summaryrefslogtreecommitdiffstats
path: root/pki/base/common/src/com/netscape/cms
diff options
context:
space:
mode:
authorjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-09-16 02:34:02 +0000
committerjmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-09-16 02:34:02 +0000
commitf232790c48747fa5be3a75fbdfafa7f1a48d50ac (patch)
treed25f433977cd6f0464c51221cdf6d2c9af3d1782 /pki/base/common/src/com/netscape/cms
parentb40d1828acdc04a6651697afbb62682dabf04e61 (diff)
downloadpki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.tar.gz
pki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.tar.xz
pki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.zip
Fix bugzilla #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS) .
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2205 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com/netscape/cms')
-rw-r--r--pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java19
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java4
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java59
3 files changed, 48 insertions, 34 deletions
diff --git a/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java b/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
index 05337bd96..b030759f7 100644
--- a/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
+++ b/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
@@ -34,6 +34,8 @@ import com.netscape.certsrv.selftests.*;
import com.netscape.cms.selftests.*;
import java.util.*;
import com.netscape.symkey.*;
+import org.mozilla.jss.crypto.*;
+
//////////////////////
@@ -132,7 +134,7 @@ extends ASelfTest
if (mSessionKey == null) {
mSessionKey = SessionKey.ComputeSessionKey (mToken, mKeyName,
mCardChallenge, mHostChallenge,
- mKeyInfo, mCUID, mMacKey, mUseSoftToken);
+ mKeyInfo, mCUID, mMacKey, mUseSoftToken, null, null);
if (mSessionKey == null || mSessionKey.length != 16) {
mSelfTestSubsystem.log (mSelfTestSubsystem.getSelfTestLogger(),
CMS.getLogMessage("SELFTESTS_MISSING_VALUES",
@@ -295,23 +297,21 @@ extends ASelfTest
throws ESelfTestException
{
String logMessage = null;
+ String keySet = "defKeySet";
byte[] sessionKey = SessionKey.ComputeSessionKey (mToken, mKeyName,
mCardChallenge, mHostChallenge,
- mKeyInfo, mCUID, mMacKey, mUseSoftToken);
+ mKeyInfo, mCUID, mMacKey, mUseSoftToken, keySet, null);
+
+ // Now we just see if we can successfully generate a session key.
+ // For FIPS compliance, the routine now returns a wrapped key, which can't be extracted and compared.
if (sessionKey == null) {
CMS.debug("TKSKnownSessionKey: generated no session key");
CMS.debug("TKSKnownSessionKey self test FAILED");
logMessage = CMS.getLogMessage ("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName());
mSelfTestSubsystem.log (logger, logMessage);
throw new ESelfTestException( logMessage );
- } else if (!Arrays.equals(mSessionKey, sessionKey)) {
- CMS.debug("TKSKnownSessionKey: generated invalid session key");
- CMS.debug("TKSKnownSessionKey self test FAILED");
- logMessage = CMS.getLogMessage ("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName());
- mSelfTestSubsystem.log (logger, logMessage);
- throw new ESelfTestException( logMessage );
- } else {
+ } else {
logMessage = CMS.getLogMessage ("SELFTESTS_TKS_SUCCEEDED", getSelfTestName(), getSelfTestName());
mSelfTestSubsystem.log (logger, logMessage);
CMS.debug("TKSKnownSessionKey self test SUCCEEDED");
@@ -320,4 +320,3 @@ extends ASelfTest
return;
}
}
-
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 842f87b5f..1a67cf129 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
@@ -623,8 +623,8 @@ public class CertRequestPanel extends WizardPanelBase {
}
if (/*(certchains.length <= 1) &&*/
- (b64chain != null)) {
- CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain");
+ (b64chain != null && b64chain.length() != 0)) {
+ CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain: " + b64chain);
try {
CryptoUtil.importCertificateChain(
CryptoUtil.normalizeCertAndReq(b64chain));
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index 9e0901a2c..4cc2654b7 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -61,7 +61,7 @@ import com.netscape.symkey.*;
*/
public class TokenServlet extends CMSServlet {
protected static final String PROP_ENABLED = "enabled";
-
+ protected static final String TRANSPORT_KEY_NAME ="sharedSecret";
private final static String INFO = "TokenServlet";
public static int ERROR = 1;
private ITKSAuthority mTKS = null;
@@ -251,6 +251,7 @@ public class TokenServlet extends CMSServlet {
String auditMessage = null;
String errorMsg = "";
String badParams = "";
+ String transportKeyName = "";
String rCUID = req.getParameter("CUID");
String keySet = req.getParameter("keySet");
@@ -261,7 +262,7 @@ public class TokenServlet extends CMSServlet {
boolean serversideKeygen = false;
byte[] drm_trans_wrapped_desKey = null;
- SymmetricKey desKey = null;
+ PK11SymKey desKey = null;
// PK11SymKey kek_session_key;
PK11SymKey kek_key;
@@ -311,6 +312,14 @@ public class TokenServlet extends CMSServlet {
} catch (EBaseException eee) {
}
+ try {
+ transportKeyName = sconfig.getString("tks.tksSharedSymKeyName",TRANSPORT_KEY_NAME);
+ } catch (EBaseException e) {
+ }
+
+ CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName);
+
+
String rcard_challenge = req.getParameter("card_challenge");
String rhost_challenge = req.getParameter("host_challenge");
