Ticket: Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS
mode for SCP03.
From de74c600391473759bec495dc4ccafda787959bd Mon Sep 17 00:00:00 2001
From: Jack Magne <[email protected]>
Date: Fri, 2 Jun 2017 15:40:52 -0700
Subject: [PATCH] Resolve #1663 Add SCP03 support .
This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
---
.../netscape/cms/servlet/tks/NistSP800_108KDF.java | 28 +++++++++++++---------
.../server/tps/channel/SecureChannel.java | 7 +++---
.../server/tps/processor/TPSProcessor.java | 4 ++++
3 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
index 9e079aa..2d9e963 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
@@ -9,13 +9,6 @@ import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.CommandLineParser;
-import org.apache.commons.cli.DefaultParser;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.AlreadyInitializedException;
import org.mozilla.jss.crypto.BadPaddingException;
import org.mozilla.jss.crypto.Cipher;
import org.mozilla.jss.crypto.CryptoToken;
@@ -468,7 +461,7 @@ public class NistSP800_108KDF extends KDF {
// Collection of informal invocations of api used to create various session keys
// Done with test data.
public static void main(String[] args) {
-
+/*
Options options = new Options();
options.addOption("d", true, "Directory for tokendb");
@@ -480,16 +473,29 @@ public class NistSP800_108KDF extends KDF {
(byte) 0x47, (byte) 0x48, (byte) 0x49, (byte) 0x4a, (byte) 0x4b, (byte) 0x4c, (byte) 0x4d, (byte) 0x4e,
(byte) 0x4f };
+
+ byte devKeyGem[] = { (byte) 0x47, (byte) 0x45, (byte) 0x4d, (byte) 0x58, (byte) 0x50, (byte) 0x52, (byte) 0x45,
+ (byte) 0x53, (byte) 0x53, (byte) 0x4f, (byte) 0x53, (byte) 0x41, (byte) 0x4d, (byte) 0x50, (byte) 0x4c,
+ (byte) 0x45 };
+
byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 };
byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 };
+ byte test_kdd_gem[] = {};
+
+
byte test_host_challenge[] = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 };
byte test_card_challenge[] = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89};
byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB };
byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 };
+
+ byte test_host_challenge_gem[] = {(byte)0x5F, 02 ,(byte) 0x8A , 0x17, 0x35,(byte) 0x0B ,0x33,(byte) 0xA6};
+ byte test_card_challenge_gem[] = { 0x7C,(byte) 0x81,(byte) 0xCB, 0x2D,(byte) 0xA2,(byte) 0xD4, 0x6B,(byte) 0xA9 };
+
+
byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 };
byte test_old_key_info[] = {0x01,0x03,0x00};
@@ -525,8 +531,8 @@ public class NistSP800_108KDF extends KDF {
SymmetricKey masterKey = SecureChannelProtocol.getSymKeyByName(token,"new_master");
GPParams params = new GPParams();
- params.setVersion1DiversificationScheme("emv");
- params.setDiversificationScheme("emv");
+ params.setVersion1DiversificationScheme("visa2");
+ params.setDiversificationScheme("visa2");
params.setDevKeyType(GPParams.AES);
params.setMasterKeyType(GPParams.AES);
@@ -576,6 +582,6 @@ public class NistSP800_108KDF extends KDF {
System.err.println("JSS error!" + e);
System.exit(1);
}
-
+*/
}
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
index 5e5646b..3b80f27 100644
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
@@ -421,10 +421,11 @@ public class SecureChannel {
throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
}
- CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() );
+ if(cardCryptogram != null)
+ CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
- CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
- CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
+ if(calculatedCardCryptogram != null)
+ CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
ExternalAuthenticateAPDUGP211 externalAuth = new ExternalAuthenticateAPDUGP211(hostCryptogram,
/* secLevel */secLevelGP211);
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 0f96915..e1a5748 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -957,6 +957,10 @@ public class TPSProcessor {
kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
+ CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03);
+ CMS.debug(" macSessionKeySCP03 " + macSessionKeySCP03);
+ CMS.debug(" kekSessionKeySCP03 " + kekSessionKeySCP03);
+
channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,
drmDesKeyBuff, kekDesKeyBuff,
keyCheckBuff, keyDiversificationData, cardChallenge,
--
2.5.0
_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel
