Skip to content

Commit

Permalink
Address Test Port final TMS fixes for rhel7 to master branch, phase 2…
Browse files Browse the repository at this point in the history
…, RHCS-5403 (#4894)

This checkin coincides with the final sub task of porting the rhel7 tms to the master branch.

Once this code makes it to the testing phase, every feature present in the lastest version of the rhel7 tms
system should be present in any releases taken from the master branch.

Add some more TPS CS.cfg comments for newer features.
Fix tps docker test to include the cfg variable needed to allow tpsclient enrollments to complete.
Update call to CryptoUtil.exportSharedSecretWithAES in TPSConnectorProcessor.java to reflect change to
TPSConnectorService.java.

Addresss github code security concerns.
Change-Id: I7c98ddeffafd912debb908c9efc7a6bb591807ee
  • Loading branch information
jmagne authored Nov 7, 2024
1 parent 9cad746 commit 847ddbc
Show file tree
Hide file tree
Showing 34 changed files with 3,905 additions and 2,168 deletions.
6 changes: 5 additions & 1 deletion .github/workflows/tps-basic-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -278,7 +278,7 @@ jobs:
--pkcs12-password Secret.123
docker exec pki pki -n caadmin tps-user-show tpsadmin
- name: Set up TPS authentication
- name: Set up TPS authentication and misc cfg settings
run: |
# import sample TPS users
docker exec pki ldapadd \
Expand All @@ -297,6 +297,10 @@ jobs:
auths.instance.ldap1.ldap.basedn \
ou=people,dc=example,dc=com
# configure TPS to allow tpsclient tests to work
docker exec pki pki-server tps-config-set \
channel.scp01.no.le.byte true
# restart TPS subsystem
docker exec pki pki-server tps-redeploy --wait
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2471,6 +2471,51 @@ public static List<byte[]> exportSharedSecret(String nickname, java.security.cer
return listWrappedKeys;
}

public static List<byte[]> exportSharedSecretWithAES(String nickname, java.security.cert.X509Certificate wrappingCert,
SymmetricKey wrappingKey,boolean useOAEPKeyWrap) throws Exception {

CryptoManager cm = CryptoManager.getInstance();
CryptoToken token = cm.getInternalKeyStorageToken();
String method = "CrytoUtil.exportSharedSecret";
List<byte[]> listWrappedKeys = new ArrayList<byte[]>();

logger.debug(method + " nickname: " + nickname);

SymmetricKey sharedSecretKey = null;

try {
sharedSecretKey = getSymKeyByName(token, nickname);
} catch (Exception e) {
logger.debug(method + " can't find shared secret: " + nickname);
throw new IOException("Shared secret " + nickname + " does not exist");
}

PublicKey pub = wrappingCert.getPublicKey();
PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded());

//Wrap the temp AES key with the cert
byte[] wrappedKey = wrapUsingPublicKey(token, pubK, wrappingKey, useOAEPKeyWrap ? KeyWrapAlgorithm.RSA_OAEP: KeyWrapAlgorithm.RSA);

listWrappedKeys.add(wrappedKey);
//Use the AES key to wrap the shared secret

KeyWrapAlgorithm wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
int ivLen = wrapAlg.getBlockSize();
byte[] iv = new byte[ivLen];

IVParameterSpec ivsp = new IVParameterSpec(iv);

byte[] wrappedSharedSecret = wrapUsingSymmetricKey(token, wrappingKey, sharedSecretKey, ivsp, wrapAlg);

listWrappedKeys.add(wrappedSharedSecret);

if (listWrappedKeys.size() != 2) {
throw new IOException("Can't write out shared secret data to export for nickname: " + nickname);
}

return listWrappedKeys;
}

public static void importSharedSecret(byte[] wrappedSessionKey,byte[] wrappedSharedSecret,String subsystemCertNickname,String sharedSecretNickname) throws Exception, NotInitializedException, TokenException,
NoSuchAlgorithmException, ObjectNotFoundException, InvalidKeyException, InvalidAlgorithmParameterException,
IOException {
Expand Down Expand Up @@ -2689,8 +2734,8 @@ public static SymmetricKey unwrapAESSKeyFromBytes(CryptoToken token, byte[] inpu
String method = "CryptoUtil.unwrapAESKeyFromBytes: ";

logger.debug(method + "begins: isPerm: " + isPerm);
//for now assume 128 bits aes
if(inputKeyArray.length > 16) {
//support 128 or 256 bits aes
if(inputKeyArray.length > 32) {
throw new Exception(method + "invalid input data size.");
}

Expand Down
21 changes: 20 additions & 1 deletion base/common/src/main/java/org/dogtagpki/tps/apdu/APDU.java
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,9 @@ public enum Type {
APDU_GET_ISSUERINFO,
APDU_GENERATE_KEY_ECC,
APDU_GET_LIFECYCLE,
APDU_CLEAR_KEY_SLOTS
APDU_CLEAR_KEY_SLOTS,
APDU_DELETE_KEYS // ** G&D 256 Key Rollover Support **

}

protected byte cla;
Expand Down Expand Up @@ -154,6 +156,23 @@ public TPSBuffer getEncoding() {
return encoding;
}

// New method for IDEMIA token processing
public TPSBuffer getEncodingWithLength() {

TPSBuffer encoding = new TPSBuffer();

encoding.add(cla);
encoding.add(ins);
encoding.add(p1);
encoding.add(p2);

if (trailer != null) {
encoding.add(trailer);
}

return encoding;
}

public TPSBuffer getDataToMAC() {
TPSBuffer mac = new TPSBuffer();

