summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java39
-rw-r--r--pki/base/tps/src/processor/RA_Enroll_Processor.cpp10
-rw-r--r--pki/base/tps/src/processor/RA_Processor.cpp45
-rw-r--r--pki/dogtag/common/pki-common.spec4
-rw-r--r--pki/dogtag/tps/pki-tps.spec4
5 files changed, 84 insertions, 18 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index fa0d7a683..9509d421c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -760,8 +760,10 @@ public class TokenServlet extends CMSServlet {
private void processEncryptData(HttpServletRequest req,
HttpServletResponse resp) throws EBaseException {
- byte[] data,keyInfo, CUID, xCUID, encryptedData, xkeyInfo;
+ byte[] keyInfo, CUID, xCUID, encryptedData, xkeyInfo;
boolean missingParam = false;
+ byte[] data = null;
+ boolean isRandom = true; // randomly generate the data to be encrypted
IConfigStore sconfig = CMS.getConfigStore();
encryptedData = null;
@@ -774,8 +776,31 @@ public class TokenServlet extends CMSServlet {
}
CMS.debug("keySet selected: " + keySet);
- if ((rdata == null) || (rdata.equals(""))) {
- CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data");
+ String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true");
+ if (s_isRandom.equalsIgnoreCase("false")) {
+ CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated");
+ isRandom = false;
+ } else {
+ CMS.debug("TokenServlet: processEncryptData(): Random number generation required");
+ isRandom = true;
+ }
+
+ if (isRandom) {
+ if ((rdata == null) || (rdata.equals(""))) {
+ CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data");
+ } else {
+ CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating...");
+ }
+ try {
+ SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+ data = new byte[16];
+ random.nextBytes(data);
+ } catch (Exception e) {
+ CMS.debug("TokenServlet: processEncryptData():"+ e.toString());
+ throw new EBaseException("processEncryptData:"+ e.toString());
+ }
+ } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){
+ CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data.");
missingParam = true;
}
@@ -807,7 +832,8 @@ public class TokenServlet extends CMSServlet {
useSoftToken_s = "false";
if (!missingParam) {
- data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
+ if (!isRandom)
+ data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata);
keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
@@ -838,7 +864,10 @@ public class TokenServlet extends CMSServlet {
String value = "";
if (encryptedData != null && encryptedData.length > 0) {
String outputString = new String(encryptedData);
- value = "status=0&"+"encryptedData=" +
+ // sending both the pre-encrypted and encrypted data back
+ value = "status=0&"+"data="+
+ com.netscape.cmsutil.util.Utils.SpecialEncode(data)+
+ "&encryptedData=" +
com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData);
} else if (missingParam) {
value = "status=3";
diff --git a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
index b8a5580d0..f44e77132 100644
--- a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
+++ b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp
@@ -1598,7 +1598,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
#define WRAPPED_CHALLENGE_SIZE 16
Buffer *plaintext_challenge =
new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0);
- Buffer *wrapped_challenge = new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0);
+ Buffer *wrapped_challenge = new Buffer(WRAPPED_CHALLENGE_SIZE, (BYTE)0);
Buffer *key_check = new Buffer(0, (BYTE)0);
const char *tokenType = NULL;
@@ -1872,6 +1872,8 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
/* generate challenge for enrollment */
RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process",
"Generate Challenge");
+/*
+ random number generation moved to TKS
rc = Util::GetRandomChallenge(*plaintext_challenge);
if (rc == -1) {
RA::Error("RA_Enroll_Processor::Process",
@@ -1880,8 +1882,9 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "general challenge error", "");
goto loser;
}
- }
+*/
+ }
kdd = channel->GetKeyDiversificationData();
khex = kdd.toHex();
RA::Debug("RA_Enroll_Processor::Process", "cuid=%s", khex);
@@ -1898,7 +1901,6 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "challenge encryption error", "");
goto loser;
}
-
// read objects back
PR_snprintf((char *)configname, 256, "%s.%s.pkcs11obj.enable",
OP_PREFIX, tokenType);
@@ -2049,7 +2051,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue
/*
op.enroll.certificates.num=1
op.enroll.certificates.value.0=caCert
-op.enroll.certificates.caCert.nickName=caCert0 pki-tps
+op.enroll.certificates.caCert.nickName=caCert0 fpki-tps
op.enroll.certificates.caCert.certId=C5
op.enroll.certificates.caCert.certAttrId=c5
op.enroll.certificates.caCert.label=caCert Label
diff --git a/pki/base/tps/src/processor/RA_Processor.cpp b/pki/base/tps/src/processor/RA_Processor.cpp
index ca04b573e..e6e5dd0f8 100644
--- a/pki/base/tps/src/processor/RA_Processor.cpp
+++ b/pki/base/tps/src/processor/RA_Processor.cpp
@@ -2072,6 +2072,7 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
{
char body[5000];
char configname[256];
+#define PLAINTEXT_CHALLENGE_SIZE 16
// khai, here we wrap the input with the KEK key
// in TKS
HttpConnection *tksConn = NULL;
@@ -2091,7 +2092,12 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
} else {
int tks_curr = RA::GetCurrentIndex(tksConn);
int currRetries = 0;
- char *data = Util::SpecialURLEncode(in);
+ char *data = NULL;
+ Buffer *zerob = new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0);
+ if (!(in == *zerob))
+ data = Util::SpecialURLEncode(in);
+ else
+ RA::Debug(LL_PER_PDU, "RA_Processor::EncryptData","Challenge to be generated on TKS");
char *cuid = Util::SpecialURLEncode(CUID);
char *versionID = Util::SpecialURLEncode(version);
@@ -2099,14 +2105,10 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
const char *keySet = RA::GetConfigStore()->GetConfigAsString(configname);
PR_snprintf((char *)body, 5000, "data=%s&CUID=%s&KeyInfo=%s&keySet=%s",
- data, cuid, versionID,keySet);
+ ((data != NULL)? data:""), cuid, versionID,keySet);
PR_snprintf((char *)configname, 256, "conn.%s.servlet.encryptData", connid);
const char *servletID = RA::GetConfigStore()->GetConfigAsString(configname);
- if( data != NULL ) {
- PR_Free( data );
- data = NULL;
- }
if( cuid != NULL ) {
PR_Free( cuid );
cuid = NULL;
@@ -2144,6 +2146,9 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
}
Buffer *encryptedData = NULL;
+ // preEncData is only useful when data is null, and data is to be randomly
+ // generated on TKS
+ Buffer *preEncData = NULL;
status = 0;
if (response != NULL) {
RA::Debug(LL_PER_PDU, "EncryptData Response is not ","NULL");
@@ -2162,6 +2167,17 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
} else {
status = 0;
char *p = &content[9];
+ // get pre-encryption data
+ char *preStr = strstr((char *)p, "data=");
+ if (preStr != NULL) {
+ p = &preStr[5];
+ char pstr[PLAINTEXT_CHALLENGE_SIZE];
+ strncpy(pstr, p, PLAINTEXT_CHALLENGE_SIZE*3);
+ preEncData = Util::URLDecode(pstr);
+ }
+
+ // get encrypted data
+ p = &content[9];
char *rcStr = strstr((char *)p, "encryptedData=");
if (rcStr != NULL) {
rcStr = &rcStr[14];
@@ -2176,10 +2192,14 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
RA::Debug(LL_PER_PDU, "EncryptedData ", "status=%d", status);
RA::Debug(LL_PER_PDU, "finish EncryptedData", "");
- if (status > 0 || encryptedData == NULL) {
+ if ((status > 0) || (preEncData == NULL) || (encryptedData == NULL)) {
if (tksConn != NULL) {
RA::ReturnTKSConn(tksConn);
}
+ if( data != NULL ) {
+ PR_Free( data );
+ data = NULL;
+ }
return -1;
} else {
out = *encryptedData;
@@ -2187,6 +2207,17 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer
delete encryptedData;
encryptedData = NULL;
}
+ if (data != NULL) {
+ RA::Debug(LL_PER_PDU, "EncryptedData ", "challenge overwritten by TKS");
+ PR_Free( data );
+ data = NULL;
+ }
+ in = *preEncData;
+
+ if( preEncData != NULL ) {
+ delete preEncData;
+ preEncData = NULL;
+ }
}
if( response != NULL ) {
response->freeContent();
diff --git a/pki/dogtag/common/pki-common.spec b/pki/dogtag/common/pki-common.spec
index 3baa9677e..4f81aa846 100644
--- a/pki/dogtag/common/pki-common.spec
+++ b/pki/dogtag/common/pki-common.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 28
+%define base_release 29
%define base_group System Environment/Base
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -280,6 +280,8 @@ chmod 00755 %{_datadir}/%{base_prefix}/setup/postinstall
###############################################################################
%changelog
+* Fri Dec 5 2008 Christina Fu <cfu@redhat.com> 1.0.0-29
+- Buzilla Bug 474659 - moved public key challenge generation from TPS to TKS
* Fri Nov 28 2008 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-28
- Bugzilla Bug #445402 - changed "linux"/"fedora" to "dogtag"; changed
"pki-svn.fedora.redhat.com" to "pki.fedoraproject.org"
diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec
index e46d3b640..ee7a697aa 100644
--- a/pki/dogtag/tps/pki-tps.spec
+++ b/pki/dogtag/tps/pki-tps.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 8
+%define base_release 9
%define base_group System Environment/Daemons
%define base_vendor Red Hat, Inc.
%define base_license LGPLv2 with exceptions
@@ -293,6 +293,8 @@ fi
###############################################################################
%changelog
+* Fri Dec 5 2008 Christina Fu <cfu@redhat.com> 1.0.0-9
+- Buzilla Bug 474659 - moved public key challenge generation from TPS to TKS
* Thu Dec 4 2008 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-8
- Bugzilla Bug #474369 - Remove NSS dependency on "pkcs11-devel" and
upgrade NSS/NSPR version dependencies
generated by cgit (git 2.34.1) at 2024-07-05 07:57:47 +0000