Address Test Port final TMS fixes for rhel7 to master branch, phase 2… #4894

Merged
merged 1 commit into from
Nov 7, 2024
6 changes: 5 additions & 1 deletion .github/workflows/tps-basic-test.yml
Expand Up @@ -278,7 +278,7 @@ jobs:
--pkcs12-password Secret.123
docker exec pki pki -n caadmin tps-user-show tpsadmin

- name: Set up TPS authentication
- name: Set up TPS authentication and misc cfg settings
run: |
# import sample TPS users
docker exec pki ldapadd \
Expand All @@ -297,6 +297,10 @@ jobs:
auths.instance.ldap1.ldap.basedn \
ou=people,dc=example,dc=com

# configure TPS to allow tpsclient tests to work
docker exec pki pki-server tps-config-set \
channel.scp01.no.le.byte true

# restart TPS subsystem
docker exec pki pki-server tps-redeploy --wait

Expand Up @@ -2471,6 +2471,51 @@ public static List<byte[]> exportSharedSecret(String nickname, java.security.cer
return listWrappedKeys;
}

public static List<byte[]> exportSharedSecretWithAES(String nickname, java.security.cert.X509Certificate wrappingCert,
SymmetricKey wrappingKey,boolean useOAEPKeyWrap) throws Exception {

CryptoManager cm = CryptoManager.getInstance();
CryptoToken token = cm.getInternalKeyStorageToken();
String method = "CrytoUtil.exportSharedSecret";
List<byte[]> listWrappedKeys = new ArrayList<byte[]>();

logger.debug(method + " nickname: " + nickname);

SymmetricKey sharedSecretKey = null;

try {
sharedSecretKey = getSymKeyByName(token, nickname);
} catch (Exception e) {
logger.debug(method + " can't find shared secret: " + nickname);
throw new IOException("Shared secret " + nickname + " does not exist");
}

PublicKey pub = wrappingCert.getPublicKey();
PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded());

//Wrap the temp AES key with the cert
byte[] wrappedKey = wrapUsingPublicKey(token, pubK, wrappingKey, useOAEPKeyWrap ? KeyWrapAlgorithm.RSA_OAEP: KeyWrapAlgorithm.RSA);

listWrappedKeys.add(wrappedKey);
//Use the AES key to wrap the shared secret

KeyWrapAlgorithm wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
int ivLen = wrapAlg.getBlockSize();
byte[] iv = new byte[ivLen];

IVParameterSpec ivsp = new IVParameterSpec(iv);

byte[] wrappedSharedSecret = wrapUsingSymmetricKey(token, wrappingKey, sharedSecretKey, ivsp, wrapAlg);

listWrappedKeys.add(wrappedSharedSecret);

if (listWrappedKeys.size() != 2) {
throw new IOException("Can't write out shared secret data to export for nickname: " + nickname);
}

return listWrappedKeys;
}

public static void importSharedSecret(byte[] wrappedSessionKey,byte[] wrappedSharedSecret,String subsystemCertNickname,String sharedSecretNickname) throws Exception, NotInitializedException, TokenException,
NoSuchAlgorithmException, ObjectNotFoundException, InvalidKeyException, InvalidAlgorithmParameterException,
IOException {
Expand Down Expand Up @@ -2689,8 +2734,8 @@ public static SymmetricKey unwrapAESSKeyFromBytes(CryptoToken token, byte[] inpu
String method = "CryptoUtil.unwrapAESKeyFromBytes: ";

logger.debug(method + "begins: isPerm: " + isPerm);
//for now assume 128 bits aes
if(inputKeyArray.length > 16) {
//support 128 or 256 bits aes
if(inputKeyArray.length > 32) {
throw new Exception(method + "invalid input data size.");
}
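Review bot: `exportSharedSecretWithAES` wraps the shared secret with `KeyWrapAlgorithm.AES_CBC_PAD` under an all-zero IV (`byte[] iv = new byte[ivLen];`), so the output is deterministic for a given `wrappingKey`. That is tolerable only when the caller always supplies a fresh single-use session key, which nothing in the visible lines enforces; state the requirement in a comment such as `// zero IV is safe only because wrappingKey is a one-time session key`, or, if the import side can be changed with it, use a random IV and export it alongside the two blobs. The `catch (Exception e)` in the same method discards the cause, which `throw new IOException("Shared secret " + nickname + " does not exist", e);` would keep, and the `listWrappedKeys.size() != 2` test cannot fail after two unconditional `add` calls. In the second hunk `inputKeyArray.length > 32` still accepts any shorter length although the comment says 128 or 256 bits; if the array is the raw key, `if (inputKeyArray.length != 16 && inputKeyArray.length != 32) {` matches the comment. The body of `unwrapAESSKeyFromBytes` continues outside the hunk.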

21 changes: 20 additions & 1 deletion base/common/src/main/java/org/dogtagpki/tps/apdu/APDU.java
Expand Up @@ -58,7 +58,9 @@ public enum Type {
APDU_GET_ISSUERINFO,
APDU_GENERATE_KEY_ECC,
APDU_GET_LIFECYCLE,
APDU_CLEAR_KEY_SLOTS
APDU_CLEAR_KEY_SLOTS,
APDU_DELETE_KEYS // ** G&D 256 Key Rollover Support **

}

protected byte cla;
Expand Down Expand Up @@ -154,6 +156,23 @@ public TPSBuffer getEncoding() {
return encoding;
}

// New method for IDEMIA token processing
public TPSBuffer getEncodingWithLength() {

TPSBuffer encoding = new TPSBuffer();

encoding.add(cla);
encoding.add(ins);
encoding.add(p1);
encoding.add(p2);

if (trailer != null) {
encoding.add(trailer);
}

return encoding;
}

public TPSBuffer getDataToMAC() {
TPSBuffer mac = new TPSBuffer();
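Review bot: `getEncodingWithLength()` never adds a length byte or the data field: it emits CLA, INS, P1, P2 and then the trailer if one is set, so neither the name nor the `// New method for IDEMIA token processing` comment describes the bytes produced. If the trailer is what serves as the length byte here, say so in a Javadoc comment, e.g. `/** Encodes the 4-byte header followed by the trailer, if set; data passed to setData() is not included. */`, or rename the method. An APDU that carries data, such as a `SelectAPDU` built with the three-argument constructor, would lose that data silently on this path, which should be either documented or rejected.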

@@ -0,0 +1,34 @@
package org.dogtagpki.tps.apdu;

/**
* ** G&D 256 Key Rollover Support **
*/

import org.dogtagpki.tps.main.TPSBuffer;

public class DeleteKeysAPDU extends APDU {

public DeleteKeysAPDU(TPSBuffer keyVersion) {
setCLA((byte) 0x84);
setINS((byte) 0xE4);
setP1((byte) 0x00);
setP2((byte) 0x00);

TPSBuffer keyData = new TPSBuffer();

keyData.add((byte) 0xD2); // tag for deleting key version
keyData.add((byte) keyVersion.size()); // length of key version
keyData.add(keyVersion); // key version

//CMS.debug("DeleteKeysAPDU: keyData = " + keyData.toHexString());

setData(keyData);

}

@Override
public APDU.Type getType() {
return APDU.Type.APDU_DELETE_KEYS;

}
}
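Review bot: The constructor writes `(byte) keyVersion.size()` as the TLV length without checking `keyVersion`, so a null argument fails with a NullPointerException and a buffer longer than 255 bytes yields a length byte that no longer matches the data that follows. A guard at the top, `if (keyVersion == null || keyVersion.size() > 0xFF) throw new IllegalArgumentException("keyVersion");`, makes the failure explicit before a malformed delete command is built. The commented-out `//CMS.debug(...)` line can be dropped. The `G&D 256 Key Rollover Support` Javadoc block sits between `package` and `import`, where it documents nothing; moved onto the class it could say which keys the command deletes.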
12 changes: 12 additions & 0 deletions base/common/src/main/java/org/dogtagpki/tps/apdu/SelectAPDU.java
Expand Up @@ -30,6 +30,18 @@ public SelectAPDU(byte p1, byte p2, TPSBuffer theData)
setP1(p1);
setP2(p2);
setData(theData);
// Add trailer byte
TPSBuffer trailer = new TPSBuffer(1);
setTrailer(trailer);
}

// This constructor is used to make a card mgr request with no data
public SelectAPDU(byte p1, byte p2)
{
setCLA((byte) 0x00);
setINS((byte) 0xa4);
setP1(p1);
setP2(p2);
}

@Override
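Review bot: The three-argument constructor now always attaches a trailer built with `new TPSBuffer(1)`, and the comment `// Add trailer byte` does not say what that byte is or why every existing caller of this constructor should get it. If it is meant as a zero Le byte, write that, e.g. `// Le = 0x00 trailer`, and confirm that `TPSBuffer(int)` yields one zero byte rather than an empty buffer with capacity 1. The new two-argument constructor sets no trailer, so the two constructors encode differently under `getEncodingWithLength()`; a line of Javadoc on each would show that the difference is intended.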
Expand Up @@ -68,7 +68,8 @@ public enum TPSStatus {
STATUS_ERROR_REVOKE_CERTIFICATES_FAILED(42),
STATUS_ERROR_NOT_TOKEN_OWNER(43),
STATUS_RENEWAL_IS_PROCESSED(44),
STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45);
STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45),
STATUS_ERROR_SYMKEY_256_UPGRADE(46); // ** G&D 256 Key Rollover Support **

private TPSStatus(int code) {
this.code = code;
Expand Up @@ -42,6 +42,34 @@ public TokenPDURequestMsg(APDU apdu) {

}

// This constructor is used to add a length byte to the apdu
public TokenPDURequestMsg(APDU apdu, boolean addLength) {

put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_TOKEN_PDU_REQUEST));

TPSBuffer encoding = null;

if (apdu != null) {

if (addLength)
{
encoding = apdu.getEncodingWithLength();
}
else
{
encoding = apdu.getEncoding();
}

int apduSize = encoding.size();

String apdu_value = Util.uriEncodeInHex(encoding.toBytesArray());

put(PDU_SIZE_NAME, apduSize);
put(PDU_DATA_NAME, apdu_value);
}

}

public static void main(String[] args) {

SelectAPDU apdu = null;
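Review bot: The new `TokenPDURequestMsg(APDU apdu, boolean addLength)` repeats the message-building steps and differs only in which encoding method it calls; if the one-argument constructor (whose body is outside this hunk) does the same with `getEncoding()`, it could become `this(apdu, false);` so the two cannot drift apart. The comment says a length byte is added, but `getEncodingWithLength()` as added in this pull request appends the trailer, not a length, so the wording should follow whatever that method is documented to do. A null `apdu` silently produces a message with no PDU fields, which deserves a sentence in the constructor's Javadoc.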
Expand Up @@ -161,6 +161,11 @@ private void processServerSideKeyGen(HttpServletRequest req,
String rKeytype = req.getParameter(IRemoteRequest.KRA_KEYGEN_KeyType);
String rKeycurve = req.getParameter(IRemoteRequest.KRA_KEYGEN_EC_KeyCurve);

//Optional AES key wrap alg, default KWP anyway.
String rAesWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);
logger.debug("GenerateKeyPairServlet: processServerSideKeygen(): rAesWrapAlg: " + rAesWrapAlg);


//Get trans wrapped aes session key if provided.
String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);

Expand Down Expand Up @@ -241,6 +246,10 @@ private void processServerSideKeyGen(HttpServletRequest req,
thisreq.setExtData(Request.NETKEY_ATTR_KEY_TYPE, rKeytype);
thisreq.setExtData(Request.NETKEY_ATTR_KEY_EC_CURVE, rKeycurve);

if((rAesWrapAlg != null) && (rAesWrapAlg.length() >0)) {
thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,rAesWrapAlg);
}

queue.processRequest(thisreq);
Integer result = thisreq.getExtDataInInteger(Request.RESULT);
if (result != null) {
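Review bot: `rAesWrapAlg` comes straight from the request parameter and is both concatenated into the debug log line and stored with `thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,rAesWrapAlg)` without being checked against the wrap algorithms the KRA supports. Validating it against that fixed set before the `setExtData` call, and rejecting or ignoring anything else, keeps an unexpected value from reaching key wrapping and keeps CR/LF out of the log. The same applies to `aesKeyWrapAlg` in `TokenKeyRecoveryServlet.processTokenKeyRecovery`. Both method bodies start and end outside the hunks shown.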
Expand Up @@ -172,6 +172,7 @@ private void processTokenKeyRecovery(HttpServletRequest req,
boolean missingParam = false;
boolean missingTransAes = false;
boolean missingTransDes = false;
boolean missingAesKeyWrapAlg = false;

String status = "0";

Expand All @@ -182,9 +183,19 @@ private void processTokenKeyRecovery(HttpServletRequest req,
String rKeyid = req.getParameter(IRemoteRequest.KRA_RECOVERY_KEYID);
String rdesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_DesKey);
String rCert = req.getParameter(IRemoteRequest.KRA_RECOVERY_CERT);

//RedHat : make sure the key wrap alg is being processed correctly
String aesKeyWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);


String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);

//RedHat : make sure the key wrap alg is being processed correctly
if ((aesKeyWrapAlg == null) || (aesKeyWrapAlg.equals(""))) {
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: AES-KeyWrap-alg");
missingAesKeyWrapAlg = true;
}

if ((rCUID == null) || (rCUID.equals(""))) {
logger.warn("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: CUID");
missingParam = true;
Expand Down Expand Up @@ -231,6 +242,12 @@ private void processTokenKeyRecovery(HttpServletRequest req,
thisreq.setExtData(Request.NETKEY_ATTR_DRMTRANS_AES_KEY, raesKeyString);
}

//RedHat : make sure the key wrap alg is being processed correctly
if(!missingAesKeyWrapAlg) {
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): aesKeyWrapAlg: " + aesKeyWrapAlg);
thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,aesKeyWrapAlg);
}

if ((rCert != null) && (!rCert.equals(""))) {
thisreq.setExtData(Request.NETKEY_ATTR_USER_CERT, rCert);
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert");
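Review bot: A missing `AES-KeyWrap-alg` parameter is logged at debug level and the request goes on without it, unlike the CUID check just below, which logs a warning and sets `missingParam`; which algorithm is used in that case is not visible here. If the parameter is optional, say so and name the fallback in one comment in place of the three identical `//RedHat : make sure the key wrap alg is being processed correctly` lines, for example `// optional; when absent the default wrap algorithm applies` if that is what happens downstream. `processTokenKeyRecovery` starts and ends outside the hunks shown.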