diff options
| author | Jack Magne <jmagne@localhost.localdomain> | 2015-03-12 19:08:41 -0700 |
|---|---|---|
| committer | Jack Magne <jmagne@localhost.localdomain> | 2015-03-17 12:44:28 -0700 |
| commit | 87ffc7a341860f3f1ece434e90e4bc33a02b8155 (patch) | |
| tree | d833d1868284ce2c3865a674aca0bad66a0f7ebd /base/tps | |
| parent | f98e599b1e95572a589b8813bc6cb0c2e70fdd0b (diff) | |
| download | pki-87ffc7a341860f3f1ece434e90e4bc33a02b8155.tar.gz pki-87ffc7a341860f3f1ece434e90e4bc33a02b8155.tar.xz pki-87ffc7a341860f3f1ece434e90e4bc33a02b8155.zip | |
NISTSP8000 feature.
Implementation of the nistSP800 dervication feature.
Works for both supported scp01 cards and scp02 cards.
During the various session key and key upgrade functions, the nist dervication code is being called.
Review comments addressed
Cleanup of some input validation on the TKS.
Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
Final review comments.
Fixed issue with extracting the kdd from the AppletInfo class.
Fixed issue with sending the KDD to the encryptData TKS servlet.
Added requested entries to the CS.cfg .
Diffstat (limited to 'base/tps')
8 files changed, 515 insertions, 52 deletions
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in index 85c2f3549..b899e7d21 100644 --- a/base/tps/shared/conf/CS.cfg.in +++ b/base/tps/shared/conf/CS.cfg.in @@ -257,6 +257,12 @@ op.enroll.delegateIEtoken._003=# where Encryption cert/keys are "recovered" op.enroll.delegateIEtoken._004=# is controlled by registration user record op.enroll.delegateIEtoken._005=######################################### op.enroll.delegateIEtoken.auth.enable=true +op.enroll.delegateIEtoken.cuidMustMatchKDD=false +op.enroll.delegateIEtoken.enableBoundedGPKeyVersion=true +op.enroll.delegateIEtoken.minimumGPKeyVersion=01 +op.enroll.delegateIEtoken.maximumGPKeyVersion=FF +op.enroll.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true op.enroll.delegateIEtoken.auth.id=ldap1 op.enroll.delegateIEtoken.cardmgr_instance=A0000000030000 op.enroll.delegateIEtoken.issuerinfo.enable=true @@ -391,6 +397,12 @@ op.enroll.delegateIEtoken.update.applet.requiredVersion=1.4.4d40a449 op.enroll.delegateIEtoken.update.symmetricKeys.enable=false op.enroll.delegateIEtoken.update.symmetricKeys.requiredVersion=1 op.format.delegateIEtoken.auth.enable=true +op.format.delegateIEtoken.cuidMustMatchKDD=false +op.format.delegateIEtoken.enableBoundedGPKeyVersion=true +op.format.delegateIEtoken.minimumGPKeyVersion=01 +op.format.delegateIEtoken.maximumGPKeyVersion=FF +op.format.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.format.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true op.format.delegateIEtoken.auth.id=ldap3 op.format.delegateIEtoken.ca.conn=ca1 op.format.delegateIEtoken.cardmgr_instance=A0000000030000 @@ -412,6 +424,12 @@ op.enroll.delegateISEtoken._003=# where Encryption cert/keys is "recovered" op.enroll.delegateISEtoken._004=# is controlled by registration user record op.enroll.delegateISEtoken._005=######################################### op.enroll.delegateISEtoken.auth.enable=true +op.enroll.delegateISEtoken.cuidMustMatchKDD=false +op.enroll.delegateISEtoken.enableBoundedGPKeyVersion=true +op.enroll.delegateISEtoken.minimumGPKeyVersion=01 +op.enroll.delegateISEtoken.maximumGPKeyVersion=FF +op.enroll.delegateISEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.delegateISEtoken.validateCardKeyInfoAgainstTokenDB=true op.enroll.delegateISEtoken.auth.id=ldap1 op.enroll.delegateISEtoken.cardmgr_instance=A0000000030000 op.enroll.delegateISEtoken.issuerinfo.enable=true @@ -640,6 +658,12 @@ op.enroll.externalRegAddToToken._000=######################################### op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only op.enroll.externalRegAddToToken._002=######################################### op.enroll.externalRegAddToToken.auth.enable=true +op.enroll.externalRegAddToToken.cuidMustMatchKDD=false +op.enroll.externalRegAddToToken.enableBoundedGPKeyVersion=true +op.enroll.externalRegAddToToken.minimumGPKeyVersion=01 +op.enroll.externalRegAddToToken.maximumGPKeyVersion=FF +op.enroll.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true op.enroll.externalRegAddToToken.auth.id=ldap1 op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000 op.enroll.externalRegAddToToken.issuerinfo.enable=true @@ -687,6 +711,12 @@ op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449 op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1 op.format.externalRegAddToToken.auth.enable=true +op.format.externalRegAddToToken.cuidMustMatchKDD=false +op.format.externalRegAddToToken.enableBoundedGPKeyVersion=true +op.format.externalRegAddToToken.minimumGPKeyVersion=01 +op.format.externalRegAddToToken.maximumGPKeyVersion=FF +op.format.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true op.format.externalRegAddToToken.cardmgr_instance=A0000000030000 op.format.externalRegAddToToken.issuerinfo.enable=true op.format.externalRegAddToToken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome @@ -733,6 +763,12 @@ op.enroll._033=# Web Store - 3B759400006202020201 op.enroll._034=######################################### op.enroll.allowUnknownToken=true op.enroll.tokenProfileResolver=enrollMappingResolver +op.enroll.soKey.cuidMustMatchKDD=false +op.enroll.soKey.enableBoundedGPKeyVersion=true +op.enroll.soKey.minimumGPKeyVersion=01 +op.enroll.soKey.maximumGPKeyVersion=FF +op.enroll.soKey.