From 0d821e2d8c62daf9a4cf44e1e0b66e50909338ac Mon Sep 17 00:00:00 2001 From: cfu Date: Fri, 5 Dec 2008 17:39:31 +0000 Subject: Buzilla Bug 474659 - moved public key challenge generation from TPS to TKS git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@163 c9f7a03b-bd48-0410-a16d-cbbf54688b0b --- .../com/netscape/cms/servlet/tks/TokenServlet.java | 39 ++++++++++++++++--- pki/base/tps/src/processor/RA_Enroll_Processor.cpp | 10 +++-- pki/base/tps/src/processor/RA_Processor.cpp | 45 ++++++++++++++++++---- pki/dogtag/common/pki-common.spec | 4 +- pki/dogtag/tps/pki-tps.spec | 4 +- 5 files changed, 84 insertions(+), 18 deletions(-) (limited to 'pki') diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java index fa0d7a683..9509d421c 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -760,8 +760,10 @@ public class TokenServlet extends CMSServlet { private void processEncryptData(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - byte[] data,keyInfo, CUID, xCUID, encryptedData, xkeyInfo; + byte[] keyInfo, CUID, xCUID, encryptedData, xkeyInfo; boolean missingParam = false; + byte[] data = null; + boolean isRandom = true; // randomly generate the data to be encrypted IConfigStore sconfig = CMS.getConfigStore(); encryptedData = null; @@ -774,8 +776,31 @@ public class TokenServlet extends CMSServlet { } CMS.debug("keySet selected: " + keySet); - if ((rdata == null) || (rdata.equals(""))) { - CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data"); + String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); + if (s_isRandom.equalsIgnoreCase("false")) { + CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated"); + isRandom = false; + } else { + CMS.debug("TokenServlet: processEncryptData(): Random number generation required"); + isRandom = true; + } + + if (isRandom) { + if ((rdata == null) || (rdata.equals(""))) { + CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); + } else { + CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); + } + try { + SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + data = new byte[16]; + random.nextBytes(data); + } catch (Exception e) { + CMS.debug("TokenServlet: processEncryptData():"+ e.toString()); + throw new EBaseException("processEncryptData:"+ e.toString()); + } + } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))){ + CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); missingParam = true; } @@ -807,7 +832,8 @@ public class TokenServlet extends CMSServlet { useSoftToken_s = "false"; if (!missingParam) { - data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); + if (!isRandom) + data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); @@ -838,7 +864,10 @@ public class TokenServlet extends CMSServlet { String value = ""; if (encryptedData != null && encryptedData.length > 0) { String outputString = new String(encryptedData); - value = "status=0&"+"encryptedData=" + + // sending both the pre-encrypted and encrypted data back + value = "status=0&"+"data="+ + com.netscape.cmsutil.util.Utils.SpecialEncode(data)+ + "&encryptedData=" + com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); } else if (missingParam) { value = "status=3"; diff --git a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp index b8a5580d0..f44e77132 100644 --- a/pki/base/tps/src/processor/RA_Enroll_Processor.cpp +++ b/pki/base/tps/src/processor/RA_Enroll_Processor.cpp @@ -1598,7 +1598,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue #define WRAPPED_CHALLENGE_SIZE 16 Buffer *plaintext_challenge = new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0); - Buffer *wrapped_challenge = new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0); + Buffer *wrapped_challenge = new Buffer(WRAPPED_CHALLENGE_SIZE, (BYTE)0); Buffer *key_check = new Buffer(0, (BYTE)0); const char *tokenType = NULL; @@ -1872,6 +1872,8 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue /* generate challenge for enrollment */ RA::Debug(LL_PER_PDU, "RA_Enroll_Processor::Process", "Generate Challenge"); +/* + random number generation moved to TKS rc = Util::GetRandomChallenge(*plaintext_challenge); if (rc == -1) { RA::Error("RA_Enroll_Processor::Process", @@ -1880,8 +1882,9 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "general challenge error", ""); goto loser; } - } +*/ + } kdd = channel->GetKeyDiversificationData(); khex = kdd.toHex(); RA::Debug("RA_Enroll_Processor::Process", "cuid=%s", khex); @@ -1898,7 +1901,6 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue RA::tdb_activity(session->GetRemoteIP(), cuid, "enrollment", "failure", "challenge encryption error", ""); goto loser; } - // read objects back PR_snprintf((char *)configname, 256, "%s.