diff options
13 files changed, 657 insertions, 141 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java index 711701be8..1cc1c89d9 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -346,18 +346,14 @@ public class TokenServlet extends CMSServlet { IConfigStore sconfig = CMS.getConfigStore(); boolean isCryptoValidate = false; - byte[] keyInfo, CUID = null, session_key = null; + byte[] keyInfo, xCUID = null, session_key = null; Exception missingSettingException = null; String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - String rKDD = req.getParameter("KDD"); - if ((rKDD == null) || (rKDD.length() == 0)) { - // KDF phase1: default to rCUID if not present - CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); - rKDD = rCUID; - } + String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); + String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); @@ -411,25 +407,31 @@ public class TokenServlet extends CMSServlet { audit(auditMessage); if (!missingParam) { - CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (CUID == null || CUID.length != 10) { + if (xCUID == null || xCUID.length != 10) { badParams += " CUID length,"; CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); missingParam = true; } + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); if (xKDD == null || xKDD.length != 10) { badParams += " KDD length,"; - CMS.debug("TokenServlet: Invalid KDD length"); + CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); missingParam = true; } keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); if (keyInfo == null || keyInfo.length != 2) { badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length."); + CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); missingParam = true; } @@ -529,8 +531,6 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); - try { isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); } catch (EBaseException eee) { @@ -559,7 +559,9 @@ public class TokenServlet extends CMSServlet { session_key = SessionKey.ComputeSessionKeySCP02( selectedToken, keyNickName, - keyInfo, CUID, macKeyArray, sequenceCounter, derivationConstant, useSoftToken_s, keySet, + keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd,xCUID,xKDD, macKeyArray, sequenceCounter, derivationConstant, useSoftToken_s, keySet, transportKeyName); if (session_key == null) { @@ -812,7 +814,7 @@ public class TokenServlet extends CMSServlet { if (status.equals("0")) { - String[] logParams = { log_string_from_specialDecoded_byte_array(CUID), // CUID_decoded + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ILogger.SUCCESS, // Outcome status, // status @@ -831,7 +833,7 @@ public class TokenServlet extends CMSServlet { } else { - String[] logParams = { log_string_from_specialDecoded_byte_array(CUID), // CUID_decoded + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded ILogger.FAILURE, // Outcome status, // status diff --git a/base/server/cms/src/org/dogtagpki/server/connector/IRemoteRequest.java b/base/server/cms/src/org/dogtagpki/server/connector/IRemoteRequest.java index ebaf12636..8025813e6 100644 --- a/base/server/cms/src/org/dogtagpki/server/connector/IRemoteRequest.java +++ b/base/server/cms/src/org/dogtagpki/server/connector/IRemoteRequest.java @@ -27,6 +27,7 @@ package org.dogtagpki.server.connector; public interface IRemoteRequest { // public static final String TOKEN_CUID = "CUID"; public static final String TOKEN_CUID = "tokencuid"; + public static final String TOKEN_KDD = "KDD"; public static final String GET_XML = "xml"; public static final int RESPONSE_STATUS_NOT_FOUND = -1; public static final String RESPONSE_STATUS = "status"; diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.cpp b/base/symkey/src/com/netscape/symkey/SessionKey.cpp index 610928099..d3ac01216 100644 --- a/base/symkey/src/com/netscape/symkey/SessionKey.cpp +++ b/base/symkey/src/com/netscape/symkey/SessionKey.cpp @@ -674,12 +674,12 @@ extern "C" * Signature: ([B[B[B[B)[B */ JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_ComputeSessionKeySCP02 - (JNIEnv *, jclass, jstring, jstring, jbyteArray, jbyteArray, jbyteArray, jbyteArray, jbyteArray, jstring, jstring, jstring); + (JNIEnv *, jclass, jstring, jstring, jbyteArray, jbyte, jboolean, jbyteArray, jbyteArray, jbyteArray, jbyteArray, jbyteArray, jstring, jstring, jstring); #ifdef __cplusplus } #endif #define KEYLENGTH 16 -extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_ComputeSessionKeySCP02(JNIEnv * env, jclass this2, jstring tokenName, jstring keyName, jbyteArray keyInfo, jbyteArray CUID, jbyteArray devKeyArray, jbyteArray sequenceCounter, jbyteArray derivationConstant, jstring useSoftToken_s, jstring keySet, jstring sharedSecretKeyName) +extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_ComputeSessionKeySCP02(JNIEnv * env, jclass this2, jstring tokenName, jstring keyName, jbyteArray keyInfo, jbyte nistSP800_108KdfOnKeyVersion, jboolean nistSP800_108KdfUseCuidAsKdd, jbyteArray CUID, jbyteArray KDD, jbyteArray devKeyArray, jbyteArray sequenceCounter, jbyteArray derivationConstant, jstring useSoftToken_s, jstring keySet, jstring sharedSecretKeyName) { /* hardcode permanent dev key */ jbyte *dev_key = NULL; @@ -707,6 +707,10 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp PK11SymKey *symkey16 = NULL; PK11SymKey *devKey = NULL; + // KDF output keys + PK11SymKey* macKey = NULL; + PK11SymKey* encKey = NULL; + PK11SymKey* kekKey = NULL; BYTE devData[KEYLENGTH]; char keyname[KEYNAMELENGTH]; @@ -730,6 +734,10 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp jbyte *handleBytes=NULL; jbyte * cuidValue = NULL; + jsize cuidValue_len = -1; + + jbyte* kddValue = NULL; + jsize kddValue_len = -1; jbyte *sc = NULL; int sc_len = 0; @@ -799,12 +807,28 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp if ( CUID != NULL ) { cuidValue = (jbyte*)(env)->GetByteArrayElements( CUID, NULL); + cuidValue_len = env->GetArrayLength(CUID); } if( cuidValue == NULL) { goto done; } + if ( cuidValue_len <= 0){ // check that CUID is at least 1 byte in length + goto done; + } + + if ( KDD != NULL ){ + kddValue = env->GetByteArrayElements(KDD, NULL); + kddValue_len = env->GetArrayLength(KDD); + } + if ( kddValue == NULL ){ + goto done; + } + if ( kddValue_len != static_cast<jsize>(NistSP800_108KDF::KDD_SIZE_BYTES) ){ // check that KDD is expected size + goto done; + } + if(tokenName) { tokenNameChars = (char *)(env)->GetStringUTFChars(tokenName, NULL); @@ -843,8 +867,6 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp break; } - GetDiversificationData(cuidValue,devData,kType); - PR_fprintf(PR_STDOUT,"In SessionKey.ComputeSessionKeySCP02! keyName %s keyVersion[0] %d keyVersion[1] %d \n",keyname,(int) keyVersion[0],(int) keyVersion[1]); if ( (keyVersion[0] == 0x1 && keyVersion[1]== 0x1 ) || @@ -868,7 +890,7 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp goto done; } - //In the enc key case create the auth as well, we may need it later. + //In the enc key case create the auth developer as well, we may need it later. if(kType == enc) { @@ -883,7 +905,6 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp PK11_FreeSymKey(authKey); authKey = NULL; - } }else @@ -895,23 +916,89 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp goto done; } - devKey =ComputeCardKeyOnToken(masterKey,devData,2); - if(devKey == NULL) - { - goto done; - } + + BYTE nistSP800_108KdfOnKeyVersion_byte = static_cast<BYTE>(nistSP800_108KdfOnKeyVersion); + BYTE requestedKeyVersion_byte = static_cast<BYTE>(keyVersion[0]); + // if requested key version meets setting value, use NIST SP800-108 KDF + if (NistSP800_108KDF::useNistSP800_108KDF(nistSP800_108KdfOnKeyVersion_byte, requestedKeyVersion_byte) == true){ + PR_fprintf(PR_STDOUT,"ComputeSessionKeySCP02 NistSP800_108KDF code: Using NIST SP800-108 KDF.