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.soKey.validateCardKeyInfoAgainstTokenDB=true op.enroll.soKey.auth.enable=true op.enroll.soKey.auth.id=ldap2 op.enroll.soKey.cardmgr_instance=A0000000030000 @@ -855,6 +891,12 @@ op.enroll.soKey.pinReset.pin.maxRetries=127 op.enroll.soKey.pinReset.pin.minLen=4 op.enroll.soKey.pkcs11obj.compress.enable=true op.enroll.soKey.pkcs11obj.enable=true +op.enroll.soKeyTemporary.cuidMustMatchKDD=false +op.enroll.soKeyTemporary.enableBoundedGPKeyVersion=true +op.enroll.soKeyTemporary.minimumGPKeyVersion=01 +op.enroll.soKeyTemporary.maximumGPKeyVersion=FF +op.enroll.soKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.soKeyTemporary.validateCardKeyInfoAgainstTokenDB=true op.enroll.soKeyTemporary.auth.enable=true op.enroll.soKeyTemporary.auth.id=ldap2 op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000 @@ -1014,6 +1056,12 @@ op.enroll.soKey.update.applet.encryption=true op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449 op.enroll.soKey.update.symmetricKeys.enable=false op.enroll.soKey.update.symmetricKeys.requiredVersion=1 +op.enroll.userKey.cuidMustMatchKDD=false +op.enroll.userKey.enableBoundedGPKeyVersion=true +op.enroll.userKey.minimumGPKeyVersion=01 +op.enroll.userKey.maximumGPKeyVersion=FF +op.enroll.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.userKey.validateCardKeyInfoAgainstTokenDB=true op.enroll.userKey.auth.enable=true op.enroll.userKey.auth.id=ldap1 op.enroll.userKey.cardmgr_instance=A0000000030000 @@ -1297,6 +1345,12 @@ op.enroll.userKeyTemporary.pinReset.pin.minLen=4 op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true op.enroll.userKeyTemporary.pkcs11obj.enable=true op.enroll.userKeyTemporary.tks.conn=tks1 +op.enroll.userKeyTemporary.cuidMustMatchKDD=false +op.enroll.userKeyTemporary.enableBoundedGPKeyVersion=true +op.enroll.userKeyTemporary.minimumGPKeyVersion=01 +op.enroll.userKeyTemporary.maximumGPKeyVersion=FF +op.enroll.userKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.userKeyTemporary.validateCardKeyInfoAgainstTokenDB=true op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true @@ -1315,6 +1369,12 @@ op.enroll.userKey.update.symmetricKeys.enable=false op.enroll.userKey.update.symmetricKeys.requiredVersion=1 op.format.allowUnknownToken=true op.format.tokenProfileResolver=formatMappingResolver +op.format.cleanToken.cuidMustMatchKDD=false +op.format.cleanToken.enableBoundedGPKeyVersion=true +op.format.cleanToken.minimumGPKeyVersion=01 +op.format.cleanToken.maximumGPKeyVersion=FF +op.format.cleanToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.cleanToken.validateCardKeyInfoAgainstTokenDB=true op.format.cleanToken.auth.enable=false op.format.cleanToken.auth.id=ldap1 op.format.cleanToken.ca.conn=ca1 @@ -1330,6 +1390,12 @@ op.format.cleanToken.update.applet.encryption=true op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449 op.format.cleanToken.update.symmetricKeys.enable=false op.format.cleanToken.update.symmetricKeys.requiredVersion=1 +op.format.soCleanSOToken.cuidMustMatchKDD=false +op.format.soCleanSOToken.enableBoundedGPKeyVersion=true +op.format.soCleanSOToken.minimumGPKeyVersion=01 +op.format.soCleanSOToken.maximumGPKeyVersion=FF +op.format.soCleanSOToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true op.format.soCleanSOToken.auth.enable=false op.format.soCleanSOToken.auth.id=ldap1 op.format.soCleanSOToken.ca.conn=ca1 @@ -1345,6 +1411,12 @@ op.format.soCleanSOToken.update.applet.encryption=true op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449 op.format.soCleanSOToken.update.symmetricKeys.enable=false op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1 +op.format.soCleanUserToken.cuidMustMatchKDD=false +op.format.soCleanUserToken.enableBoundedGPKeyVersion=true +op.format.soCleanUserToken.minimumGPKeyVersion=01 +op.format.soCleanUserToken.maximumGPKeyVersion=FF +op.format.soCleanUserToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.soCleanUserToken.validateCardKeyInfoAgainstTokenDB=true op.format.soCleanUserToken.auth.enable=false op.format.soCleanUserToken.auth.id=ldap1 op.format.soCleanUserToken.ca.conn=ca1 @@ -1360,6 +1432,12 @@ op.format.soCleanUserToken.update.applet.encryption=true op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449 op.format.soCleanUserToken.update.symmetricKeys.enable=false op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1 +op.format.soKey.cuidMustMatchKDD=false +op.format.soKey.enableBoundedGPKeyVersion=true +op.format.soKey.minimumGPKeyVersion=01 +op.format.soKey.maximumGPKeyVersion=FF +op.format.soKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.soKey.validateCardKeyInfoAgainstTokenDB=true op.format.soKey.auth.enable=true op.format.soKey.auth.id=ldap2 op.format.soKey.ca.conn=ca1 @@ -1375,6 +1453,12 @@ op.format.soKey.update.applet.encryption=true op.format.soKey.update.applet.requiredVersion=1.4.4d40a449 op.format.soKey.update.symmetricKeys.enable=false op.format.soKey.update.symmetricKeys.requiredVersion=1 +op.format.soUserKey.cuidMustMatchKDD=false +op.format.soUserKey.enableBoundedGPKeyVersion=true +op.format.soUserKey.minimumGPKeyVersion=01 +op.format.soUserKey.maximumGPKeyVersion=FF +op.format.soUserKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.soUserKey.validateCardKeyInfoAgainstTokenDB=true op.format.soUserKey.auth.enable=false op.format.soUserKey.auth.id=ldap1 op.format.soUserKey.ca.conn=ca1 @@ -1390,6 +1474,12 @@ op.format.soUserKey.update.applet.encryption=true op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449 op.format.soUserKey.update.symmetricKeys.enable=false op.format.soUserKey.update.symmetricKeys.requiredVersion=1 +op.format.tokenKey.cuidMustMatchKDD=false +op.format.tokenKey.enableBoundedGPKeyVersion=true +op.format.tokenKey.minimumGPKeyVersion=01 +op.format.tokenKey.maximumGPKeyVersion=FF +op.format.tokenKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.tokenKey.validateCardKeyInfoAgainstTokenDB=true op.format.tokenKey.auth.enable=true op.format.tokenKey.auth.id=ldap1 op.format.tokenKey.ca.conn=ca1 @@ -1405,6 +1495,12 @@ op.format.tokenKey.update.applet.encryption=true op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449 op.format.tokenKey.update.symmetricKeys.enable=false op.format.tokenKey.update.symmetricKeys.requiredVersion=1 +op.format.userKey.cuidMustMatchKDD=false +op.format.userKey.enableBoundedGPKeyVersion=true +op.format.userKey.minimumGPKeyVersion=01 +op.format.userKey.maximumGPKeyVersion=FF +op.format.