authorJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-04-02 19:10:51 -0700
committerJack Magne <jmagne@dhcp-16-213.sjc.redhat.com>2014-04-14 10:11:14 -0700
commit7604304b755bc8d78889322bdf825a7ed907d683 (patch)
tree7de8da75d6dfe447ab547db2b88ae3b34fb3ad88
parentf0b112fa8d859056aaa729cda0761a1786987088 (diff)
Further progress Format operation.
1. Read applet into memory to prepare to write to token. 2. With tpsclient create secure channel by implementing Initialize Update and ExternalAuthenticate messages. 3. Support for MAC and encryption for messages going on after secure channel has been created. 4. Implemented method to remove an aid file or instance from the token. 5. Added some symkey methods to allow TPS to manipulate session keys. 6. Performed some cfu feedback fixes such as changing all the names of APDU classes to have APDU in the name. Have not tried this with real token as of yet. The tpsclient does verify of the MAC coming from the server and decrypts encrypted messages. Decrypted messages have to be correct for the MAC verification to work. Next step will be to add the phone home servlet to the TPS and give it a try with a real token and esc.
-rw-r--r--abrt_checker_23484.log9
-rw-r--r--base/common/src/org/dogtagpki/tps/TPSConnection.java25
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/APDU.java58
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java16
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/CreateObjectAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/CreateObject.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/CreatePinAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/CreatePin.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/DeleteFileAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/DeleteFile.java)13
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java51
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java110
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/FormatMuscleAppletAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/FormatMuscleApplet.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GenerateKey.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECC.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GetDataAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GetData.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfoAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfo.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GetStatusAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GetStatus.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/GetVersionAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/GetVersion.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ImportKeyAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ImportKey.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ImportKeyEncAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ImportKeyEnc.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/InitializeUpdateAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/InitializeUpdate.java)21
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/InstallAppletAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/InstallApplet.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/InstallLoadAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/InstallLoad.java)6
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/LifecycleAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/Lifecycle.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ListObjectsAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ListObjects.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ListPinsAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ListPins.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/LoadFileAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/LoadFile.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/PutKeyAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/PutKey.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ReadBufferAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ReadBuffer.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/ReadObjectAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/ReadObject.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/SelectAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/Select.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfoAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfo.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/SetPinAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/SetPin.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/UnblockPinAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/UnblockPin.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/apdu/WriteObjectAPDU.java (renamed from base/common/src/org/dogtagpki/tps/apdu/WriteObject.java)4
-rw-r--r--base/common/src/org/dogtagpki/tps/main/TPSBuffer.java17
-rw-r--r--base/common/src/org/dogtagpki/tps/main/Util.java160
-rw-r--r--base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java6
-rw-r--r--base/symkey/src/com/netscape/symkey/SessionKey.cpp193
-rw-r--r--base/symkey/src/com/netscape/symkey/SessionKey.java122
-rw-r--r--base/symkey/src/com/netscape/symkey/SymKey.cpp97
-rw-r--r--base/symkey/src/com/netscape/symkey/SymKey.h1
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java172
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java3
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java42
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java54
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java510
-rw-r--r--base/tps/abrt_checker_21190.log9
46 files changed, 1556 insertions, 241 deletions
diff --git a/abrt_checker_23484.log b/abrt_checker_23484.log
new file mode 100644
index 000000000..97d259eb9
--- /dev/null
+++ b/abrt_checker_23484.log
@@ -0,0 +1,9 @@
+Uncaught java.lang.ClassNotFoundException exception in thread "main" in a method java.lang.ClassLoader.loadClass() with signature (Ljava/lang/String;Z)Ljava/lang/Class;
+Exception in thread "main" java.lang.ClassNotFoundException: .usr.lib64.eclipse..plugins.org.eclipse.equinox.launcher_1.3.0.v20130930-1720.jar
+ at java.net.URLClassLoader$1.run(URLClassLoader.java:366) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class]
+ at java.net.URLClassLoader$1.run(URLClassLoader.java:355) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class]
+ at java.security.AccessController.doPrivileged(Native Method) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/security/AccessController.class]
+ at java.net.URLClassLoader.findClass(URLClassLoader.java:354) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader.class]
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:424) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class]
+ at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/sun/misc/Launcher$AppClassLoader.class]
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:357) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class]
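Review bot: abrt_checker_23484.log is a local ABRT crash report from the Eclipse launcher (a ClassNotFoundException inside the IDE's own classloader), not project source, and should not be part of this commit; the diffstat lists a second one at base/tps/abrt_checker_21190.log that is outside this view. Both should be dropped from the commit and a pattern such as `abrt_checker_*.log` added to the repository's ignore file so stray crash logs are not picked up again.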
diff --git a/base/common/src/org/dogtagpki/tps/TPSConnection.java b/base/common/src/org/dogtagpki/tps/TPSConnection.java
index 442d28dad..64f8cb906 100644
--- a/base/common/src/org/dogtagpki/tps/TPSConnection.java
+++ b/base/common/src/org/dogtagpki/tps/TPSConnection.java
@@ -53,12 +53,14 @@ public class TPSConnection {
// read the first parameter
while ((b = in.read()) >= 0) {
- char c = (char)b;
- if (c == '&') break;
+ char c = (char) b;
+ if (c == '&')
+ break;
sb.append(c);
}
- if (b < 0) throw new IOException("Unexpected end of stream");
+ if (b < 0)
+ throw new IOException("Unexpected end of stream");
// parse message size
String nvp = sb.toString();
@@ -68,19 +70,20 @@ public class TPSConnection {
sb.append('&');
// read the rest of message
- for (int i=0; i<size; i++) {
+ for (int i = 0; i < size; i++) {
b = in.read();
- if (b < 0) throw new IOException("Unexpected end of stream");
+ if (b < 0)
+ throw new IOException("Unexpected end of stream");
- char c = (char)b;
+ char c = (char) b;
sb.append(c);
}
CMS.debug("TPSMessage.read: Reading: " + sb.toString());
// parse the entire message
- return TPSMessage.createMessage(sb.toString());
+ return TPSMessage.createMessage(sb.toString());
}
public void write(TPSMessage message) throws IOException {
@@ -88,7 +91,6 @@ public class TPSConnection {
CMS.debug("TPSMessage.write: Writing: " + s);
-
if (chunked) {
// send message length + EOL
out.print(Integer.toHexString(s.length()));
@@ -98,11 +100,18 @@ public class TPSConnection {
// send message
out.print(s);
+ /*
+ *
+ * Right now, tpsclient is counting the final crlf as part of the message and ruining the MAC calculations
+ * For now do this and figure out later how to handle this for both tpsclient and esc.
+ *
if (chunked) {
// send EOL
out.print("\r\n");
}
+ */
+
out.flush();
}
}
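Review bot: The chunk-terminating CRLF at the end of write() is disabled by commenting the code out while the hex length prefix a few lines above is still emitted, so in chunked mode the stream no longer matches what appears to be chunked transfer framing; a client other than tpsclient (the ESC named in the commit message) that implements that framing may reject or stall on the unterminated chunk. The comment in the block says this works around tpsclient counting the CRLF into its MAC input — that is a framing bug on the tpsclient side and the wire format should not be changed for every client to accommodate it. If the workaround must stay for now, replace the commented-out block with a guarded branch and an explicit marker, e.g. `// TODO(tps): restore chunk-terminating CRLF once tpsclient excludes framing bytes from the MAC`, rather than leaving dead code in place.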
diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDU.java b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
index c4f2c1769..c1aa51716 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/APDU.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/APDU.java
@@ -19,6 +19,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.Util;
+import org.mozilla.jss.pkcs11.PK11SymKey;
+
+import com.netscape.certsrv.base.EBaseException;
public abstract class APDU {
@@ -140,8 +143,59 @@ public abstract class APDU {
return encoding;
}
- public void getDataToMAC(TPSBuffer data) {
- //ToDO
+ public TPSBuffer getDataToMAC() {
+ TPSBuffer mac = new TPSBuffer();
+
+ mac.add(cla);
+ mac.add(ins);
+ mac.add(p1);
+ mac.add(p2);
+ mac.add((byte) (data.size() + 8));
+ mac.add(data);
+
+ return mac;
+ }
+
+ public void secureMessage(PK11SymKey encKey) throws EBaseException {
+
+ if (encKey == null) {
+ throw new EBaseException("APDU.secureData: No input encrytion session key!");
+ }
+
+ int padNeeded = 0;
+
+ TPSBuffer dataToEnc = null;
+ TPSBuffer padding = null;
+ TPSBuffer dataEncrypted = null;
+
+ dataToEnc = new TPSBuffer();
+ dataToEnc.add((byte) data.size());
+ dataToEnc.add(data);
+
+ int dataSize = dataToEnc.size();
+ int rem = dataSize % 8;
+
+ if (rem == 0) {
+ padNeeded = 0;
+ } else if (dataSize < 8) {
+ padNeeded = 8 - dataSize;
+ } else {
+ padNeeded = 8 - rem;
+ }
+
+ if (padNeeded > 0) {
+ dataToEnc.add((byte) 0x80);
+ padNeeded--;
+
+ if (padNeeded > 0) {
+ padding = new TPSBuffer(padNeeded);
+ dataToEnc.add(padding);
+ }
+ }
+
+ dataEncrypted = Util.encryptData(dataToEnc, encKey);
+
+ data.set(dataEncrypted);
}
public Type getType() {
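Review bot: In secureMessage no padding at all is added when `dataToEnc.size()` is already a multiple of 8, so a block-aligned payload is encrypted without the 0x80 marker; if the intended scheme is the mandatory-marker padding (ISO/IEC 9797-1 method 2) that GlobalPlatform secure messaging uses, padding must be appended even for aligned input, otherwise the recipient cannot tell payload bytes ending in 0x80 00.. from padding — confirm against the SCP01 profile the token implements before changing it. Separately, the `dataSize < 8` branch is redundant: when dataSize < 8, rem equals dataSize, so `8 - rem` already gives `8 - dataSize`, and the three-way chain reduces to `int padNeeded = (rem == 0) ? 0 : 8 - rem;`. The exception message in the null guard names `APDU.secureData` and misspells encryption; it should read `"APDU.secureMessage: No input encryption session key!"`. In getDataToMAC the `+ 8` added to the Lc byte is a bare magic number; a named constant with a comment that Lc counts the trailing C-MAC would make the intent explicit.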
diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java b/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java
index ef25cd204..9376a1f97 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java
@@ -88,7 +88,7 @@ public class APDUResponse extends APDU {
}
//Get the two byte apdu return code
- byte[] getResultBytes() {
+ public byte[] getResultCodeBytes() {
byte[] result = new byte[2];
result[0] = getSW1();
@@ -96,6 +96,20 @@ public class APDUResponse extends APDU {
return result;
}
+ public TPSBuffer getResultDataNoCode() {
+
+ //Result code will be 2 bytes at the end.
+ TPSBuffer theData = getData();
+
+ TPSBuffer result = null;
+ int len = theData.size();
+ if (len > 2) {
+ result = theData.substr(0, len - 2);
+ }
+
+ return result;
+ }
+
public static void main(String args[]) {
APDUResponse resp = new APDUResponse();
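Review bot: getResultDataNoCode returns null when the response consists of exactly the two status bytes (`len == 2`), which is the ordinary shape of a response carrying no data, so every caller must null-check before touching the buffer; either use `if (len >= 2)` with an empty `new TPSBuffer()` as the fallback (if TPSBuffer.substr accepts a zero length) or document the contract with `@return the response data without the trailing status word, or null when the response holds no data`. The hard-coded 2 duplicates the knowledge in getResultCodeBytes that the status word is two bytes; a shared constant would keep the two methods consistent. The assumption that the status word trails the data is only implied by the inline comment and deserves a sentence in the method Javadoc.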
diff --git a/base/common/src/org/dogtagpki/tps/apdu/CreateObject.java b/base/common/src/org/dogtagpki/tps/apdu/CreateObjectAPDU.java
index 04208aa3b..03ad05ff4 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/CreateObject.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/CreateObjectAPDU.java
@@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class CreateObject extends APDU {
+public class CreateObjectAPDU extends APDU {
/**
* Constructs a Create Object APDU. This APDU is usually sent right
* before Write_Buffer_APDU is sent. This APDU only creates an Object
@@ -63,7 +63,7 @@ public class CreateObject extends APDU {
* @see APDU
*/
- public CreateObject(byte[] object_id, byte[] permissions, int len) {
+ public CreateObjectAPDU(byte[] object_id, byte[] permissions, int len) {
if (object_id.length != 4)
return;
@@ -108,7 +108,7 @@ public class CreateObject extends APDU {
byte[] object_id = { 0x01, 0x02, 0x3, 0x4 };
byte[] permisisons = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x6 };
- CreateObject apdu = new CreateObject(object_id, permisisons, 56);
+ CreateObjectAPDU apdu = new CreateObjectAPDU(object_id, permisisons, 56);
if (apdu != null) {
diff --git a/base/common/src/org/dogtagpki/tps/apdu/CreatePin.java b/base/common/src/org/dogtagpki/tps/apdu/CreatePinAPDU.java
index 3d7b9274c..c37d0d465 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/CreatePin.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/CreatePinAPDU.java
@@ -22,9 +22,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class CreatePin extends APDU {
+public class CreatePinAPDU extends APDU {
- public CreatePin(byte theP1, byte theP2, TPSBuffer theData) {
+ public CreatePinAPDU(byte theP1, byte theP2, TPSBuffer theData) {
setP1(theP1);
setP2(theP2);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/DeleteFile.java b/base/common/src/org/dogtagpki/tps/apdu/DeleteFileAPDU.java
index 475207dd6..9114b8af6 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/DeleteFile.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/DeleteFileAPDU.java
@@ -19,14 +19,13 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class DeleteFile extends APDU {
+public class DeleteFileAPDU extends APDU {
- public DeleteFile( TPSBuffer aid) {
+ public DeleteFileAPDU(TPSBuffer aid) {
setCLA((byte) 0x84);
- setINS((byte)0xE4);
- setP1((byte)0x00);
- setP2((byte)0x00);
-
+ setINS((byte) 0xE4);
+ setP1((byte) 0x00);
+ setP2((byte) 0x00);
TPSBuffer AIDTLV = new TPSBuffer();
@@ -43,7 +42,7 @@ public class DeleteFile extends APDU {
public APDU.Type getType() {
return APDU.Type.APDU_DELETE_FILE;
- }
+ }
public static void main(String[] args) {
// TODO Auto-generated method stub
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java
deleted file mode 100644
index d1337b886..000000000
--- a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java
+++ /dev/null
@@ -1,51 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2013 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-package org.dogtagpki.tps.apdu;
-
-import org.dogtagpki.tps.main.TPSBuffer;
-
-public class ExternalAuthenticate extends APDU {
-
- public ExternalAuthenticate(TPSBuffer theData, byte securityLevel) {
-
- setCLA((byte) 0x84);
- setINS((byte) 0x82);
-
- setP1(securityLevel);
-
- setP2((byte) 0x00);
- setData(theData);
- }
-
- public TPSBuffer getHostCryptogram()
- {
- return getData();
- }
-
- @Override
- public APDU.Type getType()
- {
- return APDU.Type.APDU_EXTERNAL_AUTHENTICATE;
- }
-
- public static void main(String[] args) {
- // TODO Auto-generated method stub
-
- }
-
-}
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java
new file mode 100644
index 000000000..d824e8ce7
--- /dev/null
+++ b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java
@@ -0,0 +1,110 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package org.dogtagpki.tps.apdu;
+
+import org.dogtagpki.tps.main.TPSBuffer;
+
+public class ExternalAuthenticateAPDU extends APDU {
+
+ public enum SecurityLevel {
+ SECURE_MSG_ANY,
+ SECURE_MSG_MAC,
+ SECURE_MSG_NONE, // not yet supported
+ SECURE_MSG_MAC_ENC,
+
+ }
+
+ public ExternalAuthenticateAPDU(TPSBuffer theData, SecurityLevel securityLevel) {
+ setCLA((byte) 0x84);
+ setINS((byte) 0x82);
+
+ setP1(securityLevelToByte(securityLevel));
+ setP2((byte) 0x0);
+
+ setData(theData);
+ }
+
+ public TPSBuffer getHostCryptogram()
+ {
+ return getData();
+ }
+
+ @Override
+ public APDU.Type getType()
+ {
+ return APDU.Type.APDU_EXTERNAL_AUTHENTICATE;
+ }
+
+ public static byte securityLevelToByte(SecurityLevel level) {
+ byte result = 0;
+
+ switch (level) {
+ case SECURE_MSG_ANY:
+ result = 0;
+ break;
+ case SECURE_MSG_MAC:
+ result = 1;
+ break;
+ case SECURE_MSG_NONE:
+ result = 2;
+ break;
+ case SECURE_MSG_MAC_ENC:
+ result = 3;
+ break;
+
+ default:
+ result = 0;
+ break;
+
+ }
+
+ return result;
+ }
+
+ public static SecurityLevel byteToSecurityLevel(byte level) {
+
+ SecurityLevel result = SecurityLevel.SECURE_MSG_ANY;
+
+ switch (level) {
+
+ case 0:
+ result = SecurityLevel.SECURE_MSG_ANY;
+ break;
+ case 1:
+ result = SecurityLevel.SECURE_MSG_MAC;
+ break;
+ case 2:
+ result = SecurityLevel.SECURE_MSG_NONE;
+ break;
+ case 3:
+ result = SecurityLevel.SECURE_MSG_MAC_ENC;
+ break;
+ default:
+ result = SecurityLevel.SECURE_MSG_ANY;
+ break;
+ }
+
+ return result;
+ }
+
+ public static void main(String[] args) {
+ // TODO Auto-generated method stub
+
+ }
+
+}
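Review bot: byteToSecurityLevel maps any unrecognized byte to SECURE_MSG_ANY in its default branch, and securityLevelToByte does the same in reverse, so a malformed or unexpected security level silently degrades to the weakest setting instead of being rejected; for a value that decides whether MAC and encryption are enforced on the channel, the default should fail closed, e.g. `default: throw new IllegalArgumentException("Unknown security level: " + level);` in both methods (securityLevelToByte also throws an NPE on a null argument before reaching the switch, which an explicit `Objects.requireNonNull(level, "level")` guard would make intentional). The enum declares SECURE_MSG_NONE between MAC and MAC_ENC and marks it "not yet supported" while still mapping it to P1 value 2; a comment on the enum stating that the numeric mapping follows the wire encoding and must never be derived from `ordinal()` would stop a later reordering from changing the protocol. The two hand-written switch tables could be collapsed into a `byte` field on each constant (`SECURE_MSG_MAC((byte) 1)`) plus a single lookup, removing the duplicated mapping.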
diff --git a/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleApplet.java b/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleAppletAPDU.java
index af4cec11a..3babdc1c5 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleApplet.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleAppletAPDU.java
@@ -25,8 +25,8 @@ import org.dogtagpki.tps.main.TPSBuffer;
/* Not sure this is used , provide stub right now. */
-public class FormatMuscleApplet extends APDU {
- public FormatMuscleApplet(short memSize,
+public class FormatMuscleAppletAPDU extends APDU {
+ public FormatMuscleAppletAPDU(short memSize,
TPSBuffer PIN0, byte pin0Tries,
TPSBuffer unblockPIN0, byte unblock0Tries,
TPSBuffer PIN1, byte pin1Tries,
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKey.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java
index 47f45bb50..f11f132be 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKey.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java
@@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GenerateKey extends APDU {
+public class GenerateKeyAPDU extends APDU {
- public GenerateKey(byte theP1, byte theP2, byte alg,
+ public GenerateKeyAPDU(byte theP1, byte theP2, byte alg,
int keysize, byte option,
byte type, TPSBuffer wrapped_challenge, TPSBuffer key_check) {
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECC.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java
index 3f9106723..6743822ad 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECC.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java
@@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GenerateKeyECC extends APDU {
+public class GenerateKeyECCAPDU extends APDU {
- public GenerateKeyECC(byte theP1, byte theP2, byte alg,
+ public GenerateKeyECCAPDU(byte theP1, byte theP2, byte alg,
int keysize, byte option,
byte type, TPSBuffer wrapped_challenge, TPSBuffer key_check) {
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetData.java b/base/common/src/org/dogtagpki/tps/apdu/GetDataAPDU.java
index b7b8be02c..7cd52fcd1 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GetData.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GetDataAPDU.java
@@ -22,9 +22,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GetData extends APDU {
+public class GetDataAPDU extends APDU {
- public GetData()
+ public GetDataAPDU()
{
setCLA((byte) 0x80);
setINS((byte) 0xCA);
@@ -53,7 +53,7 @@ public class GetData extends APDU {
} /* Encode */
public static void main(String[] args) {
- GetData get_data = new GetData();
+ GetDataAPDU get_data = new GetDataAPDU();
get_data.dump();
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfo.java b/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfoAPDU.java
index 21fe1a77e..ede006a18 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfo.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfoAPDU.java
@@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GetIssuerInfo extends APDU {
+public class GetIssuerInfoAPDU extends APDU {
/**
* Constructs GetIssuer APDU.
*
@@ -45,7 +45,7 @@ public class GetIssuerInfo extends APDU {
* @param data issuer info
* @see APDU
*/
- public GetIssuerInfo()
+ public GetIssuerInfoAPDU()
{
setCLA((byte) 0x84);
setINS((byte) 0xF6);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetStatus.java b/base/common/src/org/dogtagpki/tps/apdu/GetStatusAPDU.java
index 3b8c68fca..2479cc674 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GetStatus.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GetStatusAPDU.java
@@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GetStatus extends APDU {
- public GetStatus()
+public class GetStatusAPDU extends APDU {
+ public GetStatusAPDU()
{
setCLA((byte) 0xB0);
setINS((byte) 0x3C);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetVersion.java b/base/common/src/org/dogtagpki/tps/apdu/GetVersionAPDU.java
index 9bdc27fa1..6e10df985 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/GetVersion.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/GetVersionAPDU.java
@@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class GetVersion extends APDU {
- public GetVersion()
+public class GetVersionAPDU extends APDU {
+ public GetVersionAPDU()
{
setCLA((byte) 0xB0);
setINS((byte) 0x70);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ImportKey.java b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyAPDU.java
index c17bfb825..a37e52831 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ImportKey.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyAPDU.java
@@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ImportKey extends APDU {
+public class ImportKeyAPDU extends APDU {
/**
* Constructs Import Key APDU.
*
@@ -46,7 +46,7 @@ public class ImportKey extends APDU {
* Byte[] Additional parameters; // Optional
* If KeyBlob's Encoding is BLOB_ENC_PLAIN(0x00), there are no additional parameters.
*/
- public ImportKey(byte p1)
+ public ImportKeyAPDU(byte p1)
{
setCLA((byte) 0x84);
setINS((byte) 0x32);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEnc.java b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEncAPDU.java
index c87a76ac8..ff01c6600 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEnc.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEncAPDU.java
@@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ImportKeyEnc extends APDU {
+public class ImportKeyEncAPDU extends APDU {
/**
* Constructs Import Key Encrypted APDU.
@@ -47,7 +47,7 @@ public class ImportKeyEnc extends APDU {
* Import Parameters:
* ...to be provided
*/
- public ImportKeyEnc(byte p1, byte p2, TPSBuffer theData)
+ public ImportKeyEncAPDU(byte p1, byte p2, TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0x0A);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdate.java b/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdateAPDU.java
index 4016b96f4..4bc640108 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdate.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdateAPDU.java
@@ -23,12 +23,13 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class InitializeUpdate extends APDU {
+public class InitializeUpdateAPDU extends APDU {
/**
* Constructs Initialize Update APDU.
*/
- public InitializeUpdate(byte key_version, byte key_index, TPSBuffer theData) {
+ public InitializeUpdateAPDU(byte key_version, byte key_index, TPSBuffer theData) {
+ setCLA((byte) 0x80);
setINS((byte) 0x50);
setP1(key_version);
setP2(key_index);
@@ -47,16 +48,16 @@ public class InitializeUpdate extends APDU {
public TPSBuffer getEncoding()
{
- TPSBuffer data = new TPSBuffer();
+ TPSBuffer theData = new TPSBuffer();
- data.add(cla);
- data.add(ins);
- data.add(p1);
- data.add(p2);
- data.add((byte) data.size());
- data.add(data);
+ theData.add(cla);
+ theData.add(ins);
+ theData.add(p1);
+ theData.add(p2);
+ theData.add((byte) data.size());
+ theData.add(data);
- return data;
+ return theData;
} /* Encode */
}
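Review bot: The local in getEncoding is renamed to theData because the previous local `data` shadowed the APDU field `data`, which made `data.add(data)` append the buffer to itself; that reason is not visible in the code, so a one-line comment such as `// local must not shadow the inherited data field` would keep a future cleanup from reintroducing the shadowing. If the base class APDU already produces the same CLA/INS/P1/P2/Lc/data encoding, this override may be redundant — worth checking, since the base implementation is not visible here.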
diff --git a/base/common/src/org/dogtagpki/tps/apdu/InstallApplet.java b/base/common/src/org/dogtagpki/tps/apdu/InstallAppletAPDU.java
index 9e6206ac7..8f164e9d4 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/InstallApplet.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/InstallAppletAPDU.java
@@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class InstallApplet extends APDU {
+public class InstallAppletAPDU extends APDU {
- public InstallApplet(TPSBuffer packageAID, TPSBuffer appletAID,
+ public InstallAppletAPDU(TPSBuffer packageAID, TPSBuffer appletAID,
byte appPrivileges, int instanceSize, int appletMemorySize)
{
setCLA((byte) 0x84);
@@ -79,7 +79,7 @@ public class InstallApplet extends APDU {
/**
* Constructs Install Applet APDU.
*/
- public InstallApplet(TPSBuffer theData)
+ public InstallAppletAPDU(TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0xE6);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/InstallLoad.java b/base/common/src/org/dogtagpki/tps/apdu/InstallLoadAPDU.java
index dc6d2b049..cb84b9382 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/InstallLoad.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/InstallLoadAPDU.java
@@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class InstallLoad extends APDU {
+public class InstallLoadAPDU extends APDU {
- public InstallLoad(TPSBuffer packageAID, TPSBuffer sdAID,
+ public InstallLoadAPDU(TPSBuffer packageAID, TPSBuffer sdAID,
int fileLen)
{
@@ -55,7 +55,7 @@ public class InstallLoad extends APDU {
/**
* Constructs Install Load APDU. Used when data was pre-constructed
*/
- public InstallLoad(TPSBuffer theData)
+ public InstallLoadAPDU(TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0xE6);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/Lifecycle.java b/base/common/src/org/dogtagpki/tps/apdu/LifecycleAPDU.java
index e26a39ed9..051f663df 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/Lifecycle.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/LifecycleAPDU.java
@@ -21,11 +21,11 @@
package org.dogtagpki.tps.apdu;
-public class Lifecycle extends APDU {
+public class LifecycleAPDU extends APDU {
/**
* Constructs Lifecycle APDU.
*/
- public Lifecycle(byte lifecycle)
+ public LifecycleAPDU(byte lifecycle)
{
setCLA((byte) 0x84);
setINS((byte) 0xf0);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ListObjects.java b/base/common/src/org/dogtagpki/tps/apdu/ListObjectsAPDU.java
index b21cd111b..4d29506e6 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ListObjects.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ListObjectsAPDU.java
@@ -23,8 +23,8 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ListObjects extends APDU {
- public ListObjects(byte seq)
+public class ListObjectsAPDU extends APDU {
+ public ListObjectsAPDU(byte seq)
{
setCLA((byte) 0xB0);
setINS((byte) 0x58);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ListPins.java b/base/common/src/org/dogtagpki/tps/apdu/ListPinsAPDU.java
index 7ced5a21a..e9a5f49bf 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ListPins.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ListPinsAPDU.java
@@ -23,11 +23,11 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ListPins extends APDU {
+public class ListPinsAPDU extends APDU {
private byte ret_size = 0;
- public ListPins(byte theRet_size)
+ public ListPinsAPDU(byte theRet_size)
{
setCLA((byte) 0xB0);
setINS((byte) 0x48);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/LoadFile.java b/base/common/src/org/dogtagpki/tps/apdu/LoadFileAPDU.java
index 2b3f7e3f9..23e948c77 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/LoadFile.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/LoadFileAPDU.java
@@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class LoadFile extends APDU {
+public class LoadFileAPDU extends APDU {
/**
* Constructs Load File APDU.
*/
- public LoadFile(byte refControl, byte blockNum, TPSBuffer theData)
+ public LoadFileAPDU(byte refControl, byte blockNum, TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0xE8);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/PutKey.java b/base/common/src/org/dogtagpki/tps/apdu/PutKeyAPDU.java
index 3d6f2a022..6a939e7ba 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/PutKey.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/PutKeyAPDU.java
@@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class PutKey extends APDU {
+public class PutKeyAPDU extends APDU {
/**
* Constructs Put Key APDU.
*/
- public PutKey(byte p1, byte p2, TPSBuffer theData)
+ public PutKeyAPDU(byte p1, byte p2, TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0xd8);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ReadBuffer.java b/base/common/src/org/dogtagpki/tps/apdu/ReadBufferAPDU.java
index 7e1ab00c5..7c8159bf4 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ReadBuffer.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ReadBufferAPDU.java
@@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ReadBuffer extends APDU {
+public class ReadBufferAPDU extends APDU {
/**
* Constructs Read Buffer APDU.
*/
- public ReadBuffer(int len, int offset)
+ public ReadBufferAPDU(int len, int offset)
{
setCLA((byte) 0x84);
setINS((byte) 0x08);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/ReadObject.java b/base/common/src/org/dogtagpki/tps/apdu/ReadObjectAPDU.java
index b78098305..f013a82aa 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/ReadObject.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/ReadObjectAPDU.java
@@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class ReadObject extends APDU {
+public class ReadObjectAPDU extends APDU {
/**
* Constructs Read Object APDU.
*
@@ -52,7 +52,7 @@ public class ReadObject extends APDU {
* @see APDU
*/
- public ReadObject(byte[] object_id, int offset, int len)
+ public ReadObjectAPDU(byte[] object_id, int offset, int len)
{
setCLA((byte) 0x84);
setINS((byte) 0x56);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/Select.java b/base/common/src/org/dogtagpki/tps/apdu/SelectAPDU.java
index f01c00147..d0b492590 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/Select.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/SelectAPDU.java
@@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class Select extends APDU {
- public Select(byte p1, byte p2, TPSBuffer theData)
+public class SelectAPDU extends APDU {
+ public SelectAPDU(byte p1, byte p2, TPSBuffer theData)
{
setCLA((byte) 0x00);
setINS((byte) 0xa4);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfo.java b/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfoAPDU.java
index 316a0fd52..40ea1b1ac 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfo.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfoAPDU.java
@@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class SetIssuerInfo extends APDU {
+public class SetIssuerInfoAPDU extends APDU {
/**
* Constructs SetIssuer APDU.
*
@@ -45,7 +45,7 @@ public class SetIssuerInfo extends APDU {
* @param data issuer info
* @see APDU
*/
- public SetIssuerInfo(byte p1, byte p2, TPSBuffer theData)
+ public SetIssuerInfoAPDU(byte p1, byte p2, TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0xF4);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/SetPin.java b/base/common/src/org/dogtagpki/tps/apdu/SetPinAPDU.java
index 8911c40dd..ddf46cd27 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/SetPin.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/SetPinAPDU.java
@@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class SetPin extends APDU {
+public class SetPinAPDU extends APDU {
/**
* Constructs SetPin APDU.
*
@@ -45,7 +45,7 @@ public class SetPin extends APDU {
* @param data pin
* @see APDU
*/
- public SetPin(byte p1, byte p2, TPSBuffer theData)
+ public SetPinAPDU(byte p1, byte p2, TPSBuffer theData)
{
setCLA((byte) 0x84);
setINS((byte) 0x04);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/UnblockPin.java b/base/common/src/org/dogtagpki/tps/apdu/UnblockPinAPDU.java
index 620698c00..ae2486fa5 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/UnblockPin.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/UnblockPinAPDU.java
@@ -20,11 +20,11 @@
*/
package org.dogtagpki.tps.apdu;
-public class UnblockPin extends APDU {
+public class UnblockPinAPDU extends APDU {
/**
* Constructs Unblock Pin APDU.
*/
- public UnblockPin()
+ public UnblockPinAPDU()
{
setCLA((byte) 0x84);
setINS((byte) 0x02);
diff --git a/base/common/src/org/dogtagpki/tps/apdu/WriteObject.java b/base/common/src/org/dogtagpki/tps/apdu/WriteObjectAPDU.java
index bf64949ae..e8e4d63fa 100644
--- a/base/common/src/org/dogtagpki/tps/apdu/WriteObject.java
+++ b/base/common/src/org/dogtagpki/tps/apdu/WriteObjectAPDU.java
@@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu;
import org.dogtagpki.tps.main.TPSBuffer;
-public class WriteObject extends APDU {
+public class WriteObjectAPDU extends APDU {
/**
* Constructs Write Buffer APDU. This APDU is usually sent right after
* the Create_Object_APDU is sent. This APDU writes the actual object
@@ -60,7 +60,7 @@ public class WriteObject extends APDU {
* @param data
* @see APDU
*/
- public WriteObject(byte[] object_id, int offset, TPSBuffer data)
+ public WriteObjectAPDU(byte[] object_id, int offset, TPSBuffer data)
{
if (object_id.length != 4) {
return;
diff --git a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
index 1df8716fc..03ec46092 100644
--- a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
+++ b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java
@@ -95,13 +95,20 @@ public class TPSBuffer {
}
public byte at(int i) {
- if (i < 0 || i > size()) {
+ if (i < 0 || i >= size()) {
return 0x0;
}
return buf[i];
}
+ public void setAt(int i, byte value) {
+ if (i < 0 || i >= size())
+ return;
+
+ buf[i] = value;
+ }
+
/**
* Returns true if the two buffers are the same length and contain
* the same byte at each offset.
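Review bot: The new `setAt` silently ignores an out-of-range index with a bare `return`, mirroring the silent `0x0` that `at()` returns, and both are now the primitives that `Util.computeMAC` in this same commit uses to build and XOR the MAC block (`result.setAt(i, …)`, `result.at(i)`); an indexing slip there would yield a deterministic but wrong MAC instead of an error. Consider `throw new IndexOutOfBoundsException("TPSBuffer.setAt: index " + i + " size " + size());` in place of the bare `return`, or at minimum a comment on both methods stating that out-of-range accesses are ignored so callers know they must validate indices themselves.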
@@ -126,6 +133,13 @@ public class TPSBuffer {
addBytes(addBytes);
}
+ public void set(TPSBuffer newContents) {
+ if (newContents == null)
+ return;
+
+ buf = newContents.toBytesArray();
+ }
+
/**
* Append operators.
*/
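Review bot: `set(TPSBuffer newContents)` assigns `buf = newContents.toBytesArray()` directly; if `toBytesArray()` hands back the backing array rather than a copy (its body is not visible here), the two buffers then share storage and a later `setAt` on either mutates both — `SecureChannel.computeAPDUMac` does exactly `icv.set(newMac)` and `Util.computeMAC` then XORs into a buffer constructed from `icv`. A defensive `buf = newContents.toBytesArray().clone();` removes the question regardless of what `toBytesArray()` does. The silent return on a null argument also deserves a comment, since a caller's ICV would then simply fail to advance.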
@@ -233,6 +247,7 @@ public class TPSBuffer {
result.append(HEX_DIGITS.charAt((c & 0xF0) >> 4));
result.append(HEX_DIGITS.charAt(c & 0x0F));
+ result.append("%");
}
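Review bot: The added `result.append("%")` changes the output format of whatever hex-dump method this loop belongs to (its signature is outside the hunk) so that every byte pair is followed by a "%", including a dangling one after the last byte, and nothing in the commit says why. If this is the `toHexString()` that the new `CMS.debug` lines in `SecureChannel` call, a comment such as `// "%" separator after each byte; debug-log format only, never parsed` would keep the next maintainer from "fixing" it; if the string is ever parsed, the trailing "%" will need handling.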
diff --git a/base/common/src/org/dogtagpki/tps/main/Util.java b/base/common/src/org/dogtagpki/tps/main/Util.java
index aba6c6e1d..bef425215 100644
--- a/base/common/src/org/dogtagpki/tps/main/Util.java
+++ b/base/common/src/org/dogtagpki/tps/main/Util.java
@@ -23,23 +23,30 @@ package org.dogtagpki.tps.main;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
+import java.security.spec.AlgorithmParameterSpec;
-import com.netscape.cmsutil.util.Utils;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.Cipher;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
+import org.mozilla.jss.crypto.IVParameterSpec;
+import org.mozilla.jss.pkcs11.PK11SymKey;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.cmsutil.util.Utils;
public class Util {
public Util() {
}
- public static byte[] str2ByteArray (String s) {
+ public static byte[] str2ByteArray(String s) {
int len = s.length() / 2;
+ byte[] ret = new byte[len];
- byte[] ret = new byte[len];
-
- for (int i = 0; i < len; i ++) {
- ret[i] = (byte) ((byte) Util.hexToBin(s.charAt(i*2)) * 16 + Util.hexToBin(s.charAt(i*2+1)));
+ for (int i = 0; i < len; i++) {
+ ret[i] = (byte) ((byte) Util.hexToBin(s.charAt(i * 2)) * 16 + Util.hexToBin(s.charAt(i * 2 + 1)));
}
return ret;
@@ -127,13 +134,152 @@ public class Util {
return result.toString();
}
+ public static String specialURLEncode(TPSBuffer data) {
+ return specialURLEncode(data.toBytesArray());
+ }
+
+ public static String specialURLEncode(byte data[]) {
+ StringBuffer sb = new StringBuffer();
+ for (int i = 0; i < data.length; i++) {
+ sb.append("#");
+ if ((data[i] & 0xff) < 16) {
+ sb.append("0");
+ }
+ sb.append(Integer.toHexString((data[i] & 0xff)));
+ }
+
+ return sb.toString().toUpperCase();
+ }
+
public static String specialEncode(TPSBuffer data) {
return Utils.SpecialEncode(data.toBytesArray());
}
+
+ public static TPSBuffer computeMAC(PK11SymKey symKey, TPSBuffer input, TPSBuffer icv) throws EBaseException {
+ TPSBuffer output = null;
+ TPSBuffer result = null;
+
+ int inputLen = input.size();
+
+ if (symKey == null || input == null || icv == null || icv.size() != 8) {
+ throw new EBaseException("Util.computeMAC: invalid input data!");
+ }
+
+ TPSBuffer macPad = new TPSBuffer(8);
+ macPad.setAt(0, (byte) 0x80);
+
+ CryptoToken token = null;
+
+ try {
+
+ token = CryptoManager.getInstance().getInternalKeyStorageToken();
+
+ Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_ECB);
+ result = new TPSBuffer(icv);
+
+ /* Process whole blocks */
+ int inputOffset = 0;
+ while (inputLen >= 8)
+ {
+ for (int i = 0; i < 8; i++)
+ {
+ //Xor implicitly converts bytes to ints, we convert answer back to byte.
+ byte a = (byte) (result.at(i) ^ input.at(inputOffset + i));
+ result.setAt(i, a);
+ }
+ cipher.initEncrypt(symKey);
+ byte[] ciphResult = cipher.doFinal(result.toBytesArray());
+
+ if (ciphResult.length != result.size()) {
+ throw new EBaseException("Invalid cipher in Util.computeMAC");
+ }
+
+ result = new TPSBuffer(ciphResult);
+
+ inputLen -= 8;
+ inputOffset += 8;
+ }
+
+ /*
+ * Fold in remaining data (if any)
+ * Set i to number of bytes processed
+ */
+ int i = 0;
+ for (i = 0; i < inputLen; i++)
+ {
+ byte a = (byte) (result.at(i) ^ input.at(i + inputOffset));
+ result.setAt(i, a);
+ }
+
+ /*
+ * Fill remainder of last block. There
+ * will be at least one byte handled here.
+ */
+
+ //Start at the beginning of macPad
+ // Keep going with i in result where we left off.
+ int padOffset = 0;
+ while (i < 8)
+ {
+ byte a = (byte) (result.at(i) ^ macPad.at(padOffset++));
+ result.setAt(i, a);
+ i++;
+ }
+
+ cipher.initEncrypt(symKey);
+ byte[] ciphResultFinal = cipher.doFinal(result.toBytesArray());
+
+ if (ciphResultFinal.length != result.size()) {
+ throw new EBaseException("Invalid cipher in Util.computeMAC");
+ }
+
+ output = new TPSBuffer(ciphResultFinal);
+
+ } catch (Exception e) {
+ throw new EBaseException("Util.computeMAC: Cryptographic problem encountered! " + e.toString());
+ }
+
+ return output;
+ }
+
public static TPSBuffer specialDecode(String str) {
- byte[] data = Utils.SpecialDecode(str);
+ byte[] data = uriDecodeFromHex(str);
TPSBuffer tbuf = new TPSBuffer(data);
return tbuf;
}
+
+ public static TPSBuffer encryptData(TPSBuffer dataToEnc, PK11SymKey encKey) throws EBaseException {
+
+ TPSBuffer encrypted = null;
+ if (encKey == null || dataToEnc == null) {
+ throw new EBaseException("Util.encryptData: called with no sym key or no data!");
+ }
+
+ CryptoToken token = null;
+ try {
+
+ token = CryptoManager.getInstance().getInternalKeyStorageToken();
+ Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC);
+
+ AlgorithmParameterSpec algSpec = null;
+
+ int len = EncryptionAlgorithm.DES3_CBC.getIVLength();
+ byte[] iv = new byte[len]; // Assume iv set to 0's as in current TPS
+
+ algSpec = new IVParameterSpec(iv);
+ cipher.initEncrypt(encKey, algSpec);
+
+ byte[] encryptedBytes = cipher.doFinal(dataToEnc.toBytesArray());
+
+ encrypted = new TPSBuffer(encryptedBytes);
+
+ } catch (Exception e) {
+ throw new EBaseException("Util.encryptData: problem encrypting data: " + e.toString());
+ }
+
+ return encrypted;
+
+ }
+
}
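Review bot: In `computeMAC`, `int inputLen = input.size();` executes before the `input == null` check, so a null input surfaces as a NullPointerException rather than the intended `EBaseException`; move that line below the guard. Both `computeMAC` and `encryptData` catch `Exception` and rethrow with only `e.toString()` folded into the message, which discards the stack trace of the underlying JSS failure — if `EBaseException` offers a cause-taking constructor, pass `e` through. The all-zero IV in `encryptData` is justified only by "as in current TPS"; stating the real reason (presumably the secure-channel protocol fixes the ICV for command encryption) would stop a later reader from substituting a random IV that the token cannot match — confirm against the protocol specification the channel implements.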
diff --git a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java
index 433338bc5..e27f98416 100644
--- a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java
+++ b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java
@@ -18,7 +18,7 @@
package org.dogtagpki.tps.msg;
import org.dogtagpki.tps.apdu.APDU;
-import org.dogtagpki.tps.apdu.Select;
+import org.dogtagpki.tps.apdu.SelectAPDU;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.Util;
@@ -44,13 +44,13 @@ public class TokenPDURequest extends TPSMessage {
public static void main(String[] args) {
- Select apdu = null;
+ SelectAPDU apdu = null;
byte[] select_aid = { (byte) 0xa0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0 };
TPSBuffer select = new TPSBuffer(select_aid);
- apdu = new Select((byte) 0x4, (byte) 0x0, select);
+ apdu = new SelectAPDU((byte) 0x4, (byte) 0x0, select);
TokenPDURequest request = new TokenPDURequest(apdu);
diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.cpp b/base/symkey/src/com/netscape/symkey/SessionKey.cpp
index 0878e26dd..9f3a353a3 100644
--- a/base/symkey/src/com/netscape/symkey/SessionKey.cpp
+++ b/base/symkey/src/com/netscape/symkey/SessionKey.cpp
@@ -1843,6 +1843,199 @@ finish:
return handleBA;
}
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/*
+ * Class: com_netscape_cms_servlet_tks_UnwrapSessionKeyWithSharedSecret
+ * Method: UnwrapSessionKeyWithSharedSecret
+ * Signature: ([B[B[B[B)[B
+ */
+ JNIEXPORT jobject JNICALL
+ Java_com_netscape_symkey_SessionKey_
+ (JNIEnv*, jclass, jstring, jobject,jbyteArray);
+#ifdef __cplusplus
+}
+#endif
+extern "C" JNIEXPORT jobject JNICALL
+Java_com_netscape_symkey_SessionKey_UnwrapSessionKeyWithSharedSecret
+(JNIEnv* env, jclass this2, jstring tokenName, jobject sharedSecretKey,jbyteArray sessionKeyBA)
+{
+ jobject keyObj = NULL;
+ PK11SymKey *sessionKey = NULL;
+ PK11SymKey *sharedSecret = NULL;
+ PK11SymKey *finalKey = NULL;
+ PK11SlotInfo *slot = NULL;
+ char *tokenNameChars = NULL;
+ PRStatus r = PR_FAILURE;
+ int sessionKeyLen = 0;
+ jbyte *sessionKeyBytes = NULL;
+ SECItem *SecParam = PK11_ParamFromIV(CKM_DES3_ECB, NULL);
+ SECItem wrappedItem = {siBuffer , NULL, 0 };
+
+ PR_fprintf(PR_STDOUT,"In SessionKey.UnwrapSessionKeyWithSharedSecret!\n");
+
+ if( sharedSecretKey == NULL || sessionKeyBA == NULL) {
+ goto loser;
+ }
+
+ if (tokenName)
+ {
+ tokenNameChars = (char *)(env)->GetStringUTFChars(tokenName, NULL);
+ if ( tokenNameChars && !strcmp(tokenNameChars, "internal")) {
+ slot = PK11_GetInternalSlot();
+ } else {
+ slot = ReturnSlot(tokenNameChars);
+ }
+
+ PR_fprintf(PR_STDOUT,"SessionKey.UnwrapSessionKeyWithSharedSecret slot %p name %s tokenName %s \n",slot, PK11_GetSlotName(slot), PK11_GetTokenName(slot));
+ (env)->ReleaseStringUTFChars(tokenName, (const char *)tokenNameChars);
+ } else {
+ slot = PK11_GetInternalKeySlot();
+ }
+
+ if(slot == NULL) {
+ goto loser;
+ }
+
+ sessionKeyBytes = (jbyte *)(env)->GetByteArrayElements(sessionKeyBA, NULL);
+ sessionKeyLen = (env)->GetArrayLength(sessionKeyBA);
+
+ if(sessionKeyBytes == NULL) {
+ goto loser;
+ }
+
+ r = JSS_PK11_getSymKeyPtr(env, sharedSecretKey, &sharedSecret);
+
+ if (r != PR_SUCCESS) {
+ PR_fprintf(PR_STDOUT,"SessionKey: UnwrapSessionKeyWithSharedSecret Unable to get input shared secret sym key! \n");
+ goto loser;
+ }
+
+ wrappedItem.data = (unsigned char *) sessionKeyBytes;
+ wrappedItem.len = sessionKeyLen;
+
+ sessionKey = PK11_UnwrapSymKey(sharedSecret,
+ CKM_DES3_ECB,SecParam, &wrappedItem,
+ CKM_DES3_ECB,
+ CKA_UNWRAP,
+ 16);
+
+ PR_fprintf(PR_STDOUT,"SessionKey: UnwrapSessionKeyWithSharedSecret symKey: %p \n",sessionKey);
+
+ if(sessionKey == NULL) {
+ PR_fprintf(PR_STDOUT,"SessionKey:UnwrapSessionKeyWithSharedSecret Error unwrapping a session key! \n");
+ goto loser;
+ }
+
+ // Done to be compat with current system. Current TPS does this.
+ finalKey = CreateDesKey24Byte(slot, sessionKey);
+
+ if(finalKey == NULL) {
+ PR_fprintf(PR_STDOUT,"SessionKey:UnwrapSessionKeyWithSharedSecret Error final unwrapped key! \n");
+ goto loser;
+
+ }
+
+ /* wrap the sesssion in java object. */
+ keyObj = JSS_PK11_wrapSymKey(env, &finalKey, NULL);
+
+loser:
+
+ if ( slot != NULL ) {
+ PK11_FreeSlot( slot);
+ slot = NULL;
+ }
+
+ if ( sessionKeyBA != NULL) {
+ (env)->ReleaseByteArrayElements( sessionKeyBA, sessionKeyBytes, 0);
+ }
+
+ if(sessionKey) {
+ PK11_FreeSymKey(sessionKey);
+ sessionKey = NULL;
+ }
+
+ // Don't free finalKey ptr because wrapping routine takes that out of our hands.
+
+ return keyObj;
+}
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/*
+ * Class: com_netscape_cms_servlet_tks_GetSymKeyByName
+ * Method: GetSymKeyByName
+ * Signature: ([B[B[B[B)[B
+ */
+ JNIEXPORT jobject JNICALL
+ Java_com_netscape_symkey_SessionKey_GetSymKeyByName
+ (JNIEnv*, jclass, jstring, jstring);
+#ifdef __cplusplus
+}
+#endif
+extern "C" JNIEXPORT jobject JNICALL
+Java_com_netscape_symkey_SessionKey_GetSymKeyByName
+(JNIEnv* env, jclass this2, jstring tokenName, jstring keyName)
+{
+
+ jobject keyObj = NULL;
+ PK11SymKey *key = NULL;
+ char *tokenNameChars = NULL;
+ char *keyNameChars = NULL;
+ PK11SlotInfo *slot = NULL;
+ CK_OBJECT_HANDLE keyhandle = 0;
+
+ PR_fprintf(PR_STDOUT,"In SessionKey GetSymKeyByName!\n");
+
+ if (keyName) {
+ keyNameChars = (char *)(env)->GetStringUTFChars(keyName,NULL);
+ }
+
+ if (tokenName)
+ {
+ tokenNameChars = (char *)(env)->GetStringUTFChars(tokenName, NULL);
+ if ( tokenNameChars && !strcmp(tokenNameChars, "internal")) {
+ slot = PK11_GetInternalSlot();
+ } else {
+ slot = ReturnSlot(tokenNameChars);
+ }
+
+ PR_fprintf(PR_STDOUT,"SessionKey: GetSymKeyByName slot %p name %s tokenName %s keyName %s \n",slot, PK11_GetSlotName(slot), PK11_GetTokenName(slot),keyNameChars);
+ (env)->ReleaseStringUTFChars(tokenName, (const char *)tokenNameChars);
+ } else {
+ slot = PK11_GetInternalKeySlot();
+ }
+
+ if(slot == NULL)
+ goto finish;
+
+ key = ReturnSymKey( slot, keyNameChars);
+
+ PR_fprintf(PR_STDOUT,"SessionKey: GetSymKeyByName returned key %p \n",key);
+ if (key == NULL) {
+ goto finish;
+ }
+
+ /* wrap the symkey in java object. */
+ keyObj = JSS_PK11_wrapSymKey(env, &key, NULL);
+
+finish:
+
+ if (keyName) {
+ (env)->ReleaseStringUTFChars(keyName, (const char *)keyNameChars);
+ }
+
+ if(slot) {
+ PK11_FreeSlot(slot);
+ slot = NULL;
+ }
+
+ return keyObj;
+}
#ifdef __cplusplus
extern "C"
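Review bot: In `UnwrapSessionKeyWithSharedSecret` the debug `PR_fprintf` passes `slot` to `PK11_GetSlotName(slot)` and `PK11_GetTokenName(slot)` before the `slot == NULL` check that follows it, so a token name that `ReturnSlot` cannot resolve dereferences NULL instead of reaching `loser`; `GetSymKeyByName` has the same ordering ahead of its `goto finish`. Move the NULL check above the print in both, or drop `slot` from the format. `SecParam` from `PK11_ParamFromIV(CKM_DES3_ECB, NULL)` is never released; add `if (SecParam) SECITEM_FreeItem(SecParam, PR_TRUE);` under `loser`. The forward declaration above the first function is named `Java_com_netscape_symkey_SessionKey_` and its comment block refers to `com_netscape_cms_servlet_tks_…` with a `([B[B[B[B)[B` signature — none of which match the function actually defined below it; either correct the declaration and comment or remove them, and `keyhandle` in `GetSymKeyByName` is unused.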
diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.java b/base/symkey/src/com/netscape/symkey/SessionKey.java
index 47f9385f7..56782aad9 100644
--- a/base/symkey/src/com/netscape/symkey/SessionKey.java
+++ b/base/symkey/src/com/netscape/symkey/SessionKey.java
@@ -75,47 +75,47 @@ public class SessionKey {
public static native byte[] ComputeKeyCheck(PK11SymKey desKey); /* byte data[] ); */
public static native byte[] ComputeSessionKey(String tokenName,
- String keyName,
- byte[] card_challenge,
- byte[] host_challenge,
- byte[] keyInfo,
- byte[] CUID,
- byte[] macKeyArray,
- String useSoftToken,
- String keySet,
- String sharedSecretKeyName);
+ String keyName,
+ byte[] card_challenge,
+ byte[] host_challenge,
+ byte[] keyInfo,
+ byte[] CUID,
+ byte[] macKeyArray,
+ String useSoftToken,
+ String keySet,
+ String sharedSecretKeyName);
public static native byte[] ComputeEncSessionKey(String tokenName,
- String keyName,
- byte[] card_challenge,
- byte[] host_challenge,
- byte[] keyInfo,
- byte[] CUID,
- byte[] encKeyArray,
- String useSoftToken,
- String keySet);
+ String keyName,
+ byte[] card_challenge,
+ byte[] host_challenge,
+ byte[] keyInfo,
+ byte[] CUID,
+ byte[] encKeyArray,
+ String useSoftToken,
+ String keySet);
public static native PK11SymKey ComputeKekSessionKey(String tokenName,
- String keyName,
- byte[] card_challenge,
- byte[] host_challenge,
- byte[] keyInfo,
- byte[] CUID,
- byte[] kekKeyArray,
- String useSoftToken,
- String keySet);
+ String keyName,
+ byte[] card_challenge,
+ byte[] host_challenge,
+ byte[] keyInfo,
+ byte[] CUID,
+ byte[] kekKeyArray,
+ String useSoftToken,
+ String keySet);
public static native PK11SymKey ComputeKekKey(String tokenName,
- String keyName,
- byte[] card_challenge,
- byte[] host_challenge,
- byte[] keyInfo,
- byte[] CUID,
- byte[] kekKeyArray,
- String useSoftToken, String keySet);
+ String keyName,
+ byte[] card_challenge,
+ byte[] host_challenge,
+ byte[] keyInfo,
+ byte[] CUID,
+ byte[] kekKeyArray,
+ String useSoftToken, String keySet);
public static native byte[] ECBencrypt(PK11SymKey key,
- PK11SymKey desKey); //byte[] data );
+ PK11SymKey desKey); //byte[] data );
public static native PK11SymKey GenerateSymkey(String tokenName);
@@ -126,42 +126,52 @@ public class SessionKey {
// public static native PK11SymKey bytes2PK11SymKey( byte[] symKeyBytes );
public static native byte[] ComputeCryptogram(String tokenName,
- String keyName,
- byte[] card_challenge,
- byte[] host_challenge,
- byte[] keyInfo,
- byte[] CUID,
- int type,
- byte[] authKeyArray,
- String useSoftToken, String keySet);
+ String keyName,
+ byte[] card_challenge,
+ byte[] host_challenge,
+ byte[] keyInfo,
+ byte[] CUID,
+ int type,
+ byte[] authKeyArray,
+ String useSoftToken, String keySet);
public static native byte[] EncryptData(String tokenName,
- String keyName,
- byte[] in,
- byte[] keyInfo,
- byte[] CUID,
- byte[] kekKeyArray,
- String useSoftToken, String keySet);
+ String keyName,
+ byte[] in,
+ byte[] keyInfo,
+ byte[] CUID,
+ byte[] kekKeyArray,
+ String useSoftToken, String keySet);
public static native byte[] DiversifyKey(String tokenName,
- String newTokenName,
- String oldMasterKeyName,
- String newMasterKeyName,
- String keyInfo,
- byte[] CUIDValue,
- byte[] kekKeyArray,
- String useSoftToken, String keySet);
+ String newTokenName,
+ String oldMasterKeyName,
+ String newMasterKeyName,
+ String keyInfo,
+ byte[] CUIDValue,
+ byte[] kekKeyArray,
+ String useSoftToken, String keySet);
// internal calls from config TKS keys tab
public static native String GenMasterKey(String token,
- String keyName);
+ String keyName);
public static native String DeleteSymmetricKey(String token,
- String keyName);
+ String keyName);
public static native String ListSymmetricKeys(String token);
// set when called from the config TKS tab to create master key
// get when called from the RA to create session key
public static native void SetDefaultPrefix(String masterPrefix);
+
+ // Functions that the TPS may use during processing to manipulate sym keys in such a way not available in JSS
+
+ // Return a names Sym Key, in this case will be the shared secret in practice.
+ public static native PK11SymKey GetSymKeyByName(String tokenName, String keyName);
+
+ // TKS sends over the session key(s) wrapped with shared secret. TPS now does this unwrapping and creates the session keys
+ // with functionality only available now in NSS. This is all to preserve exact functional parity with the current TKS.
+ public static native PK11SymKey UnwrapSessionKeyWithSharedSecret(String tokenName, PK11SymKey sharedSecret,
+ byte[] sessionKeyArray);
}
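Review bot: The two new native declarations say nothing about their failure contract, yet the C++ side of this commit returns NULL from `UnwrapSessionKeyWithSharedSecret` and `GetSymKeyByName` on every error path (unresolvable slot, missing key, failed unwrap), so Java callers receive `null` rather than an exception. A Javadoc on each such as `@return the key, or {@code null} if the token, key name or wrapped blob could not be resolved; callers must null-check` would make that explicit. The comment "Return a names Sym Key" should read "named".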
diff --git a/base/symkey/src/com/netscape/symkey/SymKey.cpp b/base/symkey/src/com/netscape/symkey/SymKey.cpp
index c300d1ada..758156677 100644
--- a/base/symkey/src/com/netscape/symkey/SymKey.cpp
+++ b/base/symkey/src/com/netscape/symkey/SymKey.cpp
@@ -140,7 +140,6 @@ PK11SymKey * ReturnSymKey( PK11SlotInfo *slot, char *keyname)
pwdata.source = secuPWData::PW_NONE;
pwdata.data = (char *) NULL;
- PR_fprintf(PR_STDOUT,"In ReturnSymKey name %s \n",keyname);
if (keyname == NULL)
{
goto cleanup;
@@ -186,6 +185,102 @@ PK11SymKey * ReturnSymKey( PK11SlotInfo *slot, char *keyname)
return foundSymKey;
}
+PK11SymKey *CreateDesKey24Byte(PK11SlotInfo *slot, PK11SymKey *origKey) {
+
+ PK11SymKey *newKey = NULL;
+
+ CK_OBJECT_HANDLE keyhandle = 0;
+ PK11SymKey *firstEight = NULL;
+ PK11SymKey *concatKey = NULL;
+ PK11SymKey *internalOrigKey = NULL;
+ CK_ULONG bitPosition = 0;
+ SECItem paramsItem = { siBuffer, NULL, 0 };
+
+ PK11SlotInfo *internal = PK11_GetInternalSlot();
+ if ( slot == NULL || origKey == NULL || internal == NULL )
+ goto loser;
+
+ PR_fprintf(PR_STDOUT,"In SessionKey CreateDesKey24Bit!\n");
+
+ if( internal != slot ) { //Make sure we do this on the NSS Generic Crypto services because concatanation
+ PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Input key not on internal slot!\n");
+ internalOrigKey = PK11_MoveSymKey( internal, CKA_ENCRYPT, 0, PR_FALSE, origKey );
+ if(internalOrigKey == NULL) {
+ PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Can't move input key to internal!\n");
+ goto loser;
+ }
+ }
+
+ // Extract first eight bytes from generated key into another key.
+ bitPosition = 0;
+ paramsItem.data = (CK_BYTE *) &bitPosition;
+ paramsItem.len = sizeof bitPosition;
+
+
+ if ( internalOrigKey)
+ firstEight = PK11_Derive(internalOrigKey, CKM_EXTRACT_KEY_FROM_KEY, &paramsItem, CKA_ENCRYPT , CKA_DERIVE, EIGHT_BYTES);
+ else
+ firstEight = PK11_Derive(origKey, CKM_EXTRACT_KEY_FROM_KEY, &paramsItem, CKA_ENCRYPT , CKA_DERIVE, EIGHT_BYTES);
+
+ if (firstEight == NULL ) {
+ PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Can't extract first 8 bits of input key!\n");
+ goto loser;
+ }
+
+ //Concatenate 8 byte key to the end of the original key, giving new 24 byte key
+ keyhandle = PK11_GetSymKeyHandle(firstEight);
+
+ paramsItem.data=(unsigned char *) &keyhandle;
+ paramsItem.len=sizeof(keyhandle);
+
+ if ( internalOrigKey ) {
+ concatKey = PK11_Derive ( internalOrigKey , CKM_CONCATENATE_BASE_AND_KEY , &paramsItem ,CKM_DES3_ECB , CKA_DERIVE , 0);
+ } else {
+ concatKey = PK11_Derive ( origKey , CKM_CONCATENATE_BASE_AND_KEY , &paramsItem ,CKM_DES3_ECB , CKA_DERIVE , 0);
+ }
+
+ if ( concatKey == NULL ) {
+ PR_fprintf(PR_STDOUT,"CreateDesKey24Bit: error concatenating 8 bytes on end of key.");
+ goto loser;
+ }
+
+ //Make sure we move this to the proper token, in case it got moved by NSS
+ //during the derive phase.
+
+ newKey = PK11_MoveSymKey ( slot, CKA_ENCRYPT, 0, PR_FALSE, concatKey);
+
+ if ( newKey == NULL ) {
+ PR_fprintf(PR_STDOUT,"CreateDesKey24Bit: error moving key to original slot.");
+ }
+
+loser:
+
+
+ if ( concatKey != NULL ) {
+ PK11_FreeSymKey( concatKey );
+ concatKey = NULL;
+ }
+
+ if ( firstEight != NULL ) {
+ PK11_FreeSymKey ( firstEight );
+ firstEight = NULL;
+ }
+
+ if ( internalOrigKey != NULL ) {
+ PK11_FreeSymKey ( internalOrigKey );
+ internalOrigKey = NULL;
+ }
+
+ //Caller will free the slot input slot object
+
+ if ( internal != NULL ) {
+ PK11_FreeSlot( internal);
+ internal = NULL;
+ }
+
+ return newKey;
+}
+
extern "C" JNIEXPORT jstring
JNICALL Java_com_netscape_symkey_SessionKey_DeleteKey(JNIEnv * env, jclass this2, jstring tokenName, jstring keyName)
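Review bot: `CreateDesKey24Byte` has no header comment, and the inline remark "Make sure we do this on the NSS Generic Crypto services because concatanation" stops mid-sentence, so what the function builds is only recoverable from the two `PK11_Derive` calls. A header along the lines of `/* Extend a 16-byte 3DES key to 24 bytes by appending its own first 8 bytes (K1|K2|K1), kept for parity with the current TPS. Derivation runs on the internal slot and the result is moved back to 'slot'. Returns NULL on failure; the caller owns the returned key and the input slot. */` would cover it. Every diagnostic in the body also says `CreateDesKey24Bit` while the function is `CreateDesKey24Byte`, which makes the logs harder to correlate with the code than necessary.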
diff --git a/base/symkey/src/com/netscape/symkey/SymKey.h b/base/symkey/src/com/netscape/symkey/SymKey.h
index 5a53d48c9..efe187075 100644
--- a/base/symkey/src/com/netscape/symkey/SymKey.h
+++ b/base/symkey/src/com/netscape/symkey/SymKey.h
@@ -47,6 +47,7 @@ PK11SlotInfo *ReturnSlot(char *tokenNameChars);
PK11SymKey *ComputeCardKey(PK11SymKey *masterKey, unsigned char *data, PK11SlotInfo *slot);
PK11SymKey *CreateUnWrappedSymKeyOnToken( PK11SlotInfo *slot, PK11SymKey * unWrappingKey, BYTE *keyToBeUnWrapped, int sizeOfKeyToBeUnWrapped, PRBool isPerm);
PK11SymKey *ReturnDeveloperSymKey(PK11SlotInfo *slot, char *keyType, char *keySet, Buffer &inputKey);
+PK11SymKey *CreateDesKey24Byte(PK11SlotInfo *slot, PK11SymKey *origKey);
char *GetSharedSecretKeyName(char *newKeyName);
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index 6ebb93b67..e2976ca7f 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -17,22 +17,178 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server.tps.channel;
+import java.io.IOException;
+
+import org.dogtagpki.server.tps.processor.TPSProcessor;
+import org.dogtagpki.tps.apdu.APDU;
+import org.dogtagpki.tps.apdu.APDUResponse;
+import org.dogtagpki.tps.apdu.DeleteFileAPDU;
+import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU;
+import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel;
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.dogtagpki.tps.main.TPSException;
+import org.dogtagpki.tps.main.Util;
+import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+import org.mozilla.jss.pkcs11.PK11SymKey;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+
public class SecureChannel {
- public enum SecurityLevel {
- SECURE_MSG_ANY ,
- SECURE_MSG_MAC ,
- SECURE_MSG_NONE , // not yet supported
- SECURE_MSG_MAC_ENC
- }
+ // Have not written all code to use all of these as of yet.
+
+ private TPSProcessor processor;
+ private PK11SymKey sessionKey;
+ private PK11SymKey encSessionKey;
+ private TPSBuffer drmDesKey;
+ private TPSBuffer kekDesKey;
+ private TPSBuffer keyCheck;
+ private TPSBuffer keyDiversificationData;
+ private TPSBuffer cardChallenge;
+ private TPSBuffer cardCryptogram;
+ private TPSBuffer hostChallenge;
+ private TPSBuffer hostCryptogram;
+ private TPSBuffer icv;
+ private SecurityLevel secLevel;
+
+ public SecureChannel(TPSProcessor processor, PK11SymKey sessionKey, PK11SymKey encSessionKey, TPSBuffer drmDesKey,
+ TPSBuffer kekDesKey, TPSBuffer keyCheck, TPSBuffer keyDiversificationData, TPSBuffer cardChallenge,
+ TPSBuffer cardCryptogram, TPSBuffer hostChallenge, TPSBuffer hostCryptogram) throws TPSException {
- public SecureChannel() {
+ if (processor == null || sessionKey == null | encSessionKey == null || keyDiversificationData == null
+ || cardChallenge == null || cardCryptogram == null || hostChallenge == null || hostCryptogram == null) {
+ throw new TPSException("SecureChannel.SecureChannel: Invalid data in constructor!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ this.processor = processor;
+ this.sessionKey = sessionKey;
+ this.encSessionKey = encSessionKey;
+ this.drmDesKey = drmDesKey;
+ this.kekDesKey = kekDesKey;
+ this.keyCheck = keyCheck;
+ this.keyDiversificationData = keyDiversificationData;
+ this.cardChallenge = cardChallenge;
+ this.cardCryptogram = cardCryptogram;
+ this.hostChallenge = hostChallenge;
+ this.hostCryptogram = hostCryptogram;
+ this.icv = new TPSBuffer(8);
+
+ this.secLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
+ //ToDo: Write method that reads this from the config
}
public static void main(String[] args) {
- // TODO Auto-generated method stub
+ }
+
+ public void externalAuthenticate() throws TPSException, IOException {
+
+ CMS.debug("SecureChannel.externalAuthenticate: entering.");
+
+ ExternalAuthenticateAPDU externalAuth = new ExternalAuthenticateAPDU(hostCryptogram,
+ secLevel);
+
+ computeAPDUMac(externalAuth);
+
+ APDUResponse response = processor.handleAPDURequest(externalAuth);
+
+ if (!response.checkResult()) {
+ throw new TPSException("SecureChannel.eternalAuthenticate. Failed to external authenticate to token.",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ CMS.debug("SecureChannel.externalAuthenticate: Successfully completed, exiting ...");
+
+ }
+
+ //This method computes the mac AND encryption if needed.
+ private void computeAPDU(APDU apdu) throws TPSException {
+
+ CMS.debug("SecureChannel.computeAPDU: entering..");
+
+ if (apdu == null) {
+ throw new TPSException("SecureChannel.computeAPDU: bad input apdu!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ computeAPDUMac(apdu);
+
+ if (secLevel == SecurityLevel.SECURE_MSG_MAC_ENC) {
+ try {
+ // CMS.debug("SecureChannel.computeAPDU: Before encryption data value: " + apdu.getData().toHexString());
+ apdu.secureMessage(encSessionKey);
+ // CMS.debug("SecureChannel.computeAPDU: After encryption data value: " + apdu.getData().toHexString());
+ } catch (EBaseException e) {
+ throw new TPSException("SecureChannel.computeAPDU: Can't encrypt outgoing data! " + e);
+ }
+
+ CMS.debug("SecureChannel.computeAPDU: Successfully encrypted apdu data.");
+ }
+ }
+
+ // This method computes MAC only.
+ private void computeAPDUMac(APDU apdu) throws TPSException {
+ TPSBuffer newMac = null;
+ TPSBuffer data = null;
+
+ if (apdu == null) {
+ throw new TPSException("SecureChannel.computeAPDUMac: bad input apdu!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ data = apdu.getDataToMAC();
+
+ CMS.debug("SecureChannel.computeAPDUMac: data To MAC: " + data.toHexString());
+
+ try {
+ newMac = Util.computeMAC(sessionKey, data, icv);
+ } catch (EBaseException e) {
+ CMS.debug("SecureChannel.compuatAPDUMac: Can't compute mac. " + e);
+ throw new TPSException("SecureChannel.compuatAPDUMac: Can't compute mac.",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ CMS.debug("SecureChannel.computeAPDUMac: computed MAC: " + newMac.toHexString());
+
+ apdu.setMAC(newMac);
+
+ icv.set(newMac);
+ }
+
+ public void deleteFileX(TPSBuffer aid) throws TPSException, IOException {
+ CMS.debug("SecureChannel.deleteFileX: entering...");
+ if (aid == null) {
+ throw new TPSException("SecureChannel.deleteFileX: no input aid!");
+ }
+
+ DeleteFileAPDU deleteFile = new DeleteFileAPDU(aid);
+
+ computeAPDU(deleteFile);
+
+ processor.handleAPDURequest(deleteFile);
+
+ }
+
+ public TPSBuffer getKeyDiversificationData() {
+ return keyDiversificationData;
+ }
+
+ public TPSBuffer getCardChallenge() {
+ return cardChallenge;
+ }
+
+ public TPSBuffer getHostChallenge() {
+ return hostChallenge;
+ }
+
+ public TPSBuffer getHostCryptogram() {
+ return hostCryptogram;
+ }
+ public TPSBuffer getCardCryptogram() {
+ return cardCryptogram;
}
}
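Review bot: `deleteFileX` discards the `APDUResponse` from `processor.handleAPDURequest(deleteFile)`, so a token that refuses the delete is reported as success, unlike `externalAuthenticate` which checks `response.checkResult()`; capture the response and throw `new TPSException("SecureChannel.deleteFileX: Failed to delete file.", TPSStatus.STATUS_ERROR_SECURE_CHANNEL)` when it fails. The constructor guard joins `sessionKey == null` and `encSessionKey == null` with a bitwise `|`; it evaluates the same for booleans, but it should be `||` like its neighbours. `computeAPDUMac` logs the full pre-encryption APDU body ("data To MAC") and the resulting MAC at debug level; for `SetPinAPDU` that body is the PIN itself, so those two `CMS.debug` lines should log only lengths or be dropped. The message strings also misspell `eternalAuthenticate` and `compuatAPDUMac`.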
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java
index 3d53b9333..f241c88ad 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java
@@ -35,6 +35,7 @@ public class TKSComputeRandomDataResponse extends RemoteResponse
}
public TPSBuffer getRandomData() {
- return (TPSBuffer) nameValTable.get(IRemoteRequest.TKS_RESPONSE_RandomData);
+ byte [] random = (byte[]) nameValTable.get(IRemoteRequest.TKS_RESPONSE_RandomData);
+ return new TPSBuffer(random);
}
}
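Review bot: The new `getRandomData()` casts whatever is in `nameValTable` to `byte[]` and hands it straight to `new TPSBuffer(random)`, so a TKS response that did not include `TKS_RESPONSE_RandomData` produces a null `random` here and the outcome then depends on how the TPSBuffer constructor treats null, which is not visible in this diff. A guard such as `if (random == null) { return null; }` (or a thrown exception, whichever the callers expect) would make the missing-field case explicit rather than deferred to the constructor.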
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
index 5e154b9f8..0aff29b92 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
@@ -75,7 +75,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
* @return response TKSComputeSessionKeyResponse class object
*/
public TKSComputeSessionKeyResponse computeSessionKey(
- String cuid,
+ TPSBuffer cuid,
TPSBuffer keyInfo,
TPSBuffer card_challenge,
TPSBuffer card_cryptogram,
@@ -104,16 +104,22 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
(TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
HttpConnector conn =
(HttpConnector) subsystem.getConnectionManager().getConnector(connid);
- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): sending request to tks.");
+
+ String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen +
+ "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) +
+ "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialURLEncode(card_challenge) +
+ "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialURLEncode(host_challenge) +
+ "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(keyInfo) +
+ "&" + IRemoteRequest.TOKEN_CARD_CRYPTOGRAM + "="
+ + Util.specialURLEncode(card_cryptogram.toBytesArray()) +
+ "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet;
+
+ CMS.debug("TKSRemoteRequestHandler.computeSessionKey: outgoing message: " + requestString);
+
HttpResponse resp =
conn.send("computeSessionKey",
- IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen +
- "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid +
- "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialEncode(card_challenge) +
- "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialEncode(host_challenge) +
- "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(keyInfo) +
- "&" + IRemoteRequest.TOKEN_CARD_CRYPTOGRAM + "=" + Util.specialEncode(card_cryptogram) +
- "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet);
+ requestString
+ );
String content = resp.getContent();
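Review bot: The added `CMS.debug("TKSRemoteRequestHandler.computeSessionKey: outgoing message: " + requestString)` writes the complete session-key request — CUID, both challenges, the card cryptogram and key info — to the debug log, which is the full authentication transcript of the secure channel being set up; logging only the CUID and key info, or gating the full dump behind a dedicated verbose flag, keeps those values out of routine logs. As a point of style, `card_cryptogram` is passed as `card_cryptogram.toBytesArray()` while `cuid`, `card_challenge`, `host_challenge` and `keyInfo` are passed as TPSBuffer; if `Util.specialURLEncode` has a TPSBuffer overload the cryptogram should use it too, so all five parameters are encoded by the same code path. The same encoding change is made in the createKeySetData and encryptData hunks below, where the TPSBuffer form is used consistently.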
@@ -222,7 +228,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
public TKSCreateKeySetDataResponse createKeySetData(
TPSBuffer NewMasterVer,
TPSBuffer version,
- String cuid)
+ TPSBuffer cuid)
throws EBaseException {
CMS.debug("TKSRemoteRequestHandler: createKeySetData(): begins.");
if (cuid == null || NewMasterVer == null || version == null) {
@@ -240,9 +246,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
CMS.debug("TKSRemoteRequestHandler: createKeySetData(): sending request to tks.");
HttpResponse resp =
conn.send("createKeySetData",
- IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialEncode(NewMasterVer) +
- "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid +
- "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(version) +
+ IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialURLEncode(NewMasterVer) +
+ "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) +
+ "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) +
"&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet);
String content = resp.getContent();
@@ -349,7 +355,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
} else {
CMS.debug("TKSRemoteRequestHandler: computeRandomData(): got IRemoteRequest.TKS_RESPONSE_RandomData = "
+ value);
- response.put(IRemoteRequest.TKS_RESPONSE_RandomData, Util.specialDecode(value));
+ response.put(IRemoteRequest.TKS_RESPONSE_RandomData, Util.uriDecodeFromHex(value));
}
CMS.debug("TKSRemoteRequestHandler: computeRandomData(): ends.");
@@ -378,7 +384,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
* @return response TKSEncryptDataResponse class object
*/
public TKSEncryptDataResponse encryptData(
- String cuid,
+ TPSBuffer cuid,
TPSBuffer version,
TPSBuffer inData)
throws EBaseException {
@@ -399,9 +405,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
CMS.debug("TKSRemoteRequestHandler: encryptData(): sending request to tks.");
HttpResponse resp =
conn.send("encryptData",
- IRemoteRequest.TOKEN_DATA + "=" + Util.specialEncode(inData) +
- "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid +
- "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(version) +
+ IRemoteRequest.TOKEN_DATA + "=" + Util.specialURLEncode(inData) +
+ "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) +
+ "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) +
"&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet);
String content = resp.getContent();
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
index 548e0cafa..ab422df6a 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java
@@ -17,6 +17,15 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server.tps.engine;
+import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse;
+import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler;
+import org.dogtagpki.tps.main.TPSBuffer;
+import org.dogtagpki.tps.main.TPSException;
+import org.dogtagpki.tps.msg.EndOp.TPSStatus;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+
public class TPSEngine {
public static final String CFG_DEBUG_ENABLE = "logging.debug.enable";
@@ -67,6 +76,13 @@ public class TPSEngine {
public static final String CFG_ALLOW_NO_APPLET = "update.applet.emptyToken.enable";
public static final String CFG_APPLET_UPDATE_REQUIRED_VERSION = "update.applet.requiredVersion";
public static final String CFG_APPLET_DIRECTORY = "update.applet.directory";
+ public static final String CFG_APPLET_EXTENSION = "general.applet_ext";
+
+ public static final String CFG_CHANNEL_BLOCK_SIZE = "channel.blockSize";
+ public static final String CFG_CHANNEL_INSTANCE_SIZE = "channel.instanceSize";
+ public static final String CFG_CHANNEL_DEFKEY_VERSION = "channel.defKeyVersion";
+ public static final String CFG_CHANNEL_APPLET_MEMORY_SIZE = "channel.appletMemorySize";
+ public static final String CFG_CHANNEL_DEFKEY_INDEX = "channel.defKeyIndex";
/* default values */
public static final String CFG_DEF_CARDMGR_INSTANCE_AID = "A0000000030000";
@@ -75,7 +91,11 @@ public class TPSEngine {
public static final String CFG_DEF_NETKEY_OLD_INSTANCE_AID = "A00000000101";
public static final String CFG_DEF_NETKEY_OLD_FILE_AID = "A000000001";
public static final String CFG_DEF_APPLET_SO_PIN = "000000000000";
- public static final String CFG_ENABLED="Enabled";
+ public static final String CFG_ENABLED = "Enabled";
+
+ public static final int CFG_CHANNEL_DEF_BLOCK_SIZE = 242;
+ public static final int CFG_CHANNEL_DEF_INSTANCE_SIZE = 1800;
+ public static final int CFG_CHANNEL_DEF_APPLET_MEMORY_SIZE = 5000;
/* External reg values */
@@ -99,6 +119,38 @@ public class TPSEngine {
return rc;
}
+ public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer cuid,
+ TPSBuffer keyInfo,
+ TPSBuffer card_challenge,
+ TPSBuffer host_challenge,
+ TPSBuffer card_cryptogram,
+
+ String connId) throws TPSException {
+
+ CMS.debug("TPSEngine.computeSessionKey");
+
+ TKSRemoteRequestHandler tks = null;
+
+ TKSComputeSessionKeyResponse resp = null;
+ try {
+ tks = new TKSRemoteRequestHandler(connId);
+ resp = tks.computeSessionKey(cuid, keyInfo, card_challenge, card_cryptogram, host_challenge);
+ } catch (EBaseException e) {
+ throw new TPSException("SecureChannel.computeSessionKey: Error computing session key!" + e,
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ int status = resp.getStatus();
+ if (status != 0) {
+ CMS.debug("SecureChannel.computeSessionKey: Non zero status result: " + status);
+ throw new TPSException("SecureChannel.computeSessionKey: invalid returned status: " + status);
+
+ }
+
+ return resp;
+
+ }
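Review bot: The non-zero-status branch throws `new TPSException("SecureChannel.computeSessionKey: invalid returned status: " + status)` without the `TPSStatus.STATUS_ERROR_SECURE_CHANNEL` code that the `EBaseException` branch a few lines above attaches, so the two failure paths of the same method report differently to the caller; `throw new TPSException("TPSEngine.computeSessionKey: invalid returned status: " + status, TPSStatus.STATUS_ERROR_SECURE_CHANNEL);` would make them consistent. Both messages (and the debug line) are prefixed `SecureChannel.computeSessionKey` although this method lives in `TPSEngine`, which will mislead whoever reads the log. If TPSException has a cause-taking constructor, passing `e` as the cause instead of concatenating it into the message would also preserve the stack trace.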
+
public boolean isTokenPresent(String cuid) {
boolean present = false;
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 90c1a64e2..24571e234 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -18,29 +18,40 @@
package org.dogtagpki.server.tps.processor;
import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import java.util.Map;
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
-import org.dogtagpki.server.tps.channel.SecureChannel.SecurityLevel;
+import org.dogtagpki.server.tps.channel.SecureChannel;
+import org.dogtagpki.server.tps.cms.TKSComputeRandomDataResponse;
+import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse;
+import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler;
import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.tps.apdu.APDU;
import org.dogtagpki.tps.apdu.APDUResponse;
-import org.dogtagpki.tps.apdu.GetData;
-import org.dogtagpki.tps.apdu.GetStatus;
-import org.dogtagpki.tps.apdu.GetVersion;
-import org.dogtagpki.tps.apdu.Select;
+import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel;
+import org.dogtagpki.tps.apdu.GetDataAPDU;
+import org.dogtagpki.tps.apdu.GetStatusAPDU;
+import org.dogtagpki.tps.apdu.GetVersionAPDU;
+import org.dogtagpki.tps.apdu.InitializeUpdateAPDU;
+import org.dogtagpki.tps.apdu.SelectAPDU;
import org.dogtagpki.tps.main.TPSBuffer;
import org.dogtagpki.tps.main.TPSException;
import org.dogtagpki.tps.msg.BeginOp;
import org.dogtagpki.tps.msg.EndOp.TPSStatus;
import org.dogtagpki.tps.msg.TokenPDURequest;
import org.dogtagpki.tps.msg.TokenPDUResponse;
+import org.mozilla.jss.CryptoManager.NotInitializedException;
+import org.mozilla.jss.pkcs11.PK11SymKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.symkey.SessionKey;
public class TPSProcessor {
@@ -51,15 +62,31 @@ public class TPSProcessor {
public static final int CPLC_MSN_INDEX = 41;
public static final int CPLC_MSN_SIZE = 4;
+ public static final int INIT_UPDATE_DATA_SIZE = 28;
+ public static final int DIVERSIFICATION_DATA_SIZE = 10;
+ public static final int CARD_CRYPTOGRAM_OFFSET = 20;
+ public static final int CARD_CRYPTOGRAM_SIZE = 8;
+ public static final int CARD_CHALLENGE_OFFSET = 12;
+ public static final int CARD_CHALLENGE_SIZE = 8;
+
private boolean isExternalReg;
private TPSSession session;
private String selectedTokenType;
+ private String currentTokenOperation;
+
+
+
+
public TPSProcessor(TPSSession session) {
setSession(session);
}
+ protected void setCurrentTokenOperation(String op) {
+ currentTokenOperation = op;
+ }
+
protected void setSession(TPSSession session) {
if (session == null) {
throw new NullPointerException("TPS session is null");
@@ -148,7 +175,7 @@ public class TPSProcessor {
TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
}
- Select select_apdu = new Select(p1, p2, aid);
+ SelectAPDU select_apdu = new SelectAPDU(p1, p2, aid);
//return the Response because the caller can
//decide what to do, not every failure is fatal.
@@ -161,12 +188,12 @@ public class TPSProcessor {
CMS.debug("In TPS_Processor.GetStatus.");
- GetStatus get_status_apdu = new GetStatus();
+ GetStatusAPDU get_status_apdu = new GetStatusAPDU();
return handleAPDURequest(get_status_apdu).getData();
}
- protected APDUResponse handleAPDURequest(APDU apdu) throws IOException, TPSException {
+ public APDUResponse handleAPDURequest(APDU apdu) throws IOException, TPSException {
if (apdu == null) {
throw new TPSException("TPSProcessor.handleAPDURequest: invalid incoming apdu!");
@@ -198,7 +225,7 @@ public class TPSProcessor {
protected TPSBuffer getCplcData() throws IOException, TPSException {
CMS.debug("In TPS_Processor.GetData");
- GetData get_data_apdu = new GetData();
+ GetDataAPDU get_data_apdu = new GetDataAPDU();
APDUResponse respApdu = handleAPDURequest(get_data_apdu);
@@ -220,7 +247,7 @@ public class TPSProcessor {
CMS.debug("In TPSProcessor.getAppletVersion");
- GetVersion get_version_apdu = new GetVersion();
+ GetVersionAPDU get_version_apdu = new GetVersionAPDU();
APDUResponse respApdu = handleAPDURequest(get_version_apdu);
@@ -244,16 +271,245 @@ public class TPSProcessor {
}
+ TPSBuffer computeRandomData(int dataSize, String connId) throws TPSException {
+
+ TKSRemoteRequestHandler tks = null;
+
+ TKSComputeRandomDataResponse data = null;
+
+ try {
+ tks = new TKSRemoteRequestHandler(connId);
+ data = tks.computeRandomData(dataSize);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.computeRandomData: Erorr getting random data from TKS!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ int status = data.getStatus();
+
+ if (status != 0) {
+ throw new TPSException("TPSProcessor.computeRandomData: Erorr getting random data from TKS!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ return data.getRandomData();
+ }
+
+ protected TPSBuffer initializeUpdate(byte keyVersion, byte keyIndex, TPSBuffer randomData) throws IOException,
+ TPSException {
+
+ CMS.debug("In TPS_Processor.initializeUpdate.");
+ InitializeUpdateAPDU initUpdate = new InitializeUpdateAPDU(keyVersion, keyIndex, randomData);
+
+ APDUResponse resp = handleAPDURequest(initUpdate);
+
+ if (!resp.checkResult()) {
+ CMS.debug("TPSProcessor.initializeUpdate: Failed intializeUpdate!");
+ throw new TPSException("TPSBuffer.initializeUpdate: Failed initializeUpdate!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+
+ }
+
+ TPSBuffer data = resp.getResultDataNoCode();
+
+ if (data.size() != INIT_UPDATE_DATA_SIZE) {
+ throw new TPSException("TPSBuffer.initializeUpdate: Invalid response from token!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ return data;
+
+ }
+
+ protected SecureChannel setupSecureChannel(byte keyVersion, byte keyIndex, SecurityLevel securityLevel,
+ String connId)
+ throws IOException, TPSException {
+
+ //Assume generating host challenge on TKS, we no longer support not involving the TKS.
+
+ TPSBuffer randomData = computeRandomData(8, connId);
+ CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData: " + randomData.toHexString());
+
+ TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData);
+
+ TPSBuffer key_diversification_data = initUpdateResp.substr(0, DIVERSIFICATION_DATA_SIZE);
+ CMS.debug("TPSProcessor.setupSecureChannel: diversification data: " + key_diversification_data.toHexString());
+
+ TPSBuffer key_info_data = initUpdateResp.substr(DIVERSIFICATION_DATA_SIZE, 2);
+ CMS.debug("TPSProcessor.setupSecureChannel: key info data: " + key_info_data.toHexString());
+
+ TPSBuffer card_cryptogram = initUpdateResp.substr(CARD_CRYPTOGRAM_OFFSET, CARD_CRYPTOGRAM_SIZE);
+ CMS.debug("TPSProcessor.setupSecureChannel: card cryptogram: " + card_cryptogram.toHexString());
+
+ TPSBuffer card_challenge = initUpdateResp.substr(CARD_CHALLENGE_OFFSET, CARD_CHALLENGE_SIZE);
+ CMS.debug("TPSProcessor.setupSecureChannel: card challenge: " + card_challenge.toHexString());
+
+ SecureChannel channel = null;
+
+ try {
+ channel = generateSecureChannel(connId, key_diversification_data, key_info_data, card_challenge,
+ card_cryptogram,
+ randomData);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.setupSecureChannel: Can't set up secure channel: " + e,
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ return channel;
+
+ }
+
+ protected SecureChannel generateSecureChannel(String connId, TPSBuffer keyDiversificationData,
+ TPSBuffer keyInfoData, TPSBuffer cardChallenge, TPSBuffer cardCryptogram, TPSBuffer hostChallenge)
+ throws EBaseException, TPSException {
+
+ CMS.debug("TPSProcessor.generateSecureChannel: entering..");
+
+ TPSEngine engine = getTPSEngine();
+
+ SecureChannel channel = null;
+ TPSBuffer hostCryptogram = null;
+
+ TKSComputeSessionKeyResponse resp = engine.computeSessionKey(keyDiversificationData, keyInfoData,
+ cardChallenge, hostChallenge, cardCryptogram,
+ connId);
+
+ hostCryptogram = resp.getHostCryptogram();
+
+ if (hostCryptogram == null) {
+ new TPSException("TPSProcessor.generateSecureChannel: No host cryptogram returned from token!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+
+ }
+
+ PK11SymKey sharedSecret = null;
+
+ try {
+ sharedSecret = getSharedSecretTransportKey(connId);
+ } catch (Exception e) {
+ CMS.debug(e);
+ throw new TPSException("TPSProcessor.generateSecureChannel: Can't get shared secret key!: " + e,
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ PK11SymKey sessionKey = null;
+ PK11SymKey encSessionKey = null;
+ String tokenName = "Internal Key Storage Token";
+
+ try {
+ TPSBuffer sessionKeyWrapped = resp.getSessionKey();
+ TPSBuffer encSessionKeyWrapped = resp.getEncSessionKey();
+
+ sessionKey = SessionKey.UnwrapSessionKeyWithSharedSecret(tokenName, sharedSecret,
+ sessionKeyWrapped.toBytesArray());
+
+ if (sessionKey == null) {
+ CMS.debug("TPSProcessor.generateSecureChannel: Can't extract session key!");
+ throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract session key!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+ CMS.debug("TPSProcessor.generateSecureChannel: retrieved session key: " + sessionKey);
+
+ encSessionKey = SessionKey.UnwrapSessionKeyWithSharedSecret(tokenName, sharedSecret,
+ encSessionKeyWrapped.toBytesArray());
+
+ if (encSessionKey == null) {
+ CMS.debug("TPSProcessor.generateSecureChannel: Can't extract enc session key!");
+ throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract enc session key!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key: " + encSessionKey);
+ } catch (Exception e) {
+ CMS.debug(e);
+ e.printStackTrace();
+ throw new TPSException("TPSProcessor.generateSecureChannel: Problem extracting session keys! " + e,
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ TPSBuffer drmDesKey = null;
+ TPSBuffer kekDesKey = null;
+ TPSBuffer keyCheck = null;
+
+ if (checkServerSideKeyGen(connId)) {
+ //ToDo handle server side keygen.
+
+ }
+
+ channel = new SecureChannel(this, sessionKey, encSessionKey, drmDesKey,
+ kekDesKey, keyCheck, keyDiversificationData, cardChallenge,
+ cardCryptogram, hostChallenge, hostCryptogram);
+
+ return channel;
+ }
+
protected String upgradeApplet(String operation, String new_version, SecurityLevel securityLevel,
- Map<String, String> extensions, int startProgress, int endProgress) throws TPSException {
+ Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException,
+ TPSException {
String newVersion = null;
boolean appletUpgraded = false;
+ String NetKeyAID = null;
+ String NetKeyPAID = null;
+
+ IConfigStore configStore = CMS.getConfigStore();
+
+ try {
+ //These defaults are well known, it is safe to use them.
+
+ NetKeyAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_INSTANCE_AID,
+ TPSEngine.CFG_DEF_NETKEY_INSTANCE_AID);
+ CMS.debug("In TPS_Processor.upgradeApplet. CardManagerAID: " + " NetKeyAID: " + NetKeyAID);
+ NetKeyPAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_FILE_AID, TPSEngine.CFG_DEF_NETKEY_FILE_AID);
+
+ } catch (EBaseException e1) {
+ CMS.debug("TPS_Processor.upgradeApplet: Internal Error obtaining mandatory config values. Error: " + e1);
+ throw new TPSException("TPS error getting config values from config store.",
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+ }
+
+ TPSBuffer netkeyAIDBuff = new TPSBuffer(NetKeyAID);
+ TPSBuffer netkeyPAIDBuff = new TPSBuffer(NetKeyPAID);
+
+ //Not all of these used yet, but will be
+ //ToDo
+ int channelBlockSize = getChannelBlockSize();
+ int channelInstanceSize = getChannelInstanceSize();
+ int channelAppletMemSize = getAppletMemorySize();
+ int defKeyVersion = getChannelDefKeyVersion();
+ int defKeyIndex = getChannelDefKeyIndex();
+ byte[] appletData = null;
String directory = getAppletDirectory(operation);
CMS.debug("TPSProcessor.upgradeApplet: applet target directory: " + directory);
+ String appletFileExt = getAppletExtension();
+
+ String appletFilePath = directory + "/" + new_version + "." + appletFileExt;
+
+ CMS.debug("TPSProcessor.upgradeApplet: targe applet file name: " + appletFilePath);
+
+ //Not ready to use this yet.
+ //ToDo
+
+ appletData = getAppletFileData(appletFilePath);
+
+ APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAIDBuff);
+
+ if (!select.checkResult()) {
+ throw new TPSException("TPSProcessor.format: Can't selelect the card manager!");
+ }
+
+ SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, securityLevel, connId);
+
+ channel.externalAuthenticate();
+ channel.deleteFileX(netkeyAIDBuff);
+ channel.deleteFileX(netkeyPAIDBuff);
+
+ // Next step will be to load the applet file to token.
+ // ToDo:
+
//ToDo actually finish this later.
if (appletUpgraded == false) {
throw new TPSException("TPSProcessor.upgradeApplet: Error upgrading applet",
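Review bot: In `generateSecureChannel` the null-host-cryptogram check constructs `new TPSException("TPSProcessor.generateSecureChannel: No host cryptogram returned from token!", ...)` but never throws it, so a TKS response without a host cryptogram falls through and the channel is built with `hostCryptogram == null`; the statement needs a leading `throw`. Two smaller points in the same hunk: `setupSecureChannel` accepts `securityLevel` but never uses it (the channel is created without it, so the MAC/ENC level requested by `format` is not yet applied), and the catch in `generateSecureChannel` calls both `CMS.debug(e)` and `e.printStackTrace()`, the latter of which bypasses the subsystem logger. The enclosing `upgradeApplet` body continues past the end of this hunk.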
@@ -263,6 +519,32 @@ public class TPSProcessor {
return newVersion;
}
+ protected byte[] getAppletFileData(String appletFilePath) throws IOException, TPSException {
+
+ if (appletFilePath == null) {
+ throw new TPSException("TPSProcessor.getAppletFileData: Invalid applet file name.",
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+ }
+
+ byte[] contents = null;
+ try {
+ Path path = Paths.get(appletFilePath);
+ contents = Files.readAllBytes(path);
+
+ } catch (IOException e) {
+ CMS.debug("TPSProcessor.getAppletFileData: IOException " + e);
+ throw e;
+ } catch (Exception e) {
+ CMS.debug("PSProcessor.getAppletFileData: Exception: " + e);
+ throw new TPSException("TPSProcessor.getAppletFileData: Exception: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+ }
+
+ CMS.debug("TPSProcessor.getAppletFileData: data: " + contents);
+
+ return contents;
+ }
+
protected void format(BeginOp message) throws TPSException, IOException {
IConfigStore configStore = CMS.getConfigStore();
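Review bot: `CMS.debug("TPSProcessor.getAppletFileData: data: " + contents)` prints the `byte[]` reference (`[B@...`), not the applet contents, and dumping the raw applet would not be useful either; `CMS.debug("TPSProcessor.getAppletFileData: read " + contents.length + " bytes from " + appletFilePath);` gives the information a reader actually wants. The method accepts any path string; as long as the caller (`upgradeApplet`, outside this hunk) keeps building it from the configured applet directory and configured version that is acceptable, but if the version ever becomes client-supplied the resolved path should be normalized and checked to stay under the applet directory before `Files.readAllBytes`.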
@@ -277,6 +559,8 @@ public class TPSProcessor {
String External_Reg_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + "enable";
boolean isExternalReg = false;
+ setCurrentTokenOperation("format");
+
try {
//These defaults are well known, it is safe to use them.
CardManagerAID = configStore.getString(TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID,
@@ -376,8 +660,10 @@ public class TPSProcessor {
SecurityLevel secLevel = SecurityLevel.SECURE_MSG_MAC_ENC;
+ String tksConnId = getTKSConnectorID();
+
String newKeyVersion = upgradeApplet(TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, secLevel,
- message.getExtensions(),
+ message.getExtensions(), tksConnId,
10, 90);
CMS.debug("TPSProcessor.format: upgraded aplet version: " + newKeyVersion);
@@ -405,6 +691,22 @@ public class TPSProcessor {
}
+ boolean checkServerSideKeyGen(String connId) throws TPSException {
+
+ boolean result;
+ IConfigStore configStore = CMS.getConfigStore();
+
+ String profileConfig = "conn." + connId + "." + ".serverKeygen";
+
+ try {
+ result = configStore.getBoolean(profileConfig, false);
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor: checkServerSideKeyGen: Internal error obtaining config value!");
+ }
+
+ return result;
+ }
+
void checkAllowNoAppletToken(String operation) throws TPSException {
boolean allow = true;
IConfigStore configStore = CMS.getConfigStore();
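Review bot: The config key built in `checkServerSideKeyGen` is `"conn." + connId + "." + ".serverKeygen"`, which yields `conn.<id>..serverKeygen` with a double dot, so the lookup will never match a `conn.<id>.serverKeygen` setting and `getBoolean` silently returns the `false` default; the line should read `String profileConfig = "conn." + connId + ".serverKeygen";`. Because the fallback is silent, the bug would make server-side key generation appear disabled everywhere rather than fail loudly, which is worth a unit test once the key format is settled.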
@@ -470,6 +772,42 @@ public class TPSProcessor {
}
+ protected String getTKSConnectorID() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ String id = null;
+
+ String config = "op." + currentTokenOperation + "." + selectedTokenType + ".tks.conn";
+
+ try {
+ id = configStore.getString(config, "tks1");
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getTKSConnectorID: Internal error finding config value.");
+
+ }
+
+ CMS.debug("TPSProcessor.getTKSConectorID: returning: " + id);
+
+
+ return id;
+ }
+
+ protected String getAppletExtension() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ String extension = null;
+ String extensionConfig = TPSEngine.CFG_APPLET_EXTENSION;
+
+ try {
+ extension = configStore.getString(extensionConfig, "ijc");
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getAppletExtension: Internal error finding config value.");
+
+ }
+
+ CMS.debug("TPSProcessor.getAppletExtension: returning: " + extension);
+
+ return extension;
+ }
+
protected String getAppletDirectory(String operation) throws TPSException {
IConfigStore configStore = CMS.getConfigStore();
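Review bot: `getTKSConnectorID` builds its key from `currentTokenOperation` and `selectedTokenType`, and if either field is still null at call time the key becomes `op.null.<type>.tks.conn` and the method quietly falls back to `"tks1"`; a guard such as `if (currentTokenOperation == null || selectedTokenType == null) { throw new TPSException("TPSProcessor.getTKSConnectorID: operation or token type not set."); }` would surface that ordering mistake instead of routing to a default connector. The debug line also spells the method `getTKSConectorID`, which makes log grepping harder.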
@@ -492,6 +830,146 @@ public class TPSProcessor {
return directory;
}
+ protected int getChannelBlockSize() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ int blockSize = 0;
+ try {
+ blockSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_BLOCK_SIZE, TPSEngine.CFG_CHANNEL_DEF_BLOCK_SIZE);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getChannelBlockSize: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ CMS.debug("TPSProcess.getChannelBlockSize: returning: " + blockSize);
+ return blockSize;
+
+ }
+
+ protected int getChannelInstanceSize() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ int instanceSize = 0;
+ try {
+ instanceSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_INSTANCE_SIZE,
+ TPSEngine.CFG_CHANNEL_DEF_INSTANCE_SIZE);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getChannelInstanceSize: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ CMS.debug("TPSProcess.getChannelInstanceSize: returning: " + instanceSize);
+
+ return instanceSize;
+
+ }
+
+ protected int getAppletMemorySize() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ int memSize = 0;
+ try {
+ memSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_APPLET_MEMORY_SIZE,
+ TPSEngine.CFG_CHANNEL_DEF_APPLET_MEMORY_SIZE);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getAppletMemorySize: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+ CMS.debug("TPSProcess.getAppletMemorySize: returning: " + memSize);
+
+ return memSize;
+ }
+
+ protected int getChannelDefKeyVersion() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ int ver = 0;
+ try {
+ ver = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_VERSION, 0x0);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ CMS.debug("TPSProcessor.getChannelDefKeyVersion: " + ver);
+
+ return ver;
+
+ }
+
+ protected int getChannelDefKeyIndex() throws TPSException {
+ IConfigStore configStore = CMS.getConfigStore();
+ int index = 0;
+ try {
+ index = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_INDEX, 0x0);
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e,
+ TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
+
+ }
+
+ CMS.debug("TPSProcessor.getChannelDefKeyIndex: " + index);
+
+ return index;
+
+ }
+
+ protected PK11SymKey getSharedSecretTransportKey(String connId) throws TPSException, NotInitializedException {
+
+ IConfigStore configStore = CMS.getConfigStore();
+ String sharedSecretName = null;
+ try {
+ String configName = "conn." + connId + ".tksSharedSymKeyName";
+ sharedSecretName = configStore.getString(configName, "sharedSecret");
+
+ } catch (EBaseException e) {
+ throw new TPSException("TPSProcessor.getSharedSecretTransportKey: Internal error finding config value: "
+ + e,
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+
+ }
+
+ CMS.debug("TPSProcessor.getSharedSecretTransportKey: calculated key name: " + sharedSecretName);
+
+ String symmKeys = null;
+ boolean keyPresent = false;
+ try {
+ symmKeys = SessionKey.ListSymmetricKeys("internal");
+ CMS.debug("TPSProcessor.getSharedSecretTransportKey: symmKeys List: " + symmKeys);
+ } catch (Exception e) {
+ // TODO Auto-generated catch block
+ CMS.debug(e);
+ }
+
+ for (String keyName : symmKeys.split(",")) {
+ if (sharedSecretName.equals(keyName)) {
+ CMS.debug("TPSProcessor.getSharedSecret: shared secret key found!");
+ keyPresent = true;
+ break;
+ }
+
+ }
+
+ if (!keyPresent) {
+ throw new TPSException("TPSProcessor.getSharedSecret: Can't find shared secret!",
+ TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
+ }
+
+ // We know for now that shared secret is on this token
+ String tokenName = "Internal Key Storage Token";
+ PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName);
+
+ CMS.debug("TPSProcessor.getSharedSecret: SymKey returns: " + sharedSecret);
+
+ return sharedSecret;
+
+ }
+
public boolean getIsExternalReg() {
return isExternalReg;
}
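Review bot: In `getSharedSecretTransportKey`, a failure of `SessionKey.ListSymmetricKeys("internal")` is caught, logged and ignored, leaving `symmKeys` null, so the following `symmKeys.split(",")` throws a NullPointerException instead of the intended TPSException; the catch should rethrow, e.g. `throw new TPSException("TPSProcessor.getSharedSecretTransportKey: Can't list symmetric keys: " + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL);`, and the `// TODO Auto-generated catch block` marker dropped. In the same hunk, the error message in `getChannelDefKeyIndex` names `getChannelDefKeyVersion`, and both values are read as int and later cast to byte by the caller, so a range check (0..255) at the point they are read would catch bad config early.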
@@ -755,6 +1233,14 @@ public class TPSProcessor {
}
+ public TPSEngine getTPSEngine() {
+ TPSSubsystem subsystem =
+ (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+
+ return subsystem.getEngine();
+
+ }
+
public static void main(String[] args) {
}
diff --git a/base/tps/abrt_checker_21190.log b/base/tps/abrt_checker_21190.log
new file mode 100644
index 000000000..97d259eb9
--- /dev/null
+++ b/base/tps/abrt_checker_21190.log
@@ -0,0 +1,9 @@
+Uncaught java.lang.ClassNotFoundException exception in thread "main" in a method java.lang.ClassLoader.loadClass() with signature (Ljava/lang/String;Z)Ljava/lang/Class;
+Exception in thread "main" java.lang.ClassNotFoundException: .usr.lib64.eclipse..plugins.org.eclipse.equinox.launcher_1.3.0.v20130930-1720.jar
+ at java.net.URLClassLoader$1.run(URLClassLoader.java:366) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class]
+ at java.net.URLClassLoader$1.run(URLClassLoader.java:355) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class]
+ at java.security.AccessController.doPrivileged(Native Method) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/security/AccessController.class]
+ at java.net.URLClassLoader.findClass(URLClassLoader.java:354) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader.class]
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:424) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class]
+ at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/sun/misc/Launcher$AppClassLoader.class]
+ at java.lang.ClassLoader.loadClass(ClassLoader.java:357) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class]