Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-06 Thread Christina Fu

Hi Fraser,

Could you please do the following first?

1. File a Mozilla bugzilla bug for this against Product JSS Release
   4.4.1, then assign to yourself:
   https://bugzilla.mozilla.org/
2. After making sure your patch compiles well with the 4.4.1 base,
   attach the patch to that ticket, and mark reviewers.


thanks!

Christina


On 04/04/2017 02:56 AM, Fraser Tweedale wrote:

Hi team,

Please review attached patches for JSS and Dogtag that:

- add some new EncryptedPrivateKeyInfo export and import functions
   to JSS

- update Dogtag's `pki pkcs12' command to use the new functions to
   achieve AES encryption of the key bags, with wrapping/unwrapping
   occurring on the token.

PKCS #12 files produced by current releases continue to import
properly (of course, this is an important test vector).

These patches do not address the PKCS #12 KRA recovery export; this
is my next task and separate patches will be produced.

Thanks,
Fraser


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


[Pki-devel] [PATCH] 0179 KRA: do not accumulate recovered keys in token

2017-04-06 Thread Fraser Tweedale
The attached patch fixes a regression (I think?) where recovered
keys accumulate in the key storage token.

Thanks,
Fraser
From ab470a00827673f327d5f171ff3fdf1baea4ae5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Thu, 6 Apr 2017 16:07:07 +1000
Subject: [PATCH] KRA: do not accumulate recovered keys in token

When using token-based unwrapping of archived keys, the key is being
stored in the token.  We do not want to accumulate the keys here;
make them temporary.

Part of: https://pagure.io/dogtagpki/issue/2610
---
 base/kra/src/com/netscape/kra/RecoveryService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java 
b/base/kra/src/com/netscape/kra/RecoveryService.java
index 
c89e2f388f037bb8608b24389b26f8076511adf7..817f3f01586e851007d25e0724c03d213f0b6c4a
 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -409,7 +409,7 @@ public class RecoveryService implements IService {
 privKey = mStorageUnit.unwrap(
 keyRecord.getPrivateKeyData(),
 pubkey,
-false,
+true /* temporary */,
 
keyRecord.getWrappingParams(mKRA.getStorageKeyUnit().getOldWrappingParams()));
 } catch (Exception e) {
 mKRA.log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_KRA_PRIVATE_KEY_NOT_FOUND"));
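Review bot: confirm that the fourth argument to `mStorageUnit.unwrap(...)` is in fact the "temporary" flag of the unwrap signature, and that nothing later in the recovery path relies on the recovered `privKey` persisting in the storage token; the commit message itself is unsure whether this is a regression, so that check belongs in the review. A positional boolean with only an inline `/* temporary */` comment is easy to misread at the call site; a short comment above the call stating that recovered keys must not be retained in the token would make the intent explicit. It would also help to note in the commit message whether keys already accumulated in the token by earlier releases need separate cleanup.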
-- 
2.9.3