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.userKey.validateCardKeyInfoAgainstTokenDB=true op.format.userKey.auth.enable=true op.format.userKey.auth.id=ldap1 op.format.userKey.ca.conn=ca1 @@ -1421,6 +1517,12 @@ op.format.userKey.update.applet.requiredVersion=1.4.4d40a449 op.format.userKey.update.symmetricKeys.enable=false op.format.userKey.update.symmetricKeys.requiredVersion=1 op.pinReset.tokenProfileResolver=pinResetMappingResolver +op.pinReset.userKey.cuidMustMatchKDD=false +op.pinReset.userKey.enableBoundedGPKeyVersion=true +op.pinReset.userKey.minimumGPKeyVersion=01 +op.pinReset.userKey.maximumGPKeyVersion=FF +op.pinReset.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.pinReset.userKey.validateCardKeyInfoAgainstTokenDB=true op.pinReset.userKey.auth.enable=true op.pinReset.userKey.auth.id=ldap1 op.pinReset.userKey.cardmgr_instance=A0000000030000 diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java b/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java index e0b3b6b87..33c9ecd07 100644 --- a/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java +++ b/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java @@ -34,6 +34,7 @@ public class TPSPhoneHome extends HttpServlet { ServletOutputStream stream = null; BufferedInputStream buf = null; FileInputStream input = null; + CMS.debug("TPSPhoneHome.renderPhoneHome entering."); try { @@ -42,8 +43,14 @@ public class TPSPhoneHome extends HttpServlet { String confPath = getConfigPath(); + if(confPath == null) { + throw new IOException("TPSPhoneHome.rederPhoneHome: Can not deteriming path to phone home data!"); + } + confPath += File.separator + phoneHomeName; + CMS.debug("TPSPhoneHome.renderPhoneHome: confPath" + confPath); + input = new FileInputStream(confPath); // InputStream input = ctx.getResourceAsStream(phoneHomeName); buf = new BufferedInputStream(input); @@ -73,6 +80,8 @@ public class TPSPhoneHome extends HttpServlet { private String getConfigPath() { + CMS.debug("TPSPhoneHome.getConfigPath: entering."); + String path = null; String context = getServletContext().getContextPath(); @@ -80,7 +89,18 @@ public class TPSPhoneHome extends HttpServlet { String subsystem = context.startsWith("/") ? context.substring(1) : context; // catalina.base points to instance dir - String instanceDir = System.getProperty("catalina.base"); + String instanceDir = null; + + try { + + instanceDir = System.getProperty("catalina.base"); + + } catch (Exception e) { + CMS.debug("TPSPhoneHome.getConfigPath: System.getProperty exception: " + e); + return null; + } + + CMS.debug("TPSPhoneHome.getConfigPath: instanceDir: " + instanceDir); //Finish off path of conf directory path = instanceDir + File.separator + "conf" + File.separator + diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java index c6537e4c2..b10ca772e 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java @@ -76,6 +76,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSComputeSessionKeyResponse class object */ public TKSComputeSessionKeyResponse computeSessionKey( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer card_challenge, @@ -85,7 +86,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler throws EBaseException { CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins."); - if (cuid == null || keyInfo == null || card_challenge == null + if (cuid == null || kdd == null || keyInfo == null || card_challenge == null || card_cryptogram == null || host_challenge == null) { throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null."); } @@ -105,6 +106,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler (HttpConnector) subsystem.getConnectionManager().getConnector(connid); String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialURLEncode(card_challenge) + "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialURLEncode(host_challenge) + @@ -229,6 +231,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSComputeSessionKeyResponse class object */ public TKSComputeSessionKeyResponse computeSessionKeySCP02( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer sequenceCounter, @@ -237,7 +240,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler throws EBaseException { CMS.debug("TKSRemoteRequestHandler: computeSessionKeySCP02(): begins."); - if (cuid == null || keyInfo == null || + if (cuid == null || kdd == null || keyInfo == null || sequenceCounter == null || derivationConstant == null) { throw new EBaseException("TKSRemoteRequestHandler: computeSessionKeySCP02(): input parameter null."); @@ -258,6 +261,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler (HttpConnector) subsystem.getConnectionManager().getConnector(connid); String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(keyInfo) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet + @@ -364,7 +368,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler public TKSCreateKeySetDataResponse createKeySetData( TPSBuffer NewMasterVer, TPSBuffer version, - TPSBuffer cuid, int