From 6c199b8882fa1b2cb07f911d29d2a7eccf7e99c7 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Fri, 22 Nov 2019 13:03:18 -0500
Subject: [PATCH 1/2] Bug 1723008 - ECC Key recovery failure with
CKR_TEMPLATE_INCONSISTENT
The current key-wrapping parameter settings depended on the expectation that
the revised software version for the nCipher HSM would be capable of handling
the key wrapping/unwrapping algorithm "AES KeyWrap/Padding"; as it turned out,
it did not completely do so.
This patch changes the default setting in the KRA CS.cfg as well as
CRMFPopClient to that of a supported wrapping algorithm: AES/CBC/PKCS5Padding
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1723008
(cherry picked from commit 06fdf41b2f5947f90d84b3fc32def4c8346c9601)
---
base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 6 +++---
base/kra/shared/conf/CS.cfg | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 72eca3e..4caf92f 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -224,8 +224,8 @@ public class CRMFPopClient {
System.out.println(" - POP_SUCCESS: with valid POP");
System.out.println(" - POP_FAIL: with invalid POP (for testing)");
System.out.println(" -w <keywrap algorithm> Algorithm to use for key wrapping");
- System.out.println(" - default: \"AES KeyWrap/Padding\"");
- System.out.println(" - \"AES/CBC/PKCS5Padding\"");
+ System.out.println(" - default: \"AES/CBC/PKCS5Padding\"");
+ System.out.println(" - \"AES KeyWrap/Padding\"");
System.out.println(" - \"DES3/CBC/Pad\"");
System.out.println(" -b <transport cert> PEM transport certificate (default: transport.txt)");
System.out.println(" -v, --verbose Run in verbose mode.");
@@ -324,7 +324,7 @@ public class CRMFPopClient {
// get the keywrap algorithm
KeyWrapAlgorithm keyWrapAlgorithm = null;
- String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString();
+ String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString();
if (cmd.hasOption("w")) {
kwAlg = cmd.getOptionValue("w");
} else {
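Review bot: The new default on the `kwAlg` line is AES/CBC/PKCS5Padding, an unauthenticated mode, whereas the previous default "AES KeyWrap/Padding" (RFC 5649) carries an integrity check; a wrapped private key that is altered in transit is no longer rejected at unwrap time, and PKCS5 padding makes the unwrap side a potential padding oracle if its failures are distinguishable to a client. Nothing in this hunk shows how the CBC IV is generated, so I cannot confirm that a fresh random IV is used for every wrap — that is required for CBC and should be checked where the wrap is performed. The reason for the downgrade (HSM compatibility, bz 1723008) is only in the commit message; I would put it next to the default so it is not re-flipped or mistaken for a security preference: `// Default is AES/CBC/PKCS5Padding for HSM compatibility (bz 1723008); it has no integrity check — prefer "AES KeyWrap/Padding" where the token supports it.` The enclosing method begins and ends outside this hunk.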
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index f21f305..9f54c40 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -286,7 +286,8 @@ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES
kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC
kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16
-kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding
+kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES/CBC/PKCS5Padding
+kra.storageUnit.wrapping.1.payloadWrapIVLen=16
kra.storageUnit.wrapping.1.sessionKeyType=AES
kra.storageUnit.wrapping.choice=1
kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME]
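Review bot: The new `payloadWrapAlgorithm=AES/CBC/PKCS5Padding` replaces an integrity-checked key-wrap (AES KeyWrap/Padding, RFC 5649) with plain CBC, so the KRA will no longer detect a tampered archived key when it unwraps it, and the shipped default now carries no explanation of why. I would record the rationale in CS.cfg beside the setting, if the file format tolerates comments (I cannot tell from this hunk), e.g. `# AES/CBC/PKCS5Padding chosen for nCipher HSM compatibility (bz 1723008); AES KeyWrap/Padding is preferred where supported`. The added `payloadWrapIVLen=16` matches the AES block size, but the hunk does not show the code that honours it — worth confirming that a random IV of that length is generated per wrap rather than a fixed one. Existing instances that already hold a `kra.storageUnit.wrapping.1.*` block will presumably keep their current value, so this change affects new deployments only; that is inferred, not visible here.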
--
1.8.3.1
From 90105b85df48b2035e8c5fa1f0982f631964b011 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 20 Nov 2019 09:10:02 -0500
Subject: [PATCH 2/2] Remove non-breaking space from pki-server-nuxwdog
In pki-server-nuxwdog, we had a non-breaking space at the end of a
quoted string, causing the resulting directory to end with a
non-breaking space.
This results in paths with incorrect names:
/var/log/pki/$INSTANCE/pids /
instead of
/var/log/pki/$INSTANCE/pids/
Resolves: rhbz#1774282
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
(cherry picked from commit 4f2b8aaf13b488558b7718d7967d42db4d23d172)
---
base/server/sbin/pki-server-nuxwdog | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog
index ffdbc33..5244d57 100755
--- a/base/server/sbin/pki-server-nuxwdog
+++ b/base/server/sbin/pki-server-nuxwdog
@@ -43,7 +43,7 @@ chown ${TOMCAT_USER}: ${nux_fname}
echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname
echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname
-echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
+echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname
echo "ChildSecurity 1" >> $nux_fname
echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname
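Review bot: The rewritten `TmpDir` line still redirects to an unquoted `$nux_fname`, as do the neighbouring `echo` lines, so a value containing whitespace would split the redirection target; `echo "TmpDir ${CATALINA_BASE}/logs/pids" >> "$nux_fname"` avoids that. The variable is assigned outside this hunk, so I cannot tell whether it can ever contain such characters. Since the defect fixed here was an invisible non-breaking space, a short comment above the block noting that these lines must contain only ASCII spaces would help the next reviewer catch a regression.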
--
1.8.3.1