diff options
author | Christina Fu <cfu@redhat.com> | 2014-12-02 14:38:08 -0800 |
---|---|---|
committer | Christina Fu <cfu@redhat.com> | 2014-12-19 11:17:34 -0800 |
commit | 4c910296a6c6c8bf74fbdace740680db2f1fecab (patch) | |
tree | 1d0d53e8f72c7f219830d387f228003074faf98a /base/server/cms/src/com/netscape/cms/servlet/tks | |
parent | 00b1c33272900613687448ccab7809ba794679f6 (diff) | |
download | pki-4c910296a6c6c8bf74fbdace740680db2f1fecab.tar.gz pki-4c910296a6c6c8bf74fbdace740680db2f1fecab.tar.xz pki-4c910296a6c6c8bf74fbdace740680db2f1fecab.zip |
Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDF
- this patch does not include TPS side of changes:
(#865 needs to be rewritten in Java)
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/tks')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java | 665 |
1 files changed, 565 insertions, 100 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java index 9b0c2bcf2..2cca81bcf 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -72,25 +72,25 @@ public class TokenServlet extends CMSServlet { IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3"; + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8"; + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9"; + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5"; + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6"; + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7"; + "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd. private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4"; + "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE: Need to log both KDD and CUID. private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS = "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7"; @@ -216,9 +216,110 @@ public class TokenServlet extends CMSServlet { } + // AC: KDF SPEC CHANGE - read new setting value from config file + // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) + // CAREFUL: Result returned may be negative due to java's lack of unsigned types. + // Negative values need to be treated as higher key numbers than positive key numbers. + private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception{ + String nistSP800_108KdfOnKeyVersion_map = "tks." + keySet + ".nistSP800-108KdfOnKeyVersion"; + // KDF phase1: default to 00 + String nistSP800_108KdfOnKeyVersion_value = + CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); + short nistSP800_108KdfOnKeyVersion_short = 0; + // if value does not exist in file + if (nistSP800_108KdfOnKeyVersion_value == null){ + // throw + // (we want admins to pay attention to this configuration item rather than guessing for them) + throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map + "\" missing from configuration file."); + } + // convert setting value (in ASCII-hex) to short + try{ + nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); + if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short)0x00FF)){ + throw new Exception("Out of range."); + } + } catch(Throwable t){ + throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map + "\" is in incorrect format. " + + "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map + "=xx\" where xx is key version specified in ASCII-HEX format.", t); + } + // convert to byte (anything higher than 0x7F is represented as a negative) + byte nistSP800_108KdfOnKeyVersion_byte = (byte)nistSP800_108KdfOnKeyVersion_short; + return nistSP800_108KdfOnKeyVersion_byte; + } + + // AC: KDF SPEC CHANGE - read new setting value from config file + // (This value allows configuration of the NIST SP800-108 KDF: + // If "true" we use the CUID parameter within the NIST SP800-108 KDF. + // If "false" we use the KDD parameter within the NIST SP800-108 KDF. + private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception{ + String setting_map = "tks." + keySet + ".nistSP800-108KdfUseCuidAsKdd"; + // KDF phase1: default to "false" + String setting_str = + CMS.getConfigStore().getString(setting_map, "false" /*null*/); + boolean setting_boolean = false; + // if value does not exist in file + if (setting_str == null){ + // throw + // (we want admins to pay attention to this configuration item rather than guessing for them) + throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); + } + // convert setting value to boolean + try{ + setting_boolean = Boolean.parseBoolean(setting_str); + }catch(Throwable t){ + throw new Exception("Configuration value \"" + setting_map + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); + } + return setting_boolean; + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Converts a byte array to an ASCII-hex string. + // We implemented this ourselves rather than using this.pp.toHexArray() because + // the team preferred CUID and KDD strings to be without ":" separators every byte. + final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); + private String bytesToHex(byte[] bytes){ + char[] hexChars = new char[bytes.length * 2]; + for (int i = 0; i < bytes.length; i++){ + int thisChar = bytes[i] & 0x000000FF; + hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 + hexChars[i*2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; + } + return new String(hexChars); + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa + // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. + // Returns "null" if parameter is null. + // Returns "invalid" if parameter.length < 1 + private String log_string_from_keyInfo(byte[] xkeyInfo){ + return (xkeyInfo == null) ? "null" : (xkeyInfo.length < 1 ? "invalid" : "0x" + Integer.toHexString((int)(xkeyInfo[0]) & 0x000000FF) ); + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. + // Parameters: + // specialDecoded - byte array containing data. May be null. + // Returns: + // if specialDecoded is blank, returns "null" + // if specialDecoded != null, returns <ASCII-HEX string representation of specialDecoded> + private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded){ + if (specialDecoded == null){ + return "null"; + }else{ + return bytesToHex(specialDecoded); + } + } + + private void processComputeSessionKey(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - byte[] card_challenge, host_challenge, keyInfo, xCUID, CUID, session_key; + byte[] card_challenge ,host_challenge,keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD + + // AC: KDF SPEC CHANGE - new config file values (needed for symkey) + byte nistSP800_108KdfOnKeyVersion = (byte)0xff; + boolean nistSP800_108KdfUseCuidAsKdd = false; + byte[] card_crypto, host_cryptogram, input_card_crypto; byte[] xcard_challenge, xhost_challenge; byte[] enc_session_key, xkeyInfo; @@ -228,6 +329,15 @@ public class TokenServlet extends CMSServlet { String transportKeyName = ""; String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + String rKDD = req.getParameter("KDD"); + if ((rKDD == null) || (rKDD.length() == 0)) { + // KDF phase1: default to rCUID if not present + CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); + rKDD = rCUID; + } + String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); if (keySet == null || keySet.equals("")) { keySet = "defKeySet"; @@ -243,6 +353,10 @@ public class TokenServlet extends CMSServlet { IConfigStore sconfig = CMS.getConfigStore(); boolean isCryptoValidate = true; boolean missingParam = false; + + // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting + Exception missingSetting_exception = null; + session_key = null; card_crypto = null; host_cryptogram = null; @@ -257,9 +371,11 @@ public class TokenServlet extends CMSServlet { (String) sContext.get(SessionContext.USER_ID); } + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. ILogger.SUCCESS, agentId); @@ -299,6 +415,13 @@ public class TokenServlet extends CMSServlet { badParams += " CUID,"; missingParam = true; } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { badParams += " card_challenge,"; @@ -322,6 +445,11 @@ public class TokenServlet extends CMSServlet { String keyNickName = null; boolean sameCardCrypto = true; + // AC: KDF SPEC CHANGE + xCUID = null; // avoid errors about non-initialization + xKDD = null; // avoid errors about non-initialization + xkeyInfo = null; // avoid errors about non-initialization + if (!missingParam) { xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); @@ -330,6 +458,15 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: Invalid CUID length"); missingParam = true; } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet: Invalid KDD length"); + missingParam = true; + } + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (xkeyInfo == null || xkeyInfo.length != 2) { badParams += " KeyInfo length,"; @@ -353,7 +490,9 @@ public class TokenServlet extends CMSServlet { } - CUID = null; + // AC: KDF SPEC CHANGE - Remove duplicative variable. + // CUID = null; + if (!missingParam) { card_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); @@ -361,7 +500,33 @@ public class TokenServlet extends CMSServlet { host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. + + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) + try{ + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo + CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x" + + Integer.toHexString((int)(xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] = 0x" + + Integer.toHexString((int)(xkeyInfo[1]) & 0x0000000FF) + ); + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((int)(nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true){ + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + }else{ + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + }catch(Exception e){ + missingSetting_exception = e; + CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: " + e.toString()); + } String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); @@ -377,7 +542,9 @@ public class TokenServlet extends CMSServlet { keyNickName = st.nextToken(); } - if (selectedToken != null && keyNickName != null) { + if (selectedToken != null && keyNickName != null + // AC: KDF SPEC CHANGE - check for error flag + && missingSetting_exception == null) { try { @@ -388,7 +555,12 @@ public class TokenServlet extends CMSServlet { + selectedToken + " keyNickName=" + keyNickName); session_key = SessionKey.ComputeSessionKey( selectedToken, keyNickName, card_challenge, - host_challenge, keyInfo, CUID, macKeyArray, useSoftToken_s, keySet, transportKeyName); + host_challenge,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + macKeyArray, useSoftToken_s, keySet, transportKeyName ); if (session_key == null) { CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); @@ -401,7 +573,12 @@ public class TokenServlet extends CMSServlet { + keySet + ".auth_key")); enc_session_key = SessionKey.ComputeEncSessionKey( selectedToken, keyNickName, card_challenge, - host_challenge, keyInfo, CUID, encKeyArray, useSoftToken_s, keySet); + host_challenge,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + encKeyArray, useSoftToken_s, keySet); if (enc_session_key == null) { CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); @@ -426,7 +603,12 @@ public class TokenServlet extends CMSServlet { kek_key = SessionKey.ComputeKekKey( selectedToken, keyNickName, card_challenge, - host_challenge, keyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); + host_challenge,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + kekKeyArray, useSoftToken_s,keySet); CMS.debug("TokenServlet: called ComputeKekKey"); @@ -462,10 +644,19 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); desKey = SessionKey.GenerateSymkey(selectedToken); } - if (desKey != null) - CMS.debug("TokenServlet: key encryption key generated for " + rCUID); - else { - CMS.debug("TokenServlet: key encryption key generation failed for " + rCUID); + if (desKey != null) { + // AC: KDF SPEC CHANGE - Output using CUID and KDD + CMS.debug("TokenServlet: key encryption key generated for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + } else { + // AC: KDF SPEC CHANGE - Output using CUID and KDD + CMS.debug("TokenServlet: key encryption key generation failed for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + throw new Exception("can't generate key encryption key"); } @@ -538,7 +729,12 @@ public class TokenServlet extends CMSServlet { + keySet + ".auth_key")); host_cryptogram = SessionKey.ComputeCryptogram( selectedToken, keyNickName, card_challenge, - host_challenge, keyInfo, CUID, 0, authKeyArray, useSoftToken_s, keySet); + host_challenge,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + 0, authKeyArray, useSoftToken_s, keySet); if (host_cryptogram == null) { CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); @@ -547,7 +743,13 @@ public class TokenServlet extends CMSServlet { } card_crypto = SessionKey.ComputeCryptogram( selectedToken, keyNickName, card_challenge, - host_challenge, keyInfo, CUID, 1, authKeyArray, useSoftToken_s, keySet); + host_challenge,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + 1, authKeyArray, useSoftToken_s, keySet); + if (card_crypto == null) { CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); @@ -575,10 +777,13 @@ public class TokenServlet extends CMSServlet { } } + // AC: KDF SPEC CHANGE - print both KDD and CUID CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, ILogger.LL_INFO, "processComputeSessionKey for CUID=" + - trim(pp.toHexString(CUID))); + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); } catch (Exception e) { CMS.debug(e); CMS.debug("TokenServlet Computing Session Key: " + e.toString()); @@ -625,18 +830,35 @@ public class TokenServlet extends CMSServlet { cryptogram = com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); } else { - status = "2"; + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true){ + status = "2"; + } } if (selectedToken == null || keyNickName == null) { - status = "4"; + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true){ + status = "4"; + } } if (!sameCardCrypto) { - status = "3"; + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true){ + // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues + status = "5"; + } } + // AC: KDF SPEC CHANGE - check for settings file issue (flag) + if (missingSetting_exception != null){ + // AC: Intentionally override previous errors if config file settings were missing. + status = "6"; + } + if (missingParam) { + // AC: Intentionally override previous errors if parameters were missing. status = "3"; } @@ -650,10 +872,20 @@ public class TokenServlet extends CMSServlet { errorMsg = "Problem creating host_cryptogram."; } + // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues + if (status.equals("5")) { + errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; + } + if (status.equals("4")) { errorMsg = "Problem obtaining token information."; } + // AC: KDF SPEC CHANGE - handle missing configuration item + if (status.equals("6")) { + errorMsg = "Problem reading required configuration value."; + } + if (status.equals("3")) { if (badParams.endsWith(",")) { badParams = badParams.substring(0, badParams.length() - 1); @@ -706,31 +938,45 @@ public class TokenServlet extends CMSServlet { } if (status.equals("0")) { - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, - rCUID, - ILogger.SUCCESS, - status, - agentId, - isCryptoValidate ? "true" : "false", - serversideKeygen ? "true" : "false", - selectedToken, - keyNickName); - + // AC: KDF SPEC CHANGE - Log both CUID and KDD. + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate? "true":"false", // IsCryptoValidate + serversideKeygen? "true":"false", // IsServerSideKeygen + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, logParams); } else { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate? "true":"false", // IsCryptoValidate + serversideKeygen? "true":"false", // IsServerSideKeygen + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, logParams); - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, - rCUID, - ILogger.FAILURE, - status, - agentId, - isCryptoValidate ? "true" : "false", - serversideKeygen ? "true" : "false", - selectedToken, - keyNickName, - errorMsg); } audit(auditMessage); @@ -768,8 +1014,22 @@ public class TokenServlet extends CMSServlet { private void processDiversifyKey(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - byte[] KeySetData, CUID, xCUID; - byte[] xkeyInfo, xnewkeyInfo; + byte[] KeySetData,KeysValues,xCUID,xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD + + // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. + String oldKeyNickName = null; + String newKeyNickName = null; + + // AC: KDF SPEC CHANGE - new config file values (needed for symkey) + byte nistSP800_108KdfOnKeyVersion = (byte)0xff; + boolean nistSP800_108KdfUseCuidAsKdd = false; + + // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey. + byte[] xkeyInfo = null,xnewkeyInfo = null; + + // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting + Exception missingSetting_exception = null; + boolean missingParam = false; String errorMsg = ""; String badParams = ""; @@ -779,6 +1039,15 @@ public class TokenServlet extends CMSServlet { String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + String rKDD = req.getParameter("KDD"); + if ((rKDD == null) || (rKDD.length() == 0)) { + // temporarily make it friendly before TPS change + CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); + rKDD = rCUID; + } + String auditMessage = ""; String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); @@ -795,9 +1064,11 @@ public class TokenServlet extends CMSServlet { (String) sContext.get(SessionContext.USER_ID); } + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST, rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. ILogger.SUCCESS, agentId, oldMasterKeyName, @@ -810,6 +1081,14 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); missingParam = true; } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) { badParams += " newKeyInfo,"; CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); @@ -821,6 +1100,12 @@ public class TokenServlet extends CMSServlet { missingParam = true; } + // AC: KDF SPEC CHANGE + xCUID = null; // avoid errors about non-initialization + xKDD = null; // avoid errors about non-initialization + xkeyInfo = null; // avoid errors about non-initialization + xnewkeyInfo = null; // avoid errors about non-initialization + if (!missingParam) { xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); if (xkeyInfo == null || xkeyInfo.length != 2) { @@ -847,9 +1132,46 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: Invalid CUID length"); missingParam = true; } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet: Invalid KDD length"); + missingParam = true; + } } if (!missingParam) { - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. + + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) + try{ + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo and xnewkeyInfo + CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x" + + Integer.toHexString((int)(xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] (old) = 0x" + + Integer.toHexString((int)(xkeyInfo[1]) & 0x0000000FF) + + ", xnewkeyInfo[0] = 0x" + + Integer.toHexString((int)(xnewkeyInfo[0]) & 0x000000FF) + + ", xnewkeyInfo[1] = 0x" + + Integer.toHexString((int)(xnewkeyInfo[1]) & 0x000000FF) + ); + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((int)(nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true){ + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + }else{ + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + }catch(Exception e){ + missingSetting_exception = e; + CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: " + e.toString()); + } if (mKeyNickName != null) oldMasterKeyName = mKeyNickName; @@ -859,7 +1181,6 @@ public class TokenServlet extends CMSServlet { String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." + req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); String oldSelectedToken = null; - String oldKeyNickName = null; if (oldMappingValue == null) { oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); @@ -872,7 +1193,6 @@ public class TokenServlet extends CMSServlet { String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo; //#xx#xx String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); String newSelectedToken = null; - String newKeyNickName = null; if (newMappingValue == null) { newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", "internal"); newKeyNickName = rnewKeyInfo; @@ -888,10 +1208,20 @@ public class TokenServlet extends CMSServlet { newKeyNickName); byte kekKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + + // AC: KDF SPEC CHANGE - check for error reading settings + if (missingSetting_exception == null){ KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, - newKeyNickName, rnewKeyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); + newKeyNickName, + xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use + xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[] + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + kekKeyArray, useSoftToken_s, keySet); if (KeySetData == null || KeySetData.length <= 1) { CMS.getLogger().log(ILogger.EV_AUDIT, @@ -901,11 +1231,18 @@ public class TokenServlet extends CMSServlet { CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, - ILogger.LL_INFO, "process DiversifyKey for CUID =" + trim(pp.toHexString(CUID)) + ILogger.LL_INFO, + "process DiversifyKey for CUID=" + + trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD + ", KDD=" + + trim(pp.toHexString(xKDD)) + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); resp.setContentType("text/html"); + + } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file + } // ! missingParam //CMS.debug("TokenServlet:processDiversifyKey " +outputString); @@ -918,6 +1255,11 @@ public class TokenServlet extends CMSServlet { value = IRemoteRequest.RESPONSE_STATUS+"=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData+"=" + com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); CMS.debug("TokenServlet:process DiversifyKey.encode " + value); + // AC: KDF SPEC CHANGE - check for settings file issue (flag) + } else if (missingSetting_exception != null){ + status = "6"; + errorMsg = "Problem reading required configuration value."; + value = "status=" + status; } else if (missingParam) { status = "3"; if (badParams.endsWith(",")) { @@ -945,26 +1287,48 @@ public class TokenServlet extends CMSServlet { if (status.equals("0")) { - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, - rCUID, - ILogger.SUCCESS, - status, - agentId, - oldMasterKeyName, - newMasterKeyName); - + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + + // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. + oldKeyNickName, // oldMasterKeyName + newKeyNickName, // newMasterKeyName + + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion + log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); } else { - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, - rCUID, - ILogger.FAILURE, - status, - agentId, - oldMasterKeyName, - newMasterKeyName, - errorMsg); + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + + // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. + oldKeyNickName, // oldMasterKeyName + newKeyNickName, // newMasterKeyName + + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion + log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); } audit(auditMessage); @@ -972,7 +1336,15 @@ public class TokenServlet extends CMSServlet { private void processEncryptData(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - byte[] keyInfo, CUID, xCUID, encryptedData, xkeyInfo; + byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD + + // AC: KDF SPEC CHANGE - new config file values (needed for symkey) + byte nistSP800_108KdfOnKeyVersion = (byte)0xff; + boolean nistSP800_108KdfUseCuidAsKdd = false; + + // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting + Exception missingSetting_exception = null; + boolean missingParam = false; byte[] data = null; boolean isRandom = true; // randomly generate the data to be encrypted @@ -984,6 +1356,15 @@ public class TokenServlet extends CMSServlet { String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA); String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + String rKDD = req.getParameter("KDD"); + if ((rKDD == null) || (rKDD.length() == 0)) { + // temporarily make it friendly before TPS change + CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); + rKDD = rCUID; + } + String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); if (keySet == null || keySet.equals("")) { keySet = "defKeySet"; @@ -1008,9 +1389,11 @@ public class TokenServlet extends CMSServlet { isRandom = true; } + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID String auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST, rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. ILogger.SUCCESS, agentId, s_isRandom); @@ -1044,12 +1427,24 @@ public class TokenServlet extends CMSServlet { missingParam = true; } + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { badParams += " KeyInfo,"; CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); missingParam = true; } + // AC: KDF SPEC CHANGE + xCUID = null; // avoid errors about non-initialization + xKDD = null; // avoid errors about non-initialization + xkeyInfo = null; // avoid errors about non-initialization + if (!missingParam) { xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { @@ -1057,6 +1452,15 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: Invalid CUID length"); missingParam = true; } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet: Invalid KDD length"); + missingParam = true; + } + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (xkeyInfo == null || xkeyInfo.length != 2) { badParams += " KeyInfo length,"; @@ -1072,10 +1476,35 @@ public class TokenServlet extends CMSServlet { String selectedToken = null; String keyNickName = null; if (!missingParam) { + + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey + try{ + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo + CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x" + + Integer.toHexString((int)(xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] = 0x" + + Integer.toHexString((int)(xkeyInfo[1]) & 0x0000000FF) + ); + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((int)(nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true){ + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + }else{ + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + }catch(Exception e){ + missingSetting_exception = e; + CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: " + e.toString()); + } + if (!isRandom) data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); @@ -1090,12 +1519,30 @@ public class TokenServlet extends CMSServlet { byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + // AC: KDF SPEC CHANGE - check for error reading settings + if (missingSetting_exception == null){ + encryptedData = SessionKey.EncryptData( - selectedToken, keyNickName, data, keyInfo, CUID, kekKeyArray, useSoftToken_s, keySet); + selectedToken,keyNickName,data,keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + kekKeyArray, useSoftToken_s, keySet); + + // AC: KDF SPEC CHANGE - Log both CUID and KDD + CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, - ILogger.LL_INFO, "process EncryptData for CUID =" + trim(pp.toHexString(CUID))); + ILogger.LL_INFO,"process EncryptData for CUID="+ + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + + } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file + + } // !missingParam resp.setContentType("text/html"); @@ -1109,6 +1556,11 @@ public class TokenServlet extends CMSServlet { com.netscape.cmsutil.util.Utils.SpecialEncode(data) + "&"+IRemoteRequest.TKS_RESPONSE_EncryptedData+"=" + com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); + // AC: KDF SPEC CHANGE - check for settings file issue (flag) + } else if (missingSetting_exception != null){ + status = "6"; + errorMsg = "Problem reading required configuration value."; + value = "status=" + status; } else if (missingParam) { if (badParams.endsWith(",")) { badParams = badParams.substring(0, badParams.length() - 1); @@ -1137,29 +1589,42 @@ public class TokenServlet extends CMSServlet { } if (status.equals("0")) { - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, - rCUID, - ILogger.SUCCESS, - status, - agentId, - s_isRandom, - selectedToken, - keyNickName); - + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + s_isRandom, // isRandom + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); } else { - - auditMessage = CMS.getLogMessage( - LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, - rCUID, - ILogger.FAILURE, - status, - agentId, - s_isRandom, - selectedToken, - keyNickName, - errorMsg); + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + s_isRandom, // isRandom + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString((int)nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); } audit(auditMessage); |