protocol, TPSBuffer wrappedDekSessionKey) + TPSBuffer cuid, TPSBuffer kdd, int protocol, TPSBuffer wrappedDekSessionKey) throws EBaseException { CMS.debug("TKSRemoteRequestHandler: createKeySetData(): begins."); if (cuid == null || NewMasterVer == null || version == null) { @@ -382,16 +386,16 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler CMS.debug("TKSRemoteRequestHandler: createKeySetData(): sending request to tks."); String command = IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialURLEncode(NewMasterVer) + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet + "&" + IRemoteRequest.CHANNEL_PROTOCOL + "=" + protocol; - if(wrappedDekSessionKey != null) { // We have secure channel protocol 02 trying to upgrade the key set. + if (wrappedDekSessionKey != null) { // We have secure channel protocol 02 trying to upgrade the key set. command += "&" + IRemoteRequest.WRAPPED_DEK_SESSION_KEY + "=" + Util.specialURLEncode(wrappedDekSessionKey); } - HttpResponse resp = conn.send("createKeySetData", command); @@ -529,12 +533,13 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSEncryptDataResponse class object */ public TKSEncryptDataResponse encryptData( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer version, TPSBuffer inData) throws EBaseException { CMS.debug("TKSRemoteRequestHandler: encryptData(): begins."); - if (cuid == null || version == null || inData == null) { + if (cuid == null || kdd == null || version == null || inData == null) { throw new EBaseException("TKSRemoteRequestHandler: encryptData(): input parameter null."); } @@ -552,6 +557,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler conn.send("encryptData", IRemoteRequest.TOKEN_DATA + "=" + Util.specialURLEncode(inData) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet); diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java index e7efcc031..609fc0367 100644 --- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -159,6 +159,12 @@ public class TPSEngine { /* misc values */ + public static final String CFG_CUID_MUST_MATCH_KDD = "cuidMustMatchKDD"; + public static final String CFG_ENABLE_BOUNDED_GP_KEY_VERSION = "enableBoundedGPKeyVersion"; + public static final String CFG_MINIMUM_GP_KEY_VERSION = "minimumGPKeyVersion"; + public static final String CFG_MAXIMUM_GP_KEY_VERSION = "maximumGPKeyVersion"; + public static final String CFG_VALIDATE_CARD_KEY_INFO_AGAINST_DB = "validateCardKeyInfoAgainstTokenDB"; + public static final String ENROLL_OP = "enroll"; public static final String FORMAT_OP = "format"; public static final String RECOVERY_OP = "recovery"; @@ -208,6 +214,7 @@ public class TPSEngine { } public TKSComputeSessionKeyResponse computeSessionKeySCP02( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer sequenceCounter, @@ -216,7 +223,7 @@ public class TPSEngine { String tokenType) throws TPSException { - if (cuid == null || keyInfo == null || sequenceCounter == null || derivationConstant == null + if (cuid == null || kdd == null || keyInfo == null || sequenceCounter == null || derivationConstant == null || tokenType == null) { throw new TPSException("TPSEngine.computeSessionKeySCP02: Invalid input data!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -229,7 +236,7 @@ public class TPSEngine { TKSComputeSessionKeyResponse resp = null; try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.computeSessionKeySCP02(cuid, keyInfo, sequenceCounter, derivationConstant, tokenType); + resp = tks.computeSessionKeySCP02(kdd,cuid, keyInfo, sequenceCounter, derivationConstant, tokenType); } catch (EBaseException e) { throw new TPSException("TPSEngine.computeSessionKeySCP02: Error computing session key!" + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -246,7 +253,7 @@ public class TPSEngine { } - public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer cuid, + public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer card_challenge, TPSBuffer host_challenge, @@ -254,7 +261,7 @@ public class TPSEngine { String connId, String tokenType) throws TPSException { - if (cuid == null || keyInfo == null || card_challenge == null || host_challenge == null + if (cuid == null || kdd == null || keyInfo == null || card_challenge == null || host_challenge == null || card_cryptogram == null || connId == null || tokenType == null) { throw new TPSException("TPSEngine.computeSessionKey: Invalid input data!", @@ -269,7 +276,7 @@ public class TPSEngine { TKSComputeSessionKeyResponse resp = null; try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.computeSessionKey(cuid, keyInfo, card_challenge, card_cryptogram, host_challenge, tokenType); + resp = tks.computeSessionKey(kdd,cuid, keyInfo, card_challenge, card_cryptogram, host_challenge, tokenType); } catch (EBaseException e) { throw new TPSException("TPSEngine.computeSessionKey: Error computing session key!" + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -372,11 +379,11 @@ public class TPSEngine { } - public TPSBuffer createKeySetData(TPSBuffer newMasterVersion, TPSBuffer oldVersion, int protocol, TPSBuffer cuid, TPSBuffer wrappedDekSessionKey, String connId) + public TPSBuffer createKeySetData(TPSBuffer newMasterVersion, TPSBuffer oldVersion, int protocol, TPSBuffer cuid, TPSBuffer kdd, TPSBuffer wrappedDekSessionKey, String connId) throws TPSException { CMS.debug("TPSEngine.createKeySetData. entering..."); - if (newMasterVersion == null || oldVersion == null || cuid == null || connId == null) { + if (newMasterVersion == null || oldVersion == null || cuid == null || kdd == null || connId == null) { throw new TPSException("TPSEngine.createKeySetData: Invalid input