[Pki-devel] [pki-devel][PATCH] 0052-KRA-key-archival-recovery-via-cli-should-honor-encry.patch
John Magne
jmagne at redhat.com
Fri Sep 25 21:48:15 UTC 2015
Approved by alee:
Pushed to master.
Closing ticket #1597.
Commit:
a5a50e95a691587e22335018538b4f578dfee6d1
----- Original Message -----
> From: "John Magne" <jmagne at redhat.com>
> To: "pki-devel" <pki-devel at redhat.com>
> Sent: Tuesday, September 22, 2015 11:12:49 AM
> Subject: [pki-devel][PATCH] 0052-KRA-key-archival-recovery-via-cli-should-honor-encry.patch
>
> [PATCH] KRA: key archival/recovery via cli - should honor
> encryption/decryption flags.
>
> Ticket # 1597
>
> Currently, KRA allows sites to opt for doing encryption/decryption instead of
> wrapping/unwrapping for key archival and recovery.
>
> The new cli code was later added without such support. We should honor the
> same flags when cli is called to do key archival and recovery.
>
> This feature was due to a specific customer request. Here is what is now
> supported:
>
> 1. When the pki cli tool is used to recover an asymmetric private key, support
> is there to do so with encrypt / decrypt.
> 2. The passphrase and generic data facility already uses encrypt / decrypt so
> nothing here was needed. Calling it out since this will possibly be a
> customer issue.
>
> 3. While under the hood, it made sense to add this functionality to the
> Symmetric key archival and recovery operations.
> 4. All tests in DRMTest.java worked successfully when the kra was configured
> to support this feature and configured to not observe this feature.
>
> What is missing:
>
> We have since added a method to do a server side key generation of an
> asymmetric key pair in the kra and also archive it there at the same time.
> In order to do encrypt / decrypt in this case we need to extract the key
> contents out of a key object that is used to generate this key. It proved
> problematic to extract said key. This should be ok since the customer only
> needs to recover an asymmetric key in their test cases. We could look into
> doing this later if a pressing need arises.
>