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package org.dogtagpki.tps.apdu;

/**
* ** G&D 256 Key Rollover Support **
*/

import org.dogtagpki.tps.main.TPSBuffer;

public class DeleteKeysAPDU extends APDU {

public DeleteKeysAPDU(TPSBuffer keyVersion) {
setCLA((byte) 0x84);
setINS((byte) 0xE4);
setP1((byte) 0x00);
setP2((byte) 0x00);

TPSBuffer keyData = new TPSBuffer();

keyData.add((byte) 0xD2); // tag for deleting key version
keyData.add((byte) keyVersion.size()); // length of key version
keyData.add(keyVersion); // key version

//CMS.debug("DeleteKeysAPDU: keyData = " + keyData.toHexString());

setData(keyData);

}

@Override
public APDU.Type getType() {
return APDU.Type.APDU_DELETE_KEYS;

}
}
12 changes: 12 additions & 0 deletions base/common/src/main/java/org/dogtagpki/tps/apdu/SelectAPDU.java
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,18 @@ public SelectAPDU(byte p1, byte p2, TPSBuffer theData)
setP1(p1);
setP2(p2);
setData(theData);
// Add trailer byte
TPSBuffer trailer = new TPSBuffer(1);
setTrailer(trailer);
}

// This constructor is used to make a card mgr request with no data
public SelectAPDU(byte p1, byte p2)
{
setCLA((byte) 0x00);
setINS((byte) 0xa4);
setP1(p1);
setP2(p2);
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,8 @@ public enum TPSStatus {
STATUS_ERROR_REVOKE_CERTIFICATES_FAILED(42),
STATUS_ERROR_NOT_TOKEN_OWNER(43),
STATUS_RENEWAL_IS_PROCESSED(44),
STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45);
STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45),
STATUS_ERROR_SYMKEY_256_UPGRADE(46); // ** G&D 256 Key Rollover Support **

private TPSStatus(int code) {
this.code = code;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,34 @@ public TokenPDURequestMsg(APDU apdu) {

}

// This constructor is used to add a length byte to the apdu
public TokenPDURequestMsg(APDU apdu, boolean addLength) {

put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_TOKEN_PDU_REQUEST));

TPSBuffer encoding = null;

if (apdu != null) {

if (addLength)
{
encoding = apdu.getEncodingWithLength();
}
else
{
encoding = apdu.getEncoding();
}

int apduSize = encoding.size();

String apdu_value = Util.uriEncodeInHex(encoding.toBytesArray());

put(PDU_SIZE_NAME, apduSize);
put(PDU_DATA_NAME, apdu_value);
}

}

public static void main(String[] args) {

SelectAPDU apdu = null;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,11 @@ private void processServerSideKeyGen(HttpServletRequest req,
String rKeytype = req.getParameter(IRemoteRequest.KRA_KEYGEN_KeyType);
String rKeycurve = req.getParameter(IRemoteRequest.KRA_KEYGEN_EC_KeyCurve);

//Optional AES key wrap alg, default KWP anyway.
String rAesWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);
logger.debug("GenerateKeyPairServlet: processServerSideKeygen(): rAesWrapAlg: " + rAesWrapAlg);


//Get trans wrapped aes session key if provided.
String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);

Expand Down Expand Up @@ -241,6 +246,10 @@ private void processServerSideKeyGen(HttpServletRequest req,
thisreq.setExtData(Request.NETKEY_ATTR_KEY_TYPE, rKeytype);
thisreq.setExtData(Request.NETKEY_ATTR_KEY_EC_CURVE, rKeycurve);

if((rAesWrapAlg != null) && (rAesWrapAlg.length() >0)) {
thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,rAesWrapAlg);
}

queue.processRequest(thisreq);
Integer result = thisreq.getExtDataInInteger(Request.RESULT);
if (result != null) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,7 @@ private void processTokenKeyRecovery(HttpServletRequest req,
boolean missingParam = false;
boolean missingTransAes = false;
boolean missingTransDes = false;
boolean missingAesKeyWrapAlg = false;

String status = "0";

Expand All @@ -182,9 +183,19 @@ private void processTokenKeyRecovery(HttpServletRequest req,
String rKeyid = req.getParameter(IRemoteRequest.KRA_RECOVERY_KEYID);
String rdesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_DesKey);
String rCert = req.getParameter(IRemoteRequest.KRA_RECOVERY_CERT);

//RedHat : make sure the key wrap alg is being processed correctly
String aesKeyWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);


String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);

//RedHat : make sure the key wrap alg is being processed correctly
if ((aesKeyWrapAlg == null) || (aesKeyWrapAlg.equals(""))) {
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: AES-KeyWrap-alg");
missingAesKeyWrapAlg = true;
}

if ((rCUID == null) || (rCUID.equals(""))) {
logger.warn("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: CUID");
missingParam = true;
Expand Down Expand Up @@ -231,6 +242,12 @@ private void processTokenKeyRecovery(HttpServletRequest req,
thisreq.setExtData(Request.NETKEY_ATTR_DRMTRANS_AES_KEY, raesKeyString);
}

//RedHat : make sure the key wrap alg is being processed correctly
if(!missingAesKeyWrapAlg) {
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): aesKeyWrapAlg: " + aesKeyWrapAlg);
thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,aesKeyWrapAlg);
}

if ((rCert != null) && (!rCert.equals(""))) {
thisreq.setExtData(Request.NETKEY_ATTR_USER_CERT, rCert);
logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert");
Expand Down
Loading

0 comments on commit 847ddbc

Please sign in to comment.