#791 Recovering Encryption Certs with Keysize 3072 and above fails.
Closed: migrated 3 years ago by dmoluguw. Opened 10 years ago by nkinder.

Description of problem:

Scenario-1:

Unable to recover certs/keys generated using the EE profile caDualCert with
keypair size 3072.

Steps to reproduce:

  1. Generate user cert called "uid=t1,E=t1@example.org,CN=t1" using
    caDualCert profile with Keysize 3072

  2. Approve the request from CA Agent

  3. Enable External Registration
  4. Use tpsclient to recover the t1 cert using the admin3a user created in
    the Reg DB.

dn: uid=admin3a,dc=gsslab,dc=pnq,dc=redhat,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
objectClass: extensibleobject
cn: admin3a
sn: admin3a
userPassword: redhat
uid: admin3a
givenName: admin3a
mail: admin3a@example.org
firstname: admin3a
edipi: 23456788
pcc: AA
exec-edipi: 111111110
exec-pcc: BB
exec-mail: admin3a@EXAMPLE.COM

  5. Modify the admin3a entry to include the "t1" user cert and recover it using
    externalRegAddToToken:

dn: uid=admin3a,dc=gsslab,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: tokenType
tokenType: externalRegAddToToken
-
replace: certsToAdd
certsToAdd: 22021660,ca1,169,drm1

  6. Create enrollment data as below:

op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=55555555555555555551 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=admin3a pwd=redhat new_pin=Secret123 num_threads=1
op=exit

  7. tpsclient fails to enroll:

tpsclient < enroll.tps


Output> Thread (0) status='0' time='40870 msec'
Result> Error - Operation 'ra_enroll' Failure (40870 msec)
Command>op=exit

Note: Increasing the TCP receive buffer size to 32768 doesn't help either.

Scenario-2: Unable to Enroll token using userKey profile with keysize increased
to 3072.

  1. Modify TPS CS.cfg as below:

op.enroll.userKey.keyGen.encryption.keySize=3072
op.enroll.userKey.keyGen.signing.keySize=3072

  2. Disable ExternalReg in TPS CS.cfg:

externalReg.authId=ldap3
externalReg.delegation.enable=false
externalReg.delete.deleteFromDB=false
externalReg.enable=false

  3. Set the TCP receive buffer size as shown below:

tps.recvBufSize=32768
tps.printBufFull=true

  4. Restart the TPS service.

  5. Create user fubar1 in the Authentication DB:

dn: uid=fubar1,dc=gsslab,dc=pnq,dc=redhat,dc=com
uid: fubar1
cn: fubar1
sn: 1
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
ou: US
userPassword: redhat
mail: fubar1@example.org
st: North Carolina
l: Raleigh

$ ldapadd -x -D "cn=Directory Manager" -w redhat@123 -h localhost -f users.ldif
adding new entry "uid=fubar1,dc=gsslab,dc=pnq,dc=redhat,dc=com"

  6. Create enrollment data as below to enroll a token as fubar1:

op=var_set name=ra_host value=pkiserver.gsslab.pnq.redhat.com
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=66666666666666666661 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=fubar1 pwd=redhat new_pin=Secret123 num_threads=1
op=exit

  7. Enroll the token using tpsclient:

tpsclient < enroll.tps

Enrollment fails:


Output> Thread (0) status='0' time='70697 msec'
Result> Error - Operation 'ra_enroll' Failure (70697 msec)
Command>op=exit


Per PKI Bug Council of 06/30/2016: 10.4
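The enrollment scripts above are easy to get subtly wrong (a truncated CUID, a key that is not 16 bytes, a missing ra_uri), and a malformed script fails just like the key-size bug does. The following checker is an added example, not code from the Dogtag project or from this ticket; it parses the `op=... key=value` line format used by tpsclient and reports format problems before the script is fed to the TPS. The sample script is constructed from the reproduction steps above with a placeholder host name, and the check for the well-known GlobalPlatform test key (40 41 .. 4f) is a lab caveat, not something the ticket itself discusses.

```python
import re

# Constructed sample in the tpsclient script format used on this page (one
# "op=<command> key=value ..." directive per line; the host name is a placeholder).
SAMPLE_SCRIPT = """\
op=var_set name=ra_host value=pkiserver.example.test
op=var_set name=ra_port value=7888
op=var_set name=ra_uri value=/nk_service
op=token_set cuid=66666666666666666661 msn=01020304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0
op=token_set auth_key=404142434445464748494a4b4c4d4e4f
op=token_set mac_key=404142434445464748494a4b4c4d4e4f
op=token_set kek_key=404142434445464748494a4b4c4d4e4f
op=ra_enroll uid=fubar1 pwd=redhat new_pin=Secret123 num_threads=1
op=exit
"""

# 40 41 .. 4f is the widely published GlobalPlatform test key: fine for a lab
# reproduction like this one, but it must never be the key set of a real token.
GP_TEST_KEY = "404142434445464748494a4b4c4d4e4f"

def parse_script(text):
    """Split a tpsclient script into (op, {arg: value}) pairs; blank lines are skipped."""
    ops = []
    for line in text.splitlines():
        if line.strip():
            args = dict(tok.split("=", 1) for tok in line.split())
            ops.append((args.pop("op"), args))
    return ops

def check_script(text):
    """Return a list of problems; an empty list means the script looks well-formed."""
    problems, variables, token = [], {}, {}
    for op, args in parse_script(text):
        if op == "var_set":
            variables[args["name"]] = args["value"]
        elif op == "token_set":
            token.update(args)          # later token_set lines add to the same token
    for name in ("ra_host", "ra_port", "ra_uri"):
        if name not in variables:
            problems.append(f"missing var_set {name}")
    if not re.fullmatch(r"[0-9a-fA-F]{20}", token.get("cuid", "")):
        problems.append("cuid must be 20 hex digits")
    for k in ("auth_key", "mac_key", "kek_key"):
        value = token.get(k, "")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            problems.append(f"{k} must be 16 bytes of hex")
        elif value.lower() == GP_TEST_KEY:
            problems.append(f"{k} is the GlobalPlatform test key")
    return problems
```

Running `check_script(SAMPLE_SCRIPT)` on the sample reports only the three test-key warnings, which is the expected result for a lab token; an empty list on a production script means the format is fine and the keys are not the public test set.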

Metadata Update from @nkinder:
- Issue set to the milestone: UNTRIAGED

7 years ago

Metadata Update from @mharmsen:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None
- Issue set to the milestone: 10.4 (was: UNTRIAGED)

7 years ago

Per CS/DS Meeting of August 7, 2017, it was determined to move this issue from 10.4 ==> FUTURE.

Metadata Update from @mharmsen:
- Issue set to the milestone: FUTURE (was: 10.4)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1358

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
