
Re: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM



On 05/22/15 12:51, John Magne wrote:
Good we can get this feature going.
A couple of comments:

1. I'm sure we have done a bunch of testing to get the hsm case working,
if not done, it might be good to try a basic software case to make sure that
still works.
Done.

Successfully built and installed software master/clone, and enrolled/approved all four possibilities:
  • master/master
  • clone/clone
  • master/clone
  • clone/master

2. In SystemConfigService.java line: 1120

I think we may replace:

throw new BadRequestException("HSM clones must share their HSM master's private keys");

with:
                if (data.getP12File() != null) {
                    throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
                }

                if (data.getP12Password() != null) {
                    throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
                }


Because I think the only time the situation is fatal is when we have a clone on the HSM, BUT provide the pkcs12 file data.
Fixed
3.

Ran a quick pycharm on the python and it reported a couple of PEP warnings at lines 563 and 579, something about indentation. Sounds like easy fix.
Fixed


----- Original Message -----
From: "Matthew Harmsen" <mharmsen redhat com>
To: "pki-devel" <pki-devel redhat com>
Sent: Thursday, May 21, 2015 4:40:21 PM
Subject: [Pki-devel] [PATCH] disable backup keys and share master keys when using an HSM

Please review the attached patch which addresses the following ticket: 


    * PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys 


This was tested as a successful installation of a Master CA and Cloned CA using a LunaSA HSM. 

_______________________________________________
Pki-devel mailing list
Pki-devel redhat com
https://www.redhat.com/mailman/listinfo/pki-devel
New patch attached.


From b4a7d006c1927fef8ed246f89caa246f9a99eec6 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen redhat com>
Date: Fri, 22 May 2015 18:15:31 -0600
Subject: [PATCH] disable backup keys and share master keys when using an HSM

- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
  HSM (and provide recommendation); allow clones to share keys
---
 .../dogtagpki/server/rest/SystemConfigService.java | 12 ++++++++
 .../python/pki/server/deployment/pkihelper.py      | 36 ++++++++++++++++++----
 .../python/pki/server/deployment/pkimessages.py    |  9 ++++++
 3 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index c341d14..3e7ea5b 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -1116,6 +1116,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
                 if (data.getP12Password() == null) {
                     throw new BadRequestException("P12 password not provided");
                 }
+            } else {
+                if (data.getP12File() != null) {
+                    throw new BadRequestException("P12 filename should not be provided since HSM clones must share their HSM master's private keys");
+                }
+
+                if (data.getP12Password() != null) {
+                    throw new BadRequestException("P12 password should not be provided since HSM clones must share their HSM master's private keys");
+                }
             }
         } else {
             data.setClone("false");
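Review bot: the new `else` branch rejects any non-null `p12File` or `p12Password`, so a client that sends an empty string instead of omitting the field is turned away with a message saying the value "should not be provided". The backup-file check later in this file tests absence as `== null || length()<=0`; using the same test here, e.g. `if (data.getP12File() != null && data.getP12File().length() > 0)`, gives both halves of this `if`/`else` one definition of "not provided". A one-line comment above the `else` stating that it is the HSM (non-default token) case would also help, since the condition it pairs with lies outside the hunk.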
@@ -1177,6 +1185,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
         }
 
         if ((data.getBackupKeys() != null) && data.getBackupKeys().equals("true")) {
+            if (! data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)) {
+                throw new BadRequestException("HSMs cannot publish private keys to PKCS #12 files");
+            }
+
             if ((data.getBackupFile() == null) || (data.getBackupFile().length()<=0)) {
                 //TODO: also check for valid path, perhaps by touching file there
                 throw new BadRequestException("Invalid key backup file name");
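Review bot: `data.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT)` dereferences `getToken()` without a null check, so a request with `backupKeys` set to "true" and no `token` fails with a NullPointerException (an HTTP 500) instead of the intended BadRequestException. Reverse the comparison, `if (!ConfigurationRequest.TOKEN_DEFAULT.equals(data.getToken()))`, which is null-safe, and drop the space after `!` to match the surrounding code. Be aware that the reversed form treats a missing token as an HSM; if a missing token is meant to mean the default token, test for null first and fall through to the existing backup-file checks.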
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 696e3d7..0363b08 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -559,6 +559,16 @@ class ConfigurationFile:
         # Verify existence of Admin Password (except for Clones)
         if not self.clone:
             self.confirm_data_exists("pki_admin_password")
+        # If HSM, verify absence of all PKCS #12 backup parameters
+        if (config.str2bool(self.mdict['pki_hsm_enable']) and
+                (config.str2bool(self.mdict['pki_backup_keys']) or
+                ('pki_backup_password' in self.mdict and
+                len(self.mdict['pki_backup_password'])))):
+            config.pki_log.error(
+                log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES,
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            raise Exception(
+                log.PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES)
         # If required, verify existence of Backup Password
         if config.str2bool(self.mdict['pki_backup_keys']):
             self.confirm_data_exists("pki_backup_password")
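Review bot: the two operands of the new HSM condition are read differently: `pki_backup_keys` via `self.mdict['pki_backup_keys']` (KeyError if absent) while `pki_backup_password` is guarded with `'pki_backup_password' in self.mdict`. The unguarded form matches the existing `pki_backup_keys` line just below, so behaviour is unchanged, but `config.str2bool(self.mdict['pki_hsm_enable'])` is now evaluated three times in `ConfigurationFile` and once more in `ConfigClient.set_cloning_parameters`; a single helper, or an attribute set next to `self.clone`, would keep the rule in one place. The failure is raised as a bare `Exception`; if the `confirm_data_exists` path raises a more specific type, use the same one so callers can tell a configuration error from anything else.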
@@ -568,9 +578,19 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_client_database_password")
         # Verify existence of Client PKCS #12 Password for Admin Cert
         self.confirm_data_exists("pki_client_pkcs12_password")
-        # Verify existence of PKCS #12 Password (ONLY for Clones)
         if self.clone:
-            self.confirm_data_exists("pki_clone_pkcs12_password")
+            # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
+            if not config.str2bool(self.mdict['pki_hsm_enable']):
+                self.confirm_data_exists("pki_clone_pkcs12_password")
+            # Verify absence of all PKCS #12 clone parameters for HSMs
+            elif (os.path.exists(self.mdict['pki_clone_pkcs12_path']) or
+                    ('pki_clone_pkcs12_password' in self.mdict and
+                    len(self.mdict['pki_clone_pkcs12_password']))):
+                config.pki_log.error(
+                    log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS,
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                raise Exception(
+                    log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
         # Verify existence of Security Domain Password
         # (ONLY for PKI KRA, PKI OCSP, PKI TKS, PKI TPS, Clones, or
         #  Subordinate CA that will be automatically configured and
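Review bot: the HSM `elif` tests `os.path.exists(self.mdict['pki_clone_pkcs12_path'])`, i.e. whether a file is present on disk, while the password half tests whether the variable is set. A `pki_clone_pkcs12_path` that is set but points at a non-existent file therefore passes silently on an HSM clone, and a missing `pki_clone_pkcs12_path` key raises KeyError here even though the password lookup is guarded with `in self.mdict`. Test the path the same way as the password, e.g. `len(self.mdict.get('pki_clone_pkcs12_path', ''))`, so the check matches the error message, which names both variables as "may not be utilized".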
@@ -675,8 +695,10 @@ class ConfigurationFile:
             self.confirm_data_exists("pki_http_port")
             self.confirm_data_exists("pki_https_port")
             self.confirm_data_exists("pki_tomcat_server_port")
-            self.confirm_data_exists("pki_clone_pkcs12_path")
-            self.confirm_file_exists("pki_clone_pkcs12_path")
+            if not config.str2bool(self.mdict['pki_hsm_enable']):
+                # Check clone parameters for non-HSM clone
+                self.confirm_data_exists("pki_clone_pkcs12_path")
+                self.confirm_file_exists("pki_clone_pkcs12_path")
             self.confirm_data_exists("pki_clone_replication_security")
         elif self.external:
             # External CA
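Review bot: with this hunk `pki_clone_pkcs12_path` is simply not validated for HSM clones, and the diffstat shows no change to the pkispawn documentation or to the commented defaults that describe `pki_clone_pkcs12_path`, `pki_clone_pkcs12_password`, `pki_backup_keys` and `pki_backup_password`. Since the patch changes what these variables mean when `pki_hsm_enable` is set, document the new rule (and the vendor-backup recommendation from the ticket) wherever those variables are described, and consider an `else` here that logs at info level that clone PKCS #12 parameters are ignored for HSMs, so a misconfigured deployment is easy to diagnose.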
@@ -4119,8 +4141,10 @@ class ConfigClient:
     def set_cloning_parameters(self, data):
         data.isClone = "true"
         data.cloneUri = self.mdict['pki_clone_uri']
-        data.p12File = self.mdict['pki_clone_pkcs12_path']
-        data.p12Password = self.mdict['pki_clone_pkcs12_password']
+        if not config.str2bool(self.mdict['pki_hsm_enable']):
+            # Set these clone parameters for non-HSM clones only
+            data.p12File = self.mdict['pki_clone_pkcs12_path']
+            data.p12Password = self.mdict['pki_clone_pkcs12_password']
         if config.str2bool(self.mdict['pki_clone_replicate_schema']):
             data.replicateSchema = "true"
         else:
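Review bot: for HSM clones `data.p12File` and `data.p12Password` are now left unset, which is exactly what the new `else` branch in `SystemConfigService` requires (both must be null). That coupling is implicit: if the request object ever initialises these attributes to empty strings rather than leaving them absent, the server rejects every HSM clone with "P12 filename should not be provided". Add a comment stating that the server rejects non-null values for HSM clones, or have the server treat empty strings as absent, so the contract between the two sides is explicit.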
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 321ea78..0e7d143 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -199,6 +199,15 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError:  pki_gid %s"
 PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError:  pki_group %s"
+PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS = \
+    "Since clones using Hardware Security Modules (HSMs) must share their "\
+    "master's private keys, the 'pki_clone_pkcs12_path' and "\
+    "'pki_clone_pkcs12_password' variables may not be utilized with HSMs."
+PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES = \
+    "Since Hardware Security Modules (HSMs) do not allow their private keys "\
+    "to be extracted to PKCS #12 files, the 'pki_backup_keys' and "\
+    "'pki_backup_password' variables may not be utilized with HSMs.\n"\
+    "Please contact the HSM vendor regarding their specific backup mechanism."
 PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = \
     "port %s has invalid selinux context %s"
 PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
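Review bot: `PKIHELPER_HSM_KEYS_CANNOT_BE_BACKED_UP_TO_PKCS12_FILES` embeds a `\n` before the vendor recommendation, and the same string is passed to `config.pki_log.error` and used as the `Exception` text, so the log receives a two-line record unlike the single-line messages around it. Either keep the recommendation in the same sentence or move it to its own constant that is logged separately. Placement of the two new constants between the `_GROUP_ADD_` and `_INVALID_SELINUX_` entries does follow the file's alphabetical ordering.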
-- 
1.8.3.1

