pki
cli: pki client should have some mechanism to set algorithm/AES encryption
This issue was migrated from Pagure Issue #2770. Originally filed by mharmsen (@mharmsen) on 2017-06-28 12:55:32:
- Assigned to dmoluguw (@SilleBille)
- Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1465804
pki client should have some mechanism to set algorithm/AES encryption.
Like in crmfpopclient, we have the "-w" option:
-w <keywrap algorithm> Algorithm to use for key wrapping
- default: "AES KeyWrap/Padding"
- "AES/CBC/PKCS5Padding"
- "DES3/CBC/Pad"
See additional info documented in the associated bug.
Comment from mharmsen (@mharmsen) at 2017-06-28 12:56:13
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1465804
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue priority set to: critical
- Issue set to the milestone: 10.5
Comment from edewata (@edewata) at 2017-06-28 13:35:52
Metadata Update from @edewata:
- Issue set to the milestone: 10.4 (was: 10.5)
Comment from mharmsen (@mharmsen) at 2017-08-16 15:51:55
Metadata Update from @mharmsen:
- Issue assigned to SilleBille
Comment from mharmsen (@mharmsen) at 2017-08-25 13:00:16
Per discussions within the PKI Team, moving to 10.5.
Comment from mharmsen (@mharmsen) at 2017-08-25 13:00:16
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5 (was: 10.4)
Comment from mharmsen (@mharmsen) at 2017-09-25 16:59:19
Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)
Comment from mharmsen (@mharmsen) at 2017-10-25 12:55:51
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)
Just adding some more information from the BZ:
Additional info:
1. http://host:port/ca/rest/info
<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>
2. http://host:port/kra/rest/info
<KRAInfo><Attributes/><ArchivalMechanism>encrypt</ArchivalMechanism><EncryptAlgorithm>AES/CBC/PKCS5Padding</EncryptAlgorithm><RecoveryMechanism>encrypt</RecoveryMechanism><WrapAlgorithm>AES/CBC/PKCS5Padding</WrapAlgorithm></KRAInfo>
3.
[root@pki1 certs_db]# pki -d dup -c SECret.123 -p 25080 client-cert-request "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
NullPointerException: null
[root@pki1 certs_db]# pki -v -d dup -c SECret.123 -p 25080 client-cert-request "CN=Test11,UID=Testing,OU=test" --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
PKI options: -v -d dup -c SECret.123
PKI command: 25080 -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Java command: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -Djava.ext.dirs=/usr/share/pki/lib -Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties com.netscape.cmstools.cli.MainCLI -d dup -c SECret.123 --verbose -p 25080 client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Server URI: http://pki1.example.com:25080
Client security database: /opt/rhqa_pki/certs_db/dup
Message format: null
Command: client-cert-request CN=Test11,UID=Testing,OU=test --profile caDualCert --type crmf --transport /opt/rhqa_pki/certs_db/kra.transport
Module: client
Module: cert-request
Initializing security database
Getting internal token
Logging into NSS FIPS 140-2 User Private Key
Initializing PKIClient
HTTP request: GET /pki/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:25080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AFA00D6A3A1D2E0075C35107ECBB9598; Path=/pki; HttpOnly
Content-Type: application/xml
Content-Length: 106
Date: Wed, 28 Jun 2017 10:57:35 GMT
HTTP request: GET /ca/rest/info HTTP/1.1
Accept-Encoding: gzip, deflate
Accept: application/xml
Host: pki1.example.com:25080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.2.5 (java 1.5)
HTTP response: HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F5ED7FA9241C8261A0148C3134E2E8AE; Path=/ca; HttpOnly
Content-Type: application/xml
Content-Length: 131
Date: Wed, 28 Jun 2017 10:57:35 GMT
java.lang.NullPointerException
at org.mozilla.jss.crypto.KeyWrapAlgorithm.fromString(KeyWrapAlgorithm.java:44)
at com.netscape.cmstools.client.ClientCertRequestCLI.execute(ClientCertRequestCLI.java:251)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.CLI.execute(CLI.java:345)
at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:626)
at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:662)
ERROR: Command '['/usr/lib/jvm/jre-1.8.0-openjdk/bin/java', '-Djava.ext.dirs=/usr/share/pki/lib', '-Djava.util.logging.config.file=/usr/share/pki/etc/logging.properties', 'com.netscape.cmstools.cli.MainCLI', '-d', 'dup', '-c', 'SECret.123', '--verbose', '-p', '25080', 'client-cert-request', 'CN=Test11,UID=Testing,OU=test', '--profile', 'caDualCert', '--type', 'crmf', '--transport', '/opt/rhqa_pki/certs_db/kra.transport']' returned non-zero exit status 255
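As an added illustration of the failure in the trace above, not code from the pki CLI: the CA's /rest/info answer carries an ArchivalMechanism but no WrapAlgorithm element, and the stack trace is consistent with that missing value reaching KeyWrapAlgorithm.fromString as null. The Go function below (hypothetical names, not Dogtag's API) parses the two info documents quoted in the comment and resolves the algorithm in the order the issue asks for: an explicit client option first, then the server's advertised value, then the crmfpopclient default, rejecting unknown names instead of passing an empty one down to the crypto layer.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// serverInfo holds the elements of the CAInfo / KRAInfo documents quoted in the
// comment; the root element name is left open so one struct reads both.
type serverInfo struct {
	XMLName           xml.Name
	ArchivalMechanism string `xml:"ArchivalMechanism"`
	WrapAlgorithm     string `xml:"WrapAlgorithm"`
	EncryptAlgorithm  string `xml:"EncryptAlgorithm"`
}

// Names accepted by crmfpopclient's -w option, as listed in the issue.
var knownWrapAlgorithms = map[string]bool{
	"AES KeyWrap/Padding":  true,
	"AES/CBC/PKCS5Padding": true,
	"DES3/CBC/Pad":         true,
}

// crmfpopclient's documented default for -w.
const defaultWrapAlgorithm = "AES KeyWrap/Padding"

// ResolveWrapAlgorithm picks the key-wrapping algorithm for an archival request.
// Precedence: explicit client override (the -w style option the issue asks for),
// then the server's advertised WrapAlgorithm, then the default. An unparsable
// document or an unknown name is an error; an empty name is never returned.
func ResolveWrapAlgorithm(infoXML []byte, override string) (string, error) {
	var info serverInfo
	if err := xml.Unmarshal(infoXML, &info); err != nil {
		return "", fmt.Errorf("parse server info: %w", err)
	}
	name := override
	if name == "" {
		name = info.WrapAlgorithm
	}
	if name == "" {
		name = defaultWrapAlgorithm
	}
	if !knownWrapAlgorithms[name] {
		return "", fmt.Errorf("unknown key wrap algorithm %q (%s advertises %q)",
			name, info.XMLName.Local, info.WrapAlgorithm)
	}
	return name, nil
}

func main() {
	// Constructed input: the CAInfo document from the comment above.
	ca := []byte(`<CAInfo><Attributes/><ArchivalMechanism>keywrap</ArchivalMechanism></CAInfo>`)
	for _, override := range []string{"", "AES/CBC/PKCS5Padding", "RC4"} {
		name, err := ResolveWrapAlgorithm(ca, override)
		fmt.Printf("override=%q -> %q err=%v\n", override, name, err)
	}
}
```

Whatever the client finally chooses, it has to be an algorithm the KRA can unwrap, so the server-advertised value should win over the default whenever it is present; the override exists so an operator can pin a specific mode when testing, which is the use case the issue describes.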