Address- Investigate and fix CA installation is failing in exporting … #1018
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…the admin certificate at pk12util command in FIPS mode. https://issues.redhat.com/browse/RHCS-5222 The fix to follow addresses the part of the above issue with respect to how PKI through JSS creates p12 files. This patch modifies the procedure to include higher rated algs for things such as the MAC of the entire PFX and the HMAC and possible algs allowed when creating the encrypted private key info blob to place in the private key safe bag. Currently we support our own version of PK11_ExportEncryptedPrivKeyInfoV2 that , to this point has served two purposes: 1. Allow us to use the new AES key wrap KWP algs. 2. In the case of fips mode, we have added a routine that moves a key between slots when needed, which doesn't currently work in the current nss routine. The fix implements changes that alows the routine to support the various AES_CBC enc algs as well as KWP. KWP is called by the pki kra when creating p12 files, if so configured to do so. Alternatively we have a pkcs12 related comand utility that specifies AES_256_CBC. The fix to JSS simply upgrades some defaults at this point. If we want to get more involved, we could also modify the cmd line tools to be able to specify the algs in question through params.
|
ladycfu
reviewed
Aug 13, 2024
| TokenException, CharConversionException | ||
| { | ||
|
|
||
| //Make this alg the default mac alg. | ||
| AlgorithmIdentifier algID = new AlgorithmIdentifier(DigestAlgorithm.SHA256.toOID()); |
There was a problem hiding this comment.
I understand that you are changing the default mac alg, but is there not a need to allow caller of computeMacData() to specify algID for better future support?
| JSS_throwMsgPrErr( | ||
| algTag, /* PBE algorithm to encrypt the key with */ | ||
| SEC_OID_UNKNOWN, /* Encryption algorithm to Encrypt the key with */ | ||
| SEC_OID_HMAC_SHA256, /* Hash algorithm for PRF, make this upgraded to SHA256, we can make configurable in future. */ |
There was a problem hiding this comment.
it looks like you intentionally hard-code this. I somehow got the impression from your git commit comment that the fix would allow for more flexible specifications of the algorithms.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…the admin certificate at pk12util command in FIPS mode.
https://issues.redhat.com/browse/RHCS-5222
The fix to follow addresses the part of the above issue with respect to how PKI through JSS creates p12 files. This patch modifies the procedure to include higher rated algs for things such as the MAC of the entire PFX and the HMAC and possible algs allowed when creating the encrypted private key info blob to place in the private key safe bag.
Currently we support our own version of PK11_ExportEncryptedPrivKeyInfoV2 that , to this point has served two purposes:
The fix implements changes that alows the routine to support the various AES_CBC enc algs as well as KWP. KWP is called by the pki kra when creating p12 files, if so configured to do so. Alternatively we have a pkcs12 related comand utility that specifies AES_256_CBC.
The fix to JSS simply upgrades some defaults at this point. If we want to get more involved, we could also modify the cmd line tools to be able to specify the algs in question through params.