1345174 - Cannot create system certs when using LunaSA HSM in FIPS Mode and ECC algorithms

Status: RESOLVED FIXED

(JSS Graveyard :: Library, defect)

Description

[Elio Maldonado]

Description of problem: (From the original downstream bug report)
When a LunaSA is in FIPS mode, RHCS cannot configure if ECC algorithms higher than SHA1withEC are selected.  When the subsystem certs are to be created, CA throws exceptions.

This works in FIPS mode with RSA and SHA1withEC.  SHA256withEC is where the problems begin.

Version-Release number of selected component (if applicable):

RHCS8

How reproducible:


Steps to Reproduce:
1. set ecc up
2. set LUNA HSM in FIPS mode (this is destructive to data on the hsm)
3.

Comment 1

[Elio Maldonado]

Attachment: JSS patch to enable ECC functionality on HSMs in FIPS mode (where HSMs do not support ECDH)

This is the original downstream patch. For informational purpose, nor for review, I'll attach one adapted for the state of the current upstream sources soon.

Comment 2

[Elio Maldonado]

Attachment: Enable ECC functionality on HSMs in FIPS mode (where HSMs do not support ECDH)

Updated for the current state of the sources.

Comment 3

[Christina Fu]

Comment on attachment 8844558 [details] [diff] [review]
Enable ECC functionality on HSMs in FIPS mode (where HSMs do not support ECDH)

Review of attachment 8844558 [details] [diff] [review]:
-----------------------------------------------------------------

This patch seems to match my original Fedora JSS Downstream patch, jss-ECC-HSM-FIPS.patch.

Comment 4

[Elio Maldonado]

Pushed: https://hg.mozilla.org/projects/jss/rev/c320ca6b3fe81b58dc0de69fd14e194aeddb649c

Comment 5

[Elio Maldonado]

Historical Notes:

Patch12:        jss-ECC-HSM-FIPS.patch

* Wed May 18 2011 Christina Fu <cfu@redhat.com> - 4.2.6-17
- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
  and ECC algorithms (support tokens that don't do ECDH)