\n"); + + jbyte* context_jbyte = NULL; + jsize context_len_jsize = 0; + if (nistSP800_108KdfUseCuidAsKdd == JNI_TRUE){ + context_jbyte = cuidValue; + context_len_jsize = cuidValue_len; + }else{ + context_jbyte = kddValue; + context_len_jsize = kddValue_len; + } + + const BYTE* const context = reinterpret_cast<const BYTE*>(context_jbyte); + + const size_t context_len = static_cast<size_t>(context_len_jsize); + if (context_len > 0x000000FF){ // sanity check (CUID should never be larger than 255 bytes) + PR_fprintf(PR_STDERR, "ComputeSessionKeySCP02 NistSP800_108KDF code: Error; context_len larger than 255 bytes.\n"); + goto done; + } + + try{ + NistSP800_108KDF::ComputeCardKeys(masterKey, context, context_len, &encKey, &macKey, &kekKey); + }catch(std::runtime_error& ex){ + PR_fprintf(PR_STDERR, "ComputeSessionKeySCP02 NistSP800_108KDF code: Exception invoking NistSP800_108KDF::ComputeCardKeys: "); + PR_fprintf(PR_STDERR, "%s\n", ex.what() == NULL ? "null" : ex.what()); + goto done; + }catch(...){ + PR_fprintf(PR_STDERR, "ComputeSessionKeySCP02 NistSP800_108KDF code: Unknown exception invoking NistSP800_108KDF::ComputeCardKeys.\n"); + goto done; + } + + + //Decide upon the key we actually are asking for. + if(kType == mac ) { + PR_fprintf(PR_STDOUT,"SessionKey.ComputeSessionKeySCP02! Getting mac key. \n"); + devKey = macKey; + macKey = NULL; + } + + if(kType == enc) { + PR_fprintf(PR_STDOUT,"SessionKey.ComputeSessionKeySCP02! Getting enc key. \n"); + devKey = encKey; + encKey = NULL; + + } + + if(kType == kek) { + PR_fprintf(PR_STDOUT,"SessionKey.ComputeSessionKeySCP02! Getting kek key. \n"); + devKey = kekKey; + kekKey = NULL; + } + + } else { + + // Do what the original code did, using the standard routines. + PR_fprintf(PR_STDOUT,"ComputeSessionKeySCP02 NistSP800_108KDF code: Using original KDF.\n"); + GetDiversificationData(cuidValue,devData,kType); + + devKey =ComputeCardKeyOnToken(masterKey,devData,2); + + } + + if(devKey == NULL) + { + goto done; + } - symkey = DeriveKeySCP02(devKey, Buffer((BYTE*)sc, sc_len), Buffer((BYTE*)dc, dc_len)); + symkey = DeriveKeySCP02(devKey, Buffer((BYTE*)sc, sc_len), Buffer((BYTE*)dc, dc_len)); - if(symkey == NULL) - { - goto done; - } + if(symkey == NULL) + { + goto done; + } } //Now wrap the key for the trip back to TPS with shared secret transport key symkey16 = NULL; - transportKey = ReturnSymKey( internal, GetSharedSecretKeyName(NULL)); + transportKey = ReturnSymKey( internal, GetSharedSecretKeyName(NULL)); if ( transportKey == NULL ) { PR_fprintf(PR_STDERR, "Can't find shared secret transport key! \n"); goto done; @@ -956,6 +1043,19 @@ done: symkey = NULL; } + if( macKey ) { + PK11_FreeSymKey( macKey); + macKey = NULL; + } + if ( encKey ) { + PK11_FreeSymKey(encKey); + encKey = NULL; + } + if ( kekKey ) { + PK11_FreeSymKey(kekKey); + kekKey = NULL; + } + if ( transportKey ) { PK11_FreeSymKey( transportKey ); transportKey = NULL; @@ -1023,8 +1123,6 @@ done: } - - //================================================================================= #ifdef __cplusplus extern "C" @@ -1053,14 +1151,11 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp return NULL; } - unsigned char input[KEYLENGTH] = {0}; - int i = 0; SECItem wrappedKeyItem = { siBuffer, NULL , 0}; SECItem noParams = { siBuffer, NULL, 0 }; SECStatus wrapStatus = SECFailure; - char *keyNameChars=NULL; char *tokenNameChars=NULL; PK11SlotInfo *slot = NULL; @@ -1191,17 +1286,6 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp goto done; } - - /* copy card and host challenge into input buffer */ - for (i = 0; i < 8; i++) - { - input[i] = cc[i]; - } - for (i = 0; i < 8; i++) - { - input[8+i] = hc[i]; - } - // AC: KDF SPEC CHANGE: Moved this call down. (We don't necessarily need it anymore depending on the KDF we're going to use.) //GetDiversificationData(cuidValue,macData,mac);//keytype is mac @@ -1483,8 +1567,6 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp return NULL; } - unsigned char input[KEYLENGTH] = {0}; - int i = 0; SECItem wrappedKeyItem = { siBuffer, NULL , 0}; SECItem noParams = { siBuffer, NULL, 0 }; @@ -1605,17 +1687,6 @@ extern "C" JNIEXPORT jbyteArray JNICALL Java_com_netscape_symkey_SessionKey_Comp goto done; } - - /* copy card and host challenge into input buffer */ - for (i = 0; i < 8; i++) - { - input[i] = cc[i]; - } - for (i = 0; i < 8; i++) - { - input[8+i] = hc[i]; - } - // AC: KDF SPEC CHANGE: Moved this call down. (We don't necessarily need it anymore depending on the KDF we're going to use.) //GetDiversificationData(cuidValue,encData,enc); @@ -1897,8 +1968,6 @@ extern "C" JNIEXPORT jobject JNICALL Java_com_netscape_symkey_SessionKey_Compute keySetString = (char *) DEFKEYSET_NAME; } - unsigned char input[KEYLENGTH] = {0}; - int i; jobject keyObj = NULL; jbyte *cc = NULL; @@ -1980,17 +2049,6 @@ extern "C" JNIEXPORT jobject JNICALL Java_com_netscape_symkey_SessionKey_Compute goto done; } - - /* copy card and host challenge into input buffer */ - for (i = 0; i < 8; i++) - { - input[i] = cc[i]; - } - for (i = 0; i < 8; i++) - { - input[8+i] = hc[i]; - } - // AC: KDF SPEC CHANGE: Moved this call down. (We don't necessarily need it anymore depending on the KDF we're going to use.) //GetDiversificationData(cuidValue,kekData,kek);//keytype is kek diff --git a/base/symkey/src/com/netscape/symkey/SessionKey.java b/base/symkey/src/com/netscape/symkey/SessionKey.java index 7a32de60c..d31740e93 100644 --- a/base/symkey/src/com/netscape/symkey/SessionKey.java +++ b/base/symkey/src/com/netscape/symkey/SessionKey.java @@ -79,7 +79,10 @@ public class SessionKey { public static native byte[] ComputeSessionKeySCP02(String tokenName, String keyName, byte[] keyInfo, + byte nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE + boolean nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE byte[] CUID, + byte[] KDD, byte[] devKeyArray, byte[] sequenceCounter, byte[] derivationConstant, @@ -180,7 +183,7 @@ public class SessionKey { byte[] oldKeyInfo, // AC: KDF SPEC CHANGE // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be jbyteArray's // -- Changed parameter "jstring keyInfo" to "jbyteArray newKeyInfo" - byte[] newKeyInfo, + byte[] newKeyInfo, byte nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE boolean nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE byte[] CUIDValue, diff --git a/base/symkey/src/com/netscape/symkey/SymKey.cpp b/base/symkey/src/com/netscape/symkey/SymKey.cpp index 8890ac3b5..02465de13 100644 --- a/base/symkey/src/com/netscape/symkey/SymKey.cpp +++ b/base/symkey/src/com/netscape/symkey/SymKey.cpp @@ -535,7 +535,6 @@ PK11SymKey *ComputeCardKey(PK11SymKey *masterKey, unsigned char *data, PK11SlotI static SECItem noParams = { siBuffer, NULL, 0 }; unsigned char *in = data; PK11SymKey *tmpkey = NULL; - unsigned char icv[EIGHT_BYTES] = { 0 }; unsigned char wrappedkey[DES3_LENGTH]; SECItem wrappeditem = { siBuffer, NULL, 0 }; @@ -825,8 +824,8 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek Buffer kc_kek_key(3); Buffer result; - //Buffer *dumpBuffer = NULL; - //int showDerivedKeys = 0; + Buffer *dumpBuffer = NULL; + int showDerivedKeys = 0; PR_fprintf(PR_STDOUT,"In CreateKeySetDataWithSymKeys! Protocol: %d \n",protocol); @@ -873,8 +872,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek authKey16 = PK11_Derive(new_auth_key, CKM_EXTRACT_KEY_FROM_KEY, ¶msItem, CKA_ENCRYPT, CKA_DERIVE, 16); - /* - if(showDerivedKeys == 1) { SECItem *keyData = NULL; PK11_ExtractKeyValue( authKey16 ); @@ -886,8 +883,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek dumpBuffer = NULL; } - */ - if ( authKey16 == NULL ) { PR_fprintf(PR_STDERR,"Error deriving