Aes v11.4 #4555
Merged
Aes v11.4 #4555
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…t HSM / FIPS environment, original bug: Fix: Bug 2025110 - Get TMS working on latest HSM / FIPS environment (dogtagpki#3949) This bug has 2 goals. The first is to get the shared secret key importation from the tks to tps working. Also this goal invloves making the shared secret key AES instead of soon to be purged DES3. The second goad was to get full server side keygen enrollment working under this strict environment. This goal won't be in the commit due to the fact that this requires some work on the coolkey token applet, which is to com. For my testing I used full PSS and OAEP support. PSS is invoked by setting the "usePSS=true" setting in the pkispawn config file. Also for both tks and tps,after creating, we must set the keyWrap.useOAEP=true setting in the CS.cfg of both tks and tps. Add some review comment changes. Port to 11.4 branch.
…st HSM / FIPS environment [RHCS 10.4]. (dogtagpki#4451) This fix allows the latest HSM / FIPS environment to successfully complete a token enrollment including server side keygen functionality. This is accomplished with TMS code and applet code that allows SCP03 tokens alone the ability to inject a private key onto the tok using the AEK_KEYWRAP_KWP algorithm. This fix includes a new applet that must be used for scp03 tokens. base/tps/shared/applets/1.5.64260792.ijc The CS.cfg must be configured to use this applet as follows: op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for enrollment and, op.format.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for format. Note any other profiles including external registration must be configured to use this applet if put into play. Note: The following must be configured in the TPS's server.xml to extend the timeout from the client as per this example: connectionTimeout="-1" for each connector SSL or non SSL. This is required since the KWP implementation takes a bit longer to unwrap the keys(s) onto the token than previously. Tested with a full FIPS / latest HSM box using PSS and OAEP for all subsystems. OAEP should be required with PSS optional. Tested with the g&d 7.0 smart cafe SCP03 using a max of 3072 bit keys due to the limitations of the token itself.
|
Kudos, SonarCloud Quality Gate passed! |
|
Pushing since this code reviewed already on CC branch. |
jmagne
added a commit
to jmagne/pki
that referenced
this pull request
Sep 22, 2023
* Junk change to pki.spec. * Fix: Bug Bug 2142908 - add AES support for TMS Shared Secret on latest HSM / FIPS environment, original bug: Fix: Bug 2025110 - Get TMS working on latest HSM / FIPS environment (dogtagpki#3949) This bug has 2 goals. The first is to get the shared secret key importation from the tks to tps working. Also this goal invloves making the shared secret key AES instead of soon to be purged DES3. The second goad was to get full server side keygen enrollment working under this strict environment. This goal won't be in the commit due to the fact that this requires some work on the coolkey token applet, which is to com. For my testing I used full PSS and OAEP support. PSS is invoked by setting the "usePSS=true" setting in the pkispawn config file. Also for both tks and tps,after creating, we must set the keyWrap.useOAEP=true setting in the CS.cfg of both tks and tps. Add some review comment changes. Port to 11.4 branch. * Fix Bug 2180922 - add AES support for TMS server-side keygen on latest HSM / FIPS environment [RHCS 10.4]. (dogtagpki#4451) This fix allows the latest HSM / FIPS environment to successfully complete a token enrollment including server side keygen functionality. This is accomplished with TMS code and applet code that allows SCP03 tokens alone the ability to inject a private key onto the tok using the AEK_KEYWRAP_KWP algorithm. This fix includes a new applet that must be used for scp03 tokens. base/tps/shared/applets/1.5.64260792.ijc The CS.cfg must be configured to use this applet as follows: op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for enrollment and, op.format.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for format. Note any other profiles including external registration must be configured to use this applet if put into play. Note: The following must be configured in the TPS's server.xml to extend the timeout from the client as per this example: connectionTimeout="-1" for each connector SSL or non SSL. This is required since the KWP implementation takes a bit longer to unwrap the keys(s) onto the token than previously. Tested with a full FIPS / latest HSM box using PSS and OAEP for all subsystems. OAEP should be required with PSS optional. Tested with the g&d 7.0 smart cafe SCP03 using a max of 3072 bit keys due to the limitations of the token itself. --------- Co-authored-by: Jack Magne <jmagne@localhost.localdomain>
jmagne
added a commit
that referenced
this pull request
Sep 26, 2023
* Junk change to pki.spec. * Fix: Bug Bug 2142908 - add AES support for TMS Shared Secret on latest HSM / FIPS environment, original bug: Fix: Bug 2025110 - Get TMS working on latest HSM / FIPS environment (#3949) This bug has 2 goals. The first is to get the shared secret key importation from the tks to tps working. Also this goal invloves making the shared secret key AES instead of soon to be purged DES3. The second goad was to get full server side keygen enrollment working under this strict environment. This goal won't be in the commit due to the fact that this requires some work on the coolkey token applet, which is to com. For my testing I used full PSS and OAEP support. PSS is invoked by setting the "usePSS=true" setting in the pkispawn config file. Also for both tks and tps,after creating, we must set the keyWrap.useOAEP=true setting in the CS.cfg of both tks and tps. Add some review comment changes. Port to 11.4 branch. * Fix Bug 2180922 - add AES support for TMS server-side keygen on latest HSM / FIPS environment [RHCS 10.4]. (#4451) This fix allows the latest HSM / FIPS environment to successfully complete a token enrollment including server side keygen functionality. This is accomplished with TMS code and applet code that allows SCP03 tokens alone the ability to inject a private key onto the tok using the AEK_KEYWRAP_KWP algorithm. This fix includes a new applet that must be used for scp03 tokens. base/tps/shared/applets/1.5.64260792.ijc The CS.cfg must be configured to use this applet as follows: op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for enrollment and, op.format.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for format. Note any other profiles including external registration must be configured to use this applet if put into play. Note: The following must be configured in the TPS's server.xml to extend the timeout from the client as per this example: connectionTimeout="-1" for each connector SSL or non SSL. This is required since the KWP implementation takes a bit longer to unwrap the keys(s) onto the token than previously. Tested with a full FIPS / latest HSM box using PSS and OAEP for all subsystems. OAEP should be required with PSS optional. Tested with the g&d 7.0 smart cafe SCP03 using a max of 3072 bit keys due to the limitations of the token itself. --------- Co-authored-by: Jack Magne <jmagne@localhost.localdomain>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.