Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-11 Thread Petr Vobornik

On 06/10/2015 03:53 PM, Martin Basti wrote:
> On 08/06/15 16:18, Petr Spacek wrote:
>> Hello,
>>
>> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>>
>> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
>> Blowfish mechanisms.
>>
>>
>> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>>
>> Symptoms include errors like this:
>>
>> On DNSSEC key master:
>> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
>> length: 0x70
>>
>> On DNSSEC replicas:
>> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
>> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>>
>
> ACK

Pushed to master: 40680fd2a95ba0b00c81f5e22241b3a16d6eee54
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-10 Thread Martin Basti

On 08/06/15 16:18, Petr Spacek wrote:
> Hello,
>
> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>
> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
> Blowfish mechanisms.
>
>
> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>
> Symptoms include errors like this:
>
> On DNSSEC key master:
> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
> length: 0x70
>
> On DNSSEC replicas:
> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>

ACK

--
Martin Basti



Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-08 Thread Simo Sorce
On Mon, 2015-06-08 at 16:30 +0200, Petr Spacek wrote:
> On 8.6.2015 16:24, Simo Sorce wrote:
> > On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
> >> Hello,
> >>
> >> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
> >>
> >> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
> >> Blowfish mechanisms.
> >>
> >>
> >> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
> >>
> >> Symptoms include errors like this:
> >>
> >> On DNSSEC key master:
> >> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
> >> length: 0x70
> >>
> >> On DNSSEC replicas:
> >> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> >> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
> >>
> > 
> > Does this affect domains where some replicas use older versions and some
> > replicas newer versions ? Or is this a purely local issue confined to a
> > specific replica ?
> 
> This should be just a local issue because LDAP stores named constants instead
> of numeric values.

Excellent, thanks.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-08 Thread Petr Spacek
On 8.6.2015 16:24, Simo Sorce wrote:
> On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
>> Hello,
>>
>> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
>>
>> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
>> Blowfish mechanisms.
>>
>>
>> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
>>
>> Symptoms include errors like this:
>>
>> On DNSSEC key master:
>> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
>> length: 0x70
>>
>> On DNSSEC replicas:
>> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
>> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
>>
> 
> Does this affect domains where some replicas use older versions and some
> replicas newer versions ? Or is this a purely local issue confined to a
> specific replica ?

This should be just a local issue because LDAP stores named constants instead
of numeric values.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-08 Thread Simo Sorce
On Mon, 2015-06-08 at 16:18 +0200, Petr Spacek wrote:
> Hello,
> 
> Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.
> 
> SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
> Blowfish mechanisms.
> 
> 
> Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.
> 
> Symptoms include errors like this:
> 
> On DNSSEC key master:
> ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
> length: 0x70
> 
> On DNSSEC replicas:
> ipa-dnskeysyncd: subprocess.CalledProcessError: Command
> ''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1
> 

Does this affect domains where some replicas use older versions and some
replicas newer versions ? Or is this a purely local issue confined to a
specific replica ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



[Freeipa-devel] [PATCH 0031] Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40

2015-06-08 Thread Petr Spacek
Hello,

Update PKCS#11 mechanism constants for AES key wrapping to PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.


Older code *cannot* work with SoftHSM 2.0.0rc1 and newer.

Symptoms include errors like this:

On DNSSEC key master:
ipa-ods-exporter: _ipap11helper.Error: Error at key wrapping: get buffer
length: 0x70

On DNSSEC replicas:
ipa-dnskeysyncd: subprocess.CalledProcessError: Command
''/usr/libexec/ipa/ipa-dnskeysync-replica'' returned non-zero exit status 1

-- 
Petr^2 Spacek
From 92c023ae6c7154e41c5af74b30f695d77da2742d Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Mon, 8 Jun 2015 16:14:24 +0200
Subject: [PATCH] Update PKCS#11 mechanism constants for AES key wrapping to
 PKCS#11 v2.40.

SoftHSM 2.0.0rc1 was updated to these new constants to avoid collision with
Blowfish mechanisms.
---
 freeipa.spec.in| 2 +-
 ipapython/ipap11helper/p11helper.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index a9757a194b1bf3bdcced4fd29e7fbae8b0211c94..ee8b161411822f0b1172863221bad2d8fd2de239 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -89,7 +89,7 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
 BuildRequires:  python-backports-ssl_match_hostname
-BuildRequires:  softhsm-devel >= 2.0.0b1-3
+BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
 BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
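
Review bot: only the BuildRequires line for softhsm-devel is raised to 2.0.0rc1-1, and the diffstat shows no other change to freeipa.spec.in, so the runtime dependency is not tightened. The mechanism values in p11helper.c are compiled in, which means a package built from this spec and installed next to a SoftHSM older than 2.0.0rc1 would pass mechanism numbers that library does not use for AES key wrapping. If the spec carries a runtime Requires on softhsm, it should get the same minimum version in this patch.
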
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index b05e17da24b94ea16f15f1663dc1dc4c1d683ea4..4a5ae8a6bf6039f26d70a6362441e31181a9e225 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -50,8 +50,8 @@
 #include "library.h"
 
 // compat TODO
-#define CKM_AES_KEY_WRAP   (0x1090)
-#define CKM_AES_KEY_WRAP_PAD   (0x1091)
+#define CKM_AES_KEY_WRAP   (0x2109)
+#define CKM_AES_KEY_WRAP_PAD   (0x210a)
 
 // TODO
 #define CKA_COPYABLE   (0x0017)
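
Review bot: the two #define lines under `// compat TODO` are unconditional and carry no note on where the values come from. Guarding them with `#ifndef CKM_AES_KEY_WRAP` and `#ifndef CKM_AES_KEY_WRAP_PAD` would let a definition from the PKCS#11 header take precedence once the header provides one, instead of redefining it here. A short comment stating that 0x2109 and 0x210a are the PKCS#11 v2.40 values, and that the previous 0x1090 and 0x1091 collided with Blowfish mechanisms, would replace the bare TODO and record why the numbers changed.
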
-- 
2.1.0