%s.pkcs11obj.enable", OP_PREFIX, tokenType); @@ -2049,7 +2051,7 @@ TPS_PUBLIC RA_Status RA_Enroll_Processor::Process(RA_Session *session, NameValue /* op.enroll.certificates.num=1 op.enroll.certificates.value.0=caCert -op.enroll.certificates.caCert.nickName=caCert0 pki-tps +op.enroll.certificates.caCert.nickName=caCert0 fpki-tps op.enroll.certificates.caCert.certId=C5 op.enroll.certificates.caCert.certAttrId=c5 op.enroll.certificates.caCert.label=caCert Label diff --git a/pki/base/tps/src/processor/RA_Processor.cpp b/pki/base/tps/src/processor/RA_Processor.cpp index ca04b573e..e6e5dd0f8 100644 --- a/pki/base/tps/src/processor/RA_Processor.cpp +++ b/pki/base/tps/src/processor/RA_Processor.cpp @@ -2072,6 +2072,7 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer { char body[5000]; char configname[256]; +#define PLAINTEXT_CHALLENGE_SIZE 16 // khai, here we wrap the input with the KEK key // in TKS HttpConnection *tksConn = NULL; @@ -2091,7 +2092,12 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer } else { int tks_curr = RA::GetCurrentIndex(tksConn); int currRetries = 0; - char *data = Util::SpecialURLEncode(in); + char *data = NULL; + Buffer *zerob = new Buffer(PLAINTEXT_CHALLENGE_SIZE, (BYTE)0); + if (!(in == *zerob)) + data = Util::SpecialURLEncode(in); + else + RA::Debug(LL_PER_PDU, "RA_Processor::EncryptData","Challenge to be generated on TKS"); char *cuid = Util::SpecialURLEncode(CUID); char *versionID = Util::SpecialURLEncode(version); @@ -2099,14 +2105,10 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer const char *keySet = RA::GetConfigStore()->GetConfigAsString(configname); PR_snprintf((char *)body, 5000, "data=%s&CUID=%s&KeyInfo=%s&keySet=%s", - data, cuid, versionID,keySet); + ((data != NULL)? data:""), cuid, versionID,keySet); PR_snprintf((char *)configname, 256, "conn.%s.servlet.encryptData", connid); const char *servletID = RA::GetConfigStore()->GetConfigAsString(configname); - if( data != NULL ) { - PR_Free( data ); - data = NULL; - } if( cuid != NULL ) { PR_Free( cuid ); cuid = NULL; @@ -2144,6 +2146,9 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer } Buffer *encryptedData = NULL; + // preEncData is only useful when data is null, and data is to be randomly + // generated on TKS + Buffer *preEncData = NULL; status = 0; if (response != NULL) { RA::Debug(LL_PER_PDU, "EncryptData Response is not ","NULL"); @@ -2162,6 +2167,17 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer } else { status = 0; char *p = &content[9]; + // get pre-encryption data + char *preStr = strstr((char *)p, "data="); + if (preStr != NULL) { + p = &preStr[5]; + char pstr[PLAINTEXT_CHALLENGE_SIZE]; + strncpy(pstr, p, PLAINTEXT_CHALLENGE_SIZE*3); + preEncData = Util::URLDecode(pstr); + } + + // get encrypted data + p = &content[9]; char *rcStr = strstr((char *)p, "encryptedData="); if (rcStr != NULL) { rcStr = &rcStr[14]; @@ -2176,10 +2192,14 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer RA::Debug(LL_PER_PDU, "EncryptedData ", "status=%d", status); RA::Debug(LL_PER_PDU, "finish EncryptedData", ""); - if (status > 0 || encryptedData == NULL) { + if ((status > 0) || (preEncData == NULL) || (encryptedData == NULL)) { if (tksConn != NULL) { RA::ReturnTKSConn(tksConn); } + if( data != NULL ) { + PR_Free( data ); + data = NULL; + } return -1; } else { out = *encryptedData; @@ -2187,6 +2207,17 @@ int RA_Processor::EncryptData(Buffer &CUID, Buffer &version, Buffer &in, Buffer delete encryptedData; encryptedData = NULL; } + if (data != NULL) { + RA::Debug(LL_PER_PDU, "EncryptedData ", "challenge overwritten by TKS"); + PR_Free( data ); + data = NULL; + } + in = *preEncData; + + if( preEncData != NULL ) { + delete preEncData; + preEncData = NULL; + } } if( response != NULL ) { response->freeContent(); diff --git a/pki/dogtag/common/pki-common.spec b/pki/dogtag/common/pki-common.spec index 3baa9677e..4f81aa846 100644 --- a/pki/dogtag/common/pki-common.spec +++ b/pki/dogtag/common/pki-common.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.0.0 -%define base_release 28 +%define base_release 29 %define base_group System Environment/Base %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -280,6 +280,8 @@ chmod 00755 %{_datadir}/%{base_prefix}/setup/postinstall ############################################################################### %changelog +* Fri Dec 5 2008 Christina Fu 1.0.0-29 +- Buzilla Bug 474659 - moved public key challenge generation from TPS to TKS * Fri Nov 28 2008 Matthew Harmsen 1.0.0-28 - Bugzilla Bug #445402 - changed "linux"/"fedora" to "dogtag"; changed "pki-svn.fedora.redhat.com" to "pki.fedoraproject.org" diff --git a/pki/dogtag/tps/pki-tps.spec b/pki/dogtag/tps/pki-tps.spec index e46d3b640..ee7a697aa 100644 --- a/pki/dogtag/tps/pki-tps.spec +++ b/pki/dogtag/tps/pki-tps.spec @@ -34,7 +34,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.0.0 -%define base_release 8 +%define base_release 9 %define base_group System Environment/Daemons %define base_vendor Red Hat, Inc. %define base_license LGPLv2 with exceptions @@ -293,6 +293,8 @@ fi ############################################################################### %changelog +* Fri Dec 5 2008 Christina Fu 1.0.0-9 +- Buzilla Bug 474659 - moved public key challenge generation from TPS to TKS * Thu Dec 4 2008 Matthew Harmsen 1.0.0-8 - Bugzilla Bug #474369 - Remove NSS dependency on "pkcs11-devel" and upgrade NSS/NSPR version dependencies -- cgit