Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-26 Thread Fraser Tweedale
On Tue, Apr 11, 2017 at 03:23:18PM -0700, Christina Fu wrote:
> Thank you. Please see review comments:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6
> 
> I will review PKCS12Util later.
> 
> Christina
> 
Updated patch jss-0002 and also created
https://bugzilla.mozilla.org/show_bug.cgi?id=1359731 with some
other JSS patches.

Created Gerrit review branch for Dogtag patches:
https://review.gerrithub.io/#/c/358634/.  This includes patch
pki-0178 and also a new patch to change KRA PKCS #12 recovery to use
AES, which depends on the new JSS patches linked above.

Thanks,
Fraser

> 
> On 04/10/2017 11:30 PM, Fraser Tweedale wrote:
> > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:
> > > Hi Fraser,
> > > 
> > > Could you please do the following first?
> > > 
> > > 1.  file a Mozilla bugzilla bug for this against Product JSS Release 
> > > 4.4.1,
> > > then assign to yourself:
> > > https://bugzilla.mozilla.org/
> > > 2. After making sure your patch compiles well with the 4.4.1 base, attach
> > > the patch to that ticket, and mark reviewers
> > > 
> > > thanks!
> > > 
> > > Christina
> > > 
> > Thanks Christina, I filed
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1355358
> > 
> > I was unable to assign myself to the bug ('Assignee' field is not
> > active when I go to Edit Bug).
> > 
> > Also not sure how to "mark reviewers".  I added you and Elio to Cc
> > though.
> > 
> > Thanks,
> > Fraser
> > 
> > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote:
> > > > Hi team,
> > > > 
> > > > Please review attached patches for JSS and Dogtag that:
> > > > 
> > > > - add some new EncryptedPrivateKeyInfo export and import functions
> > > > to JSS
> > > > 
> > > > - update Dogtag's `pki pkcs12' command to use the new functions to
> > > > achieve AES encryption of the key bags, with wrapping/unwrapping
> > > > occurring on the token.
> > > > 
> > > > PKCS #12 files produced by current releases continue to import
> > > > properly (of course, this is an important test vector).
> > > > 
> > > > These patches do not address the PKCS #12 KRA recovery export; this
> > > > is my next task and separate patches will be produced.
> > > > 
> > > > Thanks,
> > > > Fraser
> 

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Christina Fu

Thank you. Please see review comments:

https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6

I will review PKCS12Util later.

Christina


On 04/10/2017 11:30 PM, Fraser Tweedale wrote:

On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:

Hi Fraser,

Could you please do the following first?

1.  file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1,
then assign to yourself:
https://bugzilla.mozilla.org/
2. After making sure your patch compiles well with the 4.4.1 base, attach
the patch to that ticket, and mark reviewers

thanks!

Christina


Thanks Christina, I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1355358

I was unable to assign myself to the bug ('Assignee' field is not
active when I go to Edit Bug).

Also not sure how to "mark reviewers".  I added you and Elio to Cc
though.

Thanks,
Fraser


On 04/04/2017 02:56 AM, Fraser Tweedale wrote:

Hi team,

Please review attached patches for JSS and Dogtag that:

- add some new EncryptedPrivateKeyInfo export and import functions
to JSS

- update Dogtag's `pki pkcs12' command to use the new functions to
achieve AES encryption of the key bags, with wrapping/unwrapping
occurring on the token.

PKCS #12 files produced by current releases continue to import
properly (of course, this is an important test vector).

These patches do not address the PKCS #12 KRA recovery export; this
is my next task and separate patches will be produced.

Thanks,
Fraser




Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-11 Thread Fraser Tweedale
On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote:
> Hi Fraser,
> 
> Could you please do the following first?
> 
> 1.  file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1,
> then assign to yourself:
> https://bugzilla.mozilla.org/
> 2. After making sure your patch compiles well with the 4.4.1 base, attach
> the patch to that ticket, and mark reviewers
> 
> thanks!
> 
> Christina
> 
Thanks Christina, I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1355358

I was unable to assign myself to the bug ('Assignee' field is not
active when I go to Edit Bug).

Also not sure how to "mark reviewers".  I added you and Elio to Cc
though.

Thanks,
Fraser

> 
> On 04/04/2017 02:56 AM, Fraser Tweedale wrote:
> > Hi team,
> > 
> > Please review attached patches for JSS and Dogtag that:
> > 
> > - add some new EncryptedPrivateKeyInfo export and import functions
> >   to JSS
> > 
> > - update Dogtag's `pki pkcs12' command to use the new functions to
> >   achieve AES encryption of the key bags, with wrapping/unwrapping
> >   occurring on the token.
> > 
> > PKCS #12 files produced by current releases continue to import
> > properly (of course, this is an important test vector).
> > 
> > These patches do not address the PKCS #12 KRA recovery export; this
> > is my next task and separate patches will be produced.
> > 
> > Thanks,
> > Fraser
> 



Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-06 Thread Christina Fu

Hi Fraser,

Could you please do the following first?

1.  file a Mozilla bugzilla bug for this against Product JSS Release 
4.4.1, then assign to yourself:

https://bugzilla.mozilla.org/
2. After making sure your patch compiles well with the 4.4.1 base, 
attach the patch to that ticket, and mark reviewers


thanks!

Christina


On 04/04/2017 02:56 AM, Fraser Tweedale wrote:

Hi team,

Please review attached patches for JSS and Dogtag that:

- add some new EncryptedPrivateKeyInfo export and import functions
   to JSS

- update Dogtag's `pki pkcs12' command to use the new functions to
   achieve AES encryption of the key bags, with wrapping/unwrapping
   occurring on the token.

PKCS #12 files produced by current releases continue to import
properly (of course, this is an important test vector).

These patches do not address the PKCS #12 KRA recovery export; this
is my next task and separate patches will be produced.

Thanks,
Fraser




[Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption

2017-04-04 Thread Fraser Tweedale
Hi team,

Please review attached patches for JSS and Dogtag that:

- add some new EncryptedPrivateKeyInfo export and import functions
  to JSS

- update Dogtag's `pki pkcs12' command to use the new functions to
  achieve AES encryption of the key bags, with wrapping/unwrapping
  occurring on the token.

PKCS #12 files produced by current releases continue to import
properly (of course, this is an important test vector).

These patches do not address the PKCS #12 KRA recovery export; this
is my next task and separate patches will be produced.

Thanks,
Fraser
From de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Mon, 3 Apr 2017 11:07:24 +1000
Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms

---
 org/mozilla/jss/crypto/Algorithm.c  |  8 +++-
 org/mozilla/jss/crypto/Algorithm.h  |  2 +-
 org/mozilla/jss/crypto/Algorithm.java   |  8 
 org/mozilla/jss/crypto/EncryptionAlgorithm.java | 18 --
 4 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/org/mozilla/jss/crypto/Algorithm.c 
b/org/mozilla/jss/crypto/Algorithm.c
index 
8679eadca573fdb2bc7903c3e5d0a1a05d4bbd2f..d32bcad469c45c9edcdd5bedfa5e98f2fab0e3a2
 100644
--- a/org/mozilla/jss/crypto/Algorithm.c
+++ b/org/mozilla/jss/crypto/Algorithm.c
@@ -86,7 +86,13 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
 /* 55 */{SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
 /* 56 */{SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
 /* 57 */{CKM_NSS_AES_KEY_WRAP, PK11_MECH},
-/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}
+/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH},
+/* 59 */{SEC_OID_AES_128_ECB, SEC_OID_TAG},
+/* 60 */{SEC_OID_AES_128_CBC, SEC_OID_TAG},
+/* 61 */{SEC_OID_AES_192_ECB, SEC_OID_TAG},
+/* 62 */{SEC_OID_AES_192_CBC, SEC_OID_TAG},
+/* 63 */{SEC_OID_AES_256_ECB, SEC_OID_TAG},
+/* 64 */{SEC_OID_AES_256_CBC, SEC_OID_TAG}
 /* REMEMBER TO UPDATE NUM_ALGS!!! */
 };
 
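Review bot: rows `/* 59 */`, `/* 61 */` and `/* 63 */` add the three ECB tags next to the CBC ones, but the commit has a subject line only and no body saying which callers need ECB. Please add a short message body stating what each group of tags is used for, so a later reader can tell whether the ECB rows are required by the PKCS #12 key bag work or were added for completeness.
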
diff --git a/org/mozilla/jss/crypto/Algorithm.h 
b/org/mozilla/jss/crypto/Algorithm.h
index 
ec2dddb76e66187fce29051069d84293315199f0..c18623185184590799c3c2e0f0627579661051f7
 100644
--- a/org/mozilla/jss/crypto/Algorithm.h
+++ b/org/mozilla/jss/crypto/Algorithm.h
@@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr {
 JSS_AlgType type;
 } JSS_AlgInfo;
 
-#define NUM_ALGS 59
+#define NUM_ALGS 65
 
 extern JSS_AlgInfo JSS_AlgTable[];
 extern CK_ULONG JSS_symkeyUsage[];
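Review bot: `#define NUM_ALGS 65` is correct for rows 0 through 64, but it is still a hand-maintained count kept in a different file from the table it sizes. Because the table is declared as `JSS_AlgTable[NUM_ALGS]`, a count that is too large compiles cleanly and leaves zero-filled trailing rows. Consider declaring the table without an explicit size in Algorithm.c and adding a compile-time check of its element count against NUM_ALGS, so the `REMEMBER TO UPDATE NUM_ALGS!!!` comment is not the only safeguard.
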
diff --git a/org/mozilla/jss/crypto/Algorithm.java 
b/org/mozilla/jss/crypto/Algorithm.java
index 
919c2ece0608418015a2f05e7c363cdd70a2b16a..1818bd4703b8d55ae81a64d468a5ade890b21382
 100644
--- a/org/mozilla/jss/crypto/Algorithm.java
+++ b/org/mozilla/jss/crypto/Algorithm.java
@@ -212,4 +212,12 @@ public class Algorithm {
 protected static final short 
SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
 protected static final short CKM_NSS_AES_KEY_WRAP=57;
 protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
+
+// AES Encryption Algorithms
+protected static final short SEC_OID_AES_128_ECB = 59;
+protected static final short SEC_OID_AES_128_CBC = 60;
+protected static final short SEC_OID_AES_192_ECB = 61;
+protected static final short SEC_OID_AES_192_CBC = 62;
+protected static final short SEC_OID_AES_256_ECB = 63;
+protected static final short SEC_OID_AES_256_CBC = 64;
 }
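Review bot: the comment `// AES Encryption Algorithms` above the new constants does not document that the values 59 to 64 are row indices into JSS_AlgTable in Algorithm.c and must stay in step with it. Please say so in the comment, since a mismatch here would silently select a different algorithm row. Minor style point: the new lines use `= 59` with spaces, while the existing lines just above use `=57` and `=58`; pick one form for the block.
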
diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java 
b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
index 
db10305c14f7c5d75920624c1243feae09b0c92a..8e389b47035d51f073a9005756aed0cde915e024
 100644
--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java
+++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
@@ -347,12 +347,14 @@ public class EncryptionAlgorithm extends Algorithm {
 { 2, 16, 840, 1, 101, 3, 4, 1 } );
 
 public static final EncryptionAlgorithm
-AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
+AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB,
+Alg.AES, Mode.ECB,
 Padding.NONE, (Class)null, 16,
 AES_ROOT_OID.subBranch(1), 128);
 
 public static final EncryptionAlgorithm
-AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC,
+AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC,
+Alg.AES, Mode.CBC,
 Padding.NONE, IVParameterSpecClasses, 16,
 AES_ROOT_OID.subBranch(2), 128);
 
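Review bot: the first constructor argument of the existing public constants AES_128_ECB and AES_128_CBC changes from a `CKM_` mechanism constant to a `SEC_OID_` tag constant, and the commit message does not explain the effect on code that already uses these constants for encryption. The new table rows are typed SEC_OID_TAG, so please confirm that the native lookup still resolves them to the right PKCS #11 mechanism for cipher operations, and note in the commit message how existing users of AES_128_ECB and AES_128_CBC were tested.
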
@@ -361,11 +363,13 @@ public class EncryptionAlgorithm extends Algorithm {
 Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid
 
 public static final EncryptionAlgorithm
-AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
+AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB,
+Alg.AES, Mode.ECB,
 Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192);
 
 public static final EncryptionAlgorithm
-AES_192_CBC =