authorChristina Fu <cfu@redhat.com>2014-12-02 14:38:08 -0800
committerChristina Fu <cfu@redhat.com>2014-12-19 11:17:34 -0800
commit4c910296a6c6c8bf74fbdace740680db2f1fecab (patch)
tree1d0d53e8f72c7f219830d387f228003074faf98a /base/server/cmsbundle
parent00b1c33272900613687448ccab7809ba794679f6 (diff)
Ticket #864 866 (part 1 symkey, common) NIST SP800-108 KDF
- this patch does not include TPS side of changes: (#865 needs to be rewritten in Java)
Diffstat (limited to 'base/server/cmsbundle')
-rw-r--r--base/server/cmsbundle/src/LogMessages.properties80
1 files changed, 80 insertions, 0 deletions
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index dfa23c15b..ef3872c8d 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2263,6 +2263,13 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4=<type=COMPU
# SubjectID must be the CUID of the token establishing the secure channel
# AgentID must be the trusted agent id used to make the request
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}] TKS Compute session key request
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+## CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
+## encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
+
#
#
# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
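Review bot: The new `LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4` template drops `SubjectID` in favour of `CUID_encoded`, while the `_3` template is kept, so the same AuditEvent can now appear in two shapes. Any log consumer that keys on `SubjectID` will find no token identifier in the new records. The request events also log the encoded form while the PROCESSED events log `CUID_decoded`/`KDD_decoded`, so correlating a request with its outcome requires decoding first, and the comment only says "special-encoded". I would name the encoding in the comment and note which template supersedes which, for example `# Supersedes ..._REQUEST_3; CUID_encoded replaces SubjectID and decodes to the CUID_decoded value of the matching PROCESSED event`. The same applies to the `DIVERSIFY_KEY_REQUEST_6` and `ENCRYPT_DATA_REQUEST_5` hunks.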
@@ -2277,6 +2284,19 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_3=<type=COMPUTE_SESSION_KEY_REQ
# KeyNickName is the number keyset ex: #01#01
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={6}][KeyNickName={7}] TKS Compute session key request processed successfully
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+## CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
+## that decoded parameters are now logged.
+## Also added TKSKeyset, KeyInfo_KeyVersion,
+## NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][IsCryptoValidate={5}][IsServerSideKeygen={6}][SelectedToken={7}][KeyNickName={8}][TKSKeyset={9}][KeyInfo_KeyVersion={10}][NistSP800_108KdfOnKeyVersion={11}][NistSP800_108KdfUseCuidAsKdd={12}] TKS Compute session key request processed successfully
+
#
#
# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
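Review bot: The comments for `NistSP800_108KdfOnKeyVersion` and `NistSP800_108KdfUseCuidAsKdd` say only that each "lists the value of the corresponding setting in hex". That names neither the setting nor the values an auditor should expect to see. `NistSP800_108KdfUseCuidAsKdd` reads like an on/off switch, for which "in hex" is ambiguous. Since these two fields record which key derivation path was taken, I would expand each comment to give the configuration parameter it mirrors, the literal values that can appear, and what each one means for the derivation. The same wording recurs in the other five PROCESSED_SUCCESS/PROCESSED_FAILURE hunks of this file.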
@@ -2293,6 +2313,16 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_8=<type=COMPU
# Error gives the error message
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][IsCryptoValidate={4}][IsServerSideKeygen={5}][SelectedToken={7}][KeyNickName={7}][Error={8}] TKS Compute session key request failed
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][IsCryptoValidate={5}][IsServerSideKeygen={6}][SelectedToken={7}][KeyNickName={8}][TKSKeyset={9}][KeyInfo_KeyVersion={10}][NistSP800_108KdfOnKeyVersion={11}][NistSP800_108KdfUseCuidAsKdd={12}][Error={13}] TKS Compute session key request failed
+
# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
# - request for TPS to TKS to do key change over
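Review bot: The retained `..._PROCESSED_FAILURE_9` template, in the context lines just above the added block, still reads `[SelectedToken={7}][KeyNickName={7}]`. Argument 6 is therefore never printed and `SelectedToken` shows the key nickname. The new `_14` line has the indices right (`[SelectedToken={7}][KeyNickName={8}]`), but if any caller still formats with `_9` (the callers are not visible in this diff), its failure records stay wrong. I would correct the old line to `[SelectedToken={6}][KeyNickName={7}]` in this commit, or remove `_9` if nothing references it.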
@@ -2303,6 +2333,11 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_9=<type=COMPU
# newMasterKeyName is the new master key name
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][oldMasterKeyName={3}][newMasterKeyName={4}] TKS Key Change Over request
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
+
###########################
# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
# - request for TPS to TKS to do key change over request processed
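Review bot: In `LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6`, `CUID_encoded={0}` and `KDD_encoded={1}` are request-supplied values placed inside a bracket-delimited record, and the comment does not state which characters the "special" encoding can produce. If the encoded form can contain `]`, `[` or a line break, the field boundaries of the signed audit entry become ambiguous to anyone parsing it. Please confirm that the code filling these parameters limits them to a safe alphabet, and state that alphabet in the comment, for example `# CUID_encoded contains only <allowed characters>; it never contains '[' , ']' or line breaks`. The PROCESSED templates are less exposed because their comments require ASCII-HEX.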
@@ -2314,6 +2349,17 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[Audit
# newMasterKeyName is the new master key name
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request processed successfully
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# OldKeyInfo_KeyVersion is the old key version number in hex.
+# NewKeyInfo_KeyVersion is the new key version number in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][oldMasterKeyName={5}][newMasterKeyName={6}][TKSKeyset={7}][OldKeyInfo_KeyVersion={8}][NewKeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}] TKS Key Change Over request processed successfully
+
#
###########################
# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
@@ -2327,6 +2373,16 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_6=<type=DIVERSIFY_K
# Error gives the error message
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}][Error={6}] TKS Key Change Over request failed
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+## Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# OldKeyInfo_KeyVersion is the old key version number in hex.
+# NewKeyInfo_KeyVersion is the new key version number in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][oldMasterKeyName={5}][newMasterKeyName={6}][TKSKeyset={7}][OldKeyInfo_KeyVersion={8}][NewKeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}][Error={12}] TKS Key Change Over request failed
# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
# - request from TPS to TKS to encrypt data
@@ -2337,6 +2393,11 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_7=<type=DIVERSIFY_K
# isRandom tells if the data is randomly generated on TKS
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
+
#
# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
# - request from TPS to TKS to encrypt data
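Review bot: `LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5` keeps `[status={2}]` where the other two request templates added in this commit (`COMPUTE_SESSION_KEY_REQUEST_4`, `DIVERSIFY_KEY_REQUEST_6`) use `[Outcome={2}]`. The name is inherited from the `_4` line in the context, but a new template with a new field layout is the cheapest point to align it. If `status` is kept on purpose so existing parsers continue to match, a one-line comment saying so would stop the next reader from "fixing" it: `# status (not Outcome) is kept for compatibility with ENCRYPT_DATA_REQUEST_4`.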
@@ -2350,6 +2411,16 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
# KeyNickName is the numeric keyset ex: #01#01
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7=<type=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}] TKS encrypt data request processed successfully
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12=<type=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][isRandom={5}][SelectedToken={6}][KeyNickName={7}][TKSKeyset={8}][KeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}] TKS encrypt data request processed successfully
+
#
# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
# - request from TPS to TKS to encrypt data
@@ -2364,6 +2435,15 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_7=<type=ENCRYPT_DATA
# Error gives the error message
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_8=<type=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][status={2}][AgentID={3}][isRandom={4}][SelectedToken={5}][KeyNickName={6}][Error={7}] TKS encrypt data request failed
#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID. Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+## Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13=<type=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][isRandom={5}][SelectedToken={6}][KeyNickName={7}][TKSKeyset={8}][KeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}][Error={12}] TKS encrypt data request failed
#
#
# LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE