rpms/jss
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import jss-4.8.1-2.module+el8.4.0+10451+3e5b5448

Browse Source
This commit is contained in:
CentOS Sources 2021-03-27 04:56:03 +00:00 committed by Andrew Lukoshko
parent 42df92d755
commit e5b59c7064
2 changed files with 110 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch Normal file
View File

@ -0,0 +1,105 @@
From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Fri, 12 Mar 2021 20:41:51 -0500
Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
NSS doesn't generally allow keys to be imported in FIPS mode. However,
for portability with other JCA providers, we sometimes need to import
keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
encrypt and then unwrap using the same key. This lets us effectively
"import" a key into a token, if the token supports using the given
mechanism for both encryption and unwrapping operations. Some HSMs are
getting stricter about this and forbid using the same key for encrypt
and unwrap operations.
Resolves: #334
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
index f39a3796..e8e9da16 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
@@ -712,6 +712,61 @@ finish:
return keyObj;
}
+PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
+ PRBool isPerm, void *wincx)
+{
+ PK11SymKey *result = NULL;
+ PK11SymKey *wrapper = NULL;
+ SECStatus ret = SECFailure;
+ unsigned int wrapped_len = 0;
+ unsigned int wrapped_max = key->len + 64;
+ unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
+ SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
+ SECItem *param = NULL;
+
+ /* Steps:
+ * 1. Generate a temporary key to encrypt and unwrap with,
+ * 2. Encrypt our key to import using the wrapping key,
+ * 3. Unwrap into the token using the wrapping key.
+ */
+
+#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
+#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
+
+ wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
+ if (wrapper == NULL) {
+ goto done;
+ }
+
+ param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
+ if (param == NULL) {
+ goto done;
+ }
+
+ ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
+ wrapped_key, &wrapped_len, wrapped_max,
+ key->data, key->len);
+ if (ret != SECSuccess) {
+ goto done;
+ }
+
+ wrapped_item.len = wrapped_len;
+
+ result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
+ param, &wrapped_item, type, operation, key->len, flags,
+ isPerm);
+
+done:
+ free(wrapped_key);
+ SECITEM_FreeItem(param, PR_TRUE);
+ if (wrapper != NULL) {
+ PK11_DeleteTokenSymKey(wrapper);
+ PK11_FreeSymKey(wrapper);
+ }
+ return result;
+}
+
/***********************************************************************
*
* PK11KeyWrapper.nativeUnwrapSymPlaintext
@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
}
/* pull in the key */
- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
- operation, wrappedKey, flags, isPerm, NULL);
+ if (PK11_IsFIPS()) {
+ symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
+ } else {
+ symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
+ }
if( symKey == NULL ) {
JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
goto finish;
--
2.26.2

6
SPECS/jss.spec
View File

@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.8.1 Version: 4.8.1
Release: 1%{?_timestamp}%{?_commit_id}%{?dist} Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1 #global _phase -a1
# To generate the source tarball: # To generate the source tarball:
@ -25,6 +25,7 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \ # <version tag> \
# > jss-VERSION-RELEASE.patch # > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch
Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
################################################################################ ################################################################################
# Build Dependencies # Build Dependencies
@ -160,6 +161,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################ ################################################################################
%changelog %changelog
* Tue Mar 16 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-2
- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error
* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1 * Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
- Rebase to upstream JSS v4.8.1 - Rebase to upstream JSS v4.8.1
- Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class - Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class