authorJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2016-12-16 16:25:48 -0800
committerJack Magne <jmagne@dhcp-16-206.sjc.redhat.com>2017-01-11 15:59:28 -0800
commit3e8bb9d0e42594afafdd0c0ac2a0f1b7a5d05aeb (patch)
treebd89828c109a6befc937e2e8e2f8ef87bc07d610 /base/tps/src
parent48090b00c3727c95ecd77b52272bd7596b3ff09b (diff)
Ticket #2569: Token memory not wiped after key deletion
This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.
Diffstat (limited to 'base/tps/src')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java33
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java74
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java22
3 files changed, 120 insertions, 9 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index 8860f48cc..f2e32368f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -23,6 +23,7 @@ import org.dogtagpki.server.tps.engine.TPSEngine;
import org.dogtagpki.server.tps.processor.TPSProcessor;
import org.dogtagpki.tps.apdu.APDU;
import org.dogtagpki.tps.apdu.APDUResponse;
+import org.dogtagpki.tps.apdu.ClearKeySlotsAPDU;
import org.dogtagpki.tps.apdu.CreateObjectAPDU;
import org.dogtagpki.tps.apdu.CreatePinAPDU;
import org.dogtagpki.tps.apdu.DeleteFileAPDU;
@@ -850,6 +851,38 @@ public class SecureChannel {
return keyInfoData;
}
+ //Call the applet to clear unused key slots
+ /// data is in the fomat of bytes, which is basically the payload of the apdu to be sent
+ // [privateKeyIndex] [publicKeyIndex] ... [final privateKeyIndex] [final publicKeyIndex]
+ public void clearAppletKeySlotData(TPSBuffer data) {
+ String method = "SecureChannel.clearAppletKeySlotData: ";
+
+ CMS.debug(method + " entering ...");
+
+ if(data == null) {
+ CMS.debug(method + " Invalid input data returning...");
+ return;
+ }
+
+ APDUResponse response;
+ try {
+ ClearKeySlotsAPDU clearKey = new ClearKeySlotsAPDU(data.toBytesArray());
+ computeAPDU(clearKey);
+ response = processor.handleAPDURequest(clearKey);
+ } catch (TPSException | IOException e) {
+ CMS.debug(method + " bad apdu return!");
+ return;
+
+ }
+
+ if (!response.checkResult()) {
+ CMS.debug(method + " bad apdu return!");
+ }
+
+ CMS.debug(method + " Successful applet key data cleanup operation completed.");
+
+ }
+
public void writeObject(TPSBuffer objectID, TPSBuffer objectData) throws TPSException, IOException {
CMS.debug("SecureChannel.writeObject: entering ...");
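Review bot: In `clearAppletKeySlotData` the `if (!response.checkResult())` branch only logs and then falls through, so "Successful applet key data cleanup operation completed." is written even when the applet rejected the command; add `return;` inside that branch or move the success message into an `else`. The method also returns void and its catch block drops the exception, so the call site added in TPSEnrollProcessor cannot tell that key slots were left unwiped. Since the ticket is about residual key material, the failure log should at least carry the cause, e.g. `CMS.debug(method + " bad apdu return! " + e);`, and ideally the outcome should be reported to the caller. The leading comments (one starts with `///` and has the typo "fomat") would read better as a single Javadoc block stating that `data` is the APDU payload of [private][public] key index pairs.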
diff --git a/base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java b/base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java
index 6af39a7bd..cc2e8c8b3 100644
--- a/base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java
+++ b/base/tps/src/org/dogtagpki/server/tps/main/PKCS11Obj.java
@@ -265,6 +265,76 @@ public class PKCS11Obj {
}
+ //Returns a buffer of key index data written to the token in this format:
+ // [privateKeyIndex] [publicKeyIndex] ... [final privateKeyIndex] [final publicKeyIndex]
+ // ex: [2][3][4][5]
+ public TPSBuffer getKeyIndexList() {
+
+ TPSBuffer data = new TPSBuffer();
+ int objectCount = getObjectSpecCount();
+
+ CMS.debug("PKCS11Obj:getKeyIndexList: objectCount: " + objectCount);
+
+ //Add first byte for length, set to 0 for now
+
+ for (int i = 0; i < objectCount; i++) {
+ ObjectSpec spec = getObjectSpec(i);
+
+ char c = spec.getObjectType();
+ long fixedAttrs = spec.getFixedAttributes();
+ int xclass = (int) ((fixedAttrs & 0x70) >> 4);
+ long cont_id = spec.getObjectIndex();
+ long id = (int) (fixedAttrs & 0x0f);
+
+ /* locate all certificate objects */
+ if (c == 'c' && xclass == PKCS11Constants.CKO_CERTIFICATE) {
+
+ CMS.debug("PKCSObj:getKeyIndexList: found cert object: id: " + id );
+
+ //We need to use the container id, there may be more than one cert
+ //with the same CKA_ID byte
+
+ id = cont_id;
+
+ /* locate private object */
+ for (int y = 0; y < objectCount; y++) {
+ ObjectSpec y_spec = getObjectSpec(y);
+ long y_fixedAttrs =
+ y_spec.getFixedAttributes();
+ int y_xclass = (int) ((y_fixedAttrs & 0x70) >> 4);
+ int y_id = (int) (y_fixedAttrs & 0x0f);
+ if (y_xclass == PKCS11Constants.CKO_PRIVATE_KEY && y_id == id) {
+ CMS.debug("PKCS11Obj::getKeyIndexList: found private key object: id: " + y_spec.getObjectIndex());
+
+ data.add((byte) y_spec.getObjectIndex());
+
+ }
+ }
+
+ /* locate public object */
+ for (int x = 0; x < objectCount; x++) {
+ ObjectSpec x_spec = getObjectSpec(x);
+ long x_fixedAttrs =
+ x_spec.getFixedAttributes();
+ int x_xclass = (int) ((x_fixedAttrs & 0x70) >> 4);
+ int x_id = (int) (x_fixedAttrs & 0x0f);
+ if (x_xclass == PKCS11Constants.CKO_PUBLIC_KEY && x_id == id) {
+ CMS.debug("PKCSObj::getKeyIndexList: found public key object: id: " + x_spec.getObjectIndex());
+
+ data.add((byte) x_spec.getObjectIndex());
+ }
+ }
+
+ }
+ }
+
+ //This is ok, we have a TPSBuffer object. Even if it is empty, the toHexString will return en empty string
+ CMS.debug("PKCS11Obj::getKeyIndexList: returning: " + data.toHexString());
+
+ return data;
+
+ }
+
private TPSBuffer getRawData() {
TPSBuffer data = new TPSBuffer();
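Review bot: The header comment of `getKeyIndexList` promises [privateKeyIndex][publicKeyIndex] pairs, but the two inner loops append independently, so a certificate with no matching key object of one class, or with several, yields a list that is no longer pairwise. Whether the applet parses the payload as pairs is not visible here; if it does, it could keep or clear the wrong slots, so consider appending only when exactly one index of each class was found and logging the mismatch otherwise. The casts `(byte) y_spec.getObjectIndex()` and `(byte) x_spec.getObjectIndex()` truncate silently if an index does not fit in one byte, so a range check before the cast would be safer. The comment `//Add first byte for length, set to 0 for now` has no code behind it and should be removed, and the log prefixes mix `PKCS11Obj:`, `PKCSObj:` and `PKCS11Obj::`.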
@@ -335,7 +405,7 @@ public class PKCS11Obj {
int x_xclass = (int) ((x_fixedAttrs & 0x70) >> 4);
int x_id = (int) (x_fixedAttrs & 0x0f);
if (x_xclass == PKCS11Constants.CKO_PUBLIC_KEY && x_id == id) {
- CMS.debug("PKCSObj:getRawData: found public key object: id: " + id);
+ CMS.debug("PKCSObj:getRawData: found public key object: id: " + x_spec.getObjectIndex());
data.add(x_spec.getData());
}
}
@@ -348,7 +418,7 @@ public class PKCS11Obj {
int y_xclass = (int) ((y_fixedAttrs & 0x70) >> 4);
int y_id = (int) (y_fixedAttrs & 0x0f);
if (y_xclass == PKCS11Constants.CKO_PRIVATE_KEY && y_id == id) {
- CMS.debug("PKCSObj:getRawData: found private key object: id: " + id);
+ CMS.debug("PKCSObj:getRawData: found private key object: id: " + y_spec.getObjectIndex());
data.add(y_spec.getData());
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index aba0e99a3..8b6370337 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,6 +15,12 @@ import java.util.Map;
import java.util.Random;
import java.util.zip.DataFormatException;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -53,6 +59,8 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -60,13 +68,6 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.cmsutil.util.Utils;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.X509CertImpl;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
public class TPSEnrollProcessor extends TPSProcessor {
public TPSEnrollProcessor(TPSSession session) {
@@ -585,6 +586,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
throw new TPSException(logMsg);
}
+ //Now let's clear off any key slots if the enrollment left any unused but occupied with key data on the applet
+
+ TPSBuffer keyList = pkcs11objx.getKeyIndexList();
+
+ channel.clearAppletKeySlotData(keyList);
+
+
CMS.debug(method + " leaving ...");
statusUpdate(100, "PROGRESS_DONE_ENROLLMENT");
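Review bot: The added `channel.clearAppletKeySlotData(keyList);` call runs on every enrollment, and nothing in this hunk checks that the applet on the token understands the new clear-key-slots command. The commit message says the applet fix is handled separately, so an older applet would presumably answer with an error that ends up only in the debug log. If a version gate exists it is outside the hunk (the enclosing method starts and ends outside it); otherwise consider guarding the call on the applet version and recording the skipped or failed wipe somewhere more visible than `CMS.debug`. The comment above the call could also state what the list means, e.g. `// keyList: indexes of the key slots still referenced by enrolled certs (assumed: the applet clears all others)`, once that contract is confirmed against the applet side.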