
cli: pki client should have some mechanism to set algorithm/AES encryption

Open pki-bot opened this issue 3 years ago • 10 comments

This issue was migrated from Pagure Issue #2770. Originally filed by mharmsen (@mharmsen) on 2017-06-28 12:55:32:

  • Assigned to dmoluguw (@SilleBille)
  • Associated bugzillas
    • https://bugzilla.redhat.com/show_bug.cgi?id=1465804

pki client should have some mechanism to set algorithm/AES encryption.

Like in crmfpopclient we have "-w" option

 -w <keywrap algorithm>       Algorithm to use for key wrapping
                                - default: "AES KeyWrap/Padding"
                                - "AES/CBC/PKCS5Padding"
                                - "DES3/CBC/Pad"

See additional info documented in the associated bug.

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-06-28 12:56:13

Metadata Update from @mharmsen:

  • Custom field component adjusted to General
  • Custom field feature adjusted to ''
  • Custom field origin adjusted to Community
  • Custom field proposedmilestone adjusted to ''
  • Custom field proposedpriority adjusted to ''
  • Custom field reviewer adjusted to ''
  • Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1465804
  • Custom field type adjusted to defect
  • Custom field version adjusted to ''
  • Issue priority set to: critical
  • Issue set to the milestone: 10.5

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from edewata (@edewata) at 2017-06-28 13:35:52

Metadata Update from @edewata:

  • Issue set to the milestone: 10.4 (was: 10.5)

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-08-16 15:51:55

Metadata Update from @mharmsen:

  • Issue assigned to SilleBille

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-08-25 13:00:16

Per discussions within the PKI Team, moving to 10.5.

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-08-25 13:00:16

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.5 (was: 10.4)

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-09-25 16:59:19

Metadata Update from @mharmsen:

  • Issue priority set to: major (was: critical)

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-10-25 12:55:50

[20171025] - Offline Triage ==> 10.6

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from mharmsen (@mharmsen) at 2017-10-25 12:55:51

Metadata Update from @mharmsen:

  • Issue set to the milestone: 10.6 (was: 10.5)

pki-bot avatar Oct 03 '20 02:10 pki-bot

Comment from dmoluguw (@SilleBille) at 2018-04-30 17:25:23

Am I correctly assigned to this issue?

pki-bot avatar Oct 03 '20 02:10 pki-bot

Just adding some more information from the BZ:


Additional info:

1. http://host:port/ca/rest/info 

<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>

2. http://host:port/kra/rest/info


<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>

3. 
[root@pki1 certs_db]# pki -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
NullPointerException: null
[root@pki1 certs_db]# pki -v -d dup -c SECret.123 -p 25080 client-cert-request  "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport 
PKI options: -v -d dup -c SECret.123
PKI command: 25080 -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d dup -c SECret.123 --verbose -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Server URI: http://pki1.example.com:25080
Client security database: /opt/rhqa_pki/certs_db/dup
Message format: null
Command: client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Module: client
Module: cert-request
Initializing security database
Getting internal token
Logging into NSS FIPS 140-2 User Private Key
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=AFA00D6A3A1D2E0075C35107ECBB9598; Path=/pki; HttpOnly
  Content-Type: application/xml
  Content-Length: 106
  Date: Wed, 28 Jun 2017 10:57:35 GMT
HTTP request: GET /ca/rest/info HTTP/1.1
  Accept-Encoding: gzip, deflate
  Accept: application/xml
  Host: pki1.example.com:25080
  Connection: Keep-Alive
  User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
  Server: Apache-Coyote/1.1
  Set-Cookie: JSESSIONID=F5ED7FA9241C8261A0148C3134E2E8AE; Path=/ca; HttpOnly
  Content-Type: application/xml
  Content-Length: 131
  Date: Wed, 28 Jun 2017 10:57:35 GMT
java.lang.NullPointerException
	at org.mozilla.jss.crypto.KeyWrapAlgorithm.fromString(KeyWrapAlgorithm.java:44)
	at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:251)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
	at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
	at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', 'dup', '-c', 'SECret.123', '--verbose', '-p', '25080', 'client-cert-request', 'CN=Test11,UID=Testing,OU=test', '--profile', 'caDualCert', '--type', 'crmf', '--transport', '/opt/rhqa_pki/certs_db/kra.transport']' returned non-zero exit status 255

cipherboy avatar Nov 30 '20 18:11 cipherboy
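
An added example (not code from the issue or from the PKI project): a null-safe way to choose the key wrap algorithm, run against the two `/rest/info` responses quoted above. It assumes the `NullPointerException` comes from the CA response carrying no `<WrapAlgorithm>` element; the class `WrapAlgorithmSelector`, its methods, the override parameter and the fallback to the crmfpopclient default are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class WrapAlgorithmSelector {
    // Names taken from the crmfpopclient -w help text quoted in the issue.
    static final List<String> ALLOWED = Arrays.asList(
            "AES KeyWrap/Padding", "AES/CBC/PKCS5Padding", "DES3/CBC/Pad");
    static final String DEFAULT = "AES KeyWrap/Padding"; // assumed fallback

    // Returns the text of <WrapAlgorithm>, or null when the element is absent.
    static String advertised(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Server responses are untrusted input: refuse DOCTYPEs to rule out XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList nodes = doc.getElementsByTagName("WrapAlgorithm");
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    // Precedence: explicit user choice, then server-advertised value, then default.
    static String select(String cliOverride, String serverValue) {
        String name = cliOverride != null ? cliOverride
                : serverValue != null ? serverValue : DEFAULT;
        if (!ALLOWED.contains(name)) {
            throw new IllegalArgumentException("Unsupported key wrap algorithm: " + name);
        }
        return name;
    }

    public static void main(String[] args) throws Exception {
        // Responses copied from the issue.
        String ca = "<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>";
        String kra = "<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism>"
                + "<EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm>"
                + "<RecoveryMechanism>encrypt</RecoveryMechanism>"
                + "<WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>";
        System.out.println("CA advertises:    " + advertised(ca));
        System.out.println("KRA advertises:   " + advertised(kra));
        System.out.println("CA, no override:  " + select(null, advertised(ca)));
        System.out.println("CA, override:     " + select("AES/CBC/PKCS5Padding", advertised(ca)));
        System.out.println("KRA, no override: " + select(null, advertised(kra)));
    }
}
```

Rejecting names outside the allowlist keeps a typo or an unexpected server value from reaching the wrapping code as a null or unknown algorithm.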