803c |
+ System.out.println(" - default: \"AES/CBC/PKCS5Padding\"");
|
|
|
67803c |
+ System.out.println(" - \"AES KeyWrap/Padding\"");
|
|
|
67803c |
System.out.println(" - \"DES3/CBC/Pad\"");
|
|
|
67803c |
System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
|
|
|
67803c |
System.out.println(" -v, --verbose Run in verbose mode.");
|
|
|
67803c |
@@ -324,7 +324,7 @@ public class CRMFPopClient {
|
|
|
67803c |
|
|
|
67803c |
// get the keywrap algorithm
|
|
|
67803c |
KeyWrapAlgorithm keyWrapAlgorithm = null;
|
|
|
67803c |
- String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();
|
|
|
67803c |
+ String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();
|
|
|
67803c |
if (cmd.hasOption("w")) {
|
|
|
67803c |
kwAlg = cmd.getOptionValue("w");
|
|
|
67803c |
} else {
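Review bot: Switching the built-in default to `KeyWrapAlgorithm.AES_CBC_PAD` changes what every caller that omits -w sends to the KRA, and unlike AES Key Wrap with Padding (RFC 5649), AES/CBC/PKCS5Padding carries no integrity check on the wrapped private key, so the downgrade deserves a comment at the assignment rather than only in the commit message. Something like `// Default is AES/CBC/PKCS5Padding for HSM compatibility (nCipher rejects AES KeyWrap/Padding with CKR_TEMPLATE_INCONSISTENT, bz#1723008); it has no built-in integrity check, so prefer -w "AES KeyWrap/Padding" on tokens that support it.` above the `String kwAlg = ...` line would keep a future maintainer from "restoring" the stronger default without re-testing the HSM path. The value read from -w is not validated within the hunk; presumably the conversion to KeyWrapAlgorithm in the continuation rejects unknown names, but that is not visible here. The enclosing method starts and ends outside the hunk.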
|
|
|
67803c |
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
|
|
|
67803c |
index f21f305..9f54c40 100644
|
|
|
67803c |
--- a/base/kra/shared/conf/CS.cfg
|
|
|
67803c |
+++ b/base/kra/shared/conf/CS.cfg
|
|
|
67803c |
@@ -286,7 +286,8 @@ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
|
|
|
67803c |
kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES
|
|
|
67803c |
kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC
|
|
|
67803c |
kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16
|
|
|
67803c |
-kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding
|
|
|
67803c |
+kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES/CBC/PKCS5Padding
|
|
|
67803c |
+kra.storageUnit.wrapping.1.payloadWrapIVLen=16
|
|
|
67803c |
kra.storageUnit.wrapping.1.sessionKeyType=AES
|
|
|
67803c |
kra.storageUnit.wrapping.choice=1
|
|
|
67803c |
kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME]
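Review bot: The new `kra.storageUnit.wrapping.1.payloadWrapIVLen=16` key is introduced with nothing indicating that it is only meaningful for the CBC wrap mode, and nothing in the template records why payloadWrapAlgorithm moved away from AES KeyWrap/Padding, so a later edit may either drop the IV length and break CBC or restore the stronger algorithm and reintroduce the CKR_TEMPLATE_INCONSISTENT failure. If CS.cfg accepts comment lines, one above the two changed keys would help: `# AES/CBC/PKCS5Padding (with payloadWrapIVLen) is used because some HSMs reject AES KeyWrap/Padding (bz#1723008); unlike RFC 5649 key wrap it provides no integrity check on the wrapped payload.` This file appears to be a per-instance template (note the [PKI_INSTANCE_NAME] placeholder on the nickName line), so the change presumably reaches only newly created instances; existing instances that already carry wrapping.1 in their own CS.cfg would keep the old value and still hit the bug unless an upgrade step rewrites it.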
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|
|
|
67803c |
|
|
|
67803c |
From 90105b85df48b2035e8c5fa1f0982f631964b011 Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Alexander Scheel <ascheel@redhat.com>
|
|
|
67803c |
Date: Wed, 20 Nov 2019 09:10:02 -0500
|
|
|
67803c |
Subject: [PATCH 2/2] Remove non-breaking space from pki-server-nuxwdog
|
|
|
67803c |
|
|
|
67803c |
In pki-server-nuxwdog, we had a non-breaking space at the end of a
|
|
|
67803c |
quoted string, causing the resulting directory to end with a
|
|
|
67803c |
non-breaking space.
|
|
|
67803c |
|
|
|
67803c |
This results in paths with incorrect names:
|
|
|
67803c |
|
|
|
67803c |
/var/log/pki/$INSTANCE/pids /
|
|
|
67803c |
|
|
|
67803c |
instead of
|
|
|
67803c |
|
|
|
67803c |
/var/log/pki/$INSTANCE/pids/
|
|
|
67803c |
|
|
|
67803c |
Resolves: rhbz#1774282
|
|
|
67803c |
|
|
|
67803c |
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
|
67803c |
(cherry picked from commit 4f2b8aaf13b488558b7718d7967d42db4d23d172)
|
|
|
67803c |
---
|
|
|
67803c |
base/server/sbin/pki-server-nuxwdog | 2 +-
|
|
|
67803c |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
|
|
|
67803c |
index ffdbc33..5244d57 100755
|
|
|
67803c |
--- a/base/server/sbin/pki-server-nuxwdog
|
|
|
67803c |
+++ b/base/server/sbin/pki-server-nuxwdog
|
|
|
67803c |
@@ -43,7 +43,7 @@ chown ${TOMCAT_USER}: ${nux_fname}
|
|
|
67803c |
|
|
|
67803c |
echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
|
|
|
67803c |
echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
|
|
|
67803c |
-echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
|
|
|
67803c |
+echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
|
|
|
67803c |
echo "ChildSecurity 1" >> $nux_fname
|
|
|
67803c |
echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
|
|
|
67803c |
echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|