author    Christina Fu <cfu@redhat.com>  2012-04-10 11:50:13 -0700
committer Christina Fu <cfu@redhat.com>  2012-04-10 11:50:13 -0700
commit    a6879237a4623778edb1d3b507fd575d116428fe (patch)
tree      ccdcb5665f27932a2cb9ed8ab892acc8ec3689d1 /specs
parent    4a7ec07c942544b7ca27718a11dac00505c4de7b (diff)
Fix for Bug 745278 - [RFE] ECC encryption keys cannot be archived.

For the ECC plan and the different phases, please refer to http://pki.fedoraproject.org/wiki/ECC_in_Dogtag. The design for each phase is on the same wiki page. Note: the designs beyond phase 2 were more like a brain dump. Although I said "Do Not Review," you are free to take a peek at what's intended down the road. I will go back and take a closer look and refine/adjust the designs when I begin implementation for each new phase.

What you need to know:

* Problem 1 - nethsm issue: On the server side, if you turn on FIPS mode, in addition to nethsm, you need to attach certicom as well to have ECC SSL working on the server side. This problem has already been reported to Thales last year and they said they'd look into putting the item on their next release. Recently, through a different contact, we learned there might be a way to "turn it on" (still waiting for their further instruction).

* Problem 2 - Certicom issue: This is a show-stopper for deployment. Initially, on the client side, I used Kai's special version of Xulrunner/Firefox, attached to a Certicom token, so that the CRMF requests can be generated with the key archival option. However, I encountered (or, re-encountered) an issue with the certicom token. Certicom generates ECC keys with the wrong format (not PKCS7 conforming), which makes ECC key archival impossible on the server side if you use a non-certicom token with DRM (but we expect an HSM in most product deployments). I have contacted Certicom for this issue, and they confirmed that they indeed have such an issue. We are hoping they will fix it.

But then you might ask, "I thought I saw some ECC enrollment profiles/javascripts being checked in? How were the tests done?" The tests for those profiles were done against this ECC key archival/recovery DRM prototype I implemented last year (needs to be turned on manually in 8.1), where I "cheated" (yeah, that's why it's called a prototype) by decrypting the private key in the CRMF on DRM, and then manipulating the byte array to strip off the offending bytes before archival. In the real, non-prototype implementation, which is what's in this patch, for security reasons, private keys are unwrapped directly onto the token during key archival, so there is no way to manipulate the keys in memory and bypass the Certicom issue.

A word about Kai's special version of Xulrunner/Firefox: it is not yet publicly available (due out in Firefox 10.0.4 on RHEL 5.8).

* Problem 3 - Firefox with nethsm issue: Another option was to connect Kai's special version of Firefox with an HSM to test my DRM/JSS code. However, for whatever reason, I could not get SSL going between such a Firefox and the ECC CA (I did not try very hard though, as I have one other option -- writing my own ECC CRMF generation tool. I might come back to try the nethsm Firefox idea later).

My solution (how I work on this official implementation):

* I hacked up an ECC CRMF tool by taking the CRMFPopClient (existing in current releases), gutting out the RSA part of the code, and replacing it with ECC code. I call it CRMFPopClientEC. Two types of ECC key pairs could be generated: ECDSA or ECDH (that's another benefit of writing my own tool -- I don't know if you can select which type to generate in the Javascript... maybe you can, I just don't know). I'm in no way condoning archival of signing keys!! This is just a test tool. This tool takes a curve name as an option (along with others), generates an ECC key pair, crafts up a CRMF request with the key archival option, and sends the request directly to the specified CA. You will see a "Deferred" message in the HTML response (see attachment for example). Once the CA agent approves the request, the archival request goes to the DRM and the user private key is archived. For recovery, the DRM agent selects key recovery, etc., and you get your pkcs12.

I did some sanity tests with the pkcs12 recovered:

* Import the recovered pkcs12 into a certicom library:
  pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12

I also tested by retrieving a p12, importing it into a browser, and adding the user as an agent; the user could act as agent via ssl client auth to the CA.

Finally, much of the RSA-centric code had been cleared out of the way at the time when I worked on the DRM ECC prototype, so you don't see much of that in this round.

How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up with a nethsm (like I did), or write your own tool, you can't really test it until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to work with certicom, although you would run into the same issue I mentioned above.)
Diffstat (limited to 'specs')
 specs/dogtag-pki-theme.spec |  5
 specs/dogtag-pki.spec       | 19
 specs/pki-console.spec      | 13
 specs/pki-core.spec         |  9
 specs/pki-kra.spec          |  9
 specs/pki-ocsp.spec         |  9
 specs/pki-tks.spec          |  9
 7 files changed, 47 insertions, 26 deletions
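The dogtag-pki.spec changelog hunk in this patch quietly corrects older entries whose version strings (9.0.10-1 and so on) did not match the spec's Version: 9.0.0 / Release: N, and every spec now pins jss to the same build. Below is a small check a reviewer could run over the touched spec files before accepting such Release bumps. It is an added example, not Dogtag code; it assumes the simple spec layout visible in this diff (Name/Version/Release at line start, a %changelog section, jss pinned via %define jss_version or Requires lines) and uses constructed samples, not the real files.

```python
import re
# Constructed sample (not the real file) mimicking dogtag-pki.spec before this patch:
# Version 9.0.0 / Release 10 but top changelog entry 9.0.10-1, jss pinned per branch.
SPEC_BEFORE = """\
Name: dogtag-pki
Version: 9.0.0
Release: 10%{?dist}
%if 0%{?fedora} >= 16
%define jss_version 4.2.6-19.1
%else
%define jss_version 4.2.6-17
%endif
%changelog
* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.10-1
- Bugzilla Bug #796006 - Get DOGTAG_9_BRANCH GIT repository in-sync
"""
# The same sample with this patch's edits applied (Release 11, jss 4.2.6-24, entry 9.0.0-11).
SPEC_AFTER = (SPEC_BEFORE.replace("Release: 10%", "Release: 11%").replace(
    "4.2.6-19.1", "4.2.6-24").replace("4.2.6-17", "4.2.6-24").replace("9.0.10-1", "9.0.0-11"))

def spec_fields(text):
    """Name, Version and Release (with the %{?dist} macro stripped)."""
    m = {k: re.search(r"^%s:\s*(\S+)" % k, text, re.M) for k in ("Name", "Version", "Release")}
    return {k: re.sub(r"%\{\?dist\}$", "", v.group(1)) if v else None for k, v in m.items()}

def top_changelog_evr(text):
    """Version-Release token ending the first '* <date> <author>' changelog line."""
    body = text.split("%changelog", 1)[1]
    m = re.search(r"^\*\s.*\s(\S+)\s*$", body, re.M)
    return m.group(1) if m else None

def jss_versions(text):
    """Every jss version pinned by %define jss_version or a jss >= requirement."""
    pat = r"^(?:%define jss_version|(?:Build)?Requires:\s*jss\s*>=)\s*(\S+)"
    return sorted(set(re.findall(pat, text, re.M)))

def check_spec(text):
    """Return findings a reviewer would raise; an empty list means consistent."""
    findings = []
    f = spec_fields(text)
    expected = "%s-%s" % (f["Version"], f["Release"])
    top = top_changelog_evr(text)
    if top != expected:
        findings.append("changelog %s != Version-Release %s" % (top, expected))
    jss = jss_versions(text)
    if len(jss) > 1:
        findings.append("jss pinned to several versions: %s" % ", ".join(jss))
    return findings
```

Run check_spec over each spec touched by a Release bump; the second finding is informational when per-branch pinning is intended, but it is exactly what this patch removes by unifying on 4.2.6-24.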
diff --git a/specs/dogtag-pki-theme.spec b/specs/dogtag-pki-theme.spec
index 5df653c52..e0844beba 100644
--- a/specs/dogtag-pki-theme.spec
+++ b/specs/dogtag-pki-theme.spec
@@ -1,6 +1,6 @@
Name: dogtag-pki-theme
Version: 9.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - Dogtag PKI Theme Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -350,6 +350,9 @@ chmod 755 %{buildroot}%{_datadir}/pki/tps-ui/cgi-bin/sow/cfg.pl
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.11-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.11-1
- Bugzilla Bug #796006 - Get DOGTAG_9_BRANCH GIT repository in-sync
with DOGTAG_9_BRANCH SVN repository . . .
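Review bot: the new 9.0.11-2 changelog entry only repeats the Bugzilla title, yet the visible change to this spec is the Release bump in the first hunk with no dependency, file or build change. Say what actually changed for this package (for example that it is a rebuild for the updated jss requirement) so that someone reading the theme changelog does not go looking for ECC code here.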
diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec
index b5a1c5fb2..3894f4791 100644
--- a/specs/dogtag-pki.spec
+++ b/specs/dogtag-pki.spec
@@ -1,7 +1,7 @@
Summary: Dogtag Public Key Infrastructure (PKI) Suite
Name: dogtag-pki
Version: 9.0.0
-Release: 10%{?dist}
+Release: 11%{?dist}
# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2
License: GPLv2 and LGPLv2
URL: http://pki.fedoraproject.org/
@@ -13,7 +13,7 @@ BuildArch: noarch
%if 0%{?fedora} >= 17
%define dogtag_pki_theme_version 9.0.11
%define esc_version 1.1.0
-%define jss_version 4.2.6-21
+%define jss_version 4.2.6-24
%define osutil_version 2.0.2
%define pki_core_version 9.0.18
%define pki_kra_version 9.0.10
@@ -27,7 +27,7 @@ BuildArch: noarch
%if 0%{?fedora} >= 16
%define dogtag_pki_theme_version 9.0.11
%define esc_version 1.1.0
-%define jss_version 4.2.6-19.1
+%define jss_version 4.2.6-24
%define osutil_version 2.0.2
%define pki_core_version 9.0.18
%define pki_kra_version 9.0.10
@@ -41,7 +41,7 @@ BuildArch: noarch
%if 0%{?fedora} >= 15
%define dogtag_pki_theme_version 9.0.11
%define esc_version 1.1.0
-%define jss_version 4.2.6-17
+%define jss_version 4.2.6-24
%define osutil_version 2.0.1
%define pki_core_version 9.0.18
%define pki_kra_version 9.0.10
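Review bot: after this hunk all three branches (fedora >= 17, >= 16, >= 15) define jss_version 4.2.6-24, so the conditional no longer varies for jss. Confirm that a jss 4.2.6-24 build exists for each of those Fedora releases before merging: the oldest branch now demands the same build as rawhide, and if it is missing there the dogtag-pki metapackage becomes uninstallable on that release.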
@@ -194,23 +194,26 @@ rm -rf %{buildroot}
%doc README
%changelog
-* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.10-1
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.0-11
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
+* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-10
- Bugzilla Bug #796006 - Get DOGTAG_9_BRANCH GIT repository in-sync
with DOGTAG_9_BRANCH SVN repository . . .
-* Thu Jan 5 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.9-1
+* Thu Jan 5 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-9
- Bugzilla Bug #737761 - Update Dogtag Packages for Fedora 16
(Update minimum packages to account for NSS bug change in
Bugzilla Bug #771357 - sslget does not work after FEDORA-2011-17400
update, breaking FreeIPA install)
-* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1
+* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-8
- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17
(rawhide) . . .
- Bugzilla Bug #749945 - Installation error reported during CA, DRM,
OCSP, and TKS package installation . . .
-* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.7-1
+* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-7
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
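Review bot: besides adding the 9.0.0-11 entry, this hunk rewrites the version strings of four existing entries (9.0.10-1 to 9.0.0-10, 9.0.9-1 to 9.0.0-9, 9.0.8-1 to 9.0.0-8, 9.0.7-1 to 9.0.0-7). That agrees with Version: 9.0.0 / Release: N in the first hunk and looks like a correction of earlier mistakes, but it is unrelated to Bug #745278 and nothing records it. Either mention the changelog fix in the new entry or split it into its own commit so the history explains why old entries changed.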
diff --git a/specs/pki-console.spec b/specs/pki-console.spec
index b22517404..d4fed2bdf 100644
--- a/specs/pki-console.spec
+++ b/specs/pki-console.spec
@@ -1,6 +1,6 @@
Name: pki-console
Version: 9.0.5
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - PKI Console
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -18,11 +18,11 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-util >= 9.0.15
%else
BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-util
%endif
@@ -32,10 +32,10 @@ Requires: ldapjdk
Requires: pki-console-theme >= 9.0.0
%if 0%{?fedora} >= 16
Requires: jpackage-utils >= 1.7.5-10
-Requires: jss >= 4.2.6-19.1
+Requires: jss >= 4.2.6-24
%else
Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
+Requires: jss >= 4.2.6-24
%endif
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
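Review bot: both the fedora >= 16 branch and the %else branch now require jss >= 4.2.6-24, and the same is true of the BuildRequires hunk above, so only the jpackage-utils lines still differ. Consider hoisting the shared jss line out of the %if (the previous values, 4.2.6-19.1 and 4.2.6-17, show the two copies had already drifted apart once).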
@@ -84,6 +84,9 @@ cd build
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.5-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.5-1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 1b848fdfc..098aea646 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -1,6 +1,6 @@
Name: pki-core
Version: 9.0.19
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -28,14 +28,14 @@ BuildRequires: xalan-j2
BuildRequires: xerces-j2
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: jss >= 4.2.6-24
BuildRequires: osutil >= 2.0.2
BuildRequires: systemd-units
BuildRequires: tomcatjss >= 6.0.2
%else
%if 0%{?fedora} >= 15
BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
+BuildRequires: jss >= 4.2.6-24
BuildRequires: osutil >= 2.0.1
BuildRequires: tomcatjss >= 6.0.0
%else
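Review bot: only BuildRequires: jss is raised in this hunk; the run-time Requires: jss for the pki-core subpackages does not appear in the diff. The commit message says private keys are now unwrapped directly onto the token during archival, which is JSS functionality, so if the new behaviour depends on 4.2.6-24 the Requires must be raised as well. Otherwise a package built against 4.2.6-24 still installs next to an older jss and fails at run time rather than at install time.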
@@ -749,6 +749,9 @@ fi
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.19-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.19-1
- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
- Corrected patch selected for selinux f17 rules
diff --git a/specs/pki-kra.spec b/specs/pki-kra.spec
index e5978fd9c..e055ba592 100644
--- a/specs/pki-kra.spec
+++ b/specs/pki-kra.spec
@@ -1,6 +1,6 @@
Name: pki-kra
Version: 9.0.11
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - Data Recovery Manager
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -21,13 +21,13 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common >= 9.0.18
BuildRequires: pki-util >= 9.0.18
BuildRequires: systemd-units
%else
BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common
BuildRequires: pki-util
%endif
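Review bot: same concern as for pki-core: this hunk raises only BuildRequires: jss. pki-kra is the DRM that performs the archival, so it is the package where the run-time jss version matters most; check that its Requires: jss was raised to 4.2.6-24 too.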
@@ -253,6 +253,9 @@ fi
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.11-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.11-1
- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
diff --git a/specs/pki-ocsp.spec b/specs/pki-ocsp.spec
index c6eb9f295..72bc9c03b 100644
--- a/specs/pki-ocsp.spec
+++ b/specs/pki-ocsp.spec
@@ -1,6 +1,6 @@
Name: pki-ocsp
Version: 9.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - Online Certificate Status Protocol Manager
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -21,13 +21,13 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common >= 9.0.15
BuildRequires: pki-util >= 9.0.15
BuildRequires: systemd-units
%else
BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common
BuildRequires: pki-util
%endif
@@ -263,6 +263,9 @@ fi
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.10-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.10-1
- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
diff --git a/specs/pki-tks.spec b/specs/pki-tks.spec
index a2e47e088..2ff8a394e 100644
--- a/specs/pki-tks.spec
+++ b/specs/pki-tks.spec
@@ -1,6 +1,6 @@
Name: pki-tks
Version: 9.0.10
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Certificate System - Token Key Service
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -21,13 +21,13 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel
%if 0%{?fedora} >= 16
BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common >= 9.0.15
BuildRequires: pki-util >= 9.0.15
BuildRequires: systemd-units
%else
BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
+BuildRequires: jss >= 4.2.6-24
BuildRequires: pki-common
BuildRequires: pki-util
%endif
@@ -254,6 +254,9 @@ fi
%changelog
+* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.10-2
+- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived
+
* Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.10-1
- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes