diff options
46 files changed, 1556 insertions, 241 deletions
diff --git a/abrt_checker_23484.log b/abrt_checker_23484.log new file mode 100644 index 000000000..97d259eb9 --- /dev/null +++ b/abrt_checker_23484.log @@ -0,0 +1,9 @@ +Uncaught java.lang.ClassNotFoundException exception in thread "main" in a method java.lang.ClassLoader.loadClass() with signature (Ljava/lang/String;Z)Ljava/lang/Class; +Exception in thread "main" java.lang.ClassNotFoundException: .usr.lib64.eclipse..plugins.org.eclipse.equinox.launcher_1.3.0.v20130930-1720.jar + at java.net.URLClassLoader$1.run(URLClassLoader.java:366) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class] + at java.net.URLClassLoader$1.run(URLClassLoader.java:355) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class] + at java.security.AccessController.doPrivileged(Native Method) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/security/AccessController.class] + at java.net.URLClassLoader.findClass(URLClassLoader.java:354) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader.class] + at java.lang.ClassLoader.loadClass(ClassLoader.java:424) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class] + at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/sun/misc/Launcher$AppClassLoader.class] + at java.lang.ClassLoader.loadClass(ClassLoader.java:357) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class] diff --git a/base/common/src/org/dogtagpki/tps/TPSConnection.java b/base/common/src/org/dogtagpki/tps/TPSConnection.java index 442d28dad..64f8cb906 100644 --- a/base/common/src/org/dogtagpki/tps/TPSConnection.java +++ b/base/common/src/org/dogtagpki/tps/TPSConnection.java @@ -53,12 +53,14 @@ public class TPSConnection { // read the first parameter while ((b = in.read()) >= 0) { - char c = (char)b; - if (c == '&') break; + char c = (char) b; + if (c == '&') + break; sb.append(c); } - if (b < 0) throw new IOException("Unexpected end of stream"); + if (b < 0) + throw new IOException("Unexpected end of stream"); // parse message size String nvp = sb.toString(); @@ -68,19 +70,20 @@ public class TPSConnection { sb.append('&'); // read the rest of message - for (int i=0; i<size; i++) { + for (int i = 0; i < size; i++) { b = in.read(); - if (b < 0) throw new IOException("Unexpected end of stream"); + if (b < 0) + throw new IOException("Unexpected end of stream"); - char c = (char)b; + char c = (char) b; sb.append(c); } CMS.debug("TPSMessage.read: Reading: " + sb.toString()); // parse the entire message - return TPSMessage.createMessage(sb.toString()); + return TPSMessage.createMessage(sb.toString()); } public void write(TPSMessage message) throws IOException { @@ -88,7 +91,6 @@ public class TPSConnection { CMS.debug("TPSMessage.write: Writing: " + s); - if (chunked) { // send message length + EOL out.print(Integer.toHexString(s.length())); @@ -98,11 +100,18 @@ public class TPSConnection { // send message out.print(s); + /* + * + * Right now, tpsclient is counting the final crlf as part of the message and ruining the MAC calculations + * For now do this and figure out later how to handle this for both tpsclient and esc. + * if (chunked) { // send EOL out.print("\r\n"); } + */ + out.flush(); } } diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDU.java b/base/common/src/org/dogtagpki/tps/apdu/APDU.java index c4f2c1769..c1aa51716 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/APDU.java +++ b/base/common/src/org/dogtagpki/tps/apdu/APDU.java @@ -19,6 +19,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; import org.dogtagpki.tps.main.Util; +import org.mozilla.jss.pkcs11.PK11SymKey; + +import com.netscape.certsrv.base.EBaseException; public abstract class APDU { @@ -140,8 +143,59 @@ public abstract class APDU { return encoding; } - public void getDataToMAC(TPSBuffer data) { - //ToDO + public TPSBuffer getDataToMAC() { + TPSBuffer mac = new TPSBuffer(); + + mac.add(cla); + mac.add(ins); + mac.add(p1); + mac.add(p2); + mac.add((byte) (data.size() + 8)); + mac.add(data); + + return mac; + } + + public void secureMessage(PK11SymKey encKey) throws EBaseException { + + if (encKey == null) { + throw new EBaseException("APDU.secureData: No input encrytion session key!"); + } + + int padNeeded = 0; + + TPSBuffer dataToEnc = null; + TPSBuffer padding = null; + TPSBuffer dataEncrypted = null; + + dataToEnc = new TPSBuffer(); + dataToEnc.add((byte) data.size()); + dataToEnc.add(data); + + int dataSize = dataToEnc.size(); + int rem = dataSize % 8; + + if (rem == 0) { + padNeeded = 0; + } else if (dataSize < 8) { + padNeeded = 8 - dataSize; + } else { + padNeeded = 8 - rem; + } + + if (padNeeded > 0) { + dataToEnc.add((byte) 0x80); + padNeeded--; + + if (padNeeded > 0) { + padding = new TPSBuffer(padNeeded); + dataToEnc.add(padding); + } + } + + dataEncrypted = Util.encryptData(dataToEnc, encKey); + + data.set(dataEncrypted); } public Type getType() { diff --git a/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java b/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java index ef25cd204..9376a1f97 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java +++ b/base/common/src/org/dogtagpki/tps/apdu/APDUResponse.java @@ -88,7 +88,7 @@ public class APDUResponse extends APDU { } //Get the two byte apdu return code - byte[] getResultBytes() { + public byte[] getResultCodeBytes() { byte[] result = new byte[2]; result[0] = getSW1(); @@ -96,6 +96,20 @@ public class APDUResponse extends APDU { return result; } + public TPSBuffer getResultDataNoCode() { + + //Result code will be 2 bytes at the end. + TPSBuffer theData = getData(); + + TPSBuffer result = null; + int len = theData.size(); + if (len > 2) { + result = theData.substr(0, len - 2); + } + + return result; + } + public static void main(String args[]) { APDUResponse resp = new APDUResponse(); diff --git a/base/common/src/org/dogtagpki/tps/apdu/CreateObject.java b/base/common/src/org/dogtagpki/tps/apdu/CreateObjectAPDU.java index 04208aa3b..03ad05ff4 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/CreateObject.java +++ b/base/common/src/org/dogtagpki/tps/apdu/CreateObjectAPDU.java @@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class CreateObject extends APDU { +public class CreateObjectAPDU extends APDU { /** * Constructs a Create Object APDU. This APDU is usually sent right * before Write_Buffer_APDU is sent. This APDU only creates an Object @@ -63,7 +63,7 @@ public class CreateObject extends APDU { * @see APDU */ - public CreateObject(byte[] object_id, byte[] permissions, int len) { + public CreateObjectAPDU(byte[] object_id, byte[] permissions, int len) { if (object_id.length != 4) return; @@ -108,7 +108,7 @@ public class CreateObject extends APDU { byte[] object_id = { 0x01, 0x02, 0x3, 0x4 }; byte[] permisisons = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x6 }; - CreateObject apdu = new CreateObject(object_id, permisisons, 56); + CreateObjectAPDU apdu = new CreateObjectAPDU(object_id, permisisons, 56); if (apdu != null) { diff --git a/base/common/src/org/dogtagpki/tps/apdu/CreatePin.java b/base/common/src/org/dogtagpki/tps/apdu/CreatePinAPDU.java index 3d7b9274c..c37d0d465 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/CreatePin.java +++ b/base/common/src/org/dogtagpki/tps/apdu/CreatePinAPDU.java @@ -22,9 +22,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class CreatePin extends APDU { +public class CreatePinAPDU extends APDU { - public CreatePin(byte theP1, byte theP2, TPSBuffer theData) { + public CreatePinAPDU(byte theP1, byte theP2, TPSBuffer theData) { setP1(theP1); setP2(theP2); diff --git a/base/common/src/org/dogtagpki/tps/apdu/DeleteFile.java b/base/common/src/org/dogtagpki/tps/apdu/DeleteFileAPDU.java index 475207dd6..9114b8af6 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/DeleteFile.java +++ b/base/common/src/org/dogtagpki/tps/apdu/DeleteFileAPDU.java @@ -19,14 +19,13 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class DeleteFile extends APDU { +public class DeleteFileAPDU extends APDU { - public DeleteFile( TPSBuffer aid) { + public DeleteFileAPDU(TPSBuffer aid) { setCLA((byte) 0x84); - setINS((byte)0xE4); - setP1((byte)0x00); - setP2((byte)0x00); - + setINS((byte) 0xE4); + setP1((byte) 0x00); + setP2((byte) 0x00); TPSBuffer AIDTLV = new TPSBuffer(); @@ -43,7 +42,7 @@ public class DeleteFile extends APDU { public APDU.Type getType() { return APDU.Type.APDU_DELETE_FILE; - } + } public static void main(String[] args) { // TODO Auto-generated method stub diff --git a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java deleted file mode 100644 index d1337b886..000000000 --- a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticate.java +++ /dev/null @@ -1,51 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2013 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package org.dogtagpki.tps.apdu; - -import org.dogtagpki.tps.main.TPSBuffer; - -public class ExternalAuthenticate extends APDU { - - public ExternalAuthenticate(TPSBuffer theData, byte securityLevel) { - - setCLA((byte) 0x84); - setINS((byte) 0x82); - - setP1(securityLevel); - - setP2((byte) 0x00); - setData(theData); - } - - public TPSBuffer getHostCryptogram() - { - return getData(); - } - - @Override - public APDU.Type getType() - { - return APDU.Type.APDU_EXTERNAL_AUTHENTICATE; - } - - public static void main(String[] args) { - // TODO Auto-generated method stub - - } - -} diff --git a/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java new file mode 100644 index 000000000..d824e8ce7 --- /dev/null +++ b/base/common/src/org/dogtagpki/tps/apdu/ExternalAuthenticateAPDU.java @@ -0,0 +1,110 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package org.dogtagpki.tps.apdu; + +import org.dogtagpki.tps.main.TPSBuffer; + +public class ExternalAuthenticateAPDU extends APDU { + + public enum SecurityLevel { + SECURE_MSG_ANY, + SECURE_MSG_MAC, + SECURE_MSG_NONE, // not yet supported + SECURE_MSG_MAC_ENC, + + } + + public ExternalAuthenticateAPDU(TPSBuffer theData, SecurityLevel securityLevel) { + setCLA((byte) 0x84); + setINS((byte) 0x82); + + setP1(securityLevelToByte(securityLevel)); + setP2((byte) 0x0); + + setData(theData); + } + + public TPSBuffer getHostCryptogram() + { + return getData(); + } + + @Override + public APDU.Type getType() + { + return APDU.Type.APDU_EXTERNAL_AUTHENTICATE; + } + + public static byte securityLevelToByte(SecurityLevel level) { + byte result = 0; + + switch (level) { + case SECURE_MSG_ANY: + result = 0; + break; + case SECURE_MSG_MAC: + result = 1; + break; + case SECURE_MSG_NONE: + result = 2; + break; + case SECURE_MSG_MAC_ENC: + result = 3; + break; + + default: + result = 0; + break; + + } + + return result; + } + + public static SecurityLevel byteToSecurityLevel(byte level) { + + SecurityLevel result = SecurityLevel.SECURE_MSG_ANY; + + switch (level) { + + case 0: + result = SecurityLevel.SECURE_MSG_ANY; + break; + case 1: + result = SecurityLevel.SECURE_MSG_MAC; + break; + case 2: + result = SecurityLevel.SECURE_MSG_NONE; + break; + case 3: + result = SecurityLevel.SECURE_MSG_MAC_ENC; + break; + default: + result = SecurityLevel.SECURE_MSG_ANY; + break; + } + + return result; + } + + public static void main(String[] args) { + // TODO Auto-generated method stub + + } + +} diff --git a/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleApplet.java b/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleAppletAPDU.java index af4cec11a..3babdc1c5 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleApplet.java +++ b/base/common/src/org/dogtagpki/tps/apdu/FormatMuscleAppletAPDU.java @@ -25,8 +25,8 @@ import org.dogtagpki.tps.main.TPSBuffer; /* Not sure this is used , provide stub right now. */ -public class FormatMuscleApplet extends APDU { - public FormatMuscleApplet(short memSize, +public class FormatMuscleAppletAPDU extends APDU { + public FormatMuscleAppletAPDU(short memSize, TPSBuffer PIN0, byte pin0Tries, TPSBuffer unblockPIN0, byte unblock0Tries, TPSBuffer PIN1, byte pin1Tries, diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKey.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java index 47f45bb50..f11f132be 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKey.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyAPDU.java @@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GenerateKey extends APDU { +public class GenerateKeyAPDU extends APDU { - public GenerateKey(byte theP1, byte theP2, byte alg, + public GenerateKeyAPDU(byte theP1, byte theP2, byte alg, int keysize, byte option, byte type, TPSBuffer wrapped_challenge, TPSBuffer key_check) { diff --git a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECC.java b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java index 3f9106723..6743822ad 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECC.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GenerateKeyECCAPDU.java @@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GenerateKeyECC extends APDU { +public class GenerateKeyECCAPDU extends APDU { - public GenerateKeyECC(byte theP1, byte theP2, byte alg, + public GenerateKeyECCAPDU(byte theP1, byte theP2, byte alg, int keysize, byte option, byte type, TPSBuffer wrapped_challenge, TPSBuffer key_check) { diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetData.java b/base/common/src/org/dogtagpki/tps/apdu/GetDataAPDU.java index b7b8be02c..7cd52fcd1 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GetData.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GetDataAPDU.java @@ -22,9 +22,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GetData extends APDU { +public class GetDataAPDU extends APDU { - public GetData() + public GetDataAPDU() { setCLA((byte) 0x80); setINS((byte) 0xCA); @@ -53,7 +53,7 @@ public class GetData extends APDU { } /* Encode */ public static void main(String[] args) { - GetData get_data = new GetData(); + GetDataAPDU get_data = new GetDataAPDU(); get_data.dump(); diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfo.java b/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfoAPDU.java index 21fe1a77e..ede006a18 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfo.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GetIssuerInfoAPDU.java @@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GetIssuerInfo extends APDU { +public class GetIssuerInfoAPDU extends APDU { /** * Constructs GetIssuer APDU. * @@ -45,7 +45,7 @@ public class GetIssuerInfo extends APDU { * @param data issuer info * @see APDU */ - public GetIssuerInfo() + public GetIssuerInfoAPDU() { setCLA((byte) 0x84); setINS((byte) 0xF6); diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetStatus.java b/base/common/src/org/dogtagpki/tps/apdu/GetStatusAPDU.java index 3b8c68fca..2479cc674 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GetStatus.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GetStatusAPDU.java @@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GetStatus extends APDU { - public GetStatus() +public class GetStatusAPDU extends APDU { + public GetStatusAPDU() { setCLA((byte) 0xB0); setINS((byte) 0x3C); diff --git a/base/common/src/org/dogtagpki/tps/apdu/GetVersion.java b/base/common/src/org/dogtagpki/tps/apdu/GetVersionAPDU.java index 9bdc27fa1..6e10df985 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/GetVersion.java +++ b/base/common/src/org/dogtagpki/tps/apdu/GetVersionAPDU.java @@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class GetVersion extends APDU { - public GetVersion() +public class GetVersionAPDU extends APDU { + public GetVersionAPDU() { setCLA((byte) 0xB0); setINS((byte) 0x70); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ImportKey.java b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyAPDU.java index c17bfb825..a37e52831 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ImportKey.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyAPDU.java @@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ImportKey extends APDU { +public class ImportKeyAPDU extends APDU { /** * Constructs Import Key APDU. * @@ -46,7 +46,7 @@ public class ImportKey extends APDU { * Byte[] Additional parameters; // Optional * If KeyBlob's Encoding is BLOB_ENC_PLAIN(0x00), there are no additional parameters. */ - public ImportKey(byte p1) + public ImportKeyAPDU(byte p1) { setCLA((byte) 0x84); setINS((byte) 0x32); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEnc.java b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEncAPDU.java index c87a76ac8..ff01c6600 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEnc.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ImportKeyEncAPDU.java @@ -23,7 +23,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ImportKeyEnc extends APDU { +public class ImportKeyEncAPDU extends APDU { /** * Constructs Import Key Encrypted APDU. @@ -47,7 +47,7 @@ public class ImportKeyEnc extends APDU { * Import Parameters: * ...to be provided */ - public ImportKeyEnc(byte p1, byte p2, TPSBuffer theData) + public ImportKeyEncAPDU(byte p1, byte p2, TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0x0A); diff --git a/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdate.java b/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdateAPDU.java index 4016b96f4..4bc640108 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdate.java +++ b/base/common/src/org/dogtagpki/tps/apdu/InitializeUpdateAPDU.java @@ -23,12 +23,13 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class InitializeUpdate extends APDU { +public class InitializeUpdateAPDU extends APDU { /** * Constructs Initialize Update APDU. */ - public InitializeUpdate(byte key_version, byte key_index, TPSBuffer theData) { + public InitializeUpdateAPDU(byte key_version, byte key_index, TPSBuffer theData) { + setCLA((byte) 0x80); setINS((byte) 0x50); setP1(key_version); setP2(key_index); @@ -47,16 +48,16 @@ public class InitializeUpdate extends APDU { public TPSBuffer getEncoding() { - TPSBuffer data = new TPSBuffer(); + TPSBuffer theData = new TPSBuffer(); - data.add(cla); - data.add(ins); - data.add(p1); - data.add(p2); - data.add((byte) data.size()); - data.add(data); + theData.add(cla); + theData.add(ins); + theData.add(p1); + theData.add(p2); + theData.add((byte) data.size()); + theData.add(data); - return data; + return theData; } /* Encode */ } diff --git a/base/common/src/org/dogtagpki/tps/apdu/InstallApplet.java b/base/common/src/org/dogtagpki/tps/apdu/InstallAppletAPDU.java index 9e6206ac7..8f164e9d4 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/InstallApplet.java +++ b/base/common/src/org/dogtagpki/tps/apdu/InstallAppletAPDU.java @@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class InstallApplet extends APDU { +public class InstallAppletAPDU extends APDU { - public InstallApplet(TPSBuffer packageAID, TPSBuffer appletAID, + public InstallAppletAPDU(TPSBuffer packageAID, TPSBuffer appletAID, byte appPrivileges, int instanceSize, int appletMemorySize) { setCLA((byte) 0x84); @@ -79,7 +79,7 @@ public class InstallApplet extends APDU { /** * Constructs Install Applet APDU. */ - public InstallApplet(TPSBuffer theData) + public InstallAppletAPDU(TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0xE6); diff --git a/base/common/src/org/dogtagpki/tps/apdu/InstallLoad.java b/base/common/src/org/dogtagpki/tps/apdu/InstallLoadAPDU.java index dc6d2b049..cb84b9382 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/InstallLoad.java +++ b/base/common/src/org/dogtagpki/tps/apdu/InstallLoadAPDU.java @@ -23,9 +23,9 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class InstallLoad extends APDU { +public class InstallLoadAPDU extends APDU { - public InstallLoad(TPSBuffer packageAID, TPSBuffer sdAID, + public InstallLoadAPDU(TPSBuffer packageAID, TPSBuffer sdAID, int fileLen) { @@ -55,7 +55,7 @@ public class InstallLoad extends APDU { /** * Constructs Install Load APDU. Used when data was pre-constructed */ - public InstallLoad(TPSBuffer theData) + public InstallLoadAPDU(TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0xE6); diff --git a/base/common/src/org/dogtagpki/tps/apdu/Lifecycle.java b/base/common/src/org/dogtagpki/tps/apdu/LifecycleAPDU.java index e26a39ed9..051f663df 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/Lifecycle.java +++ b/base/common/src/org/dogtagpki/tps/apdu/LifecycleAPDU.java @@ -21,11 +21,11 @@ package org.dogtagpki.tps.apdu; -public class Lifecycle extends APDU { +public class LifecycleAPDU extends APDU { /** * Constructs Lifecycle APDU. */ - public Lifecycle(byte lifecycle) + public LifecycleAPDU(byte lifecycle) { setCLA((byte) 0x84); setINS((byte) 0xf0); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ListObjects.java b/base/common/src/org/dogtagpki/tps/apdu/ListObjectsAPDU.java index b21cd111b..4d29506e6 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ListObjects.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ListObjectsAPDU.java @@ -23,8 +23,8 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ListObjects extends APDU { - public ListObjects(byte seq) +public class ListObjectsAPDU extends APDU { + public ListObjectsAPDU(byte seq) { setCLA((byte) 0xB0); setINS((byte) 0x58); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ListPins.java b/base/common/src/org/dogtagpki/tps/apdu/ListPinsAPDU.java index 7ced5a21a..e9a5f49bf 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ListPins.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ListPinsAPDU.java @@ -23,11 +23,11 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ListPins extends APDU { +public class ListPinsAPDU extends APDU { private byte ret_size = 0; - public ListPins(byte theRet_size) + public ListPinsAPDU(byte theRet_size) { setCLA((byte) 0xB0); setINS((byte) 0x48); diff --git a/base/common/src/org/dogtagpki/tps/apdu/LoadFile.java b/base/common/src/org/dogtagpki/tps/apdu/LoadFileAPDU.java index 2b3f7e3f9..23e948c77 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/LoadFile.java +++ b/base/common/src/org/dogtagpki/tps/apdu/LoadFileAPDU.java @@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class LoadFile extends APDU { +public class LoadFileAPDU extends APDU { /** * Constructs Load File APDU. */ - public LoadFile(byte refControl, byte blockNum, TPSBuffer theData) + public LoadFileAPDU(byte refControl, byte blockNum, TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0xE8); diff --git a/base/common/src/org/dogtagpki/tps/apdu/PutKey.java b/base/common/src/org/dogtagpki/tps/apdu/PutKeyAPDU.java index 3d6f2a022..6a939e7ba 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/PutKey.java +++ b/base/common/src/org/dogtagpki/tps/apdu/PutKeyAPDU.java @@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class PutKey extends APDU { +public class PutKeyAPDU extends APDU { /** * Constructs Put Key APDU. */ - public PutKey(byte p1, byte p2, TPSBuffer theData) + public PutKeyAPDU(byte p1, byte p2, TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0xd8); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ReadBuffer.java b/base/common/src/org/dogtagpki/tps/apdu/ReadBufferAPDU.java index 7e1ab00c5..7c8159bf4 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ReadBuffer.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ReadBufferAPDU.java @@ -22,11 +22,11 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ReadBuffer extends APDU { +public class ReadBufferAPDU extends APDU { /** * Constructs Read Buffer APDU. */ - public ReadBuffer(int len, int offset) + public ReadBufferAPDU(int len, int offset) { setCLA((byte) 0x84); setINS((byte) 0x08); diff --git a/base/common/src/org/dogtagpki/tps/apdu/ReadObject.java b/base/common/src/org/dogtagpki/tps/apdu/ReadObjectAPDU.java index b78098305..f013a82aa 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/ReadObject.java +++ b/base/common/src/org/dogtagpki/tps/apdu/ReadObjectAPDU.java @@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class ReadObject extends APDU { +public class ReadObjectAPDU extends APDU { /** * Constructs Read Object APDU. * @@ -52,7 +52,7 @@ public class ReadObject extends APDU { * @see APDU */ - public ReadObject(byte[] object_id, int offset, int len) + public ReadObjectAPDU(byte[] object_id, int offset, int len) { setCLA((byte) 0x84); setINS((byte) 0x56); diff --git a/base/common/src/org/dogtagpki/tps/apdu/Select.java b/base/common/src/org/dogtagpki/tps/apdu/SelectAPDU.java index f01c00147..d0b492590 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/Select.java +++ b/base/common/src/org/dogtagpki/tps/apdu/SelectAPDU.java @@ -22,8 +22,8 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class Select extends APDU { - public Select(byte p1, byte p2, TPSBuffer theData) +public class SelectAPDU extends APDU { + public SelectAPDU(byte p1, byte p2, TPSBuffer theData) { setCLA((byte) 0x00); setINS((byte) 0xa4); diff --git a/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfo.java b/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfoAPDU.java index 316a0fd52..40ea1b1ac 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfo.java +++ b/base/common/src/org/dogtagpki/tps/apdu/SetIssuerInfoAPDU.java @@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class SetIssuerInfo extends APDU { +public class SetIssuerInfoAPDU extends APDU { /** * Constructs SetIssuer APDU. * @@ -45,7 +45,7 @@ public class SetIssuerInfo extends APDU { * @param data issuer info * @see APDU */ - public SetIssuerInfo(byte p1, byte p2, TPSBuffer theData) + public SetIssuerInfoAPDU(byte p1, byte p2, TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0xF4); diff --git a/base/common/src/org/dogtagpki/tps/apdu/SetPin.java b/base/common/src/org/dogtagpki/tps/apdu/SetPinAPDU.java index 8911c40dd..ddf46cd27 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/SetPin.java +++ b/base/common/src/org/dogtagpki/tps/apdu/SetPinAPDU.java @@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class SetPin extends APDU { +public class SetPinAPDU extends APDU { /** * Constructs SetPin APDU. * @@ -45,7 +45,7 @@ public class SetPin extends APDU { * @param data pin * @see APDU */ - public SetPin(byte p1, byte p2, TPSBuffer theData) + public SetPinAPDU(byte p1, byte p2, TPSBuffer theData) { setCLA((byte) 0x84); setINS((byte) 0x04); diff --git a/base/common/src/org/dogtagpki/tps/apdu/UnblockPin.java b/base/common/src/org/dogtagpki/tps/apdu/UnblockPinAPDU.java index 620698c00..ae2486fa5 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/UnblockPin.java +++ b/base/common/src/org/dogtagpki/tps/apdu/UnblockPinAPDU.java @@ -20,11 +20,11 @@ */ package org.dogtagpki.tps.apdu; -public class UnblockPin extends APDU { +public class UnblockPinAPDU extends APDU { /** * Constructs Unblock Pin APDU. */ - public UnblockPin() + public UnblockPinAPDU() { setCLA((byte) 0x84); setINS((byte) 0x02); diff --git a/base/common/src/org/dogtagpki/tps/apdu/WriteObject.java b/base/common/src/org/dogtagpki/tps/apdu/WriteObjectAPDU.java index bf64949ae..e8e4d63fa 100644 --- a/base/common/src/org/dogtagpki/tps/apdu/WriteObject.java +++ b/base/common/src/org/dogtagpki/tps/apdu/WriteObjectAPDU.java @@ -22,7 +22,7 @@ package org.dogtagpki.tps.apdu; import org.dogtagpki.tps.main.TPSBuffer; -public class WriteObject extends APDU { +public class WriteObjectAPDU extends APDU { /** * Constructs Write Buffer APDU. This APDU is usually sent right after * the Create_Object_APDU is sent. This APDU writes the actual object @@ -60,7 +60,7 @@ public class WriteObject extends APDU { * @param data * @see APDU */ - public WriteObject(byte[] object_id, int offset, TPSBuffer data) + public WriteObjectAPDU(byte[] object_id, int offset, TPSBuffer data) { if (object_id.length != 4) { return; diff --git a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java index 1df8716fc..03ec46092 100644 --- a/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java +++ b/base/common/src/org/dogtagpki/tps/main/TPSBuffer.java @@ -95,13 +95,20 @@ public class TPSBuffer { } public byte at(int i) { - if (i < 0 || i > size()) { + if (i < 0 || i >= size()) { return 0x0; } return buf[i]; } + public void setAt(int i, byte value) { + if (i < 0 || i >= size()) + return; + + buf[i] = value; + } + /** * Returns true if the two buffers are the same length and contain * the same byte at each offset. @@ -126,6 +133,13 @@ public class TPSBuffer { addBytes(addBytes); } + public void set(TPSBuffer newContents) { + if (newContents == null) + return; + + buf = newContents.toBytesArray(); + } + /** * Append operators. */ @@ -233,6 +247,7 @@ public class TPSBuffer { result.append(HEX_DIGITS.charAt((c & 0xF0) >> 4)); result.append(HEX_DIGITS.charAt(c & 0x0F)); + result.append("%"); } diff --git a/base/common/src/org/dogtagpki/tps/main/Util.java b/base/common/src/org/dogtagpki/tps/main/Util.java index aba6c6e1d..bef425215 100644 --- a/base/common/src/org/dogtagpki/tps/main/Util.java +++ b/base/common/src/org/dogtagpki/tps/main/Util.java @@ -23,23 +23,30 @@ package org.dogtagpki.tps.main; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.net.URLEncoder; +import java.security.spec.AlgorithmParameterSpec; -import com.netscape.cmsutil.util.Utils; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.Cipher; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.EncryptionAlgorithm; +import org.mozilla.jss.crypto.IVParameterSpec; +import org.mozilla.jss.pkcs11.PK11SymKey; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.cmsutil.util.Utils; public class Util { public Util() { } - public static byte[] str2ByteArray (String s) { + public static byte[] str2ByteArray(String s) { int len = s.length() / 2; + byte[] ret = new byte[len]; - byte[] ret = new byte[len]; - - for (int i = 0; i < len; i ++) { - ret[i] = (byte) ((byte) Util.hexToBin(s.charAt(i*2)) * 16 + Util.hexToBin(s.charAt(i*2+1))); + for (int i = 0; i < len; i++) { + ret[i] = (byte) ((byte) Util.hexToBin(s.charAt(i * 2)) * 16 + Util.hexToBin(s.charAt(i * 2 + 1))); } return ret; @@ -127,13 +134,152 @@ public class Util { return result.toString(); } + public static String specialURLEncode(TPSBuffer data) { + return specialURLEncode(data.toBytesArray()); + } + + public static String specialURLEncode(byte data[]) { + StringBuffer sb = new StringBuffer(); + for (int i = 0; i < data.length; i++) { + sb.append("#"); + if ((data[i] & 0xff) < 16) { + sb.append("0"); + } + sb.append(Integer.toHexString((data[i] & 0xff))); + } + + return sb.toString().toUpperCase(); + } + public static String specialEncode(TPSBuffer data) { return Utils.SpecialEncode(data.toBytesArray()); } + + public static TPSBuffer computeMAC(PK11SymKey symKey, TPSBuffer input, TPSBuffer icv) throws EBaseException { + TPSBuffer output = null; + TPSBuffer result = null; + + int inputLen = input.size(); + + if (symKey == null || input == null || icv == null || icv.size() != 8) { + throw new EBaseException("Util.computeMAC: invalid input data!"); + } + + TPSBuffer macPad = new TPSBuffer(8); + macPad.setAt(0, (byte) 0x80); + + CryptoToken token = null; + + try { + + token = CryptoManager.getInstance().getInternalKeyStorageToken(); + + Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_ECB); + result = new TPSBuffer(icv); + + /* Process whole blocks */ + int inputOffset = 0; + while (inputLen >= 8) + { + for (int i = 0; i < 8; i++) + { + //Xor implicitly converts bytes to ints, we convert answer back to byte. + byte a = (byte) (result.at(i) ^ input.at(inputOffset + i)); + result.setAt(i, a); + } + cipher.initEncrypt(symKey); + byte[] ciphResult = cipher.doFinal(result.toBytesArray()); + + if (ciphResult.length != result.size()) { + throw new EBaseException("Invalid cipher in Util.computeMAC"); + } + + result = new TPSBuffer(ciphResult); + + inputLen -= 8; + inputOffset += 8; + } + + /* + * Fold in remaining data (if any) + * Set i to number of bytes processed + */ + int i = 0; + for (i = 0; i < inputLen; i++) + { + byte a = (byte) (result.at(i) ^ input.at(i + inputOffset)); + result.setAt(i, a); + } + + /* + * Fill remainder of last block. There + * will be at least one byte handled here. + */ + + //Start at the beginning of macPad + // Keep going with i in result where we left off. + int padOffset = 0; + while (i < 8) + { + byte a = (byte) (result.at(i) ^ macPad.at(padOffset++)); + result.setAt(i, a); + i++; + } + + cipher.initEncrypt(symKey); + byte[] ciphResultFinal = cipher.doFinal(result.toBytesArray()); + + if (ciphResultFinal.length != result.size()) { + throw new EBaseException("Invalid cipher in Util.computeMAC"); + } + + output = new TPSBuffer(ciphResultFinal); + + } catch (Exception e) { + throw new EBaseException("Util.computeMAC: Cryptographic problem encountered! " + e.toString()); + } + + return output; + } + public static TPSBuffer specialDecode(String str) { - byte[] data = Utils.SpecialDecode(str); + byte[] data = uriDecodeFromHex(str); TPSBuffer tbuf = new TPSBuffer(data); return tbuf; } + + public static TPSBuffer encryptData(TPSBuffer dataToEnc, PK11SymKey encKey) throws EBaseException { + + TPSBuffer encrypted = null; + if (encKey == null || dataToEnc == null) { + throw new EBaseException("Util.encryptData: called with no sym key or no data!"); + } + + CryptoToken token = null; + try { + + token = CryptoManager.getInstance().getInternalKeyStorageToken(); + Cipher cipher = token.getCipherContext(EncryptionAlgorithm.DES3_CBC); + + AlgorithmParameterSpec algSpec = null; + + int len = EncryptionAlgorithm.DES3_CBC.getIVLength(); + byte[] iv = new byte[len]; // Assume iv set to 0's as in current TPS + + algSpec = new IVParameterSpec(iv); + cipher.initEncrypt(encKey, algSpec); + + byte[] encryptedBytes = cipher.doFinal(dataToEnc.toBytesArray()); + + encrypted = new TPSBuffer(encryptedBytes); + + } catch (Exception e) { + throw new EBaseException("Util.encryptData: problem encrypting data: " + e.toString()); + } + + return encrypted; + + } + } diff --git a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java index 433338bc5..e27f98416 100644 --- a/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java +++ b/base/common/src/org/dogtagpki/tps/msg/TokenPDURequest.java @@ -18,7 +18,7 @@ package org.dogtagpki.tps.msg; import org.dogtagpki.tps.apdu.APDU; -import org.dogtagpki.tps.apdu.Select; +import org.dogtagpki.tps.apdu.SelectAPDU; import org.dogtagpki.tps.main.TPSBuffer; import org.dogtagpki.tps.main.Util; @@ -44,13 +44,13 @@ public class TokenPDURequest extends TPSMessage { public static void main(String[] args) { - Select apdu = null; + SelectAPDU apdu = null; byte[] select_aid = { (byte) 0xa0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0 }; TPSBuffer select = new TPSBuffer(select_aid); - apdu = new Select((byte) 0x4, (byte) 0x0, select); + apdu = new SelectAPDU((byte) 0x4, (byte) 0x0, select); TokenPDURequest request = new TokenPDURequest(apdu); diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.cpp b/base/symkey/src/com/netscape/symkey/SessionKey.cpp index 0878e26dd..9f3a353a3 100644 --- a/base/symkey/src/com/netscape/symkey/SessionKey.cpp +++ b/base/symkey/src/com/netscape/symkey/SessionKey.cpp @@ -1843,6 +1843,199 @@ finish: return handleBA; } +#ifdef __cplusplus +extern "C" +{ +#endif +/* + * Class: com_netscape_cms_servlet_tks_UnwrapSessionKeyWithSharedSecret + * Method: UnwrapSessionKeyWithSharedSecret + * Signature: ([B[B[B[B)[B + */ + JNIEXPORT jobject JNICALL + Java_com_netscape_symkey_SessionKey_ + (JNIEnv*, jclass, jstring, jobject,jbyteArray); +#ifdef __cplusplus +} +#endif +extern "C" JNIEXPORT jobject JNICALL +Java_com_netscape_symkey_SessionKey_UnwrapSessionKeyWithSharedSecret +(JNIEnv* env, jclass this2, jstring tokenName, jobject sharedSecretKey,jbyteArray sessionKeyBA) +{ + jobject keyObj = NULL; + PK11SymKey *sessionKey = NULL; + PK11SymKey *sharedSecret = NULL; + PK11SymKey *finalKey = NULL; + PK11SlotInfo *slot = NULL; + char *tokenNameChars = NULL; + PRStatus r = PR_FAILURE; + int sessionKeyLen = 0; + jbyte *sessionKeyBytes = NULL; + SECItem *SecParam = PK11_ParamFromIV(CKM_DES3_ECB, NULL); + SECItem wrappedItem = {siBuffer , NULL, 0 }; + + PR_fprintf(PR_STDOUT,"In SessionKey.UnwrapSessionKeyWithSharedSecret!\n"); + + if( sharedSecretKey == NULL || sessionKeyBA == NULL) { + goto loser; + } + + if (tokenName) + { + tokenNameChars = (char *)(env)->GetStringUTFChars(tokenName, NULL); + if ( tokenNameChars && !strcmp(tokenNameChars, "internal")) { + slot = PK11_GetInternalSlot(); + } else { + slot = ReturnSlot(tokenNameChars); + } + + PR_fprintf(PR_STDOUT,"SessionKey.UnwrapSessionKeyWithSharedSecret slot %p name %s tokenName %s \n",slot, PK11_GetSlotName(slot), PK11_GetTokenName(slot)); + (env)->ReleaseStringUTFChars(tokenName, (const char *)tokenNameChars); + } else { + slot = PK11_GetInternalKeySlot(); + } + + if(slot == NULL) { + goto loser; + } + + sessionKeyBytes = (jbyte *)(env)->GetByteArrayElements(sessionKeyBA, NULL); + sessionKeyLen = (env)->GetArrayLength(sessionKeyBA); + + if(sessionKeyBytes == NULL) { + goto loser; + } + + r = JSS_PK11_getSymKeyPtr(env, sharedSecretKey, &sharedSecret); + + if (r != PR_SUCCESS) { + PR_fprintf(PR_STDOUT,"SessionKey: UnwrapSessionKeyWithSharedSecret Unable to get input shared secret sym key! \n"); + goto loser; + } + + wrappedItem.data = (unsigned char *) sessionKeyBytes; + wrappedItem.len = sessionKeyLen; + + sessionKey = PK11_UnwrapSymKey(sharedSecret, + CKM_DES3_ECB,SecParam, &wrappedItem, + CKM_DES3_ECB, + CKA_UNWRAP, + 16); + + PR_fprintf(PR_STDOUT,"SessionKey: UnwrapSessionKeyWithSharedSecret symKey: %p \n",sessionKey); + + if(sessionKey == NULL) { + PR_fprintf(PR_STDOUT,"SessionKey:UnwrapSessionKeyWithSharedSecret Error unwrapping a session key! \n"); + goto loser; + } + + // Done to be compat with current system. Current TPS does this. + finalKey = CreateDesKey24Byte(slot, sessionKey); + + if(finalKey == NULL) { + PR_fprintf(PR_STDOUT,"SessionKey:UnwrapSessionKeyWithSharedSecret Error final unwrapped key! \n"); + goto loser; + + } + + /* wrap the sesssion in java object. */ + keyObj = JSS_PK11_wrapSymKey(env, &finalKey, NULL); + +loser: + + if ( slot != NULL ) { + PK11_FreeSlot( slot); + slot = NULL; + } + + if ( sessionKeyBA != NULL) { + (env)->ReleaseByteArrayElements( sessionKeyBA, sessionKeyBytes, 0); + } + + if(sessionKey) { + PK11_FreeSymKey(sessionKey); + sessionKey = NULL; + } + + // Don't free finalKey ptr because wrapping routine takes that out of our hands. + + return keyObj; +} + +#ifdef __cplusplus +extern "C" +{ +#endif +/* + * Class: com_netscape_cms_servlet_tks_GetSymKeyByName + * Method: GetSymKeyByName + * Signature: ([B[B[B[B)[B + */ + JNIEXPORT jobject JNICALL + Java_com_netscape_symkey_SessionKey_GetSymKeyByName + (JNIEnv*, jclass, jstring, jstring); +#ifdef __cplusplus +} +#endif +extern "C" JNIEXPORT jobject JNICALL +Java_com_netscape_symkey_SessionKey_GetSymKeyByName +(JNIEnv* env, jclass this2, jstring tokenName, jstring keyName) +{ + + jobject keyObj = NULL; + PK11SymKey *key = NULL; + char *tokenNameChars = NULL; + char *keyNameChars = NULL; + PK11SlotInfo *slot = NULL; + CK_OBJECT_HANDLE keyhandle = 0; + + PR_fprintf(PR_STDOUT,"In SessionKey GetSymKeyByName!\n"); + + if (keyName) { + keyNameChars = (char *)(env)->GetStringUTFChars(keyName,NULL); + } + + if (tokenName) + { + tokenNameChars = (char *)(env)->GetStringUTFChars(tokenName, NULL); + if ( tokenNameChars && !strcmp(tokenNameChars, "internal")) { + slot = PK11_GetInternalSlot(); + } else { + slot = ReturnSlot(tokenNameChars); + } + + PR_fprintf(PR_STDOUT,"SessionKey: GetSymKeyByName slot %p name %s tokenName %s keyName %s \n",slot, PK11_GetSlotName(slot), PK11_GetTokenName(slot),keyNameChars); + (env)->ReleaseStringUTFChars(tokenName, (const char *)tokenNameChars); + } else { + slot = PK11_GetInternalKeySlot(); + } + + if(slot == NULL) + goto finish; + + key = ReturnSymKey( slot, keyNameChars); + + PR_fprintf(PR_STDOUT,"SessionKey: GetSymKeyByName returned key %p \n",key); + if (key == NULL) { + goto finish; + } + + /* wrap the symkey in java object. */ + keyObj = JSS_PK11_wrapSymKey(env, &key, NULL); + +finish: + + if (keyName) { + (env)->ReleaseStringUTFChars(keyName, (const char *)keyNameChars); + } + + if(slot) { + PK11_FreeSlot(slot); + slot = NULL; + } + + return keyObj; +} #ifdef __cplusplus extern "C" diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.java b/base/symkey/src/com/netscape/symkey/SessionKey.java index 47f9385f7..56782aad9 100644 --- a/base/symkey/src/com/netscape/symkey/SessionKey.java +++ b/base/symkey/src/com/netscape/symkey/SessionKey.java @@ -75,47 +75,47 @@ public class SessionKey { public static native byte[] ComputeKeyCheck(PK11SymKey desKey); /* byte data[] ); */ public static native byte[] ComputeSessionKey(String tokenName, - String keyName, - byte[] card_challenge, - byte[] host_challenge, - byte[] keyInfo, - byte[] CUID, - byte[] macKeyArray, - String useSoftToken, - String keySet, - String sharedSecretKeyName); + String keyName, + byte[] card_challenge, + byte[] host_challenge, + byte[] keyInfo, + byte[] CUID, + byte[] macKeyArray, + String useSoftToken, + String keySet, + String sharedSecretKeyName); public static native byte[] ComputeEncSessionKey(String tokenName, - String keyName, - byte[] card_challenge, - byte[] host_challenge, - byte[] keyInfo, - byte[] CUID, - byte[] encKeyArray, - String useSoftToken, - String keySet); + String keyName, + byte[] card_challenge, + byte[] host_challenge, + byte[] keyInfo, + byte[] CUID, + byte[] encKeyArray, + String useSoftToken, + String keySet); public static native PK11SymKey ComputeKekSessionKey(String tokenName, - String keyName, - byte[] card_challenge, - byte[] host_challenge, - byte[] keyInfo, - byte[] CUID, - byte[] kekKeyArray, - String useSoftToken, - String keySet); + String keyName, + byte[] card_challenge, + byte[] host_challenge, + byte[] keyInfo, + byte[] CUID, + byte[] kekKeyArray, + String useSoftToken, + String keySet); public static native PK11SymKey ComputeKekKey(String tokenName, - String keyName, - byte[] card_challenge, - byte[] host_challenge, - byte[] keyInfo, - byte[] CUID, - byte[] kekKeyArray, - String useSoftToken, String keySet); + String keyName, + byte[] card_challenge, + byte[] host_challenge, + byte[] keyInfo, + byte[] CUID, + byte[] kekKeyArray, + String useSoftToken, String keySet); public static native byte[] ECBencrypt(PK11SymKey key, - PK11SymKey desKey); //byte[] data ); + PK11SymKey desKey); //byte[] data ); public static native PK11SymKey GenerateSymkey(String tokenName); @@ -126,42 +126,52 @@ public class SessionKey { // public static native PK11SymKey bytes2PK11SymKey( byte[] symKeyBytes ); public static native byte[] ComputeCryptogram(String tokenName, - String keyName, - byte[] card_challenge, - byte[] host_challenge, - byte[] keyInfo, - byte[] CUID, - int type, - byte[] authKeyArray, - String useSoftToken, String keySet); + String keyName, + byte[] card_challenge, + byte[] host_challenge, + byte[] keyInfo, + byte[] CUID, + int type, + byte[] authKeyArray, + String useSoftToken, String keySet); public static native byte[] EncryptData(String tokenName, - String keyName, - byte[] in, - byte[] keyInfo, - byte[] CUID, - byte[] kekKeyArray, - String useSoftToken, String keySet); + String keyName, + byte[] in, + byte[] keyInfo, + byte[] CUID, + byte[] kekKeyArray, + String useSoftToken, String keySet); public static native byte[] DiversifyKey(String tokenName, - String newTokenName, - String oldMasterKeyName, - String newMasterKeyName, - String keyInfo, - byte[] CUIDValue, - byte[] kekKeyArray, - String useSoftToken, String keySet); + String newTokenName, + String oldMasterKeyName, + String newMasterKeyName, + String keyInfo, + byte[] CUIDValue, + byte[] kekKeyArray, + String useSoftToken, String keySet); // internal calls from config TKS keys tab public static native String GenMasterKey(String token, - String keyName); + String keyName); public static native String DeleteSymmetricKey(String token, - String keyName); + String keyName); public static native String ListSymmetricKeys(String token); // set when called from the config TKS tab to create master key // get when called from the RA to create session key public static native void SetDefaultPrefix(String masterPrefix); + + // Functions that the TPS may use during processing to manipulate sym keys in such a way not available in JSS + + // Return a names Sym Key, in this case will be the shared secret in practice. + public static native PK11SymKey GetSymKeyByName(String tokenName, String keyName); + + // TKS sends over the session key(s) wrapped with shared secret. TPS now does this unwrapping and creates the session keys + // with functionality only available now in NSS. This is all to preserve exact functional parity with the current TKS. + public static native PK11SymKey UnwrapSessionKeyWithSharedSecret(String tokenName, PK11SymKey sharedSecret, + byte[] sessionKeyArray); } diff --git a/base/symkey/src/com/netscape/symkey/SymKey.cpp b/base/symkey/src/com/netscape/symkey/SymKey.cpp index c300d1ada..758156677 100644 --- a/base/symkey/src/com/netscape/symkey/SymKey.cpp +++ b/base/symkey/src/com/netscape/symkey/SymKey.cpp @@ -140,7 +140,6 @@ PK11SymKey * ReturnSymKey( PK11SlotInfo *slot, char *keyname) pwdata.source = secuPWData::PW_NONE; pwdata.data = (char *) NULL; - PR_fprintf(PR_STDOUT,"In ReturnSymKey name %s \n",keyname); if (keyname == NULL) { goto cleanup; @@ -186,6 +185,102 @@ PK11SymKey * ReturnSymKey( PK11SlotInfo *slot, char *keyname) return foundSymKey; } +PK11SymKey *CreateDesKey24Byte(PK11SlotInfo *slot, PK11SymKey *origKey) { + + PK11SymKey *newKey = NULL; + + CK_OBJECT_HANDLE keyhandle = 0; + PK11SymKey *firstEight = NULL; + PK11SymKey *concatKey = NULL; + PK11SymKey *internalOrigKey = NULL; + CK_ULONG bitPosition = 0; + SECItem paramsItem = { siBuffer, NULL, 0 }; + + PK11SlotInfo *internal = PK11_GetInternalSlot(); + if ( slot == NULL || origKey == NULL || internal == NULL ) + goto loser; + + PR_fprintf(PR_STDOUT,"In SessionKey CreateDesKey24Bit!\n"); + + if( internal != slot ) { //Make sure we do this on the NSS Generic Crypto services because concatanation + PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Input key not on internal slot!\n"); + internalOrigKey = PK11_MoveSymKey( internal, CKA_ENCRYPT, 0, PR_FALSE, origKey ); + if(internalOrigKey == NULL) { + PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Can't move input key to internal!\n"); + goto loser; + } + } + + // Extract first eight bytes from generated key into another key. + bitPosition = 0; + paramsItem.data = (CK_BYTE *) &bitPosition; + paramsItem.len = sizeof bitPosition; + + + if ( internalOrigKey) + firstEight = PK11_Derive(internalOrigKey, CKM_EXTRACT_KEY_FROM_KEY, ¶msItem, CKA_ENCRYPT , CKA_DERIVE, EIGHT_BYTES); + else + firstEight = PK11_Derive(origKey, CKM_EXTRACT_KEY_FROM_KEY, ¶msItem, CKA_ENCRYPT , CKA_DERIVE, EIGHT_BYTES); + + if (firstEight == NULL ) { + PR_fprintf(PR_STDOUT,"CreateDesKey24Bit! Can't extract first 8 bits of input key!\n"); + goto loser; + } + + //Concatenate 8 byte key to the end of the original key, giving new 24 byte key + keyhandle = PK11_GetSymKeyHandle(firstEight); + + paramsItem.data=(unsigned char *) &keyhandle; + paramsItem.len=sizeof(keyhandle); + + if ( internalOrigKey ) { + concatKey = PK11_Derive ( internalOrigKey , CKM_CONCATENATE_BASE_AND_KEY , ¶msItem ,CKM_DES3_ECB , CKA_DERIVE , 0); + } else { + concatKey = PK11_Derive ( origKey , CKM_CONCATENATE_BASE_AND_KEY , ¶msItem ,CKM_DES3_ECB , CKA_DERIVE , 0); + } + + if ( concatKey == NULL ) { + PR_fprintf(PR_STDOUT,"CreateDesKey24Bit: error concatenating 8 bytes on end of key."); + goto loser; + } + + //Make sure we move this to the proper token, in case it got moved by NSS + //during the derive phase. + + newKey = PK11_MoveSymKey ( slot, CKA_ENCRYPT, 0, PR_FALSE, concatKey); + + if ( newKey == NULL ) { + PR_fprintf(PR_STDOUT,"CreateDesKey24Bit: error moving key to original slot."); + } + +loser: + + + if ( concatKey != NULL ) { + PK11_FreeSymKey( concatKey ); + concatKey = NULL; + } + + if ( firstEight != NULL ) { + PK11_FreeSymKey ( firstEight ); + firstEight = NULL; + } + + if ( internalOrigKey != NULL ) { + PK11_FreeSymKey ( internalOrigKey ); + internalOrigKey = NULL; + } + + //Caller will free the slot input slot object + + if ( internal != NULL ) { + PK11_FreeSlot( internal); + internal = NULL; + } + + return newKey; +} + extern "C" JNIEXPORT jstring JNICALL Java_com_netscape_symkey_SessionKey_DeleteKey(JNIEnv * env, jclass this2, jstring tokenName, jstring keyName) diff --git a/base/symkey/src/com/netscape/symkey/SymKey.h b/base/symkey/src/com/netscape/symkey/SymKey.h index 5a53d48c9..efe187075 100644 --- a/base/symkey/src/com/netscape/symkey/SymKey.h +++ b/base/symkey/src/com/netscape/symkey/SymKey.h @@ -47,6 +47,7 @@ PK11SlotInfo *ReturnSlot(char *tokenNameChars); PK11SymKey *ComputeCardKey(PK11SymKey *masterKey, unsigned char *data, PK11SlotInfo *slot); PK11SymKey *CreateUnWrappedSymKeyOnToken( PK11SlotInfo *slot, PK11SymKey * unWrappingKey, BYTE *keyToBeUnWrapped, int sizeOfKeyToBeUnWrapped, PRBool isPerm); PK11SymKey *ReturnDeveloperSymKey(PK11SlotInfo *slot, char *keyType, char *keySet, Buffer &inputKey); +PK11SymKey *CreateDesKey24Byte(PK11SlotInfo *slot, PK11SymKey *origKey); char *GetSharedSecretKeyName(char *newKeyName); diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java index 6ebb93b67..e2976ca7f 100644 --- a/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/channel/SecureChannel.java @@ -17,22 +17,178 @@ // --- END COPYRIGHT BLOCK --- package org.dogtagpki.server.tps.channel; +import java.io.IOException; + +import org.dogtagpki.server.tps.processor.TPSProcessor; +import org.dogtagpki.tps.apdu.APDU; +import org.dogtagpki.tps.apdu.APDUResponse; +import org.dogtagpki.tps.apdu.DeleteFileAPDU; +import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU; +import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel; +import org.dogtagpki.tps.main.TPSBuffer; +import org.dogtagpki.tps.main.TPSException; +import org.dogtagpki.tps.main.Util; +import org.dogtagpki.tps.msg.EndOp.TPSStatus; +import org.mozilla.jss.pkcs11.PK11SymKey; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; + public class SecureChannel { - public enum SecurityLevel { - SECURE_MSG_ANY , - SECURE_MSG_MAC , - SECURE_MSG_NONE , // not yet supported - SECURE_MSG_MAC_ENC - } + // Have not written all code to use all of these as of yet. + + private TPSProcessor processor; + private PK11SymKey sessionKey; + private PK11SymKey encSessionKey; + private TPSBuffer drmDesKey; + private TPSBuffer kekDesKey; + private TPSBuffer keyCheck; + private TPSBuffer keyDiversificationData; + private TPSBuffer cardChallenge; + private TPSBuffer cardCryptogram; + private TPSBuffer hostChallenge; + private TPSBuffer hostCryptogram; + private TPSBuffer icv; + private SecurityLevel secLevel; + + public SecureChannel(TPSProcessor processor, PK11SymKey sessionKey, PK11SymKey encSessionKey, TPSBuffer drmDesKey, + TPSBuffer kekDesKey, TPSBuffer keyCheck, TPSBuffer keyDiversificationData, TPSBuffer cardChallenge, + TPSBuffer cardCryptogram, TPSBuffer hostChallenge, TPSBuffer hostCryptogram) throws TPSException { - public SecureChannel() { + if (processor == null || sessionKey == null | encSessionKey == null || keyDiversificationData == null + || cardChallenge == null || cardCryptogram == null || hostChallenge == null || hostCryptogram == null) { + throw new TPSException("SecureChannel.SecureChannel: Invalid data in constructor!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + this.processor = processor; + this.sessionKey = sessionKey; + this.encSessionKey = encSessionKey; + this.drmDesKey = drmDesKey; + this.kekDesKey = kekDesKey; + this.keyCheck = keyCheck; + this.keyDiversificationData = keyDiversificationData; + this.cardChallenge = cardChallenge; + this.cardCryptogram = cardCryptogram; + this.hostChallenge = hostChallenge; + this.hostCryptogram = hostCryptogram; + this.icv = new TPSBuffer(8); + + this.secLevel = SecurityLevel.SECURE_MSG_MAC_ENC; + //ToDo: Write method that reads this from the config } public static void main(String[] args) { - // TODO Auto-generated method stub + } + + public void externalAuthenticate() throws TPSException, IOException { + + CMS.debug("SecureChannel.externalAuthenticate: entering."); + + ExternalAuthenticateAPDU externalAuth = new ExternalAuthenticateAPDU(hostCryptogram, + secLevel); + + computeAPDUMac(externalAuth); + + APDUResponse response = processor.handleAPDURequest(externalAuth); + + if (!response.checkResult()) { + throw new TPSException("SecureChannel.eternalAuthenticate. Failed to external authenticate to token.", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + CMS.debug("SecureChannel.externalAuthenticate: Successfully completed, exiting ..."); + + } + + //This method computes the mac AND encryption if needed. + private void computeAPDU(APDU apdu) throws TPSException { + + CMS.debug("SecureChannel.computeAPDU: entering.."); + + if (apdu == null) { + throw new TPSException("SecureChannel.computeAPDU: bad input apdu!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + computeAPDUMac(apdu); + + if (secLevel == SecurityLevel.SECURE_MSG_MAC_ENC) { + try { + // CMS.debug("SecureChannel.computeAPDU: Before encryption data value: " + apdu.getData().toHexString()); + apdu.secureMessage(encSessionKey); + // CMS.debug("SecureChannel.computeAPDU: After encryption data value: " + apdu.getData().toHexString()); + } catch (EBaseException e) { + throw new TPSException("SecureChannel.computeAPDU: Can't encrypt outgoing data! " + e); + } + + CMS.debug("SecureChannel.computeAPDU: Successfully encrypted apdu data."); + } + } + + // This method computes MAC only. + private void computeAPDUMac(APDU apdu) throws TPSException { + TPSBuffer newMac = null; + TPSBuffer data = null; + + if (apdu == null) { + throw new TPSException("SecureChannel.computeAPDUMac: bad input apdu!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + data = apdu.getDataToMAC(); + + CMS.debug("SecureChannel.computeAPDUMac: data To MAC: " + data.toHexString()); + + try { + newMac = Util.computeMAC(sessionKey, data, icv); + } catch (EBaseException e) { + CMS.debug("SecureChannel.compuatAPDUMac: Can't compute mac. " + e); + throw new TPSException("SecureChannel.compuatAPDUMac: Can't compute mac.", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + CMS.debug("SecureChannel.computeAPDUMac: computed MAC: " + newMac.toHexString()); + + apdu.setMAC(newMac); + + icv.set(newMac); + } + + public void deleteFileX(TPSBuffer aid) throws TPSException, IOException { + CMS.debug("SecureChannel.deleteFileX: entering..."); + if (aid == null) { + throw new TPSException("SecureChannel.deleteFileX: no input aid!"); + } + + DeleteFileAPDU deleteFile = new DeleteFileAPDU(aid); + + computeAPDU(deleteFile); + + processor.handleAPDURequest(deleteFile); + + } + + public TPSBuffer getKeyDiversificationData() { + return keyDiversificationData; + } + + public TPSBuffer getCardChallenge() { + return cardChallenge; + } + + public TPSBuffer getHostChallenge() { + return hostChallenge; + } + + public TPSBuffer getHostCryptogram() { + return hostCryptogram; + } + public TPSBuffer getCardCryptogram() { + return cardCryptogram; } } diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java index 3d53b9333..f241c88ad 100644 --- a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSComputeRandomDataResponse.java @@ -35,6 +35,7 @@ public class TKSComputeRandomDataResponse extends RemoteResponse } public TPSBuffer getRandomData() { - return (TPSBuffer) nameValTable.get(IRemoteRequest.TKS_RESPONSE_RandomData); + byte [] random = (byte[]) nameValTable.get(IRemoteRequest.TKS_RESPONSE_RandomData); + return new TPSBuffer(random); } } diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java index 5e154b9f8..0aff29b92 100644 --- a/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java @@ -75,7 +75,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSComputeSessionKeyResponse class object */ public TKSComputeSessionKeyResponse computeSessionKey( - String cuid, + TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer card_challenge, TPSBuffer card_cryptogram, @@ -104,16 +104,22 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); HttpConnector conn = (HttpConnector) subsystem.getConnectionManager().getConnector(connid); - CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): sending request to tks."); + + String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + + "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialURLEncode(card_challenge) + + "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialURLEncode(host_challenge) + + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(keyInfo) + + "&" + IRemoteRequest.TOKEN_CARD_CRYPTOGRAM + "=" + + Util.specialURLEncode(card_cryptogram.toBytesArray()) + + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet; + + CMS.debug("TKSRemoteRequestHandler.computeSessionKey: outgoing message: " + requestString); + HttpResponse resp = conn.send("computeSessionKey", - IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + - "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid + - "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialEncode(card_challenge) + - "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialEncode(host_challenge) + - "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(keyInfo) + - "&" + IRemoteRequest.TOKEN_CARD_CRYPTOGRAM + "=" + Util.specialEncode(card_cryptogram) + - "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet); + requestString + ); String content = resp.getContent(); @@ -222,7 +228,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler public TKSCreateKeySetDataResponse createKeySetData( TPSBuffer NewMasterVer, TPSBuffer version, - String cuid) + TPSBuffer cuid) throws EBaseException { CMS.debug("TKSRemoteRequestHandler: createKeySetData(): begins."); if (cuid == null || NewMasterVer == null || version == null) { @@ -240,9 +246,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler CMS.debug("TKSRemoteRequestHandler: createKeySetData(): sending request to tks."); HttpResponse resp = conn.send("createKeySetData", - IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialEncode(NewMasterVer) + - "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid + - "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(version) + + IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialURLEncode(NewMasterVer) + + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet); String content = resp.getContent(); @@ -349,7 +355,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler } else { CMS.debug("TKSRemoteRequestHandler: computeRandomData(): got IRemoteRequest.TKS_RESPONSE_RandomData = " + value); - response.put(IRemoteRequest.TKS_RESPONSE_RandomData, Util.specialDecode(value)); + response.put(IRemoteRequest.TKS_RESPONSE_RandomData, Util.uriDecodeFromHex(value)); } CMS.debug("TKSRemoteRequestHandler: computeRandomData(): ends."); @@ -378,7 +384,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSEncryptDataResponse class object */ public TKSEncryptDataResponse encryptData( - String cuid, + TPSBuffer cuid, TPSBuffer version, TPSBuffer inData) throws EBaseException { @@ -399,9 +405,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler CMS.debug("TKSRemoteRequestHandler: encryptData(): sending request to tks."); HttpResponse resp = conn.send("encryptData", - IRemoteRequest.TOKEN_DATA + "=" + Util.specialEncode(inData) + - "&" + IRemoteRequest.TOKEN_CUID + "=" + cuid + - "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialEncode(version) + + IRemoteRequest.TOKEN_DATA + "=" + Util.specialURLEncode(inData) + + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet); String content = resp.getContent(); diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java index 548e0cafa..ab422df6a 100644 --- a/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -17,6 +17,15 @@ // --- END COPYRIGHT BLOCK --- package org.dogtagpki.server.tps.engine; +import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse; +import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler; +import org.dogtagpki.tps.main.TPSBuffer; +import org.dogtagpki.tps.main.TPSException; +import org.dogtagpki.tps.msg.EndOp.TPSStatus; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; + public class TPSEngine { public static final String CFG_DEBUG_ENABLE = "logging.debug.enable"; @@ -67,6 +76,13 @@ public class TPSEngine { public static final String CFG_ALLOW_NO_APPLET = "update.applet.emptyToken.enable"; public static final String CFG_APPLET_UPDATE_REQUIRED_VERSION = "update.applet.requiredVersion"; public static final String CFG_APPLET_DIRECTORY = "update.applet.directory"; + public static final String CFG_APPLET_EXTENSION = "general.applet_ext"; + + public static final String CFG_CHANNEL_BLOCK_SIZE = "channel.blockSize"; + public static final String CFG_CHANNEL_INSTANCE_SIZE = "channel.instanceSize"; + public static final String CFG_CHANNEL_DEFKEY_VERSION = "channel.defKeyVersion"; + public static final String CFG_CHANNEL_APPLET_MEMORY_SIZE = "channel.appletMemorySize"; + public static final String CFG_CHANNEL_DEFKEY_INDEX = "channel.defKeyIndex"; /* default values */ public static final String CFG_DEF_CARDMGR_INSTANCE_AID = "A0000000030000"; @@ -75,7 +91,11 @@ public class TPSEngine { public static final String CFG_DEF_NETKEY_OLD_INSTANCE_AID = "A00000000101"; public static final String CFG_DEF_NETKEY_OLD_FILE_AID = "A000000001"; public static final String CFG_DEF_APPLET_SO_PIN = "000000000000"; - public static final String CFG_ENABLED="Enabled"; + public static final String CFG_ENABLED = "Enabled"; + + public static final int CFG_CHANNEL_DEF_BLOCK_SIZE = 242; + public static final int CFG_CHANNEL_DEF_INSTANCE_SIZE = 1800; + public static final int CFG_CHANNEL_DEF_APPLET_MEMORY_SIZE = 5000; /* External reg values */ @@ -99,6 +119,38 @@ public class TPSEngine { return rc; } + public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer cuid, + TPSBuffer keyInfo, + TPSBuffer card_challenge, + TPSBuffer host_challenge, + TPSBuffer card_cryptogram, + + String connId) throws TPSException { + + CMS.debug("TPSEngine.computeSessionKey"); + + TKSRemoteRequestHandler tks = null; + + TKSComputeSessionKeyResponse resp = null; + try { + tks = new TKSRemoteRequestHandler(connId); + resp = tks.computeSessionKey(cuid, keyInfo, card_challenge, card_cryptogram, host_challenge); + } catch (EBaseException e) { + throw new TPSException("SecureChannel.computeSessionKey: Error computing session key!" + e, + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + int status = resp.getStatus(); + if (status != 0) { + CMS.debug("SecureChannel.computeSessionKey: Non zero status result: " + status); + throw new TPSException("SecureChannel.computeSessionKey: invalid returned status: " + status); + + } + + return resp; + + } + public boolean isTokenPresent(String cuid) { boolean present = false; diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index 90c1a64e2..24571e234 100644 --- a/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/processor/TPSProcessor.java @@ -18,29 +18,40 @@ package org.dogtagpki.server.tps.processor; import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; import java.util.Map; import org.dogtagpki.server.tps.TPSSession; import org.dogtagpki.server.tps.TPSSubsystem; -import org.dogtagpki.server.tps.channel.SecureChannel.SecurityLevel; +import org.dogtagpki.server.tps.channel.SecureChannel; +import org.dogtagpki.server.tps.cms.TKSComputeRandomDataResponse; +import org.dogtagpki.server.tps.cms.TKSComputeSessionKeyResponse; +import org.dogtagpki.server.tps.cms.TKSRemoteRequestHandler; import org.dogtagpki.server.tps.engine.TPSEngine; import org.dogtagpki.tps.apdu.APDU; import org.dogtagpki.tps.apdu.APDUResponse; -import org.dogtagpki.tps.apdu.GetData; -import org.dogtagpki.tps.apdu.GetStatus; -import org.dogtagpki.tps.apdu.GetVersion; -import org.dogtagpki.tps.apdu.Select; +import org.dogtagpki.tps.apdu.ExternalAuthenticateAPDU.SecurityLevel; +import org.dogtagpki.tps.apdu.GetDataAPDU; +import org.dogtagpki.tps.apdu.GetStatusAPDU; +import org.dogtagpki.tps.apdu.GetVersionAPDU; +import org.dogtagpki.tps.apdu.InitializeUpdateAPDU; +import org.dogtagpki.tps.apdu.SelectAPDU; import org.dogtagpki.tps.main.TPSBuffer; import org.dogtagpki.tps.main.TPSException; import org.dogtagpki.tps.msg.BeginOp; import org.dogtagpki.tps.msg.EndOp.TPSStatus; import org.dogtagpki.tps.msg.TokenPDURequest; import org.dogtagpki.tps.msg.TokenPDUResponse; +import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.pkcs11.PK11SymKey; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; +import com.netscape.symkey.SessionKey; public class TPSProcessor { @@ -51,15 +62,31 @@ public class TPSProcessor { public static final int CPLC_MSN_INDEX = 41; public static final int CPLC_MSN_SIZE = 4; + public static final int INIT_UPDATE_DATA_SIZE = 28; + public static final int DIVERSIFICATION_DATA_SIZE = 10; + public static final int CARD_CRYPTOGRAM_OFFSET = 20; + public static final int CARD_CRYPTOGRAM_SIZE = 8; + public static final int CARD_CHALLENGE_OFFSET = 12; + public static final int CARD_CHALLENGE_SIZE = 8; + private boolean isExternalReg; private TPSSession session; private String selectedTokenType; + private String currentTokenOperation; + + + + public TPSProcessor(TPSSession session) { setSession(session); } + protected void setCurrentTokenOperation(String op) { + currentTokenOperation = op; + } + protected void setSession(TPSSession session) { if (session == null) { throw new NullPointerException("TPS session is null"); @@ -148,7 +175,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - Select select_apdu = new Select(p1, p2, aid); + SelectAPDU select_apdu = new SelectAPDU(p1, p2, aid); //return the Response because the caller can //decide what to do, not every failure is fatal. @@ -161,12 +188,12 @@ public class TPSProcessor { CMS.debug("In TPS_Processor.GetStatus."); - GetStatus get_status_apdu = new GetStatus(); + GetStatusAPDU get_status_apdu = new GetStatusAPDU(); return handleAPDURequest(get_status_apdu).getData(); } - protected APDUResponse handleAPDURequest(APDU apdu) throws IOException, TPSException { + public APDUResponse handleAPDURequest(APDU apdu) throws IOException, TPSException { if (apdu == null) { throw new TPSException("TPSProcessor.handleAPDURequest: invalid incoming apdu!"); @@ -198,7 +225,7 @@ public class TPSProcessor { protected TPSBuffer getCplcData() throws IOException, TPSException { CMS.debug("In TPS_Processor.GetData"); - GetData get_data_apdu = new GetData(); + GetDataAPDU get_data_apdu = new GetDataAPDU(); APDUResponse respApdu = handleAPDURequest(get_data_apdu); @@ -220,7 +247,7 @@ public class TPSProcessor { CMS.debug("In TPSProcessor.getAppletVersion"); - GetVersion get_version_apdu = new GetVersion(); + GetVersionAPDU get_version_apdu = new GetVersionAPDU(); APDUResponse respApdu = handleAPDURequest(get_version_apdu); @@ -244,16 +271,245 @@ public class TPSProcessor { } + TPSBuffer computeRandomData(int dataSize, String connId) throws TPSException { + + TKSRemoteRequestHandler tks = null; + + TKSComputeRandomDataResponse data = null; + + try { + tks = new TKSRemoteRequestHandler(connId); + data = tks.computeRandomData(dataSize); + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.computeRandomData: Erorr getting random data from TKS!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + int status = data.getStatus(); + + if (status != 0) { + throw new TPSException("TPSProcessor.computeRandomData: Erorr getting random data from TKS!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + return data.getRandomData(); + } + + protected TPSBuffer initializeUpdate(byte keyVersion, byte keyIndex, TPSBuffer randomData) throws IOException, + TPSException { + + CMS.debug("In TPS_Processor.initializeUpdate."); + InitializeUpdateAPDU initUpdate = new InitializeUpdateAPDU(keyVersion, keyIndex, randomData); + + APDUResponse resp = handleAPDURequest(initUpdate); + + if (!resp.checkResult()) { + CMS.debug("TPSProcessor.initializeUpdate: Failed intializeUpdate!"); + throw new TPSException("TPSBuffer.initializeUpdate: Failed initializeUpdate!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + + } + + TPSBuffer data = resp.getResultDataNoCode(); + + if (data.size() != INIT_UPDATE_DATA_SIZE) { + throw new TPSException("TPSBuffer.initializeUpdate: Invalid response from token!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + return data; + + } + + protected SecureChannel setupSecureChannel(byte keyVersion, byte keyIndex, SecurityLevel securityLevel, + String connId) + throws IOException, TPSException { + + //Assume generating host challenge on TKS, we no longer support not involving the TKS. + + TPSBuffer randomData = computeRandomData(8, connId); + CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData: " + randomData.toHexString()); + + TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData); + + TPSBuffer key_diversification_data = initUpdateResp.substr(0, DIVERSIFICATION_DATA_SIZE); + CMS.debug("TPSProcessor.setupSecureChannel: diversification data: " + key_diversification_data.toHexString()); + + TPSBuffer key_info_data = initUpdateResp.substr(DIVERSIFICATION_DATA_SIZE, 2); + CMS.debug("TPSProcessor.setupSecureChannel: key info data: " + key_info_data.toHexString()); + + TPSBuffer card_cryptogram = initUpdateResp.substr(CARD_CRYPTOGRAM_OFFSET, CARD_CRYPTOGRAM_SIZE); + CMS.debug("TPSProcessor.setupSecureChannel: card cryptogram: " + card_cryptogram.toHexString()); + + TPSBuffer card_challenge = initUpdateResp.substr(CARD_CHALLENGE_OFFSET, CARD_CHALLENGE_SIZE); + CMS.debug("TPSProcessor.setupSecureChannel: card challenge: " + card_challenge.toHexString()); + + SecureChannel channel = null; + + try { + channel = generateSecureChannel(connId, key_diversification_data, key_info_data, card_challenge, + card_cryptogram, + randomData); + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.setupSecureChannel: Can't set up secure channel: " + e, + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + return channel; + + } + + protected SecureChannel generateSecureChannel(String connId, TPSBuffer keyDiversificationData, + TPSBuffer keyInfoData, TPSBuffer cardChallenge, TPSBuffer cardCryptogram, TPSBuffer hostChallenge) + throws EBaseException, TPSException { + + CMS.debug("TPSProcessor.generateSecureChannel: entering.."); + + TPSEngine engine = getTPSEngine(); + + SecureChannel channel = null; + TPSBuffer hostCryptogram = null; + + TKSComputeSessionKeyResponse resp = engine.computeSessionKey(keyDiversificationData, keyInfoData, + cardChallenge, hostChallenge, cardCryptogram, + connId); + + hostCryptogram = resp.getHostCryptogram(); + + if (hostCryptogram == null) { + new TPSException("TPSProcessor.generateSecureChannel: No host cryptogram returned from token!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + + } + + PK11SymKey sharedSecret = null; + + try { + sharedSecret = getSharedSecretTransportKey(connId); + } catch (Exception e) { + CMS.debug(e); + throw new TPSException("TPSProcessor.generateSecureChannel: Can't get shared secret key!: " + e, + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + PK11SymKey sessionKey = null; + PK11SymKey encSessionKey = null; + String tokenName = "Internal Key Storage Token"; + + try { + TPSBuffer sessionKeyWrapped = resp.getSessionKey(); + TPSBuffer encSessionKeyWrapped = resp.getEncSessionKey(); + + sessionKey = SessionKey.UnwrapSessionKeyWithSharedSecret(tokenName, sharedSecret, + sessionKeyWrapped.toBytesArray()); + + if (sessionKey == null) { + CMS.debug("TPSProcessor.generateSecureChannel: Can't extract session key!"); + throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract session key!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + CMS.debug("TPSProcessor.generateSecureChannel: retrieved session key: " + sessionKey); + + encSessionKey = SessionKey.UnwrapSessionKeyWithSharedSecret(tokenName, sharedSecret, + encSessionKeyWrapped.toBytesArray()); + + if (encSessionKey == null) { + CMS.debug("TPSProcessor.generateSecureChannel: Can't extract enc session key!"); + throw new TPSException("TPSProcessor.generateSecureChannel: Can't extract enc session key!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + CMS.debug("TPSProcessor.generateSecureChannel: retrieved enc session key: " + encSessionKey); + } catch (Exception e) { + CMS.debug(e); + e.printStackTrace(); + throw new TPSException("TPSProcessor.generateSecureChannel: Problem extracting session keys! " + e, + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + TPSBuffer drmDesKey = null; + TPSBuffer kekDesKey = null; + TPSBuffer keyCheck = null; + + if (checkServerSideKeyGen(connId)) { + //ToDo handle server side keygen. + + } + + channel = new SecureChannel(this, sessionKey, encSessionKey, drmDesKey, + kekDesKey, keyCheck, keyDiversificationData, cardChallenge, + cardCryptogram, hostChallenge, hostCryptogram); + + return channel; + } + protected String upgradeApplet(String operation, String new_version, SecurityLevel securityLevel, - Map<String, String> extensions, int startProgress, int endProgress) throws TPSException { + Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException, + TPSException { String newVersion = null; boolean appletUpgraded = false; + String NetKeyAID = null; + String NetKeyPAID = null; + + IConfigStore configStore = CMS.getConfigStore(); + + try { + //These defaults are well known, it is safe to use them. + + NetKeyAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_INSTANCE_AID, + TPSEngine.CFG_DEF_NETKEY_INSTANCE_AID); + CMS.debug("In TPS_Processor.upgradeApplet. CardManagerAID: " + " NetKeyAID: " + NetKeyAID); + NetKeyPAID = configStore.getString(TPSEngine.CFG_APPLET_NETKEY_FILE_AID, TPSEngine.CFG_DEF_NETKEY_FILE_AID); + + } catch (EBaseException e1) { + CMS.debug("TPS_Processor.upgradeApplet: Internal Error obtaining mandatory config values. Error: " + e1); + throw new TPSException("TPS error getting config values from config store.", + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + } + + TPSBuffer netkeyAIDBuff = new TPSBuffer(NetKeyAID); + TPSBuffer netkeyPAIDBuff = new TPSBuffer(NetKeyPAID); + + //Not all of these used yet, but will be + //ToDo + int channelBlockSize = getChannelBlockSize(); + int channelInstanceSize = getChannelInstanceSize(); + int channelAppletMemSize = getAppletMemorySize(); + int defKeyVersion = getChannelDefKeyVersion(); + int defKeyIndex = getChannelDefKeyIndex(); + byte[] appletData = null; String directory = getAppletDirectory(operation); CMS.debug("TPSProcessor.upgradeApplet: applet target directory: " + directory); + String appletFileExt = getAppletExtension(); + + String appletFilePath = directory + "/" + new_version + "." + appletFileExt; + + CMS.debug("TPSProcessor.upgradeApplet: targe applet file name: " + appletFilePath); + + //Not ready to use this yet. + //ToDo + + appletData = getAppletFileData(appletFilePath); + + APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAIDBuff); + + if (!select.checkResult()) { + throw new TPSException("TPSProcessor.format: Can't selelect the card manager!"); + } + + SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, securityLevel, connId); + + channel.externalAuthenticate(); + channel.deleteFileX(netkeyAIDBuff); + channel.deleteFileX(netkeyPAIDBuff); + + // Next step will be to load the applet file to token. + // ToDo: + //ToDo actually finish this later. if (appletUpgraded == false) { throw new TPSException("TPSProcessor.upgradeApplet: Error upgrading applet", @@ -263,6 +519,32 @@ public class TPSProcessor { return newVersion; } + protected byte[] getAppletFileData(String appletFilePath) throws IOException, TPSException { + + if (appletFilePath == null) { + throw new TPSException("TPSProcessor.getAppletFileData: Invalid applet file name.", + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + } + + byte[] contents = null; + try { + Path path = Paths.get(appletFilePath); + contents = Files.readAllBytes(path); + + } catch (IOException e) { + CMS.debug("TPSProcessor.getAppletFileData: IOException " + e); + throw e; + } catch (Exception e) { + CMS.debug("PSProcessor.getAppletFileData: Exception: " + e); + throw new TPSException("TPSProcessor.getAppletFileData: Exception: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + } + + CMS.debug("TPSProcessor.getAppletFileData: data: " + contents); + + return contents; + } + protected void format(BeginOp message) throws TPSException, IOException { IConfigStore configStore = CMS.getConfigStore(); @@ -277,6 +559,8 @@ public class TPSProcessor { String External_Reg_Cfg = TPSEngine.CFG_EXTERNAL_REG + "." + "enable"; boolean isExternalReg = false; + setCurrentTokenOperation("format"); + try { //These defaults are well known, it is safe to use them. CardManagerAID = configStore.getString(TPSEngine.CFG_APPLET_CARDMGR_INSTANCE_AID, @@ -376,8 +660,10 @@ public class TPSProcessor { SecurityLevel secLevel = SecurityLevel.SECURE_MSG_MAC_ENC; + String tksConnId = getTKSConnectorID(); + String newKeyVersion = upgradeApplet(TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, secLevel, - message.getExtensions(), + message.getExtensions(), tksConnId, 10, 90); CMS.debug("TPSProcessor.format: upgraded aplet version: " + newKeyVersion); @@ -405,6 +691,22 @@ public class TPSProcessor { } + boolean checkServerSideKeyGen(String connId) throws TPSException { + + boolean result; + IConfigStore configStore = CMS.getConfigStore(); + + String profileConfig = "conn." + connId + "." + ".serverKeygen"; + + try { + result = configStore.getBoolean(profileConfig, false); + } catch (EBaseException e) { + throw new TPSException("TPSProcessor: checkServerSideKeyGen: Internal error obtaining config value!"); + } + + return result; + } + void checkAllowNoAppletToken(String operation) throws TPSException { boolean allow = true; IConfigStore configStore = CMS.getConfigStore(); @@ -470,6 +772,42 @@ public class TPSProcessor { } + protected String getTKSConnectorID() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + String id = null; + + String config = "op." + currentTokenOperation + "." + selectedTokenType + ".tks.conn"; + + try { + id = configStore.getString(config, "tks1"); + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getTKSConnectorID: Internal error finding config value."); + + } + + CMS.debug("TPSProcessor.getTKSConectorID: returning: " + id); + + + return id; + } + + protected String getAppletExtension() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + String extension = null; + String extensionConfig = TPSEngine.CFG_APPLET_EXTENSION; + + try { + extension = configStore.getString(extensionConfig, "ijc"); + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getAppletExtension: Internal error finding config value."); + + } + + CMS.debug("TPSProcessor.getAppletExtension: returning: " + extension); + + return extension; + } + protected String getAppletDirectory(String operation) throws TPSException { IConfigStore configStore = CMS.getConfigStore(); @@ -492,6 +830,146 @@ public class TPSProcessor { return directory; } + protected int getChannelBlockSize() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + int blockSize = 0; + try { + blockSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_BLOCK_SIZE, TPSEngine.CFG_CHANNEL_DEF_BLOCK_SIZE); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getChannelBlockSize: Internal error finding config value: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + + } + + CMS.debug("TPSProcess.getChannelBlockSize: returning: " + blockSize); + return blockSize; + + } + + protected int getChannelInstanceSize() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + int instanceSize = 0; + try { + instanceSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_INSTANCE_SIZE, + TPSEngine.CFG_CHANNEL_DEF_INSTANCE_SIZE); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getChannelInstanceSize: Internal error finding config value: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + + } + + CMS.debug("TPSProcess.getChannelInstanceSize: returning: " + instanceSize); + + return instanceSize; + + } + + protected int getAppletMemorySize() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + int memSize = 0; + try { + memSize = configStore.getInteger(TPSEngine.CFG_CHANNEL_APPLET_MEMORY_SIZE, + TPSEngine.CFG_CHANNEL_DEF_APPLET_MEMORY_SIZE); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getAppletMemorySize: Internal error finding config value: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + + } + CMS.debug("TPSProcess.getAppletMemorySize: returning: " + memSize); + + return memSize; + } + + protected int getChannelDefKeyVersion() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + int ver = 0; + try { + ver = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_VERSION, 0x0); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + + } + + CMS.debug("TPSProcessor.getChannelDefKeyVersion: " + ver); + + return ver; + + } + + protected int getChannelDefKeyIndex() throws TPSException { + IConfigStore configStore = CMS.getConfigStore(); + int index = 0; + try { + index = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_INDEX, 0x0); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e, + TPSStatus.STATUS_ERROR_UPGRADE_APPLET); + + } + + CMS.debug("TPSProcessor.getChannelDefKeyIndex: " + index); + + return index; + + } + + protected PK11SymKey getSharedSecretTransportKey(String connId) throws TPSException, NotInitializedException { + + IConfigStore configStore = CMS.getConfigStore(); + String sharedSecretName = null; + try { + String configName = "conn." + connId + ".tksSharedSymKeyName"; + sharedSecretName = configStore.getString(configName, "sharedSecret"); + + } catch (EBaseException e) { + throw new TPSException("TPSProcessor.getSharedSecretTransportKey: Internal error finding config value: " + + e, + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + + } + + CMS.debug("TPSProcessor.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); + + String symmKeys = null; + boolean keyPresent = false; + try { + symmKeys = SessionKey.ListSymmetricKeys("internal"); + CMS.debug("TPSProcessor.getSharedSecretTransportKey: symmKeys List: " + symmKeys); + } catch (Exception e) { + // TODO Auto-generated catch block + CMS.debug(e); + } + + for (String keyName : symmKeys.split(",")) { + if (sharedSecretName.equals(keyName)) { + CMS.debug("TPSProcessor.getSharedSecret: shared secret key found!"); + keyPresent = true; + break; + } + + } + + if (!keyPresent) { + throw new TPSException("TPSProcessor.getSharedSecret: Can't find shared secret!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + // We know for now that shared secret is on this token + String tokenName = "Internal Key Storage Token"; + PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); + + CMS.debug("TPSProcessor.getSharedSecret: SymKey returns: " + sharedSecret); + + return sharedSecret; + + } + public boolean getIsExternalReg() { return isExternalReg; } @@ -755,6 +1233,14 @@ public class TPSProcessor { } + public TPSEngine getTPSEngine() { + TPSSubsystem subsystem = + (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID); + + return subsystem.getEngine(); + + } + public static void main(String[] args) { } diff --git a/base/tps/abrt_checker_21190.log b/base/tps/abrt_checker_21190.log new file mode 100644 index 000000000..97d259eb9 --- /dev/null +++ b/base/tps/abrt_checker_21190.log @@ -0,0 +1,9 @@ +Uncaught java.lang.ClassNotFoundException exception in thread "main" in a method java.lang.ClassLoader.loadClass() with signature (Ljava/lang/String;Z)Ljava/lang/Class; +Exception in thread "main" java.lang.ClassNotFoundException: .usr.lib64.eclipse..plugins.org.eclipse.equinox.launcher_1.3.0.v20130930-1720.jar + at java.net.URLClassLoader$1.run(URLClassLoader.java:366) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class] + at java.net.URLClassLoader$1.run(URLClassLoader.java:355) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader$1.class] + at java.security.AccessController.doPrivileged(Native Method) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/security/AccessController.class] + at java.net.URLClassLoader.findClass(URLClassLoader.java:354) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/net/URLClassLoader.class] + at java.lang.ClassLoader.loadClass(ClassLoader.java:424) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class] + at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/sun/misc/Launcher$AppClassLoader.class] + at java.lang.ClassLoader.loadClass(ClassLoader.java:357) [jar:file:/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.2.9.fc20.x86_64/jre/lib/rt.jar!/java/lang/ClassLoader.class] |