#2522 cannot extract generated private key from KRA when HSM is used.
Closed: fixed 6 years ago Opened 7 years ago by vakwetu.

KRA has the ability to generate an asymmetric key set (public and private key).
When the key set is generated with a KRA that is backed by an NSS DB, there is no issue
retrieving either the public or private key.

When the key set is generated by a KRA backed with a nethsm, we can only extract the public key.

This needs to be fixed for Barbican.


Not all HSMs support key extraction, and every HSM has different settings. Please provide HSM make and model. Also please provide info such as whether the system is in FIPS mode or not.

Per PKI Bug Council of 10/18/2016: 10.4

Metadata Update from @vakwetu:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.4 (was: UNTRIAGED)

7 years ago

Metadata Update from @mharmsen:
- Issue priority set to: 2 (was: 3)

7 years ago

Metadata Update from @vakwetu:
- Issue assigned to vakwetu

6 years ago

commit bea446868e282955d9c70028be657530eaccbe29
Author: Ade Lee alee@redhat.com
Date: Mon May 1 18:25:59 2017 -0400

Use AES-CBC in storage unit for archival in key wrapping

When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.

Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.

Part of Bugzilla BZ# 1386303

Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51

commit f84bfab30647ae1492fcdca0a026bfa4d91350c9
Author: Ade Lee alee@redhat.com
Date: Mon May 1 15:56:58 2017 -0400

Make sure generated asym keys are extractable

In HSMs, we were not able to retrieve asym keys that were
generated from the AsymKeyGenService, because the right
flags were not set (ie. set like in the server side
keygen case).

To do this, I extracted the key generation function from
NetKeygenService to KeyRecoveryAuthority, so that it could
be used by both services.

Bugzilla BZ# 1386303

Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
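The first commit above describes falling back from AES-KW/AES-KWP to AES-CBC when the storage unit's token does not offer a key-wrap mechanism. The following is an added example, not Dogtag's code: it models that selection order in Python with the `cryptography` package, and simulates the "available mechanisms" set in software (a real KRA would query the HSM via PKCS#11). The function names and the preference list are assumptions for illustration. The practitioner's caveat it makes visible is that AES-KW/AES-KWP carry an integrity check on unwrap while the AES-CBC fallback does not, so a CBC unwrap with the wrong KEK is detected only by a padding failure, if at all.

```python
"""Key-wrap algorithm selection with AES-CBC fallback (added example).

Prefer AES-KWP (RFC 5649), then AES-KW (RFC 3394), and use AES-CBC
with PKCS#7 padding only when neither is available.  The set of
available mechanisms is simulated here; a real deployment would ask
the HSM/PKCS#11 token which mechanisms it supports.
"""
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap,
    aes_key_unwrap,
    aes_key_unwrap_with_padding,
    aes_key_wrap,
    aes_key_wrap_with_padding,
)

# Assumed preference order (strongest-integrity first).
PREFERENCE = ("AES-KWP", "AES-KW", "AES-CBC")


def select_wrap_algorithm(available):
    """Pick the first algorithm in PREFERENCE that the token offers."""
    for alg in PREFERENCE:
        if alg in available:
            return alg
    raise ValueError("no supported key wrap algorithm available")


def wrap_key(alg, kek, key_bytes):
    """Wrap key_bytes under the key-encryption key `kek` using `alg`."""
    if alg == "AES-KWP":
        return aes_key_wrap_with_padding(kek, key_bytes)
    if alg == "AES-KW":
        # RFC 3394 needs input >= 16 bytes and a multiple of 8 bytes.
        return aes_key_wrap(kek, key_bytes)
    if alg == "AES-CBC":
        # Fallback: random IV prepended, PKCS#7 padding, no integrity tag.
        iv = os.urandom(16)
        padder = padding.PKCS7(128).padder()
        padded = padder.update(key_bytes) + padder.finalize()
        enc = Cipher(algorithms.AES(kek), modes.CBC(iv)).encryptor()
        return iv + enc.update(padded) + enc.finalize()
    raise ValueError(f"unknown algorithm {alg}")


def unwrap_key(alg, kek, wrapped):
    """Inverse of wrap_key; raises InvalidUnwrap on detectable failure."""
    if alg == "AES-KWP":
        return aes_key_unwrap_with_padding(kek, wrapped)
    if alg == "AES-KW":
        return aes_key_unwrap(kek, wrapped)
    if alg == "AES-CBC":
        if len(wrapped) < 32 or len(wrapped) % 16:
            raise InvalidUnwrap("malformed AES-CBC wrapped blob")
        iv, body = wrapped[:16], wrapped[16:]
        dec = Cipher(algorithms.AES(kek), modes.CBC(iv)).decryptor()
        padded = dec.update(body) + dec.finalize()
        unpadder = padding.PKCS7(128).unpadder()
        try:
            return unpadder.update(padded) + unpadder.finalize()
        except ValueError as exc:
            # The only failure signal CBC gives; a wrong KEK can still
            # slip through with valid-looking padding.
            raise InvalidUnwrap("bad padding on AES-CBC unwrap") from exc
    raise ValueError(f"unknown algorithm {alg}")


def archive_roundtrip(available, kek, key_bytes):
    """Select an algorithm, wrap, unwrap, and report what was used."""
    alg = select_wrap_algorithm(available)
    recovered = unwrap_key(alg, kek, wrap_key(alg, kek, key_bytes))
    return alg, recovered == key_bytes


if __name__ == "__main__":
    # Constructed sample values: a 256-bit KEK and a 32-byte secret.
    kek = os.urandom(32)
    secret = os.urandom(32)
    for available in ({"AES-KWP", "AES-KW", "AES-CBC"}, {"AES-KW", "AES-CBC"}, {"AES-CBC"}):
        print(sorted(available), "->", archive_roundtrip(available, kek, secret))
```

Because the CBC path has no integrity check, the surrounding code should validate the unwrapped material (expected length, key type) before treating it as recovered key bytes, and should log which algorithm was chosen so that a token silently lacking AES-KW is visible in the audit trail.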

Metadata Update from @vakwetu:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.4 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.1-4.el7

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2642

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
