b9ec2fb KRA: force OAEP for some HSM-based installations

Authored and Committed by rcritten 8 months ago
    KRA: force OAEP for some HSM-based installations
    
    Not all HSMs support PKCS#1 v1.5. The nShield nFast is one we know
    of, so force the KRA to use OAEP in this case.
    
    This can be seen in HSMs where the device doesn't support the
    PKCS#1 v1.5 mechanism. It will error out with either "invalid
    algorithm" or CKR_FUNCTION_FAILED.
    
    There is currently no good way to test for this capability in
    advance of configuration. Testing for mechanisms alone is
    insufficient. The only real way to test would be to attempt a
    wrap/unwrap but it is very complex.
    
    If the list of affected HSMs increases we can use a table
    instead based on "best guess" of some sort of property but
    looking for a unique string inside the library path is a
    pretty straightforward way.
    
    Note that this doesn't preclude someone from wanting to require
    OAEP directly by modifying the KRA CS.cfg and it won't impact
    FIPS mode which requires OAEP.
    
    Related: https://pagure.io/freeipa/issue/9191
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>