KRA: force OAEP for some HSM-based installations

Not all HSMs support PKCS#1 v1.5. The nShield nFast is one we know
of, so force the KRA to use OAEP in this case.

This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.

There is currently no good way to test for this capability in
advance of configuration. Testing for mechanisms alone is
insufficient. The only real way to test would be to attempt a
wrap/unwrap but it is very complex.

If the list of affected HSMs increases we can use a table
instead based on "best guess" of some sort of property but
looking for a unique string inside the library path is a
pretty straightforward way.

Note that this doesn't preclude someone from wanting to require
OAEP directly by modifying the KRA CS.cfg and it won't impact
FIPS mode which requires OAEP.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2024-03-05 09:39:43 -05:00
parent 31fda79a0e
commit b9ec2fb0a9

@ -35,7 +35,10 @@ from ipapython.dn import DN
from ipaserver.install import cainstance
from ipaserver.install import installutils
from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.ca import lookup_random_serial_number_version
from ipaserver.install.ca import (
lookup_random_serial_number_version,
lookup_hsm_configuration
)
logger = logging.getLogger(__name__)
@ -190,6 +193,11 @@ class KRAInstance(DogtagInstance):
cfg['pki_token_name'] = ca.token_name
cfg['pki_token_password'] = self.token_password
cfg['pki_sslserver_token'] = 'internal'
# Require OAEP for nfast devices as they do not support
# PKCS1v15.
(_unused, token_library_path) = lookup_hsm_configuration(api)
if 'nfast' in token_library_path:
cfg['pki_use_oaep_rsa_keywrap'] = True
p12_tmpfile_name = None
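
Review bot: the test 'nfast' in token_library_path assumes lookup_hsm_configuration(api) always returns a string for the library path; nothing in the visible lines guards against None, which would raise TypeError on the "in" test. Consider "if token_library_path and 'nfast' in token_library_path:". The match is also a case-sensitive substring over the whole path, so a differently cased install directory would be missed and any unrelated path component containing "nfast" would switch the KRA to OAEP; comparing against the lowercased basename of the library would be tighter. A log line when pki_use_oaep_rsa_keywrap is forced would make the chosen key wrap mode visible in the install log.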