authKey16. Error %d \n", PR_GetError()); goto done; @@ -908,7 +903,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek goto done; } - /* if(showDerivedKeys == 1) { SECItem *keyData = NULL; @@ -921,7 +915,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek dumpBuffer = NULL; } - */ wrappedKeyItem.data = (unsigned char *) encrypted_mac_key; wrappedKeyItem.len = encrypted_mac_key.size(); @@ -939,8 +932,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek PR_fprintf(PR_STDERR,"Error deriving kekKey16. Error %d \n", PR_GetError()); } - /* - if(showDerivedKeys == 1) { SECItem *keyData = NULL; PK11_ExtractKeyValue( kekKey16 ); @@ -951,8 +942,6 @@ PRStatus CreateKeySetDataWithSymKeys( Buffer &newMasterVer,const Buffer &old_kek delete dumpBuffer; dumpBuffer = NULL; } - - */ wrappedKeyItem.data = (unsigned char *) encrypted_kek_key; wrappedKeyItem.len = encrypted_mac_key.size(); diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in index 85c2f3549..b899e7d21 100644 --- a/base/tps/shared/conf/CS.cfg.in +++ b/base/tps/shared/conf/CS.cfg.in @@ -257,6 +257,12 @@ op.enroll.delegateIEtoken._003=# where Encryption cert/keys are "recovered" op.enroll.delegateIEtoken._004=# is controlled by registration user record op.enroll.delegateIEtoken._005=######################################### op.enroll.delegateIEtoken.auth.enable=true +op.enroll.delegateIEtoken.cuidMustMatchKDD=false +op.enroll.delegateIEtoken.enableBoundedGPKeyVersion=true +op.enroll.delegateIEtoken.minimumGPKeyVersion=01 +op.enroll.delegateIEtoken.maximumGPKeyVersion=FF +op.enroll.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true op.enroll.delegateIEtoken.auth.id=ldap1 op.enroll.delegateIEtoken.cardmgr_instance=A0000000030000 op.enroll.delegateIEtoken.issuerinfo.enable=true @@ -391,6 +397,12 @@ op.enroll.delegateIEtoken.update.applet.requiredVersion=1.4.4d40a449 op.enroll.delegateIEtoken.update.symmetricKeys.enable=false op.enroll.delegateIEtoken.update.symmetricKeys.requiredVersion=1 op.format.delegateIEtoken.auth.enable=true +op.format.delegateIEtoken.cuidMustMatchKDD=false +op.format.delegateIEtoken.enableBoundedGPKeyVersion=true +op.format.delegateIEtoken.minimumGPKeyVersion=01 +op.format.delegateIEtoken.maximumGPKeyVersion=FF +op.format.delegateIEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.format.delegateIEtoken.validateCardKeyInfoAgainstTokenDB=true op.format.delegateIEtoken.auth.id=ldap3 op.format.delegateIEtoken.ca.conn=ca1 op.format.delegateIEtoken.cardmgr_instance=A0000000030000 @@ -412,6 +424,12 @@ op.enroll.delegateISEtoken._003=# where Encryption cert/keys is "recovered" op.enroll.delegateISEtoken._004=# is controlled by registration user record op.enroll.delegateISEtoken._005=######################################### op.enroll.delegateISEtoken.auth.enable=true +op.enroll.delegateISEtoken.cuidMustMatchKDD=false +op.enroll.delegateISEtoken.enableBoundedGPKeyVersion=true +op.enroll.delegateISEtoken.minimumGPKeyVersion=01 +op.enroll.delegateISEtoken.maximumGPKeyVersion=FF +op.enroll.delegateISEtoken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.delegateISEtoken.validateCardKeyInfoAgainstTokenDB=true op.enroll.delegateISEtoken.auth.id=ldap1 op.enroll.delegateISEtoken.cardmgr_instance=A0000000030000 op.enroll.delegateISEtoken.issuerinfo.enable=true @@ -640,6 +658,12 @@ op.enroll.externalRegAddToToken._000=######################################### op.enroll.externalRegAddToToken._001=# for externalReg recovering certs/keys only op.enroll.externalRegAddToToken._002=######################################### op.enroll.externalRegAddToToken.auth.enable=true +op.enroll.externalRegAddToToken.cuidMustMatchKDD=false +op.enroll.externalRegAddToToken.enableBoundedGPKeyVersion=true +op.enroll.externalRegAddToToken.minimumGPKeyVersion=01 +op.enroll.externalRegAddToToken.maximumGPKeyVersion=FF +op.enroll.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true op.enroll.externalRegAddToToken.auth.id=ldap1 op.enroll.externalRegAddToToken.cardmgr_instance=A0000000030000 op.enroll.externalRegAddToToken.issuerinfo.enable=true @@ -687,6 +711,12 @@ op.enroll.externalRegAddToToken.update.applet.requiredVersion=1.4.4d40a449 op.enroll.externalRegAddToToken.update.symmetricKeys.enable=false op.enroll.externalRegAddToToken.update.symmetricKeys.requiredVersion=1 op.format.externalRegAddToToken.auth.enable=true +op.format.externalRegAddToToken.cuidMustMatchKDD=false +op.format.externalRegAddToToken.enableBoundedGPKeyVersion=true +op.format.externalRegAddToToken.minimumGPKeyVersion=01 +op.format.externalRegAddToToken.maximumGPKeyVersion=FF +op.format.externalRegAddToToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.externalRegAddToToken.validateCardKeyInfoAgainstTokenDB=true op.format.externalRegAddToToken.cardmgr_instance=A0000000030000 op.format.externalRegAddToToken.issuerinfo.enable=true op.format.externalRegAddToToken.issuerinfo.value=http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome @@ -733,6 +763,12 @@ op.enroll._033=# Web Store - 3B759400006202020201 op.enroll._034=######################################### op.enroll.allowUnknownToken=true op.enroll.tokenProfileResolver=enrollMappingResolver +op.enroll.soKey.cuidMustMatchKDD=false +op.enroll.soKey.enableBoundedGPKeyVersion=true +op.enroll.soKey.minimumGPKeyVersion=01 +op.enroll.soKey.maximumGPKeyVersion=FF +op.enroll.soKey.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.soKey.validateCardKeyInfoAgainstTokenDB=true op.enroll.soKey.auth.enable=true op.enroll.soKey.auth.id=ldap2 op.enroll.soKey.cardmgr_instance=A0000000030000 @@ -855,6 +891,12 @@ op.enroll.soKey.pinReset.pin.maxRetries=127 op.enroll.soKey.pinReset.pin.minLen=4 op.enroll.soKey.pkcs11obj.compress.enable=true op.enroll.soKey.pkcs11obj.enable=true +op.enroll.soKeyTemporary.cuidMustMatchKDD=false +op.enroll.soKeyTemporary.enableBoundedGPKeyVersion=true +op.enroll.soKeyTemporary.minimumGPKeyVersion=01 +op.enroll.soKeyTemporary.maximumGPKeyVersion=FF +op.enroll.soKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.soKeyTemporary.validateCardKeyInfoAgainstTokenDB=true op.enroll.soKeyTemporary.auth.enable=true op.enroll.soKeyTemporary.auth.id=ldap2 op.enroll.soKeyTemporary.cardmgr_instance=A0000000030000 @@ -1014,6 +1056,12 @@ op.enroll.soKey.update.applet.encryption=true op.enroll.soKey.update.applet.requiredVersion=1.4.4d40a449 op.enroll.soKey.update.symmetricKeys.enable=false op.enroll.soKey.update.symmetricKeys.requiredVersion=1 +op.enroll.userKey.cuidMustMatchKDD=false +op.enroll.userKey.enableBoundedGPKeyVersion=true +op.enroll.userKey.minimumGPKeyVersion=01 +op.enroll.userKey.maximumGPKeyVersion=FF +op.enroll.