Hello,

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.


Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.

Symptoms include errors like this:

On DNSSEC key master:
ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
length: 0x70

On DNSSEC replicas:
ipa-dnskeysyncd: subprocess.CalledProcessError: Command
''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1

-- 
Petr^2 Spacek
From 92c023ae6c7154e41c5af74b30f695d77da2742d Mon Sep 17 00:00:00 2001
From: Petr Spacek <pspa...@redhat.com>
Date: Mon, 8 Jun 2015 16:14:24 +0200
Subject: [PATCH] Update PKCS#11 mechanism constants for AES key wrapping to
 PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.
---
 freeipa.spec.in                    | 2 +-
 ipapython/ipap11helper/p11helper.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a9757a194b1bf3bdcced4fd29e7fbae8b0211c94..ee8b161411822f0b1172863221bad2d8fd2de239 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -89,7 +89,7 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
 BuildRequires:  python-backports-ssl_match_hostname
-BuildRequires:  softhsm-devel >= 2.0.0b1-3
+BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
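Review bot: only the build-time dependency is raised here (`BuildRequires:  softhsm-devel >= 2.0.0rc1-1`), but the mechanism values are hard-coded in p11helper.c, so what decides whether wrapping works is the SoftHSM version installed at runtime. If the spec carries a runtime `Requires:` on softhsm, it should be raised to the same version in this patch; otherwise a package built from this change can still be installed next to 2.0.0b1 and fail with the same errors described in the mail, just in the opposite direction.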
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index b05e17da24b94ea16f15f1663dc1dc4c1d683ea4..4a5ae8a6bf6039f26d70a6362441e31181a9e225 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -50,8 +50,8 @@
 #include "library.h"
 
 // compat TODO
-#define CKM_AES_KEY_WRAP           (0x1090)
-#define CKM_AES_KEY_WRAP_PAD       (0x1091)
+#define CKM_AES_KEY_WRAP           (0x2109)
+#define CKM_AES_KEY_WRAP_PAD       (0x210a)
 
 // TODO
 #define CKA_COPYABLE           (0x0017)
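Review bot: the two `#define` lines under `// compat TODO` stay unconditional, so they will clash with or silently shadow `CKM_AES_KEY_WRAP` and `CKM_AES_KEY_WRAP_PAD` once an included PKCS#11 header provides them. Wrapping each in `#ifndef CKM_AES_KEY_WRAP` / `#endif` would let the header's value win and make the TODO removable later. A short comment stating that 0x2109 and 0x210a are the PKCS#11 v2.40 values, and that the previous 0x1090 and 0x1091 collide with the Blowfish mechanisms, would also keep the reason next to the constants instead of only in the commit message.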
-- 
2.1.0
