diff options
author | jmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-09-16 02:34:02 +0000 |
---|---|---|
committer | jmagne <jmagne@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-09-16 02:34:02 +0000 |
commit | f232790c48747fa5be3a75fbdfafa7f1a48d50ac (patch) | |
tree | d25f433977cd6f0464c51221cdf6d2c9af3d1782 /pki/base/common/src/com | |
parent | b40d1828acdc04a6651697afbb62682dabf04e61 (diff) | |
download | pki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.tar.gz pki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.tar.xz pki-f232790c48747fa5be3a75fbdfafa7f1a48d50ac.zip |
Fix bugzilla #730162 - TPS/TKS token enrollment failure in FIPS mode (hsm+NSS) .
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2205 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/common/src/com')
3 files changed, 48 insertions, 34 deletions
diff --git a/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java b/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java index 05337bd96..b030759f7 100644 --- a/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java +++ b/pki/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java @@ -34,6 +34,8 @@ import com.netscape.certsrv.selftests.*; import com.netscape.cms.selftests.*; import java.util.*; import com.netscape.symkey.*; +import org.mozilla.jss.crypto.*; + ////////////////////// @@ -132,7 +134,7 @@ extends ASelfTest if (mSessionKey == null) { mSessionKey = SessionKey.ComputeSessionKey (mToken, mKeyName, mCardChallenge, mHostChallenge, - mKeyInfo, mCUID, mMacKey, mUseSoftToken); + mKeyInfo, mCUID, mMacKey, mUseSoftToken, null, null); if (mSessionKey == null || mSessionKey.length != 16) { mSelfTestSubsystem.log (mSelfTestSubsystem.getSelfTestLogger(), CMS.getLogMessage("SELFTESTS_MISSING_VALUES", @@ -295,23 +297,21 @@ extends ASelfTest throws ESelfTestException { String logMessage = null; + String keySet = "defKeySet"; byte[] sessionKey = SessionKey.ComputeSessionKey (mToken, mKeyName, mCardChallenge, mHostChallenge, - mKeyInfo, mCUID, mMacKey, mUseSoftToken); + mKeyInfo, mCUID, mMacKey, mUseSoftToken, keySet, null); + + // Now we just see if we can successfully generate a session key. + // For FIPS compliance, the routine now returns a wrapped key, which can't be extracted and compared. if (sessionKey == null) { CMS.debug("TKSKnownSessionKey: generated no session key"); CMS.debug("TKSKnownSessionKey self test FAILED"); logMessage = CMS.getLogMessage ("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName()); mSelfTestSubsystem.log (logger, logMessage); throw new ESelfTestException( logMessage ); - } else if (!Arrays.equals(mSessionKey, sessionKey)) { - CMS.debug("TKSKnownSessionKey: generated invalid session key"); - CMS.debug("TKSKnownSessionKey self test FAILED"); - logMessage = CMS.getLogMessage ("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName()); - mSelfTestSubsystem.log (logger, logMessage); - throw new ESelfTestException( logMessage ); - } else { + } else { logMessage = CMS.getLogMessage ("SELFTESTS_TKS_SUCCEEDED", getSelfTestName(), getSelfTestName()); mSelfTestSubsystem.log (logger, logMessage); CMS.debug("TKSKnownSessionKey self test SUCCEEDED"); @@ -320,4 +320,3 @@ extends ASelfTest return; } } - diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java index 842f87b5f..1a67cf129 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java @@ -623,8 +623,8 @@ public class CertRequestPanel extends WizardPanelBase { } if (/*(certchains.length <= 1) &&*/ - (b64chain != null)) { - CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain"); + (b64chain != null && b64chain.length() != 0)) { + CMS.debug("CertRequestPanel: cert might not have contained chain...calling importCertificateChain: " + b64chain); try { CryptoUtil.importCertificateChain( CryptoUtil.normalizeCertAndReq(b64chain)); diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java index 9e0901a2c..4cc2654b7 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -61,7 +61,7 @@ import com.netscape.symkey.*; */ public class TokenServlet extends CMSServlet { protected static final String PROP_ENABLED = "enabled"; - + protected static final String TRANSPORT_KEY_NAME ="sharedSecret"; private final static String INFO = "TokenServlet"; public static int ERROR = 1; private ITKSAuthority mTKS = null; @@ -251,6 +251,7 @@ public class TokenServlet extends CMSServlet { String auditMessage = null; String errorMsg = ""; String badParams = ""; + String transportKeyName = ""; String rCUID = req.getParameter("CUID"); String keySet = req.getParameter("keySet"); @@ -261,7 +262,7 @@ public class TokenServlet extends CMSServlet { boolean serversideKeygen = false; byte[] drm_trans_wrapped_desKey = null; - SymmetricKey desKey = null; + PK11SymKey desKey = null; // PK11SymKey kek_session_key; PK11SymKey kek_key; @@ -311,6 +312,14 @@ public class TokenServlet extends CMSServlet { } catch (EBaseException eee) { } + try { + transportKeyName = sconfig.getString("tks.tksSharedSymKeyName",TRANSPORT_KEY_NAME); + } catch (EBaseException e) { + } + + CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName); + + String rcard_challenge = req.getParameter("card_challenge"); String