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.userKey.validateCardKeyInfoAgainstTokenDB=true op.enroll.userKey.auth.enable=true op.enroll.userKey.auth.id=ldap1 op.enroll.userKey.cardmgr_instance=A0000000030000 @@ -1297,6 +1345,12 @@ op.enroll.userKeyTemporary.pinReset.pin.minLen=4 op.enroll.userKeyTemporary.pkcs11obj.compress.enable=true op.enroll.userKeyTemporary.pkcs11obj.enable=true op.enroll.userKeyTemporary.tks.conn=tks1 +op.enroll.userKeyTemporary.cuidMustMatchKDD=false +op.enroll.userKeyTemporary.enableBoundedGPKeyVersion=true +op.enroll.userKeyTemporary.minimumGPKeyVersion=01 +op.enroll.userKeyTemporary.maximumGPKeyVersion=FF +op.enroll.userKeyTemporary.rollbackKeyVersionOnPutKeyFailure=false +op.enroll.userKeyTemporary.validateCardKeyInfoAgainstTokenDB=true op.enroll.userKey.temporaryToken.tokenType=userKeyTemporary op.enroll.userKeyTemporary.update.applet.directory=[TPS_DIR]/applets op.enroll.userKeyTemporary.update.applet.emptyToken.enable=true @@ -1315,6 +1369,12 @@ op.enroll.userKey.update.symmetricKeys.enable=false op.enroll.userKey.update.symmetricKeys.requiredVersion=1 op.format.allowUnknownToken=true op.format.tokenProfileResolver=formatMappingResolver +op.format.cleanToken.cuidMustMatchKDD=false +op.format.cleanToken.enableBoundedGPKeyVersion=true +op.format.cleanToken.minimumGPKeyVersion=01 +op.format.cleanToken.maximumGPKeyVersion=FF +op.format.cleanToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.cleanToken.validateCardKeyInfoAgainstTokenDB=true op.format.cleanToken.auth.enable=false op.format.cleanToken.auth.id=ldap1 op.format.cleanToken.ca.conn=ca1 @@ -1330,6 +1390,12 @@ op.format.cleanToken.update.applet.encryption=true op.format.cleanToken.update.applet.requiredVersion=1.4.4d40a449 op.format.cleanToken.update.symmetricKeys.enable=false op.format.cleanToken.update.symmetricKeys.requiredVersion=1 +op.format.soCleanSOToken.cuidMustMatchKDD=false +op.format.soCleanSOToken.enableBoundedGPKeyVersion=true +op.format.soCleanSOToken.minimumGPKeyVersion=01 +op.format.soCleanSOToken.maximumGPKeyVersion=FF +op.format.soCleanSOToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true op.format.soCleanSOToken.auth.enable=false op.format.soCleanSOToken.auth.id=ldap1 op.format.soCleanSOToken.ca.conn=ca1 @@ -1345,6 +1411,12 @@ op.format.soCleanSOToken.update.applet.encryption=true op.format.soCleanSOToken.update.applet.requiredVersion=1.4.4d40a449 op.format.soCleanSOToken.update.symmetricKeys.enable=false op.format.soCleanSOToken.update.symmetricKeys.requiredVersion=1 +op.format.soCleanUserToken.cuidMustMatchKDD=false +op.format.soCleanUserToken.enableBoundedGPKeyVersion=true +op.format.soCleanUserToken.minimumGPKeyVersion=01 +op.format.soCleanUserToken.maximumGPKeyVersion=FF +op.format.soCleanUserToken.rollbackKeyVersionOnPutKeyFailure=false +op.format.soCleanUserToken.validateCardKeyInfoAgainstTokenDB=true op.format.soCleanUserToken.auth.enable=false op.format.soCleanUserToken.auth.id=ldap1 op.format.soCleanUserToken.ca.conn=ca1 @@ -1360,6 +1432,12 @@ op.format.soCleanUserToken.update.applet.encryption=true op.format.soCleanUserToken.update.applet.requiredVersion=1.4.4d40a449 op.format.soCleanUserToken.update.symmetricKeys.enable=false op.format.soCleanUserToken.update.symmetricKeys.requiredVersion=1 +op.format.soKey.cuidMustMatchKDD=false +op.format.soKey.enableBoundedGPKeyVersion=true +op.format.soKey.minimumGPKeyVersion=01 +op.format.soKey.maximumGPKeyVersion=FF +op.format.soKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.soKey.validateCardKeyInfoAgainstTokenDB=true op.format.soKey.auth.enable=true op.format.soKey.auth.id=ldap2 op.format.soKey.ca.conn=ca1 @@ -1375,6 +1453,12 @@ op.format.soKey.update.applet.encryption=true op.format.soKey.update.applet.requiredVersion=1.4.4d40a449 op.format.soKey.update.symmetricKeys.enable=false op.format.soKey.update.symmetricKeys.requiredVersion=1 +op.format.soUserKey.cuidMustMatchKDD=false +op.format.soUserKey.enableBoundedGPKeyVersion=true +op.format.soUserKey.minimumGPKeyVersion=01 +op.format.soUserKey.maximumGPKeyVersion=FF +op.format.soUserKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.soUserKey.validateCardKeyInfoAgainstTokenDB=true op.format.soUserKey.auth.enable=false op.format.soUserKey.auth.id=ldap1 op.format.soUserKey.ca.conn=ca1 @@ -1390,6 +1474,12 @@ op.format.soUserKey.update.applet.encryption=true op.format.soUserKey.update.applet.requiredVersion=1.4.4d40a449 op.format.soUserKey.update.symmetricKeys.enable=false op.format.soUserKey.update.symmetricKeys.requiredVersion=1 +op.format.tokenKey.cuidMustMatchKDD=false +op.format.tokenKey.enableBoundedGPKeyVersion=true +op.format.tokenKey.minimumGPKeyVersion=01 +op.format.tokenKey.maximumGPKeyVersion=FF +op.format.tokenKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.tokenKey.validateCardKeyInfoAgainstTokenDB=true op.format.tokenKey.auth.enable=true op.format.tokenKey.auth.id=ldap1 op.format.tokenKey.ca.conn=ca1 @@ -1405,6 +1495,12 @@ op.format.tokenKey.update.applet.encryption=true op.format.tokenKey.update.applet.requiredVersion=1.4.4d40a449 op.format.tokenKey.update.symmetricKeys.enable=false op.format.tokenKey.update.symmetricKeys.requiredVersion=1 +op.format.userKey.cuidMustMatchKDD=false +op.format.userKey.enableBoundedGPKeyVersion=true +op.format.userKey.minimumGPKeyVersion=01 +op.format.userKey.maximumGPKeyVersion=FF +op.format.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.format.userKey.validateCardKeyInfoAgainstTokenDB=true op.format.userKey.auth.enable=true op.format.userKey.auth.id=ldap1 op.format.userKey.ca.conn=ca1 @@ -1421,6 +1517,12 @@ op.format.userKey.update.applet.requiredVersion=1.4.4d40a449 op.format.userKey.update.symmetricKeys.enable=false op.format.userKey.update.symmetricKeys.requiredVersion=1 op.pinReset.tokenProfileResolver=pinResetMappingResolver +op.pinReset.userKey.cuidMustMatchKDD=false +op.pinReset.userKey.enableBoundedGPKeyVersion=true +op.pinReset.userKey.minimumGPKeyVersion=01 +op.pinReset.userKey.maximumGPKeyVersion=FF +op.pinReset.userKey.rollbackKeyVersionOnPutKeyFailure=false +op.pinReset.userKey.validateCardKeyInfoAgainstTokenDB=true op.pinReset.userKey.auth.enable=true op.pinReset.userKey.auth.id=ldap1 op.pinReset.userKey.cardmgr_instance=A0000000030000 diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java b/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java index e0b3b6b87..33c9ecd07 100644 --- a/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java +++ b/base/tps/src/org/dogtagpki/server/tps/TPSPhoneHome.java @@ -34,6 +34,7 @@ public class TPSPhoneHome extends HttpServlet { ServletOutputStream stream = null; BufferedInputStream buf = null; FileInputStream input = null; + CMS.debug("TPSPhoneHome.renderPhoneHome entering."); try { @@ -42,8 +43,14 @@ public class TPSPhoneHome extends HttpServlet { String confPath = getConfigPath(); + if(confPath == null) { + throw new IOException("TPSPhoneHome.rederPhoneHome: Can not deteriming path to phone home data!"); + } + confPath += File.separator + phoneHomeName; + CMS.debug("TPSPhoneHome.renderPhoneHome: confPath" + confPath); + input = new FileInputStream(confPath); // InputStream input = ctx.getResourceAsStream(phoneHomeName); buf = new BufferedInputStream(input); @@ -73,6 +80,8 @@ public class TPSPhoneHome extends HttpServlet { private String getConfigPath() { + CMS.debug("TPSPhoneHome.getConfigPath: entering."); + String path = null; String context = getServletContext().getContextPath(); @@ -80,7 +89,18 @@ public class TPSPhoneHome extends HttpServlet { String subsystem = context.startsWith("/") ? context.substring(1) : context; // catalina.base points to instance dir - String instanceDir = System.getProperty("catalina.base"); + String instanceDir = null; + + try { + + instanceDir = System.getProperty("catalina.base"); + + } catch (Exception e) { + CMS.debug("TPSPhoneHome.getConfigPath: System.getProperty exception: " + e); + return null; + } + + CMS.debug("TPSPhoneHome.getConfigPath: instanceDir: " + instanceDir); //Finish off path of conf directory path = instanceDir + File.separator + "conf" + File.separator + diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java index c6537e4c2..b10ca772e 100644 --- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java +++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java @@ -76,6 +76,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSComputeSessionKeyResponse class object */ public TKSComputeSessionKeyResponse computeSessionKey( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer card_challenge, @@ -85,7 +86,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler throws EBaseException { CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins."); - if (cuid == null || keyInfo == null || card_challenge == null + if (cuid == null || kdd == null || keyInfo == null || card_challenge == null || card_cryptogram == null || host_challenge == null) { throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null."); } @@ -105,6 +106,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler (HttpConnector) subsystem.getConnectionManager().getConnector(connid); String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_CARD_CHALLENGE + "=" + Util.specialURLEncode(card_challenge) + "&" + IRemoteRequest.TOKEN_HOST_CHALLENGE + "=" + Util.specialURLEncode(host_challenge) + @@ -229,6 +231,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSComputeSessionKeyResponse class object */ public TKSComputeSessionKeyResponse computeSessionKeySCP02( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer sequenceCounter, @@ -237,7 +240,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler throws EBaseException { CMS.debug("TKSRemoteRequestHandler: computeSessionKeySCP02(): begins."); - if (cuid == null || keyInfo == null || + if (cuid == null || kdd == null || keyInfo == null || sequenceCounter == null || derivationConstant == null) { throw new EBaseException("TKSRemoteRequestHandler: computeSessionKeySCP02(): input parameter null."); @@ -258,6 +261,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler (HttpConnector) subsystem.getConnectionManager().getConnector(connid); String requestString = IRemoteRequest.SERVER_SIDE_KEYGEN + "=" + serverKeygen + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(keyInfo) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet + @@ -364,7 +368,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler public TKSCreateKeySetDataResponse createKeySetData( TPSBuffer NewMasterVer, TPSBuffer version, - TPSBuffer cuid, int protocol, TPSBuffer wrappedDekSessionKey) + TPSBuffer cuid, TPSBuffer kdd, int protocol, TPSBuffer wrappedDekSessionKey) throws EBaseException { CMS.debug("TKSRemoteRequestHandler: createKeySetData(): begins."); if (cuid == null || NewMasterVer == null || version == null) { @@ -382,16 +386,16 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler CMS.debug("TKSRemoteRequestHandler: createKeySetData(): sending request to tks."); String command = IRemoteRequest.TOKEN_NEW_KEYINFO + "=" + Util.specialURLEncode(NewMasterVer) + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet + "&" + IRemoteRequest.CHANNEL_PROTOCOL + "=" + protocol; - if(wrappedDekSessionKey != null) { // We have secure channel protocol 02 trying to upgrade the key set. + if (wrappedDekSessionKey != null) { // We have secure channel protocol 02 trying to upgrade the key set. command += "&" + IRemoteRequest.WRAPPED_DEK_SESSION_KEY + "=" + Util.specialURLEncode(wrappedDekSessionKey); } - HttpResponse resp = conn.send("createKeySetData", command); @@ -529,12 +533,13 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler * @return response TKSEncryptDataResponse class object */ public TKSEncryptDataResponse encryptData( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer version, TPSBuffer inData) throws EBaseException { CMS.debug("TKSRemoteRequestHandler: encryptData(): begins."); - if (cuid == null || version == null || inData == null) { + if (cuid == null || kdd == null || version == null || inData == null) { throw new EBaseException("TKSRemoteRequestHandler: encryptData(): input parameter null."); } @@ -552,6 +557,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler conn.send("encryptData", IRemoteRequest.TOKEN_DATA + "=" + Util.specialURLEncode(inData) + "&" + IRemoteRequest.TOKEN_CUID + "=" + Util.specialURLEncode(cuid) + + "&" + IRemoteRequest.TOKEN_KDD + "=" + Util.specialURLEncode(kdd) + "&" + IRemoteRequest.TOKEN_KEYINFO + "=" + Util.specialURLEncode(version) + "&" + IRemoteRequest.TOKEN_KEYSET + "=" + keySet); diff --git a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java index e7efcc031..609fc0367 100644 --- a/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java +++ b/base/tps/src/org/dogtagpki/server/tps/engine/TPSEngine.java @@ -159,6 +159,12 @@ public class TPSEngine { /* misc values */ + public static final String CFG_CUID_MUST_MATCH_KDD = "cuidMustMatchKDD"; + public static final String CFG_ENABLE_BOUNDED_GP_KEY_VERSION = "enableBoundedGPKeyVersion"; + public static final String CFG_MINIMUM_GP_KEY_VERSION = "minimumGPKeyVersion"; + public static final String CFG_MAXIMUM_GP_KEY_VERSION = "maximumGPKeyVersion"; + public static final String CFG_VALIDATE_CARD_KEY_INFO_AGAINST_DB = "validateCardKeyInfoAgainstTokenDB"; + public static final String ENROLL_OP = "enroll"; public static final String FORMAT_OP = "format"; public static final String RECOVERY_OP = "recovery"; @@ -208,6 +214,7 @@ public class TPSEngine { } public TKSComputeSessionKeyResponse computeSessionKeySCP02( + TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer sequenceCounter, @@ -216,7 +223,7 @@ public class TPSEngine { String tokenType) throws TPSException { - if (cuid == null || keyInfo == null || sequenceCounter == null || derivationConstant == null + if (cuid == null || kdd == null || keyInfo == null || sequenceCounter == null || derivationConstant == null || tokenType == null) { throw new TPSException("TPSEngine.computeSessionKeySCP02: Invalid input data!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -229,7 +236,7 @@ public class TPSEngine { TKSComputeSessionKeyResponse resp = null; try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.computeSessionKeySCP02(cuid, keyInfo, sequenceCounter, derivationConstant, tokenType); + resp = tks.computeSessionKeySCP02(kdd,cuid, keyInfo, sequenceCounter, derivationConstant, tokenType); } catch (EBaseException e) { throw new TPSException("TPSEngine.computeSessionKeySCP02: Error computing session key!" + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -246,7 +253,7 @@ public class TPSEngine { } - public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer cuid, + public TKSComputeSessionKeyResponse computeSessionKey(TPSBuffer kdd, TPSBuffer cuid, TPSBuffer keyInfo, TPSBuffer card_challenge, TPSBuffer host_challenge, @@ -254,7 +261,7 @@ public class TPSEngine { String connId, String tokenType) throws TPSException { - if (cuid == null || keyInfo == null || card_challenge == null || host_challenge == null + if (cuid == null || kdd == null || keyInfo == null || card_challenge == null || host_challenge == null || card_cryptogram == null || connId == null || tokenType == null) { throw new TPSException("TPSEngine.computeSessionKey: Invalid input data!", @@ -269,7 +276,7 @@ public class TPSEngine { TKSComputeSessionKeyResponse resp = null; try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.computeSessionKey(cuid, keyInfo, card_challenge, card_cryptogram, host_challenge, tokenType); + resp = tks.computeSessionKey(kdd,cuid, keyInfo, card_challenge, card_cryptogram, host_challenge, tokenType); } catch (EBaseException e) { throw new TPSException("TPSEngine.computeSessionKey: Error computing session key!" + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -372,11 +379,11 @@ public class TPSEngine { } - public TPSBuffer createKeySetData(TPSBuffer newMasterVersion, TPSBuffer oldVersion, int protocol, TPSBuffer cuid, TPSBuffer wrappedDekSessionKey, String connId) + public TPSBuffer createKeySetData(TPSBuffer newMasterVersion, TPSBuffer oldVersion, int protocol, TPSBuffer cuid, TPSBuffer kdd, TPSBuffer wrappedDekSessionKey, String connId) throws TPSException { CMS.debug("TPSEngine.createKeySetData. entering..."); - if (newMasterVersion == null || oldVersion == null || cuid == null || connId == null) { + if (newMasterVersion == null || oldVersion == null || cuid == null || kdd == null || connId == null) { throw new TPSException("TPSEngine.createKeySetData: Invalid input data", TPSStatus.STATUS_ERROR_KEY_CHANGE_OVER); } @@ -387,7 +394,7 @@ public class TPSEngine { try { tks = new TKSRemoteRequestHandler(connId); - resp = tks.createKeySetData(newMasterVersion, oldVersion, cuid, protocol,wrappedDekSessionKey); + resp = tks.createKeySetData(newMasterVersion, oldVersion, cuid, kdd, protocol,wrappedDekSessionKey); } catch (EBaseException e) { throw new TPSException("TPSEngine.createKeySetData, failure to get key set data from TKS", diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java index bc46eaba8..b5574760e 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java @@ -12,6 +12,7 @@ public class AppletInfo { private TPSBuffer aid; private TPSBuffer cuid; + private TPSBuffer kdd; private TPSBuffer msn; private int totalMem; private int freeMem; @@ -25,6 +26,14 @@ public class AppletInfo { } + public void setKDD(TPSBuffer theKDD) { + kdd = new TPSBuffer(theKDD); + } + + public TPSBuffer getKDD() { + return kdd; + } + public void setCUID(TPSBuffer theCuid) { cuid = new TPSBuffer(theCuid); } @@ -33,6 +42,22 @@ public class AppletInfo { return cuid; } + public String getKDDhexString(){ + if(cuid != null) { + return kdd.toHexString(); + } + + return null; + } + + public String getKDDhexStringPlain() { + if(cuid != null) { + return kdd.toHexStringPlain(); + } + + return null; + } + public void setMSN(TPSBuffer theMsn) { msn = new TPSBuffer(theMsn); } diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java index 5b8560a1d..265ce0491 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java @@ -301,7 +301,7 @@ public class TPSEnrollProcessor extends TPSProcessor { CMS.debug("TPSEnrollProcessor.enroll: Finished updating applet if needed."); //Check and upgrade keys if called for - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); //Reset the token's pin, create one if we don't have one already @@ -467,13 +467,13 @@ public class TPSEnrollProcessor extends TPSProcessor { pkcs11objx.setFormatVersion(pkcs11objx.getOldFormatVersion()); // Make sure we have a good secure channel before writing out the final objects - channel = setupSecureChannel(); + channel = setupSecureChannel(appletInfo); statusUpdate(92, "PROGRESS_WRITE_OBJECTS"); writeFinalPKCS11ObjectToToken(pkcs11objx, appletInfo, channel); statusUpdate(98, "PROGRESS_ISSUER_INFO"); - writeIssuerInfoToToken(channel); + writeIssuerInfoToToken(channel,appletInfo); statusUpdate(99, "PROGRESS_SET_LIFECYCLE"); channel.setLifeycleState((byte) 0x0f); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java index 73085b19c..5d029a180 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java @@ -119,7 +119,7 @@ public class TPSPinResetProcessor extends TPSProcessor { //Check and upgrade keys if called for - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); checkAndHandlePinReset(channel); diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java index ee8b7529f..f9a0445d6 100644 --- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java +++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java @@ -291,7 +291,7 @@ public class TPSProcessor { } protected TPSBuffer getCplcData() throws IOException, TPSException { - CMS.debug("In TPS_Processor."); + CMS.debug("In TPS_Processor. getCplcData"); GetDataAPDU get_data_apdu = new GetDataAPDU(); @@ -366,7 +366,7 @@ public class TPSProcessor { try { tks = new TKSRemoteRequestHandler(connId); - data = tks.encryptData(appletInfo.getCUID(), keyInfo, plaintextChallenge); + data = tks.encryptData(appletInfo.getKDD(),appletInfo.getCUID(), keyInfo, plaintextChallenge); } catch (EBaseException e) { throw new TPSException("TPSProcessor.encryptData: Erorr getting wrapped data from TKS!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -436,7 +436,7 @@ public class TPSProcessor { } - protected SecureChannel setupSecureChannel() throws TPSException, IOException { + protected SecureChannel setupSecureChannel(AppletInfo appletInfo) throws TPSException, IOException { SecureChannel channel = null; //Create a standard secure channel with current key set. @@ -446,7 +446,7 @@ public class TPSProcessor { int defKeyIndex = getChannelDefKeyIndex(); channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); channel.externalAuthenticate(); @@ -454,7 +454,7 @@ public class TPSProcessor { } protected SecureChannel setupSecureChannel(byte keyVersion, byte keyIndex, - String connId) + String connId,AppletInfo appletInfo) throws IOException, TPSException { //Assume generating host challenge on TKS, we no longer support not involving the TKS. @@ -462,6 +462,11 @@ public class TPSProcessor { CMS.debug("TPSProcessor.setupSecureChannel: keyVersion: " + keyVersion + " keyIndex: " + keyIndex ); + if(appletInfo == null) { + throw new TPSException("TPSProcessor.setupSecureChannel: invalid input data.", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + TPSBuffer randomData = computeRandomData(8, connId); CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData: " + randomData.toHexString()); @@ -470,6 +475,8 @@ public class TPSProcessor { TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData); TPSBuffer key_diversification_data = initUpdateResp.substr(0, DIVERSIFICATION_DATA_SIZE); + appletInfo.setKDD(key_diversification_data); + CMS.debug("TPSProcessor.setupSecureChannel: diversification data: " + key_diversification_data.toHexString()); TPSBuffer key_info_data = initUpdateResp.substr(DIVERSIFICATION_DATA_SIZE, 2); @@ -512,6 +519,8 @@ public class TPSProcessor { key_info_data.setAt(1, (byte) 0x1); CMS.debug("TPSProcessor.setupSecureChannel 02: key Info , after massage: " + key_info_data.toHexString()); + tokenRecord.setKeyInfo(key_info_data.toHexStringPlain()); + } else { card_challenge = initUpdateResp.substr(CARD_CHALLENGE_OFFSET, CARD_CHALLENGE_SIZE); } @@ -522,7 +531,7 @@ public class TPSProcessor { try { channel = generateSecureChannel(connId, key_diversification_data, key_info_data, card_challenge, card_cryptogram, - randomData, sequenceCounter); + randomData, sequenceCounter,appletInfo); } catch (EBaseException e) { throw new TPSException("TPSProcessor.setupSecureChannel: Can't set up secure channel: " + e, TPSStatus.STATUS_ERROR_SECURE_CHANNEL); @@ -534,11 +543,11 @@ public class TPSProcessor { protected SecureChannel generateSecureChannel(String connId, TPSBuffer keyDiversificationData, TPSBuffer keyInfoData, TPSBuffer cardChallenge, TPSBuffer cardCryptogram, TPSBuffer hostChallenge, - TPSBuffer sequenceCounter) + TPSBuffer sequenceCounter,AppletInfo appletInfo) throws EBaseException, TPSException, IOException { if (connId == null || keyDiversificationData == null || keyInfoData == null || cardChallenge == null - || cardCryptogram == null || hostChallenge == null) { + || cardCryptogram == null || hostChallenge == null || appletInfo == null) { throw new TPSException("TPSProcessor.generateSecureChannel: Invalid input data!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } @@ -565,6 +574,30 @@ public class TPSProcessor { PK11SymKey sharedSecret = null; + //Sanity checking + + boolean cuidOK = checkCUIDMatchesKDD(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain()); + + boolean isVersionInRange = checkCardGPKeyVersionIsInRange(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), keyInfoData.toHexStringPlain()); + + boolean doesVersionMatchTokenDB = checkCardGPKeyVersionMatchesTokenDB(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), keyInfoData.toHexStringPlain()); + + if(cuidOK == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: cuid vs kdd matching policy not met!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(isVersionInRange == false) { + + throw new TPSException("TPSProcessor.generateSecureChannel: key version is not within acceptable range!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(doesVersionMatchTokenDB == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: key version from token does not match that of the token db!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + try { sharedSecret = getSharedSecretTransportKey(connId); } catch (Exception e) { @@ -577,7 +610,7 @@ public class TPSProcessor { if (platProtInfo.isGP201() || platProtInfo.isSCP01()) { - resp = engine.computeSessionKey(keyDiversificationData, keyInfoData, + resp = engine.computeSessionKey(keyDiversificationData, appletInfo.getCUID(), keyInfoData, cardChallenge, hostChallenge, cardCryptogram, connId, getSelectedTokenType()); @@ -652,7 +685,7 @@ public class TPSProcessor { } CMS.debug("TPSProcessor.generateSecureChannel Trying secure channel protocol 02"); - respEnc02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respEnc02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.ENCDerivationConstant), connId, getSelectedTokenType()); @@ -666,7 +699,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respCMac02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respCMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.C_MACDerivationConstant), connId, getSelectedTokenType()); @@ -681,7 +714,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respRMac02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respRMac02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.R_MACDerivationConstant), connId, getSelectedTokenType()); @@ -696,7 +729,7 @@ public class TPSProcessor { TPSStatus.STATUS_ERROR_SECURE_CHANNEL); } - respDek02 = engine.computeSessionKeySCP02(keyDiversificationData, keyInfoData, + respDek02 = engine.computeSessionKeySCP02(keyDiversificationData, appletInfo.getCUID(), keyInfoData, sequenceCounter, new TPSBuffer(SecureChannel.DEKDerivationConstant), connId, getSelectedTokenType()); @@ -793,7 +826,7 @@ public class TPSProcessor { upgraded = 1; CMS.debug("TPSProcessor.checkAndUpgradeApplet: Upgrading applet to : " + targetAppletVersion); - upgradeApplet("op." + currentTokenOperation, targetAppletVersion, getBeginMessage() + upgradeApplet(appletInfo, "op." + currentTokenOperation, targetAppletVersion, getBeginMessage() .getExtensions(), tksConnId, 5, 12); } @@ -804,13 +837,13 @@ public class TPSProcessor { // We didn't need to upgrade the applet but create new channel for now. selectCardManager(); - setupSecureChannel(); + setupSecureChannel(appletInfo); } } - protected void upgradeApplet(String operation, String new_version, + protected void upgradeApplet(AppletInfo appletInfo, String operation, String new_version, Map<String, String> extensions, String connId, int startProgress, int endProgress) throws IOException, TPSException { @@ -850,7 +883,7 @@ public class TPSProcessor { throw new TPSException("TPSProcessor.upgradeApplet: Can't selelect the card manager!"); } - SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId); + SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId,appletInfo); channel.externalAuthenticate(); @@ -1866,14 +1899,15 @@ public class TPSProcessor { String tksConnId = getTKSConnectorID(); - upgradeApplet(TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, + upgradeApplet(appletInfo,TPSEngine.OP_FORMAT_PREFIX, appletRequiredVersion, beginMsg.getExtensions(), tksConnId, 10, 90); CMS.debug("TPSProcessor.format: Completed applet upgrade."); + // Add issuer info to the token - writeIssuerInfoToToken(null); + writeIssuerInfoToToken(null,appletInfo); if (requiresStatusUpdate()) { statusUpdate(100, "PROGRESS_DONE"); @@ -1881,9 +1915,8 @@ public class TPSProcessor { // Upgrade Symm Keys if needed - SecureChannel channel = checkAndUpgradeSymKeys(); + SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord); channel.externalAuthenticate(); - tokenRecord.setKeyInfo(channel.getKeyInfoData().toHexStringPlain()); if (isTokenPresent && revokeCertsAtFormat()) { // Revoke certificates on token, if so configured @@ -1922,7 +1955,7 @@ public class TPSProcessor { } - protected void writeIssuerInfoToToken(SecureChannel origChannel) throws TPSException, IOException, + protected void writeIssuerInfoToToken(SecureChannel origChannel,AppletInfo appletInfo) throws TPSException, IOException, UnsupportedEncodingException { if (checkIssuerInfoEnabled()) { @@ -1937,7 +1970,7 @@ public class TPSProcessor { channel = origChannel; } else { - channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, tksConnId); + channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, tksConnId,appletInfo); channel.externalAuthenticate(); } @@ -2566,7 +2599,7 @@ public class TPSProcessor { selectCardManager(); TPSBuffer cplc_data = getCplcData(); - CMS.debug("cplc_data: " + cplc_data.toString()); + CMS.debug("cplc_data: " + cplc_data.toHexString()); TPSBuffer token_cuid = extractTokenCUID(cplc_data); TPSBuffer token_msn = extractTokenMSN(cplc_data); @@ -2670,7 +2703,7 @@ public class TPSProcessor { return version; } - protected SecureChannel checkAndUpgradeSymKeys() throws TPSException, IOException { + protected SecureChannel checkAndUpgradeSymKeys(AppletInfo appletInfo,TokenRecord tokenRecord) throws TPSException, IOException { /* If the key of the required version is not found, create them. @@ -2690,6 +2723,10 @@ public class TPSProcessor { set it to be the new default] */ + if(tokenRecord == null || appletInfo == null) { + throw new TPSException("TPSProcessor.checkAndUpgradeSymKeys: invalid input data!"); + } + SecureChannel channel = null; int defKeyVersion = 0; @@ -2708,7 +2745,7 @@ public class TPSProcessor { try { channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } catch (TPSException e) { @@ -2721,7 +2758,7 @@ public class TPSProcessor { selectCardManager(); - channel = setupSecureChannel(); + channel = setupSecureChannel(appletInfo); /* Assemble the Buffer with the version information The second byte is the key offset, which is always 1 @@ -2745,8 +2782,30 @@ public class TPSProcessor { protocol = 2; } + //Sanity checking + + boolean cuidOK = checkCUIDMatchesKDD(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain()); + boolean isVersionInRange = checkCardGPKeyVersionIsInRange(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), curKeyInfo.toHexStringPlain()); + boolean doesVersionMatchTokenDB = checkCardGPKeyVersionMatchesTokenDB(appletInfo.getCUIDhexStringPlain(), appletInfo.getKDDhexStringPlain(), curKeyInfo.toHexStringPlain()); + + if(cuidOK == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: cuid vs kdd matching policy not met!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(isVersionInRange == false) { + + throw new TPSException("TPSProcessor.generateSecureChannel: key version is not within acceptable range!