Token enrollment fails for server side keygen with lunaSA HSM.
Steps to Reproduce:
1. Install and configure CA, KRA, TKS and TPS as separate tomcat instances and use lunSA HSM token. KRA is configured with kra.allowEncDecrypt.archival=true kra.allowEncDecrypt.recovery=true kra.keygen.temporaryPairs=true kra.keygen.sensitivePairs=true kra.keygen.extractablePairs=true 2. TPS is configured with server side keygen set to true. 3. CA restarted after KRA configuration in-order to get the correct value from kra for the encryption parameter. 4. Enroll a token using tpsclient.
Actual results:
Token enrollment fails. TPS debug log has this: [30/May/2017:23:48:33][http-bio-30022-exec-4]: TPSSession.process: Message processing failed: generateCertificates failed [30/May/2017:23:48:33][http-bio-30022-exec-4]: TPSConnection.write: Writing: s=43&msg_type=13&operation=1&result=1&message=35 [30/May/2017:23:48:33][http-bio-30022-exec-4]: TPSSession.process: leaving: result: 1 status: STATUS_ERROR_CONTACT_ADMIN KRA debug log has this: [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: serviceRequest archival requested for serverSideKeyGen [30/May/2017:23:48:31][http-bio-31042-exec-2]: SignedAuditEventFactory: create() message created for eventType=SERVER_SIDE_KEYGEN_REQUEST [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: wrapped_des_key specialDecoded [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: serviceRequest: key type = RSA [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: got keygenToken [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: about to generate key pair [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: key pair is to be generated on slot: lunasaQE [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: found config store: kra.keygen [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: setting temporaryPairs to true [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: setting sensitivePairs to true [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: setting extractablePairs to true [30/May/2017:23:48:31][http-bio-31042-exec-2]: NetkeyKeygenService: key pair generation begins [30/May/2017:23:48:31][http-bio-31042-exec-2]: KRAService serviceRequest EBaseException:Token Error: org.mozilla.jss.crypto.TokenException: Keypair Generation failed on token with error: -8152 : [30/May/2017:23:48:31][http-bio-31042-exec-2]: processServerSideKeygen finished
Expected results:
Token enrollment should be successful with server side keygen using lunaSA HSM.
Metadata Update from @mharmsen: - Custom field component adjusted to General - Custom field feature adjusted to '' - Custom field origin adjusted to Community - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457063 - Custom field type adjusted to defect - Custom field version adjusted to '' - Issue priority set to: critical
Metadata Update from @mharmsen: - Issue priority set to: blocker (was: critical)
It was determined that too small a keysize (1024 bits) was being requested; LunaSA required a keysize of at least 2048 bits before it performed successfully.
The associated bug has been turned into a [DOC] bug.
Metadata Update from @mharmsen: - Issue close_status updated to: invalid - Issue set to the milestone: 10.4.8 (was: 10.4) - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue assigned to jmagne
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2840
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Log in to comment on this ticket.