diff options
| author | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2017-06-29 14:23:47 -0700 |
|---|---|---|
| committer | Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com> | 2017-06-30 11:25:37 -0700 |
| commit | 7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e (patch) | |
| tree | 11319713a9f045f8438975979aa1790b53728f7a /base | |
| parent | a3047211390f268142a5c3554dbf59cd4b511d9d (diff) | |
| download | pki-7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e.tar.gz pki-7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e.tar.xz pki-7eb8ac9abb06d5a21c9d81d3f7fd08391a2a745e.zip | |
SCP03 support: fix Key Changeover with HSM (RHCS)
Ticket #2764.
This relatively simple fix involves making sure the correct crypto token is being used to search for the master key int the case of symmetric key changover where the master key resides on an HSM.
Diffstat (limited to 'base')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java | 29 |
1 files changed, 18 insertions, 11 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java index 054247088..c3b3952b6 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java @@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; import org.mozilla.jss.crypto.SymmetricKeyDeriver; import org.mozilla.jss.crypto.TokenException; +import sun.security.pkcs11.wrapper.PKCS11Constants; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.cmsutil.crypto.CryptoUtil; -import sun.security.pkcs11.wrapper.PKCS11Constants; - public class SecureChannelProtocol { static String sharedSecretKeyName = null; @@ -1874,13 +1874,13 @@ public class SecureChannelProtocol { kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3"); } else if (protocol == PROTOCOL_THREE) { CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!"); - encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, + encKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, SecureChannelProtocol.encType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); - macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, + macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, SecureChannelProtocol.macType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); - kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo, + kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, newKeyInfo, SecureChannelProtocol.kekType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); } @@ -1916,13 +1916,14 @@ public class SecureChannelProtocol { } else { // protocol 3 CMS.debug(method + " Generating new card keys to upgrade to, protocol 3."); - encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, + CMS.debug("tokenName: " + tokenName + " newTokenName: " + newTokenName); + encKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, SecureChannelProtocol.encType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); - macKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, + macKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, SecureChannelProtocol.macType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); - kekKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, oldKeyInfo, + kekKey = this.computeSessionKey_SCP03(newTokenName, newMasterKeyName, oldKeyInfo, SecureChannelProtocol.kekType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); @@ -1931,6 +1932,7 @@ public class SecureChannelProtocol { old_kek_sym_key = this.computeSessionKey_SCP03(tokenName, oldMasterKeyName, oldKeyInfo, SecureChannelProtocol.kekType, kekKeyArray, keySet, CUIDValue, KDD, null, null, transportKeyName, params); + } if (encKey == null || macKey == null || kekKey == null) { @@ -2076,9 +2078,14 @@ public class SecureChannelProtocol { encrypted_mac_key = this.wrapSessionKey(tokenName, macKey, wrappingKey); encrypted_kek_key = this.wrapSessionKey(tokenName, kekKey, wrappingKey); - keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, tokenName); - keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, tokenName); - keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, tokenName); + try { + keycheck_enc_key = this.computeKeyCheck_SCP03(encKey, encKey.getOwningToken().getName()); + keycheck_mac_key = this.computeKeyCheck_SCP03(macKey, macKey.getOwningToken().getName()); + keycheck_kek_key = this.computeKeyCheck_SCP03(kekKey, kekKey.getOwningToken().getName()); + } catch (TokenException e) { + throw new EBaseException(method + e); + } + } else { throw new EBaseException(method + " Invalid SCP version requested!"); |