One patch for JSS
one patch for KRA
These patches should address the KRA unwrap issues when the keys are on lunaSA.

The KRA patch requires the JSS patch to function.
It also requires the lunaSA to be one of the CKE (Key Export) models.

Christina
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu	2016-04-28 16:50:06.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2016-04-28 16:50:00.000000000 -0700
@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
         isSensitive = PR_FALSE;
         isExtractable = PR_FALSE;
     } else if ( isLunasa) {
-        isSensitive = PR_FALSE;
+        isSensitive = PR_TRUE;
         isExtractable = PR_TRUE;
     }
 
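Review bot: The lunaSA branch now marks the unwrapped key CKA_SENSITIVE while leaving it CKA_EXTRACTABLE, and nothing in the hunk records why; a comment on the `isSensitive = PR_TRUE;` line would keep the next reader from reverting it, e.g. `/* lunaSA rejects non-sensitive unwrapped keys; stays EXTRACTABLE so the KRA can wrap it back out (needs a CKE/Key-Export model) */`. The first clause is inferred from the patch description and should be confirmed against the token's policy before it is written as fact. Under PKCS#11 semantics a sensitive-but-extractable key cannot be read in plaintext but can still leave the token wrapped, so the extractable flag is a deliberate choice that deserves to be stated explicitly. The enclosing JNI function begins and ends outside this hunk.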
>From faadd5d9635fcf2c5ab2e02cc09a3f1caca1e0ad Mon Sep 17 00:00:00 2001
From: Christina Fu <c...@redhat.com>
Date: Fri, 6 May 2016 10:40:55 -0700
Subject: [PATCH] =?UTF-8?q?Ticket=20#2303=20Key=20recovery=20fails=20with?=
 =?UTF-8?q?=20KRA=20on=20lunaSA=20=20This=20patch=20requires=20JSS=20with?=
 =?UTF-8?q?=20the=20jss-lunasaUnwrap.patch=20to=20work=20properly=20on=20t?=
 =?UTF-8?q?he=20lunaSA.=20=20It=20is=20also=20required=20for=20the=20lunaS?=
 =?UTF-8?q?A=20to=20be=20of=20the=20following=20model:=20=20CKE=20?=
 =?UTF-8?q?=E2=80=93=20Key=20Export=20Models?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index a976169e3f0db92df1a1f3f633a1960a52bc0984..ef141dc66b6ef3a9d1de1c92af996f7694069c54 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -264,7 +264,7 @@ public class TokenKeyRecoveryService implements IService {
                 (wrapped_des_key.length > 0)) {
 
             // unwrap the des key
-            sk = (PK11SymKey) mTransportUnit.unwrap_encrypt_sym(wrapped_des_key);
+            sk = (PK11SymKey) mTransportUnit.unwrap_sym(wrapped_des_key);
 
             if (sk == null) {
                 CMS.debug("TokenKeyRecoveryService: no des key");
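Review bot: The switch from `unwrap_encrypt_sym` to `unwrap_sym` drops whatever usage the `_encrypt` variant requested for the DES key, yet the comment above the call still says only `// unwrap the des key`; the reason belongs next to the call, e.g. `// unwrap_sym, not unwrap_encrypt_sym: the encrypt-usage variant fails on lunaSA (ticket #2303); this key is only used for wrapping below`. Whether the key is used solely for wrapping is inferred from the later DES3_CBC_PAD wrap in this file and should be confirmed. The existing `sk == null` check keeps the failure path intact, but the raw `(PK11SymKey)` cast would throw a ClassCastException before reaching it if `unwrap_sym` ever returned a different SymmetricKey implementation, so mTransportUnit's return contract is worth confirming. The enclosing method starts before and ends after this hunk.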
@@ -516,6 +516,7 @@ public class TokenKeyRecoveryService implements IService {
                     return false;
                 }
 
+                CMS.debug("TokenKeyRecoveryService: about to wrap...");
                 KeyWrapper wrapper = token.getKeyWrapper(
                     KeyWrapAlgorithm.DES3_CBC_PAD);
 
@@ -688,6 +689,7 @@ public class TokenKeyRecoveryService implements IService {
                 CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery failure");
                 throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "private key recovery/unwrapping failure"));
             }
+            CMS.debug( "TokenKeyRecoveryService: recoverKey() - recovery completed, returning privKey");
             return privKey;
 
         } catch (Exception e) {
-- 
2.4.3
