#2540 Creating symmetric key (sharedSecret) using tkstool is failing when operating system is in FIPS mode.
Closed: fixed 6 years ago Opened 7 years ago by aakkiang.

Creating shared keys for the TKS and TPS using tkstool is failing when the operating system
is in FIPS mode.

Steps to Reproduce:

1. Operating system is in FIPS mode.
2. CA, KRA and TKS are installed.
3. # tkstool -T -d /var/lib/pki/pki-tks/alias -n sharedSecret
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.


Type the word "proceed" and press enter to continue (or ^C to break):  proceed


The next screen generates the first session key share . . .


Type the word "proceed" and press enter to continue (or ^C to break):  proceed

Generating the first session key share . . .


    first session key share:      7352 70CB C713 98EA
                                  BFBC 4F86 1F8A 976B


ERROR:  Failed to import session key!


ERROR:  Failed to compute KCV of this first session key share!

tkstool -T:  unable to generate the key

Actual results:

Generating the symmetric key failed.

Expected results:

Generating symmetric key should be successful.

Per PKI Bug Council of 11/10/2016: 10.4 - critical

Metadata Update from @aakkiang:
- Issue set to the milestone: 10.4

7 years ago

Per Leads Meeting of 03/21/2017, raising Priority from critical ==> blocker

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue priority set to: 1 (was: 2)

7 years ago

Metadata Update from @mharmsen:
- Issue assigned to jmagne

7 years ago

Checkin:

commit 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Mon Apr 10 11:27:12 2017 -0700

Now the program can create and import shared secret keys while under FIPS mode.

Metadata Update from @jmagne:
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.6 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.6)
- Issue status updated to: Open (was: Closed)

6 years ago

One more minor fix to this coming.

commit 30fb7bf49ce0f4c726f937b3984a4e27abb39959
Author: Jack Magne jmagne@dhcp-16-206.sjc.redhat.com
Date: Tue Jun 6 16:16:32 2017 -0700

Minor fix to already fixed issue:

The problem was that a tiny piece of the original patch didn't get checked in. This resolves this issue.

Re-closing

Metadata Update from @jmagne:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.8 (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2660

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
