authorJack Magne <jmagne@localhost.localdomain>2015-03-12 19:08:41 -0700
committerJack Magne <jmagne@localhost.localdomain>2015-03-17 12:44:28 -0700
commit87ffc7a341860f3f1ece434e90e4bc33a02b8155 (patch)
treed833d1868284ce2c3865a674aca0bad66a0f7ebd /base/tps/shared
parentf98e599b1e95572a589b8813bc6cb0c2e70fdd0b (diff)
NISTSP8000 feature.
Implementation of the nistSP800 derivation feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist derivation code is being called. Review comments addressed. Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token CUIDs and KDDs. Final review comments. Fixed issue with extracting the KDD from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg.
Diffstat (limited to 'base/tps/shared')
-rw-r--r--base/tps/shared/conf/CS.cfg.in102
1 files changed, 102 insertions, 0 deletions
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index 85c2f3549..b899e7d21 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -257,6 +257,12 @@ op.enroll.delegateIEtoken._003=# where Encryption cert/keys are "recovered"
op.enroll.delegateIEtoken._004=# is controlled by registration user record
op.enroll.delegateIEtoken._005=#########################################
op.enroll.delegateIEtoken.auth.enable=true
+op.enroll.delegateIEtoken.cuidMustMatchKDD=false
+op.enroll.delegateIEtoken.enableBoundedGPKeyVersion=true
+op.enroll.delegateIEtoken.minimumGPKeyVersion=01
+op.enroll.delegateIEtoken.maximumGPKeyVersion=FF
+op.enroll.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true
op.enroll.delegateIEtoken.auth.id=ldap1
op.enroll.delegateIEtoken.cardmgr_instance=A0000000030000
op.enroll.delegateIEtoken.issuerinfo.enable=true
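Review bot: The six new keys are added with no explanatory entry, although this file documents each profile through numbered `_00N=#` comment lines (see the `_003`..`_005` lines at the top of this hunk), and the shipped defaults deserve one in particular: `cuidMustMatchKDD=false` appears to switch off the CUID/KDD consistency check the commit message describes, and `minimumGPKeyVersion=01` / `maximumGPKeyVersion=FF` look like hex byte values whose format is nowhere stated. I would add a line such as `op.enroll.delegateIEtoken._006=# cuidMustMatchKDD=false: CUID/KDD match check off by default (confirm); min/max GPKeyVersion are hex bytes` for each profile, and a short note on what `rollbackKeyVersionOnPutKeyFailure` and `validateCardKeyInfoAgainstTokenDB` each gate. The same applies to every other hunk in this file (delegateIEtoken format, delegateISEtoken, externalRegAddToToken, soKey, soKeyTemporary, userKey, userKeyTemporary, cleanToken, soCleanSOToken, soCleanUserToken, format soKey, soUserKey, tokenKey, format userKey, pinReset userKey). As a point of style, the placement is inconsistent between hunks: here the block is inserted between `auth.enable` and `auth.id`, in the soKey/userKey/cleanToken hunks it precedes `auth.enable`, and in the userKeyTemporary hunk it sits between `tks.conn` and `temporaryToken.tokenType`; the profiles otherwise keep keys in alphabetical order, so placing the block consistently would make the per-profile sets easier to audit.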
@@ -391,6 +397,12 @@ op.enroll.delegateIEtoken.update.applet.requiredVersion=1.4.4d40a449
op.enroll.delegateIEtoken.update.symmetricKeys.enable=false
op.enroll.delegateIEtoken.update.symmetricKeys.requiredVersion=1
op.format.delegateIEtoken.auth.enable=true
+op.format.delegateIEtoken.cuidMustMatchKDD=false
+op.format.delegateIEtoken.enableBoundedGPKeyVersion=true
+op.format.delegateIEtoken.minimumGPKeyVersion=01
+op.format.delegateIEtoken.maximumGPKeyVersion=FF
+op.format.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true
op.format.delegateIEtoken.auth.id=ldap3
op.format.delegateIEtoken.ca.conn=ca1
op.format.delegateIEtoken.cardmgr_instance=A0000000030000
@@ -412,6 +424,12 @@ op.enroll.delegateISEtoken._003=# where Encryption cert/keys is "recovered"
op.enroll.delegateISEtoken._004=# is controlled by registration user record
op.enroll.delegateISEtoken._005=#########################################
op.enroll.delegateISEtoken.auth.enable=true
+op.enroll.delegateISEtoken.cuidMustMatchKDD=false
+op.enroll.delegateISEtoken.enableBoundedGPKeyVersion=true
+op.enroll.delegateISEtoken.minimumGPKeyVersion=01
+op.enroll.delegateISEtoken.maximumGPKeyVersion=FF
+op.enroll.delegateISEtoken.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.delegateISEtoken.validateCardKeyInfoAgainstTokenDB=true
op.enroll.delegateISEtoken.auth.id=ldap1
op.enroll.delegateISEtoken.cardmgr_instance=A0000000030000
op.enroll.delegateISEtoken.issuerinfo.enable=true
@@ -640,6 +658,12 @@ op.enroll.externalRegAddToToken._000=#########################################
op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only
op.enroll.externalRegAddToToken._002=#########################################
op.enroll.externalRegAddToToken.auth.enable=true
+op.enroll.externalRegAddToToken.cuidMustMatchKDD=false
+op.enroll.externalRegAddToToken.enableBoundedGPKeyVersion=true
+op.enroll.externalRegAddToToken.minimumGPKeyVersion=01
+op.enroll.externalRegAddToToken.maximumGPKeyVersion=FF
+op.enroll.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true
op.enroll.externalRegAddToToken.auth.id=ldap1
op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000
op.enroll.externalRegAddToToken.issuerinfo.enable=true
@@ -687,6 +711,12 @@ op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449
op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false
op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1
op.format.externalRegAddToToken.auth.enable=true
+op.format.externalRegAddToToken.cuidMustMatchKDD=false
+op.format.externalRegAddToToken.enableBoundedGPKeyVersion=true
+op.format.externalRegAddToToken.minimumGPKeyVersion=01
+op.format.externalRegAddToToken.maximumGPKeyVersion=FF
+op.format.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true
op.format.externalRegAddToToken.cardmgr_instance=A0000000030000
op.format.externalRegAddToToken.issuerinfo.enable=true
op.format.externalRegAddToToken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome
@@ -733,6 +763,12 @@ op.enroll._033=# Web Store - 3B759400006202020201
op.enroll._034=#########################################
op.enroll.allowUnknownToken=true
op.enroll.tokenProfileResolver=enrollMappingResolver
+op.enroll.soKey.cuidMustMatchKDD=false
+op.enroll.soKey.enableBoundedGPKeyVersion=true
+op.enroll.soKey.minimumGPKeyVersion=01
+op.enroll.soKey.maximumGPKeyVersion=FF
+op.enroll.soKey.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.soKey.validateCardKeyInfoAgainstTokenDB=true
op.enroll.soKey.auth.enable=true
op.enroll.soKey.auth.id=ldap2
op.enroll.soKey.cardmgr_instance=A0000000030000
@@ -855,6 +891,12 @@ op.enroll.soKey.pinReset.pin.maxRetries=127
op.enroll.soKey.pinReset.pin.minLen=4
op.enroll.soKey.pkcs11obj.compress.enable=true
op.enroll.soKey.pkcs11obj.enable=true
+op.enroll.soKeyTemporary.cuidMustMatchKDD=false
+op.enroll.soKeyTemporary.enableBoundedGPKeyVersion=true
+op.enroll.soKeyTemporary.minimumGPKeyVersion=01
+op.enroll.soKeyTemporary.maximumGPKeyVersion=FF
+op.enroll.soKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.soKeyTemporary.validateCardKeyInfoAgainstTokenDB=true
op.enroll.soKeyTemporary.auth.enable=true
op.enroll.soKeyTemporary.auth.id=ldap2
op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000
@@ -1014,6 +1056,12 @@ op.enroll.soKey.update.applet.encryption=true
op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449
op.enroll.soKey.update.symmetricKeys.enable=false
op.enroll.soKey.update.symmetricKeys.requiredVersion=1
+op.enroll.userKey.cuidMustMatchKDD=false
+op.enroll.userKey.enableBoundedGPKeyVersion=true
+op.enroll.userKey.minimumGPKeyVersion=01
+op.enroll.userKey.maximumGPKeyVersion=FF
+op.enroll.userKey.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.userKey.validateCardKeyInfoAgainstTokenDB=true
op.enroll.userKey.auth.enable=true
op.enroll.userKey.auth.id=ldap1
op.enroll.userKey.cardmgr_instance=A0000000030000
@@ -1297,6 +1345,12 @@ op.enroll.userKeyTemporary.pinReset.pin.minLen=4
op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true
op.enroll.userKeyTemporary.pkcs11obj.enable=true
op.enroll.userKeyTemporary.tks.conn=tks1
+op.enroll.userKeyTemporary.cuidMustMatchKDD=false
+op.enroll.userKeyTemporary.enableBoundedGPKeyVersion=true
+op.enroll.userKeyTemporary.minimumGPKeyVersion=01
+op.enroll.userKeyTemporary.maximumGPKeyVersion=FF
+op.enroll.userKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false
+op.enroll.userKeyTemporary.validateCardKeyInfoAgainstTokenDB=true
op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary
op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets
op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true
@@ -1315,6 +1369,12 @@ op.enroll.userKey.update.symmetricKeys.enable=false
op.enroll.userKey.update.symmetricKeys.requiredVersion=1
op.format.allowUnknownToken=true
op.format.tokenProfileResolver=formatMappingResolver
+op.format.cleanToken.cuidMustMatchKDD=false
+op.format.cleanToken.enableBoundedGPKeyVersion=true
+op.format.cleanToken.minimumGPKeyVersion=01
+op.format.cleanToken.maximumGPKeyVersion=FF
+op.format.cleanToken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.cleanToken.validateCardKeyInfoAgainstTokenDB=true
op.format.cleanToken.auth.enable=false
op.format.cleanToken.auth.id=ldap1
op.format.cleanToken.ca.conn=ca1
@@ -1330,6 +1390,12 @@ op.format.cleanToken.update.applet.encryption=true
op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449
op.format.cleanToken.update.symmetricKeys.enable=false
op.format.cleanToken.update.symmetricKeys.requiredVersion=1
+op.format.soCleanSOToken.cuidMustMatchKDD=false
+op.format.soCleanSOToken.enableBoundedGPKeyVersion=true
+op.format.soCleanSOToken.minimumGPKeyVersion=01
+op.format.soCleanSOToken.maximumGPKeyVersion=FF
+op.format.soCleanSOToken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true
op.format.soCleanSOToken.auth.enable=false
op.format.soCleanSOToken.auth.id=ldap1
op.format.soCleanSOToken.ca.conn=ca1
@@ -1345,6 +1411,12 @@ op.format.soCleanSOToken.update.applet.encryption=true
op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449
op.format.soCleanSOToken.update.symmetricKeys.enable=false
op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1
+op.format.soCleanUserToken.cuidMustMatchKDD=false
+op.format.soCleanUserToken.enableBoundedGPKeyVersion=true
+op.format.soCleanUserToken.minimumGPKeyVersion=01
+op.format.soCleanUserToken.maximumGPKeyVersion=FF
+op.format.soCleanUserToken.rollbackKeyVersionOnPutKeyFailure=false
+op.format.soCleanUserToken.validateCardKeyInfoAgainstTokenDB=true
op.format.soCleanUserToken.auth.enable=false
op.format.soCleanUserToken.auth.id=ldap1
op.format.soCleanUserToken.ca.conn=ca1
@@ -1360,6 +1432,12 @@ op.format.soCleanUserToken.update.applet.encryption=true
op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449
op.format.soCleanUserToken.update.symmetricKeys.enable=false
op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1
+op.format.soKey.cuidMustMatchKDD=false
+op.format.soKey.enableBoundedGPKeyVersion=true
+op.format.soKey.minimumGPKeyVersion=01
+op.format.soKey.maximumGPKeyVersion=FF
+op.format.soKey.rollbackKeyVersionOnPutKeyFailure=false
+op.format.soKey.validateCardKeyInfoAgainstTokenDB=true
op.format.soKey.auth.enable=true
op.format.soKey.auth.id=ldap2
op.format.soKey.ca.conn=ca1
@@ -1375,6 +1453,12 @@ op.format.soKey.update.applet.encryption=true
op.format.soKey.update.applet.requiredVersion=1.4.4d40a449
op.format.soKey.update.symmetricKeys.enable=false
op.format.soKey.update.symmetricKeys.requiredVersion=1
+op.format.soUserKey.cuidMustMatchKDD=false
+op.format.soUserKey.enableBoundedGPKeyVersion=true
+op.format.soUserKey.minimumGPKeyVersion=01
+op.format.soUserKey.maximumGPKeyVersion=FF
+op.format.soUserKey.rollbackKeyVersionOnPutKeyFailure=false
+op.format.soUserKey.validateCardKeyInfoAgainstTokenDB=true
op.format.soUserKey.auth.enable=false
op.format.soUserKey.auth.id=ldap1
op.format.soUserKey.ca.conn=ca1
@@ -1390,6 +1474,12 @@ op.format.soUserKey.update.applet.encryption=true
op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449
op.format.soUserKey.update.symmetricKeys.enable=false
op.format.soUserKey.update.symmetricKeys.requiredVersion=1
+op.format.tokenKey.cuidMustMatchKDD=false
+op.format.tokenKey.enableBoundedGPKeyVersion=true
+op.format.tokenKey.minimumGPKeyVersion=01
+op.format.tokenKey.maximumGPKeyVersion=FF
+op.format.tokenKey.rollbackKeyVersionOnPutKeyFailure=false
+op.format.tokenKey.validateCardKeyInfoAgainstTokenDB=true
op.format.tokenKey.auth.enable=true
op.format.tokenKey.auth.id=ldap1
op.format.tokenKey.ca.conn=ca1
@@ -1405,6 +1495,12 @@ op.format.tokenKey.update.applet.encryption=true
op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449
op.format.tokenKey.update.symmetricKeys.enable=false
op.format.tokenKey.update.symmetricKeys.requiredVersion=1
+op.format.userKey.cuidMustMatchKDD=false
+op.format.userKey.enableBoundedGPKeyVersion=true
+op.format.userKey.minimumGPKeyVersion=01
+op.format.userKey.maximumGPKeyVersion=FF
+op.format.userKey.rollbackKeyVersionOnPutKeyFailure=false
+op.format.userKey.validateCardKeyInfoAgainstTokenDB=true
op.format.userKey.auth.enable=true
op.format.userKey.auth.id=ldap1
op.format.userKey.ca.conn=ca1
@@ -1421,6 +1517,12 @@ op.format.userKey.update.applet.requiredVersion=1.4.4d40a449
op.format.userKey.update.symmetricKeys.enable=false
op.format.userKey.update.symmetricKeys.requiredVersion=1
op.pinReset.tokenProfileResolver=pinResetMappingResolver
+op.pinReset.userKey.cuidMustMatchKDD=false
+op.pinReset.userKey.enableBoundedGPKeyVersion=true
+op.pinReset.userKey.minimumGPKeyVersion=01
+op.pinReset.userKey.maximumGPKeyVersion=FF
+op.pinReset.userKey.rollbackKeyVersionOnPutKeyFailure=false
+op.pinReset.userKey.validateCardKeyInfoAgainstTokenDB=true
op.pinReset.userKey.auth.enable=true
op.pinReset.userKey.auth.id=ldap1
op.pinReset.userKey.cardmgr_instance=A0000000030000