This ticket will be split in two. This one will be for the critical issue of creating the master key with sufficient flags to make the key unextractable from the HSM.
After discussions with jmagne, it was determined that this ticket required no specific bug since the changes would be addressed during simple testing out of the tool.
commit ce83d2ae2b33cca1e8b035474142fcbe2369ccc4
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date:   Thu May 12 14:46:39 2016 -0700
Enhance tkstool for capabilities and security

The key is now generated with the flags needed to keep the data from being displayed with simple tools such as symkeyutil. As per cfu's instructions, I was able to test this with the nethsm only. I also was able to make the key des3 and everything works fine with the master key. This will help with all the warnings we get about insecure des2 keys. If there is a problem with luna, we can file another ticket. Also there could be a built-in tool for luna to generate keys such as is present on hsm.
QE: For testing we just need to try this with software and the various supported HSMs. If key changeover works in TMS, this is good.
Also to see if the key data is visible try this:
/usr/lib64/nss/unsupported-tools/symkeyutil -d . -L
It should fail to print out the bytes for you and show you that the size is des3 / 24.
Closing:
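The commit message says the key is now generated with "the flags needed" to keep its bytes from being displayed, without naming them. In PKCS#11 terms the two attributes that decide this on a generated secret-key object are CKA_SENSITIVE (the plaintext value can never be read back with C_GetAttributeValue) and CKA_EXTRACTABLE (whether the key may be wrapped out of the token at all). The C below is an added example, not tkstool's or NSS's code: it puts a weak DES2 template beside a hardened DES3 template and runs the audit a reviewer would apply to either. The CKA_/CKK_/CKO_ constants carry their standard PKCS#11 values; the template layout, the function names and the treatment of absent attributes are this example's own assumptions, and no real token is called.

```c
/* Added example, not tkstool's own code: a PKCS#11 key-generation template
 * for a DES3 master key that stays inside the token, plus an audit routine
 * for the two attributes that make a key unextractable. CKA_/CKK_/CKO_
 * constants carry their standard PKCS#11 values; template layout and
 * function names are this example's own. */
#include <stddef.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;

#define CKA_CLASS        0x000UL
#define CKA_TOKEN        0x001UL
#define CKA_KEY_TYPE     0x100UL
#define CKA_SENSITIVE    0x103UL
#define CKA_ENCRYPT      0x104UL
#define CKA_DECRYPT      0x105UL
#define CKA_DERIVE       0x10CUL
#define CKA_VALUE_LEN    0x161UL
#define CKA_EXTRACTABLE  0x162UL
#define CKO_SECRET_KEY   0x4UL
#define CKK_DES2         0x14UL
#define CKK_DES3         0x15UL
#define CK_TRUE          1
#define CK_FALSE         0

typedef struct {
    CK_ULONG    type;       /* CKA_* attribute type */
    const void *pValue;
    CK_ULONG    ulValueLen;
} CK_ATTRIBUTE;

static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* Boolean / integer lookups; 'dflt' applies when the attribute is absent. */
static CK_BBOOL attr_bool(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type, CK_BBOOL dflt)
{
    const CK_ATTRIBUTE *a = find_attr(t, n, type);
    return (a && a->ulValueLen == sizeof(CK_BBOOL)) ? *(const CK_BBOOL *)a->pValue : dflt;
}

static CK_ULONG attr_ulong(const CK_ATTRIBUTE *t, size_t n, CK_ULONG type, CK_ULONG dflt)
{
    const CK_ATTRIBUTE *a = find_attr(t, n, type);
    return (a && a->ulValueLen == sizeof(CK_ULONG)) ? *(const CK_ULONG *)a->pValue : dflt;
}

/* Audit: 1 only for a token-resident DES3 key of 24 bytes with
 * CKA_SENSITIVE=TRUE (plaintext value can never be read back) and
 * CKA_EXTRACTABLE=FALSE (cannot be wrapped out of the HSM either).
 * Absent CKA_EXTRACTABLE defaults to TRUE as in the PKCS#11 spec; absent
 * CKA_SENSITIVE is read as FALSE, the conservative choice for an audit. */
int template_is_hsm_safe(const CK_ATTRIBUTE *t, size_t n)
{
    if (attr_ulong(t, n, CKA_CLASS, ~0UL) != CKO_SECRET_KEY) return 0;
    if (attr_ulong(t, n, CKA_KEY_TYPE, ~0UL) != CKK_DES3)    return 0;
    if (attr_ulong(t, n, CKA_VALUE_LEN, 0) != 24)           return 0;
    if (!attr_bool(t, n, CKA_TOKEN, CK_FALSE))              return 0;
    if (!attr_bool(t, n, CKA_SENSITIVE, CK_FALSE))          return 0;
    if (attr_bool(t, n, CKA_EXTRACTABLE, CK_TRUE))          return 0;
    return 1;
}

/* Constructed templates for the audit (sample data, not from any token). */
static const CK_ULONG cls = CKO_SECRET_KEY, des2 = CKK_DES2, des3 = CKK_DES3;
static const CK_ULONG len16 = 16, len24 = 24;
static const CK_BBOOL yes = CK_TRUE, no = CK_FALSE;

/* "Before" shape: DES2, 16 bytes, value left extractable and not sensitive,
 * so a tool with access to the token can read the key bytes back. */
static const CK_ATTRIBUTE weak_tpl[] = {
    { CKA_CLASS,       &cls,   sizeof cls   },
    { CKA_KEY_TYPE,    &des2,  sizeof des2  },
    { CKA_VALUE_LEN,   &len16, sizeof len16 },
    { CKA_TOKEN,       &yes,   sizeof yes   },
    { CKA_ENCRYPT,     &yes,   sizeof yes   },
    { CKA_DECRYPT,     &yes,   sizeof yes   },
    { CKA_EXTRACTABLE, &yes,   sizeof yes   },
};

/* Hardened shape: DES3, 24 bytes, sensitive and unextractable; the key can
 * still be used for encryption and for deriving session keys. */
static const CK_ATTRIBUTE hardened_tpl[] = {
    { CKA_CLASS,       &cls,   sizeof cls   },
    { CKA_KEY_TYPE,    &des3,  sizeof des3  },
    { CKA_VALUE_LEN,   &len24, sizeof len24 },
    { CKA_TOKEN,       &yes,   sizeof yes   },
    { CKA_ENCRYPT,     &yes,   sizeof yes   },
    { CKA_DECRYPT,     &yes,   sizeof yes   },
    { CKA_DERIVE,      &yes,   sizeof yes   },
    { CKA_SENSITIVE,   &yes,   sizeof yes   },
    { CKA_EXTRACTABLE, &no,    sizeof no    },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))
int weak_template_is_safe(void)     { return template_is_hsm_safe(weak_tpl, NELEM(weak_tpl)); }
int hardened_template_is_safe(void) { return template_is_hsm_safe(hardened_tpl, NELEM(hardened_tpl)); }
CK_ULONG hardened_key_bytes(void)   { return attr_ulong(hardened_tpl, NELEM(hardened_tpl), CKA_VALUE_LEN, 0); }
```

On a real token the hardened template is what a C_GenerateKey call would carry, and an object created that way answers a request for CKA_VALUE with CKR_ATTRIBUTE_SENSITIVE, which is the behaviour the failing symkeyutil listing in the comment above is checking for. NSS exposes the same pair of attributes as PK11_ATTR_SENSITIVE and PK11_ATTR_UNEXTRACTABLE for its token key-generation calls; whether tkstool sets exactly those is an assumption here, since the commit message does not name the flags.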
Metadata Update from @jmagne:
- Issue assigned to jmagne
- Issue set to the milestone: 10.3.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2200
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.