data", TPSStatus.STATUS_ERROR_KEY_CHANGE_OVER); } @@ -387,7 +394,7 @@ public class TPSEngine { try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.createKeySetData(newMasterVersion, oldVersion, cuid, protocol,wrappedDekSessionKey); + resp = tks.createKeySetData(newMasterVersion, oldVersion, cuid, kdd, protocol,wrappedDekSessionKey); } catch (EBaseException e) { throw new TPSException("TPSEngine.createKeySetData, failure to get key set data from TKS", diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java index bc46eaba8..b5574760e 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java @@ -12,6 +12,7 @@ public class AppletInfo { private TPSBuffer aid; private TPSBuffer cuid; + private TPSBuffer kdd; private TPSBuffer msn; private int totalMem; private int freeMem; @@ -25,6 +26,14 @@ public class AppletInfo { } + public void setKDD(TPSBuffer theKDD) { + kdd = new TPSBuffer(theKDD); + } + + public TPSBuffer getKDD() { + return kdd; + } + public void setCUID(TPSBuffer theCuid) { cuid = new TPSBuffer(theCuid); } @@ -33,6 +42,22 @@ public class AppletInfo { return cuid; } + public String getKDDhexString(){ + if(cuid != null) { + return kdd.toHexString(); + } + + return null; + } + + public String getKDDhexStringPlain() { + if(cuid != null) { + return kdd.toHexStringPlain(); + } + + return null; + } + public void setMSN(TPSBuffer theMsn) { msn = new TPSBuffer(theMsn); } diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index 5b8560a1d..265ce0491 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java @@ -301,7 +301,7 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.enroll: Finished updating applet if needed."); //Check and upgrade keys if called for - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); //Reset the token's pin, create one if we don't have one already @@ -467,13 +467,13 @@ public class TPSEnrollProcessor extends TPSProcessor { pkcs11objx.setFormatVersion(pkcs11objx.getOldFormatVersion()); // Make sure we have a good secure channel before writing out the final objects - channel = setupSecureChannel(); + channel = setupSecureChannel(appletInfo); statusUpdate(92, "PROGRESS_WRITE_OBJECTS"); writeFinalPKCS11ObjectToToken(pkcs11objx, appletInfo, channel); statusUpdate(98, "PROGRESS_ISSUER_INFO"); - writeIssuerInfoToToken(channel); + writeIssuerInfoToToken(channel,appletInfo); statusUpdate(99, "PROGRESS_SET_LIFECYCLE"); channel.setLifeycleState((byte) 0x0f); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java index 73085b19c..5d029a180 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java @@ -119,7 +119,7 @@ public class TPSPinResetProcessor extends TPSProcessor { //Check and upgrade keys if called for - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); checkAndHandlePinReset(channel); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index ee8b7529f..f9a0445d6 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java @@ -291,7 +291,7 @@ public class TPSProcessor { } protected TPSBuffer getCplcData() throws IOException, TPSException { - CMS.debug("In TPS_Processor."); + CMS.debug("In TPS_Processor. getCplcData"); GetDataAPDU get_data_apdu = new GetDataAPDU(); @@ -366,7 +366,7 @@ public class TPSProcessor { try { tks = new TKSRemoteRequestHandler(connId); - data = tks.encryptData(appletInfo.getCUID(), keyInfo, plaintextChallenge); + data = tks.encryptData(appletInfo.getKDD(),appletInfo.getCUID(), keyInfo, plaintextChallenge); } catch (EBaseException e) { throw new TPSException("TPSProcessor.encryptData: Erorr getting wrapped data from TKS!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -436,7 +436,7 @@ public class TPSProcessor { } - protected SecureChannel setupSecureChannel() throws TPSException, IOException { + protected SecureChannel setupSecureChannel(AppletInfo appletInfo) throws TPSException, IOException { SecureChannel channel = null; //Create a standard secure channel with current key set. @@ -446,7 +446,7 @@ public class TPSProcessor { int defKeyIndex = getChannelDefKeyIndex(); channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); channel.externalAuthenticate(); @@ -454,7 +454,7 @@ public class TPSProcessor { } protected SecureChannel setupSecureChannel(byte keyVersion, byte keyIndex, - String connId) + String connId,AppletInfo appletInfo) throws IOException, TPSException { //Assume generating host challenge on TKS, we no longer support not involving the TKS. @@ -462,6 +462,11 @@ public class TPSProcessor { CMS.debug("TPSProcessor.setupSecureChannel: keyVersion: " + keyVersion + " keyIndex: " + keyIndex ); + if(appletInfo == null) { + throw new TPSException("TPSProcessor.setupSecureChannel: invalid input data.", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + TPSBuffer randomData = computeRandomData(8, connId); CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData: " + randomData.toHexString()); @@ -470,6 +475,8 @@ public class TPSProcessor { TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData); TPSBuffer key_diversification_data = initUpdateResp.substr(0, DIVERSIFICATION_DATA_SIZE); + appletInfo.setKDD(key_diversification_data); + CMS.debug("TPSProcessor.setupSecureChannel: diversification data: " + key_diversification_data.toHexString()); TPSBuffer key_info_data = initUpdateResp.substr(DIVERSIFICATION_DATA_SIZE, 2); @@ -512,6 +519,8 @@ public class TPSProcessor { key_info_data.setAt(1, (byte) 0x1); CMS.debug("TPSProcessor.setupSecureChannel 02: key Info , after massage: " + key_info_data.toHexString()); + tokenRecord.setKeyInfo(key_info_data.toHexStringPlain()); + } else { card_challenge = initUpdateResp.substr(CARD_CHALLENGE_OFFSET, CARD_CHALLENGE_SIZE); } @@ -522,7 +531,7 @@ public class TPSProcessor { try { channel = generateSecureChannel(connId, key_diversification_data, key_info_data, card_challenge, card_cryptogram, - randomData, sequenceCounter); + randomData, sequenceCounter,appletInfo); } catch (EBaseException e) { throw new TPSException("TPSProcessor.setupSecureChannel: Can't set up secure channel: " + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -534,11 +543,11 @@ public class TPSProcessor { protected SecureChannel generateSecureChannel(String connId, TPSBuffer keyDiversificationData, TPSBuffer keyInfoData, TPSBuffer cardChallenge, TPSBuffer cardCryptogram, TPSBuffer hostChallenge, - TPSBuffer sequenceCounter) + TPSBuffer sequenceCounter,AppletInfo appletInfo) throws EBaseException, TPSException, IOException { if (connId == null || keyDiversificationData == null || keyInfoData == null || cardChallenge == null - || cardCryptogram == null || hostChallenge == null) { + || cardCryptogram == null || hostChallenge == null || appletInfo == null) { throw new TPSException("TPSProcessor.generateSecureChannel: Invalid input data!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } @@ -565,6 +574,30 @@ public class TPSProcessor { PK11SymKey sharedSecret = null; + //Sanity checking + + boolean cuidOK = checkCUIDMatchesKDD(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain()); + + boolean isVersionInRange = checkCardGPKeyVersionIsInRange(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), keyInfoData.toHexStringPlain()); + + boolean doesVersionMatchTokenDB = checkCardGPKeyVersionMatchesTokenDB(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), keyInfoData.toHexStringPlain()); + + if(cuidOK == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: cuid vs kdd matching policy not met!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(isVersionInRange == false) { + + throw new TPSException("TPSProcessor.generateSecureChannel: key version is not within acceptable range!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(doesVersionMatchTokenDB == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: key version from token does not match that of the token db!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + try { sharedSecret = getSharedSecretTransportKey(connId); } catch (Exception e) { @@ -577,7 +610,7 @@ public class TPSProcessor { if (platProtInfo.isGP201() || platProtInfo.isSCP01()) { - resp = engine.computeSessionKey(keyDiversificationData, keyInfoData, + resp = engine.computeSessionKey(keyDiversificationData, appletInfo.getCUID(), keyInfoData, cardChallenge, hostChallenge, cardCryptogram, connId, getSelectedTokenType()); @@ -652,7 +685,7 @@ public class TPSProcessor { } CMS.debug("TPSProcessor.generateSecureChannel Trying secure channel protocol 02"); - respEnc02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respEnc02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.ENCDerivationConstant), connId, getSelectedTokenType()); @@ -666,7 +699,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respCMac02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respCMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.C_MACDerivationConstant), connId, getSelectedTokenType()); @@ -681,7 +714,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respRMac02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respRMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.R_MACDerivationConstant), connId, getSelectedTokenType()); @@ -696,7 +729,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respDek02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respDek02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.DEKDerivationConstant), connId, getSelectedTokenType()); @@ -793,7 +826,7 @@ public class TPSProcessor { upgraded = 1; CMS.debug("TPSProcessor.checkAndUpgradeApplet: Upgrading applet to : " + targetAppletVersion); - upgradeApplet("op." + currentTokenOperation, targetAppletVersion, getBeginMessage() + upgradeApplet(appletInfo, "op." + currentTokenOperation, targetAppletVersion, getBeginMessage() .getExtensions(), tksConnId, 5, 12); } @@ -804,13 +837,13 @@ public class TPSProcessor { // We didn't need to upgrade the applet but create new channel for now. selectCardManager(); - setupSecureChannel(); + setupSecureChannel(appletInfo); } } - protected void upgradeApplet(String operation, String new_version, + protected void upgradeApplet(AppletInfo appletInfo, String operation, String new_version, Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException, TPSException { @@ -850,7 +883,7 @@ public class TPSProcessor { throw new TPSException("TPSProcessor.upgradeApplet: Can't selelect the card manager!"); } - SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId); + SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId,appletInfo); channel.externalAuthenticate(); @@ -1866,14 +1899,15 @@ public class TPSProcessor { String tksConnId = getTKSConnectorID(); - upgradeApplet(TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, + upgradeApplet(appletInfo,TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, beginMsg.getExtensions(), tksConnId, 10, 90); CMS.debug("TPSProcessor.format: Completed applet upgrade."); + // Add issuer info to the token - writeIssuerInfoToToken(null); + writeIssuerInfoToToken(null,appletInfo); if (requiresStatusUpdate()) { statusUpdate(100, "PROGRESS_DONE"); @@ -1881,9 +1915,8 @@ public class TPSProcessor { // Upgrade Symm Keys if needed - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); - tokenRecord.setKeyInfo(channel.getKeyInfoData().toHexStringPlain()); if (isTokenPresent && revokeCertsAtFormat()) { // Revoke