From 6c199b8882fa1b2cb07f911d29d2a7eccf7e99c7 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Fri, 22 Nov 2019 13:03:18 -0500
Subject: [PATCH 1/2] Bug 1723008 - ECC Key recovery failure with
 CKR_TEMPLATE_INCONSISTENT

The current key-wrapping parameter settings depended on the
expectation that the revised software version of the nCipher HSM would be
capable of handling the key wrapping/unwrapping algorithm "AES KeyWrap/Padding";
as it turned out, it did not fully support it.
This patch changes the default setting in the KRA CS.cfg, as well as in
CRMFPopClient, to a supported wrapping algorithm: AES/CBC/PKCS5Padding.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1723008

(cherry picked from commit 06fdf41b2f5947f90d84b3fc32def4c8346c9601)
---
 base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 6 +++---
 base/kra/shared/conf/CS.cfg                                  | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 72eca3e..4caf92f 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -224,8 +224,8 @@ public class CRMFPopClient {
         System.out.println("                               - POP_SUCCESS: with valid POP");
         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");
         System.out.println("  -w <keywrap algorithm>       Algorithm to use for key wrapping");
-        System.out.println("                               - default: \"AES KeyWrap/Padding\"");
-        System.out.println("                               - \"AES/CBC/PKCS5Padding\"");
+        System.out.println("                               - default: \"AES/CBC/PKCS5Padding\"");
+        System.out.println("                               - \"AES KeyWrap/Padding\"");
         System.out.println("                               - \"DES3/CBC/Pad\"");
         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
         System.out.println("  -v, --verbose                Run in verbose mode.");
@@ -324,7 +324,7 @@ public class CRMFPopClient {
 
         // get the keywrap algorithm
         KeyWrapAlgorithm keyWrapAlgorithm = null;
-        String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();
+        String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();
         if (cmd.hasOption("w")) {
             kwAlg = cmd.getOptionValue("w");
         } else {
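Review bot: The new default `KeyWrapAlgorithm.AES_CBC_PAD` is a step down in integrity protection from `AES_KEY_WRAP_PAD` (AES Key Wrap with Padding carries an integrity check on the wrapped key; AES/CBC with PKCS#5 padding does not), yet nothing in the hunk records that the weaker mode was chosen for HSM compatibility rather than on merit. I would add, directly above the `String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();` assignment: `// Default is AES/CBC/PKCS5Padding rather than AES KeyWrap/Padding because the nCipher HSM rejects KeyWrap/Padding with CKR_TEMPLATE_INCONSISTENT (bz#1723008); pass -w "AES KeyWrap/Padding" when the token supports it.` The `else` branch and the remainder of the option handling lie outside the hunk, so I cannot tell from here whether an unsupported `-w` value is rejected before it is used.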
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index f21f305..9f54c40 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -286,7 +286,8 @@ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
 kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES
 kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC
 kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16
-kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding
+kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES/CBC/PKCS5Padding
+kra.storageUnit.wrapping.1.payloadWrapIVLen=16
 kra.storageUnit.wrapping.1.sessionKeyType=AES
 kra.storageUnit.wrapping.choice=1
 kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME]
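Review bot: The new `payloadWrapAlgorithm=AES/CBC/PKCS5Padding` and `payloadWrapIVLen=16` settings carry no explanation of why the KRA now wraps stored key material with a mode that, unlike AES KeyWrap/Padding, has no built-in integrity check, so a corrupted or altered wrapped payload would only be noticed indirectly (bad padding or an unusable key), if at all. I would place a comment on the line above `payloadWrapAlgorithm`: `# AES/CBC/PKCS5Padding is used instead of AES KeyWrap/Padding because the nCipher HSM rejects KeyWrap/Padding (bz#1723008); CBC provides no integrity check on the wrapped payload.` Whether CS.cfg accepts `#` comment lines, and whether the CS.cfg of already-deployed instances is migrated to the new wrapping settings on upgrade, are not visible from this hunk and should be confirmed.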
-- 
1.8.3.1


From 90105b85df48b2035e8c5fa1f0982f631964b011 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 20 Nov 2019 09:10:02 -0500
Subject: [PATCH 2/2] Remove non-breaking space from pki-server-nuxwdog

In pki-server-nuxwdog, we had a non-breaking space at the end of a
quoted string, causing the resulting directory to end with a
non-breaking space.

This results in paths with incorrect names:

/var/log/pki/$INSTANCE/pids /

instead of

/var/log/pki/$INSTANCE/pids/

Resolves: rhbz#1774282

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
(cherry picked from commit 4f2b8aaf13b488558b7718d7967d42db4d23d172)
---
 base/server/sbin/pki-server-nuxwdog | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
index ffdbc33..5244d57 100755
--- a/base/server/sbin/pki-server-nuxwdog
+++ b/base/server/sbin/pki-server-nuxwdog
@@ -43,7 +43,7 @@ chown ${TOMCAT_USER}: ${nux_fname}
 
 echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
 echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
-echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
+echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
 echo "ChildSecurity 1" >> $nux_fname
 echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
 echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
-- 
1.8.3.1