rhost_challenge = req.getParameter("host_challenge"); String rKeyInfo = req.getParameter("KeyInfo"); @@ -407,7 +416,7 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" + selectedToken + " keyNickName=" + keyNickName); session_key = SessionKey.ComputeSessionKey( selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, macKeyArray, useSoftToken_s); + host_challenge,keyInfo,CUID, macKeyArray, useSoftToken_s, keySet, transportKeyName ); if(session_key == null) { @@ -419,7 +428,7 @@ public class TokenServlet extends CMSServlet { byte encKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key")); enc_session_key = SessionKey.ComputeEncSessionKey( selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, encKeyArray, useSoftToken_s); + host_challenge,keyInfo,CUID, encKeyArray, useSoftToken_s, keySet); if(enc_session_key == null) { @@ -440,9 +449,13 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: calling ComputeKekKey"); byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); + + kek_key = SessionKey.ComputeKekKey( selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID, kekKeyArray, useSoftToken_s); + host_challenge,keyInfo,CUID, kekKeyArray, useSoftToken_s,keySet); + + CMS.debug("TokenServlet: called ComputeKekKey"); if(kek_key == null) @@ -470,14 +483,14 @@ public class TokenServlet extends CMSServlet { */ /*generate it on whichever token the master key is at*/ if (useSoftToken_s.equals("true")) { - CMS.debug("TokenServlet: key encryption key generated on internal"); + CMS.debug("TokenServlet: key encryption key generated on internal"); //cfu audit here? sym key gen - desKey = SessionKey.GenerateSymkey("internal"); + desKey = SessionKey.GenerateSymkey("internal"); //cfu audit here? sym key gen done - } else { - CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); - desKey = SessionKey.GenerateSymkey(selectedToken); - } + } else { + CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); + desKey = SessionKey.GenerateSymkey(selectedToken); + } if (desKey != null) CMS.debug("TokenServlet: key encryption key generated for "+rCUID); else { @@ -492,7 +505,7 @@ public class TokenServlet extends CMSServlet { */ byte[] encDesKey = SessionKey.ECBencrypt( kek_key, - desKey.getKeyData()); + desKey); /* CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); CMS.debug(encDesKey); @@ -503,7 +516,7 @@ public class TokenServlet extends CMSServlet { // get keycheck byte[] keycheck = - SessionKey.ComputeKeyCheck(desKey.getKeyData()); + SessionKey.ComputeKeyCheck(desKey); /* CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); CMS.debug(keycheck); @@ -525,11 +538,12 @@ public class TokenServlet extends CMSServlet { drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); // wrap kek session key with DRM transport public key CryptoToken token = null; - if (useSoftToken_s.equals("true")) { - token = CryptoManager.getInstance().getTokenByName("Internal Key Storage Token"); - } else { - token = CryptoManager.getInstance().getTokenByName(selectedToken); - } + if (useSoftToken_s.equals("true")) { + //token = CryptoManager.getInstance().getTokenByName(selectedToken); + token = CryptoManager.getInstance().getInternalCryptoToken(); + } else { + token = CryptoManager.getInstance().getTokenByName(selectedToken); + } PublicKey pubKey = drmTransCert.getPublicKey(); String pubKeyAlgo = pubKey.getAlgorithm(); CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); @@ -542,6 +556,7 @@ public class TokenServlet extends CMSServlet { keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); keyWrapper.initWrap(pubKey, null); } + CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName() ); drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); @@ -550,7 +565,7 @@ public class TokenServlet extends CMSServlet { byte authKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".auth_key")); host_cryptogram = SessionKey.ComputeCryptogram( selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID,0, authKeyArray, useSoftToken_s); + host_challenge,keyInfo,CUID,0, authKeyArray, useSoftToken_s, keySet); if(host_cryptogram == null) { @@ -560,7 +575,7 @@ public class TokenServlet extends CMSServlet { } card_crypto = SessionKey.ComputeCryptogram( selectedToken,keyNickName,card_challenge, - host_challenge,keyInfo,CUID,1, authKeyArray, useSoftToken_s); + host_challenge,keyInfo,CUID,1, authKeyArray, useSoftToken_s, keySet); if(card_crypto == null) { @@ -880,7 +895,7 @@ public class TokenServlet extends CMSServlet { byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, - newKeyNickName,rnewKeyInfo,CUID, kekKeyArray, useSoftToken_s); + newKeyNickName,rnewKeyInfo,CUID, kekKeyArray, useSoftToken_s, keySet); if (KeySetData == null || KeySetData.length<=1) { CMS.getLogger().log(ILogger.EV_AUDIT, @@ -1084,7 +1099,7 @@ public class TokenServlet extends CMSServlet { byte kekKeyArray[] = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + keySet + ".kek_key")); encryptedData = SessionKey.EncryptData( - selectedToken,keyNickName,data,keyInfo,CUID, kekKeyArray, useSoftToken_s); + selectedToken,keyNickName,data,keyInfo,CUID, kekKeyArray, useSoftToken_s, keySet); CMS.getLogger().log(ILogger.EV_AUDIT, ILogger.S_TKS, |