certificates on token, if so configured @@ -1922,7 +1955,7 @@ public class TPSProcessor { } - protected void writeIssuerInfoToToken(SecureChannel origChannel) throws TPSException, IOException, + protected void writeIssuerInfoToToken(SecureChannel origChannel,AppletInfo appletInfo) throws TPSException, IOException, UnsupportedEncodingException { if (checkIssuerInfoEnabled()) { @@ -1937,7 +1970,7 @@ public class TPSProcessor { channel = origChannel; } else { - channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, tksConnId); + channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, tksConnId,appletInfo); channel.externalAuthenticate(); } @@ -2566,7 +2599,7 @@ public class TPSProcessor { selectCardManager(); TPSBuffer cplc_data = getCplcData(); - CMS.debug("cplc_data: " + cplc_data.toString()); + CMS.debug("cplc_data: " + cplc_data.toHexString()); TPSBuffer token_cuid = extractTokenCUID(cplc_data); TPSBuffer token_msn = extractTokenMSN(cplc_data); @@ -2670,7 +2703,7 @@ public class TPSProcessor { return version; } - protected SecureChannel checkAndUpgradeSymKeys() throws TPSException, IOException { + protected SecureChannel checkAndUpgradeSymKeys(AppletInfo appletInfo,TokenRecord tokenRecord) throws TPSException, IOException { /* If the key of the required version is not found, create them. @@ -2690,6 +2723,10 @@ public class TPSProcessor { set it to be the new default] */ + if(tokenRecord == null || appletInfo == null) { + throw new TPSException("TPSProcessor.checkAndUpgradeSymKeys: invalid input data!"); + } + SecureChannel channel = null; int defKeyVersion = 0; @@ -2708,7 +2745,7 @@ public class TPSProcessor { try { channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } catch (TPSException e) { @@ -2721,7 +2758,7 @@ public class TPSProcessor { selectCardManager(); - channel = setupSecureChannel(); + channel = setupSecureChannel(appletInfo); /* Assemble the Buffer with the version information The second byte is the key offset, which is always 1 @@ -2745,8 +2782,30 @@ public class TPSProcessor { protocol = 2; } + //Sanity checking + + boolean cuidOK = checkCUIDMatchesKDD(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain()); + boolean isVersionInRange = checkCardGPKeyVersionIsInRange(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), curKeyInfo.toHexStringPlain()); + boolean doesVersionMatchTokenDB = checkCardGPKeyVersionMatchesTokenDB(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), curKeyInfo.toHexStringPlain()); + + if(cuidOK == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: cuid vs kdd matching policy not met!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(isVersionInRange == false) { + + throw new TPSException("TPSProcessor.generateSecureChannel: key version is not within acceptable range!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(doesVersionMatchTokenDB == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: key version from token does not match that of the token db!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + TPSBuffer keySetData = engine.createKeySetData(newVersion, curKeyInfo, protocol, - channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); + appletInfo.getCUID(),channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: new keySetData from TKS: " + keySetData.toHexString()); @@ -2768,7 +2827,7 @@ public class TPSProcessor { byte[] nv_dev = { (byte) 0x1, (byte) 0x1 }; TPSBuffer devKeySetData = engine.createKeySetData(new TPSBuffer(nv_dev), curKeyInfo, protocol, - channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); + appletInfo.getCUID(), channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: about to get rid of keyset 0xFF and replace it with keyset 0x1 with developer key set"); channel.putKeys((byte) 0x0, (byte) 0x1, devKeySetData); @@ -2783,8 +2842,11 @@ public class TPSProcessor { String curVersionStr = curKeyInfo.toHexString(); String newVersionStr = newVersion.toHexString(); - TPSSession session = getSession(); - TokenRecord tokenRecord = session.getTokenRecord(); + + //Only change in db if we upgrade, thus we don't need to worry about rolling back on failure. + //Thus the setting, rollbackKeyVersionOnPutKeyFailure is not needed. + + CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: changing token db keyInfo to: " + newVersion.toHexStringPlain()); tokenRecord.setKeyInfo(newVersion.toHexStringPlain()); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: curVersionStr: " + curVersionStr + " newVersionStr: " @@ -2792,12 +2854,14 @@ public class TPSProcessor { selectCoolKeyApplet(); channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } else { CMS.debug("TPSProcessor.checkAndUpgradeSymeKeys: We are already at the desired key set, returning secure channel."); } + // tokenRecord.setKeyInfo(channel.getKeyInfoData().toHexStringPlain()); + } else { //Create a standard secure channel with current key set. CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: Key changeover disabled in the configuration."); @@ -2805,7 +2869,7 @@ public class TPSProcessor { defKeyVersion = getChannelDefKeyVersion(); channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } @@ -3234,6 +3298,245 @@ public class TPSProcessor { return platProtInfo; } + boolean checkCardGPKeyVersionIsInRange(String CUID, String KDD, String keyInfoData) throws TPSException { + boolean result = true; + + //ToDo : Add Audit messages . + + + String method = "checkCardGPKeyVersionIsInRange: "; + + CMS.debug(method + " entering: keyInfoData: " + keyInfoData); + + if (CUID == null || KDD == null || keyInfoData == null) { + throw new TPSException(method + " Invalid input data!"); + } + + IConfigStore configStore = CMS.getConfigStore(); + + String checkBoundedGPKeyVersionConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_ENABLE_BOUNDED_GP_KEY_VERSION; + + CMS.debug(method + " config to check: " + checkBoundedGPKeyVersionConfig); + + try { + result = configStore.getBoolean(checkBoundedGPKeyVersionConfig, true); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " returning: " + result); + + // Check only if asked. + + if (result == true) { + + String minConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_MINIMUM_GP_KEY_VERSION; + String maxConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_MAXIMUM_GP_KEY_VERSION; + + CMS.debug(method + " config to check: minConfig: " + minConfig + " maxConfig: " + maxConfig); + + String maxVersion = null; + String minVersion = null; + + try { + minVersion = configStore.getString(minConfig, "01"); + maxVersion = configStore.getString(maxConfig, "FF"); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + if (minVersion.length() != 2 || maxVersion.length() != 2) { + result = false; + } + + CMS.debug(method + " minVersion: " + minVersion + " maxVersion: " + maxVersion); + + if (keyInfoData.length() != 4) { + result = false; + } else { + // Actually check the version range; + + String keyInfoVer = keyInfoData.substring(0, 2); + + CMS.debug(method + " Version reported from key Info Data: " + keyInfoVer); + + int versionMinCompare = keyInfoVer.compareToIgnoreCase(minVersion); + int versionMaxCompare = keyInfoVer.compareToIgnoreCase(maxVersion); + + CMS.debug(method + " versionMinCompare: " + versionMinCompare + " versionMaxCompare: " + + versionMaxCompare); + + if (versionMinCompare >= 0 && versionMaxCompare <= 0) { + CMS.debug(method + " Version : " + keyInfoVer + " is in range of: " + minVersion + " and: " + + maxVersion); + result = true; + } else { + result = false; + CMS.debug(method + " Version : " + keyInfoVer + " is NOT in range of: " + minVersion + " and: " + + maxVersion); + } + } + + } else { + //Configured to ignore, report success. + result = true; + } + + CMS.debug(method + " Returning result of: " + result); + + return result; + } + + boolean checkCUIDMatchesKDD(String CUID, String KDD) throws TPSException { + boolean result = true; + + String method = "TPsProcessor.checkCUIDMatchesKDD: " ; + + CMS.debug(method + " CUID " + CUID + " KDD: " + KDD); + + if (CUID == null || KDD == null) { + throw new TPSException(method + " invalid input data!"); + } + + IConfigStore configStore = CMS.getConfigStore(); + + String checkCUIDMatchesKDDConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_CUID_MUST_MATCH_KDD; + + CMS.debug(method + " config to check: " + checkCUIDMatchesKDDConfig); + + try { + result = configStore.getBoolean(checkCUIDMatchesKDDConfig, false); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " config result: " + result); + + // Check only if asked to + if (result == true) { + if (CUID.compareToIgnoreCase(KDD) == 0) { + CMS.debug(method + " CUID and KDD values match!"); + result = true; + } else { + CMS.debug(method + " CUID and KDD values differ!"); + result = false; + } + } else { + //Configured to ignore, report success. + result = true; + } + + CMS.debug(method + " returning result: " + result); + + return result; + } + + protected String getKeyInfoFromTokenDB(String cuid) throws TPSException { + String keyInfo = null; + + if (cuid == null) { + throw new TPSException("TPSProcessor.getKeyInfoFromTokenDB: invalid input data!", + TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + + TokenRecord tokenRecord = getTokenRecord(); + + keyInfo = tokenRecord.getKeyInfo(); + + CMS.debug("TPProcessor.getKeyInfioFromTokenDB: returning: " + keyInfo); + + return keyInfo; + + } + + boolean checkCardGPKeyVersionMatchesTokenDB(String CUID, String KDD, + String keyInfoData) throws TPSException { + + String method = "checkCardGPKeyVersionMatchesTokenDB: "; + + if(CUID == null || KDD == null || keyInfoData == null) { + throw new TPSException(method + " Invalid input data!"); + } + + boolean result = true; + + IConfigStore configStore = CMS.getConfigStore(); + + String checkValidateVersion = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_VALIDATE_CARD_KEY_INFO_AGAINST_DB; + + CMS.debug(method + " config to check: " + checkValidateVersion); + + try { + result = configStore.getBoolean(checkValidateVersion, true); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " config result: " + result); + + + if(result == true) { + //Check only if asked to. + + String keyInfoInDB = getKeyInfoFromTokenDB(CUID); + + CMS.debug(method + " keyInfoFromTokenDB: " + keyInfoInDB); + CMS.debug(method + " keyInfoFromToken: " + keyInfoData); + + + if(keyInfoData.compareToIgnoreCase(keyInfoInDB) != 0) { + CMS.debug(method + " Key Info in the DB is NOT the same as the one from the token!"); + result = false; + } else { + CMS.debug(method + " Key Info in the DB IS the same as the one from the token!"); + result = true; + } + + } else { + result = true; + } + + CMS.debug(method + " returning result: " + result); + + return result; + + } + + /* Only for debugging, extract bytes of a PK11SymKey + private String getSymKeyData(PK11SymKey key) { + String result = null; + + if(key == null) { + result = ""; + return result; + } + + try { + byte [] extracted = key.getKeyData(); + + TPSBuffer keyBuff = new TPSBuffer(extracted); + + result = keyBuff.toHexString(); + + } catch (Exception e) { + + //Probably can not extract this key due to policy + result = ""; + } + + return result; + } + */ + public static void main(String[] args) { } |