From 6c199b8882fa1b2cb07f911d29d2a7eccf7e99c7 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Fri, 22 Nov 2019 13:03:18 -0500 Subject: [PATCH 1/2] Bug 1723008 - ECC Key recovery failure with CKR_TEMPLATE_INCONSISTENT The current settings irt key wrapping parameters were depending on the expection that the revised sw version for the nCipher HSM would be capable of handling the key wrapping/unwrapping algorithm "AES KeyWrap/Padding"; As it turned out it did not completely do that. This patch changes the default setting in the KRA CS.cfg as well as CRMFPopClient to that of a supported wrapping algorithm: AES/CBC/PKCS5Padding Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1723008 (cherry picked from commit 06fdf41b2f5947f90d84b3fc32def4c8346c9601) --- base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 6 +++--- base/kra/shared/conf/CS.cfg | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java index 72eca3e..4caf92f 100644 --- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java @@ -224,8 +224,8 @@ public class CRMFPopClient { System.out.println(" - POP_SUCCESS: with valid POP"); System.out.println(" - POP_FAIL: with invalid POP (for testing)"); System.out.println(" -w Algorithm to use for key wrapping"); - System.out.println(" - default: \"AES KeyWrap/Padding\""); - System.out.println(" - \"AES/CBC/PKCS5Padding\""); + System.out.println(" - default: \"AES/CBC/PKCS5Padding\""); + System.out.println(" - \"AES KeyWrap/Padding\""); System.out.println(" - \"DES3/CBC/Pad\""); System.out.println(" -b PEM transport certificate (default: transport.txt)"); System.out.println(" -v, --verbose Run in verbose mode."); @@ -324,7 +324,7 @@ public class CRMFPopClient { // get the keywrap algorithm KeyWrapAlgorithm keyWrapAlgorithm = null; - String kwAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD.toString(); + String kwAlg = KeyWrapAlgorithm.AES_CBC_PAD.toString(); if (cmd.hasOption("w")) { kwAlg = cmd.getOptionValue("w"); } else { diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index f21f305..9f54c40 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg @@ -286,7 +286,8 @@ kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES kra.storageUnit.wrapping.1.payloadEncryptionAlgorithm=AES kra.storageUnit.wrapping.1.payloadEncryptionMode=CBC kra.storageUnit.wrapping.1.payloadEncryptionIVLen=16 -kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES KeyWrap/Padding +kra.storageUnit.wrapping.1.payloadWrapAlgorithm=AES/CBC/PKCS5Padding +kra.storageUnit.wrapping.1.payloadWrapIVLen=16 kra.storageUnit.wrapping.1.sessionKeyType=AES kra.storageUnit.wrapping.choice=1 kra.storageUnit.nickName=storageCert cert-[PKI_INSTANCE_NAME] -- 1.8.3.1 From 90105b85df48b2035e8c5fa1f0982f631964b011 Mon Sep 17 00:00:00 2001 From: Alexander Scheel Date: Wed, 20 Nov 2019 09:10:02 -0500 Subject: [PATCH 2/2] Remove non-breaking space from pki-server-nuxwdog In pki-server-nuxwdog, we had a non-breaking space at the end of a quoted string, causing the resulting directory to end with a non-breaking space. This results in paths with incorrect names: /var/log/pki/$INSTANCE/pids / instead of /var/log/pki/$INSTANCE/pids/ Resolves: rhbz#1774282 Signed-off-by: Alexander Scheel (cherry picked from commit 4f2b8aaf13b488558b7718d7967d42db4d23d172) --- base/server/sbin/pki-server-nuxwdog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog index ffdbc33..5244d57 100755 --- a/base/server/sbin/pki-server-nuxwdog +++ b/base/server/sbin/pki-server-nuxwdog @@ -43,7 +43,7 @@ chown ${TOMCAT_USER}: ${nux_fname} echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname -echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname +echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname echo "ChildSecurity 1" >> $nux_fname echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname -- 1.8.3.1