KRA has the ability to generate an asymmetric key set (public and private key). When the key set is generated with a KRA that is backed by an NSS DB, there is no issue retrieving either the public or private key.
When the key set is generated by a KRA backed with a nethsm, we can only extract the public key.
This needs to be fixed for Barbican.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1386303
Not all HSMs support key extraction, and every HSM has different settings. Please provide the HSM make and model. Also, please provide info such as whether the system is in FIPS mode or not.
Per PKI Bug Council of 10/18/2016: 10.4
Metadata Update from @vakwetu: - Issue set to the milestone: UNTRIAGED
Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.4 (was: UNTRIAGED)
Metadata Update from @mharmsen: - Issue priority set to: 2 (was: 3)
Metadata Update from @vakwetu: - Issue assigned to vakwetu
commit bea446868e282955d9c70028be657530eaccbe29
Author: Ade Lee alee@redhat.com
Date: Mon May 1 18:25:59 2017 -0400

Use AES-CBC in storage unit for archival in key wrapping

When AES-KW or AES-KWP is not available, we need to be sure to use a key wrap algorithm that is available for keywrap. This would be AES-CBC. Removes some TODOs.

Refactor so that getWrappingParams is only defined on the StorageUnit, which is where it makes sense in any case.

Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
commit f84bfab30647ae1492fcdca0a026bfa4d91350c9
Author: Ade Lee alee@redhat.com
Date: Mon May 1 15:56:58 2017 -0400

Make sure generated asym keys are extractable

In HSMs, we were not able to retrieve asym keys that were generated from the AsymKeyGenService, because the right flags were not set (i.e. set like in the server side keygen case). To do this, I extracted the key generation function from NetKeygenService to KeyRecoveryAuthority, so that it could be used by both services.

Bugzilla BZ# 1386303
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
Metadata Update from @vakwetu: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.4 (was: 10.4)
Metadata Update from @mharmsen: - Custom field fixedinversion adjusted to pki-core-10.4.1-4.el7
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2642
If you want to receive further updates on the issue, please navigate to the GitHub issue and click the Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.