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + + if(doesVersionMatchTokenDB == false) { + throw new TPSException("TPSProcessor.generateSecureChannel: key version from token does not match that of the token db!", + TPSStatus.STATUS_ERROR_SECURE_CHANNEL); + } + TPSBuffer keySetData = engine.createKeySetData(newVersion, curKeyInfo, protocol, - channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); + appletInfo.getCUID(),channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: new keySetData from TKS: " + keySetData.toHexString()); @@ -2768,7 +2827,7 @@ public class TPSProcessor { byte[] nv_dev = { (byte) 0x1, (byte) 0x1 }; TPSBuffer devKeySetData = engine.createKeySetData(new TPSBuffer(nv_dev), curKeyInfo, protocol, - channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); + appletInfo.getCUID(), channel.getKeyDiversificationData(), channel.getDekSessionKeyWrapped(), connId); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: about to get rid of keyset 0xFF and replace it with keyset 0x1 with developer key set"); channel.putKeys((byte) 0x0, (byte) 0x1, devKeySetData); @@ -2783,8 +2842,11 @@ public class TPSProcessor { String curVersionStr = curKeyInfo.toHexString(); String newVersionStr = newVersion.toHexString(); - TPSSession session = getSession(); - TokenRecord tokenRecord = session.getTokenRecord(); + + //Only change in db if we upgrade, thus we don't need to worry about rolling back on failure. + //Thus the setting, rollbackKeyVersionOnPutKeyFailure is not needed. + + CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: changing token db keyInfo to: " + newVersion.toHexStringPlain()); tokenRecord.setKeyInfo(newVersion.toHexStringPlain()); CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: curVersionStr: " + curVersionStr + " newVersionStr: " @@ -2792,12 +2854,14 @@ public class TPSProcessor { selectCoolKeyApplet(); channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } else { CMS.debug("TPSProcessor.checkAndUpgradeSymeKeys: We are already at the desired key set, returning secure channel."); } + // tokenRecord.setKeyInfo(channel.getKeyInfoData().toHexStringPlain()); + } else { //Create a standard secure channel with current key set. CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: Key changeover disabled in the configuration."); @@ -2805,7 +2869,7 @@ public class TPSProcessor { defKeyVersion = getChannelDefKeyVersion(); channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, - getTKSConnectorID()); + getTKSConnectorID(),appletInfo); } @@ -3234,6 +3298,245 @@ public class TPSProcessor { return platProtInfo; } + boolean checkCardGPKeyVersionIsInRange(String CUID, String KDD, String keyInfoData) throws TPSException { + boolean result = true; + + //ToDo : Add Audit messages . + + + String method = "checkCardGPKeyVersionIsInRange: "; + + CMS.debug(method + " entering: keyInfoData: " + keyInfoData); + + if (CUID == null || KDD == null || keyInfoData == null) { + throw new TPSException(method + " Invalid input data!"); + } + + IConfigStore configStore = CMS.getConfigStore(); + + String checkBoundedGPKeyVersionConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_ENABLE_BOUNDED_GP_KEY_VERSION; + + CMS.debug(method + " config to check: " + checkBoundedGPKeyVersionConfig); + + try { + result = configStore.getBoolean(checkBoundedGPKeyVersionConfig, true); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " returning: " + result); + + // Check only if asked. + + if (result == true) { + + String minConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_MINIMUM_GP_KEY_VERSION; + String maxConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_MAXIMUM_GP_KEY_VERSION; + + CMS.debug(method + " config to check: minConfig: " + minConfig + " maxConfig: " + maxConfig); + + String maxVersion = null; + String minVersion = null; + + try { + minVersion = configStore.getString(minConfig, "01"); + maxVersion = configStore.getString(maxConfig, "FF"); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + if (minVersion.length() != 2 || maxVersion.length() != 2) { + result = false; + } + + CMS.debug(method + " minVersion: " + minVersion + " maxVersion: " + maxVersion); + + if (keyInfoData.length() != 4) { + result = false; + } else { + // Actually check the version range; + + String keyInfoVer = keyInfoData.substring(0, 2); + + CMS.debug(method + " Version reported from key Info Data: " + keyInfoVer); + + int versionMinCompare = keyInfoVer.compareToIgnoreCase(minVersion); + int versionMaxCompare = keyInfoVer.compareToIgnoreCase(maxVersion); + + CMS.debug(method + " versionMinCompare: " + versionMinCompare + " versionMaxCompare: " + + versionMaxCompare); + + if (versionMinCompare >= 0 && versionMaxCompare <= 0) { + CMS.debug(method + " Version : " + keyInfoVer + " is in range of: " + minVersion + " and: " + + maxVersion); + result = true; + } else { + result = false; + CMS.debug(method + " Version : " + keyInfoVer + " is NOT in range of: " + minVersion + " and: " + + maxVersion); + } + } + + } else { + //Configured to ignore, report success. + result = true; + } + + CMS.debug(method + " Returning result of: " + result); + + return result; + } + + boolean checkCUIDMatchesKDD(String CUID, String KDD) throws TPSException { + boolean result = true; + + String method = "TPsProcessor.checkCUIDMatchesKDD: " ; + + CMS.debug(method + " CUID " + CUID + " KDD: " + KDD); + + if (CUID == null || KDD == null) { + throw new TPSException(method + " invalid input data!"); + } + + IConfigStore configStore = CMS.getConfigStore(); + + String checkCUIDMatchesKDDConfig = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_CUID_MUST_MATCH_KDD; + + CMS.debug(method + " config to check: " + checkCUIDMatchesKDDConfig); + + try { + result = configStore.getBoolean(checkCUIDMatchesKDDConfig, false); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " config result: " + result); + + // Check only if asked to + if (result == true) { + if (CUID.compareToIgnoreCase(KDD) == 0) { + CMS.debug(method + " CUID and KDD values match!"); + result = true; + } else { + CMS.debug(method + " CUID and KDD values differ!"); + result = false; + } + } else { + //Configured to ignore, report success. + result = true; + } + + CMS.debug(method + " returning result: " + result); + + return result; + } + + protected String getKeyInfoFromTokenDB(String cuid) throws TPSException { + String keyInfo = null; + + if (cuid == null) { + throw new TPSException("TPSProcessor.getKeyInfoFromTokenDB: invalid input data!", + TPSStatus.STATUS_ERROR_MISCONFIGURATION); + } + + TokenRecord tokenRecord = getTokenRecord(); + + keyInfo = tokenRecord.getKeyInfo(); + + CMS.debug("TPProcessor.getKeyInfioFromTokenDB: returning: " + keyInfo); + + return keyInfo; + + } + + boolean checkCardGPKeyVersionMatchesTokenDB(String CUID, String KDD, + String keyInfoData) throws TPSException { + + String method = "checkCardGPKeyVersionMatchesTokenDB: "; + + if(CUID == null || KDD == null || keyInfoData == null) { + throw new TPSException(method + " Invalid input data!"); + } + + boolean result = true; + + IConfigStore configStore = CMS.getConfigStore(); + + String checkValidateVersion = "op." + currentTokenOperation + "." + selectedTokenType + "." + + TPSEngine.CFG_VALIDATE_CARD_KEY_INFO_AGAINST_DB; + + CMS.debug(method + " config to check: " + checkValidateVersion); + + try { + result = configStore.getBoolean(checkValidateVersion, true); + } catch (EBaseException e) { + throw new TPSException( + method + " error getting config value."); + } + + CMS.debug(method + " config result: " + result); + + + if(result == true) { + //Check only if asked to. + + String keyInfoInDB = getKeyInfoFromTokenDB(CUID); + + CMS.debug(method + " keyInfoFromTokenDB: " + keyInfoInDB); + CMS.debug(method + " keyInfoFromToken: " + keyInfoData); + + + if(keyInfoData.compareToIgnoreCase(keyInfoInDB) != 0) { + CMS.debug(method + " Key Info in the DB is NOT the same as the one from the token!"); + result = false; + } else { + CMS.debug(method + " Key Info in the DB IS the same as the one from the token!"); + result = true; + } + + } else { + result = true; + } + + CMS.debug(method + " returning result: " + result); + + return result; + + } + + /* Only for debugging, extract bytes of a PK11SymKey + private String getSymKeyData(PK11SymKey key) { + String result = null; + + if(key == null) { + result = ""; + return result; + } + + try { + byte [] extracted = key.getKeyData(); + + TPSBuffer keyBuff = new TPSBuffer(extracted); + + result = keyBuff.toHexString(); + + } catch (Exception e) { + + //Probably can not extract this key due to policy + result = ""; + } + + return result; + } + */ + public static void main(String[] args) { } |