String rKeyInfo = req.getParameter("KeyInfo");
@@ -407,7 +416,7 @@ public class TokenServlet extends CMSServlet {
CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" + selectedToken + " keyNickName=" + keyNickName);
session_key = SessionKey.ComputeSessionKey(
selectedToken,keyNickName,card_challenge,
- host_challenge,keyInfo,CUID, macKeyArray, useSoftToken_s);
+ host_challenge,keyInfo,CUID, macKeyArray, useSoftToken_s, keySet, transportKeyName );
if(session_key == null)
{
@@ -419,7 +428,7 @@ public class TokenServlet extends CMSServlet {
byte encKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key"));
enc_session_key = SessionKey.ComputeEncSessionKey(
selectedToken,keyNickName,card_challenge,
- host_challenge,keyInfo,CUID, encKeyArray, useSoftToken_s);
+ host_challenge,keyInfo,CUID, encKeyArray, useSoftToken_s, keySet);
if(enc_session_key == null)
{
@@ -440,9 +449,13 @@ public class TokenServlet extends CMSServlet {
CMS.debug("TokenServlet: calling ComputeKekKey");
byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
+
+
kek_key = SessionKey.ComputeKekKey(
selectedToken,keyNickName,card_challenge,
- host_challenge,keyInfo,CUID, kekKeyArray, useSoftToken_s);
+ host_challenge,keyInfo,CUID, kekKeyArray, useSoftToken_s,keySet);
+
+
CMS.debug("TokenServlet: called ComputeKekKey");
if(kek_key == null)
@@ -470,14 +483,14 @@ public class TokenServlet extends CMSServlet {
*/
/*generate it on whichever token the master key is at*/
if (useSoftToken_s.equals("true")) {
- CMS.debug("TokenServlet: key encryption key generated on internal");
+ CMS.debug("TokenServlet: key encryption key generated on internal");
//cfu audit here? sym key gen
- desKey = SessionKey.GenerateSymkey("internal");
+ desKey = SessionKey.GenerateSymkey("internal");
//cfu audit here? sym key gen done
- } else {
- CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
- desKey = SessionKey.GenerateSymkey(selectedToken);
- }
+ } else {
+ CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
+ desKey = SessionKey.GenerateSymkey(selectedToken);
+ }
if (desKey != null)
CMS.debug("TokenServlet: key encryption key generated for "+rCUID);
else {
@@ -492,7 +505,7 @@ public class TokenServlet extends CMSServlet {
*/
byte[] encDesKey =
SessionKey.ECBencrypt( kek_key,
- desKey.getKeyData());
+ desKey);
/*
CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length);
CMS.debug(encDesKey);
@@ -503,7 +516,7 @@ public class TokenServlet extends CMSServlet {
// get keycheck
byte[] keycheck =
- SessionKey.ComputeKeyCheck(desKey.getKeyData());
+ SessionKey.ComputeKeyCheck(desKey);
/*
CMS.debug("computeSessionKey:keycheck size = "+keycheck.length);
CMS.debug(keycheck);
@@ -525,11 +538,12 @@ public class TokenServlet extends CMSServlet {
drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname);
// wrap kek session key with DRM transport public key
CryptoToken token = null;
- if (useSoftToken_s.equals("true")) {
- token = CryptoManager.getInstance().getTokenByName("Internal Key Storage Token");
- } else {
- token = CryptoManager.getInstance().getTokenByName(selectedToken);
- }
+ if (useSoftToken_s.equals("true")) {
+ //token = CryptoManager.getInstance().getTokenByName(selectedToken);
+ token = CryptoManager.getInstance().getInternalCryptoToken();
+ } else {
+ token = CryptoManager.getInstance().getTokenByName(selectedToken);
+ }
PublicKey pubKey = drmTransCert.getPublicKey();
String pubKeyAlgo = pubKey.getAlgorithm();
CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo);
@@ -542,6 +556,7 @@ public class TokenServlet extends CMSServlet {
keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
keyWrapper.initWrap(pubKey, null);
}
+ CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName() );
drm_trans_wrapped_desKey = keyWrapper.wrap(desKey);
CMS.debug("computeSessionKey:desKey wrapped with drm transportation key.");
@@ -550,7 +565,7 @@ public class TokenServlet extends CMSServlet {
byte authKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key"));
host_cryptogram = SessionKey.ComputeCryptogram(
selectedToken,keyNickName,card_challenge,
- host_challenge,keyInfo,CUID,0, authKeyArray, useSoftToken_s);
+ host_challenge,keyInfo,CUID,0, authKeyArray, useSoftToken_s, keySet);
if(host_cryptogram == null)
{
@@ -560,7 +575,7 @@ public class TokenServlet extends CMSServlet {
}
card_crypto = SessionKey.ComputeCryptogram(
selectedToken,keyNickName,card_challenge,
- host_challenge,keyInfo,CUID,1, authKeyArray, useSoftToken_s);
+ host_challenge,keyInfo,CUID,1, authKeyArray, useSoftToken_s, keySet);
if(card_crypto == null)
{
@@ -880,7 +895,7 @@ public class TokenServlet extends CMSServlet {
byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
KeySetData = SessionKey.DiversifyKey(oldSelectedToken,
newSelectedToken, oldKeyNickName,
- newKeyNickName,rnewKeyInfo,CUID, kekKeyArray, useSoftToken_s);
+ newKeyNickName,rnewKeyInfo,CUID, kekKeyArray, useSoftToken_s, keySet);
if (KeySetData == null || KeySetData.length<=1) {
CMS.getLogger().log(ILogger.EV_AUDIT,
@@ -1084,7 +1099,7 @@ public class TokenServlet extends CMSServlet {
byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key"));
encryptedData = SessionKey.EncryptData(
- selectedToken,keyNickName,data,keyInfo,CUID, kekKeyArray, useSoftToken_s);
+ selectedToken,keyNickName,data,keyInfo,CUID, kekKeyArray, useSoftToken_s, keySet);
CMS.getLogger().log(ILogger.EV_AUDIT,
ILogger.S_TKS,
generated by cgit (git 2.34.1) at 2024-06-13 12:43:48 +0000