Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption
On Tue, Apr 11, 2017 at 03:23:18PM -0700, Christina Fu wrote: > Thank you. Please see review comments: > > https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6 > > I will review PKCS12Util later. > > Christina > Updated patch jss-0002 and also created https://bugzilla.mozilla.org/show_bug.cgi?id=1359731 with some other JSS patches. Created Gerrit review branch for Dogtag patches: https://review.gerrithub.io/#/c/358634/. This includes patch pki-0178 and also a new patch to change KRA PKCS #12 recovery to use AES, which depends on the new JSS patches linked above. Thanks, Fraser > > On 04/10/2017 11:30 PM, Fraser Tweedale wrote: > > On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: > > > Hi Fraser, > > > > > > Could you please do the following first? > > > > > > 1. file a Mozilla bugzilla bug for this against Product JSS Release > > > 4.4.1, > > > then assign to yourself: > > > https://bugzilla.mozilla.org/ > > > 2. After making sure your patch compiles well with the 4.4.1 base, attach > > > the patch to that ticket, and mark reviewers > > > > > > thanks! > > > > > > Christina > > > > > Thanks Christina, I filed > > https://bugzilla.mozilla.org/show_bug.cgi?id=1355358 > > > > I was unable to assign myself to the bug ('Assignee' field is not > > active when I go to Edit Bug. > > > > Also not sure how to "mark reviewers". I added you and Elio to Cc > > though. > > > > Thanks, > > Fraser > > > > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote: > > > > Hi team, > > > > > > > > Please review attached patches for JSS and Dogtag that: > > > > > > > > - add some new EncryptedPrivateKeyInfo export and import functions > > > > to JSS > > > > > > > > - update Dogtag's `pki pkcs12' command to use the new functions to > > > > achieve AES encryption of the key bags, with wrapping/unwrapping > > > > occurring on the token. > > > > > > > > PKCS #12 files produced by current releases continue to import > > > > properly (of course, this is an important test vector). > > > > > > > > These patches do not address the PKCS #12 KRA recovery export; This > > > > is my next task and separate patches will be produced. > > > > > > > > Thanks, > > > > Fraser > ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption
Thank you. Please see review comments: https://bugzilla.mozilla.org/show_bug.cgi?id=1355358#c6 I will review PKCS12Util later. Christina On 04/10/2017 11:30 PM, Fraser Tweedale wrote: On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: Hi Fraser, Could you please do the following first? 1. file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1, then assign to yourself: https://bugzilla.mozilla.org/ 2. After making sure your patch compiles well with the 4.4.1 base, attach the patch to that ticket, and mark reviewers thanks! Christina Thanks Christina, I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1355358 I was unable to assign myself to the bug ('Assignee' field is not active when I go to Edit Bug. Also not sure how to "mark reviewers". I added you and Elio to Cc though. Thanks, Fraser On 04/04/2017 02:56 AM, Fraser Tweedale wrote: Hi team, Please review attached patches for JSS and Dogtag that: - add some new EncryptedPrivateKeyInfo export and import functions to JSS - update Dogtag's `pki pkcs12' command to use the new functions to achieve AES encryption of the key bags, with wrapping/unwrapping occurring on the token. PKCS #12 files produced by current releases continue to import properly (of course, this is an important test vector). These patches do not address the PKCS #12 KRA recovery export; This is my next task and separate patches will be produced. Thanks, Fraser ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption
On Thu, Apr 06, 2017 at 03:45:55PM -0700, Christina Fu wrote: > Hi Fraser, > > Could you please do the following first? > > 1. file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1, > then assign to yourself: > https://bugzilla.mozilla.org/ > 2. After making sure your patch compiles well with the 4.4.1 base, attach > the patch to that ticket, and mark reviewers > > thanks! > > Christina > Thanks Christina, I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1355358 I was unable to assign myself to the bug ('Assignee' field is not active when I go to Edit Bug. Also not sure how to "mark reviewers". I added you and Elio to Cc though. Thanks, Fraser > > On 04/04/2017 02:56 AM, Fraser Tweedale wrote: > > Hi team, > > > > Please review attached patches for JSS and Dogtag that: > > > > - add some new EncryptedPrivateKeyInfo export and import functions > >to JSS > > > > - update Dogtag's `pki pkcs12' command to use the new functions to > >achieve AES encryption of the key bags, with wrapping/unwrapping > >occurring on the token. > > > > PKCS #12 files produced by current releases continue to import > > properly (of course, this is an important test vector). > > > > These patches do not address the PKCS #12 KRA recovery export; This > > is my next task and separate patches will be produced. > > > > Thanks, > > Fraser > ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
Re: [Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption
Hi Fraser, Could you please do the following first? 1. file a Mozilla bugzilla bug for this against Product JSS Release 4.4.1, then assign to yourself: https://bugzilla.mozilla.org/ 2. After making sure your patch compiles well with the 4.4.1 base, attach the patch to that ticket, and mark reviewers thanks! Christina On 04/04/2017 02:56 AM, Fraser Tweedale wrote: Hi team, Please review attached patches for JSS and Dogtag that: - add some new EncryptedPrivateKeyInfo export and import functions to JSS - update Dogtag's `pki pkcs12' command to use the new functions to achieve AES encryption of the key bags, with wrapping/unwrapping occurring on the token. PKCS #12 files produced by current releases continue to import properly (of course, this is an important test vector). These patches do not address the PKCS #12 KRA recovery export; This is my next task and separate patches will be produced. Thanks, Fraser ___ Pki-devel mailing list Pki-devel@redhat.com https://www.redhat.com/mailman/listinfo/pki-devel
[Pki-devel] [PATCH] pki-0178, jss-0000..0002 - PKCS #12 key bag AES encryption
Hi team, Please review attached patches for JSS and Dogtag that: - add some new EncryptedPrivateKeyInfo export and import functions to JSS - update Dogtag's `pki pkcs12' command to use the new functions to achieve AES encryption of the key bags, with wrapping/unwrapping occurring on the token. PKCS #12 files produced by current releases continue to import properly (of course, this is an important test vector). These patches do not address the PKCS #12 KRA recovery export; This is my next task and separate patches will be produced. Thanks, Fraser From de2d7f049eb4462c7442795a77a8a915ae70d216 Mon Sep 17 00:00:00 2001 From: Fraser TweedaleDate: Mon, 3 Apr 2017 11:07:24 +1000 Subject: [PATCH 0/2] Add SEC_OID mappings for AES ECB/CBC algorithms --- org/mozilla/jss/crypto/Algorithm.c | 8 +++- org/mozilla/jss/crypto/Algorithm.h | 2 +- org/mozilla/jss/crypto/Algorithm.java | 8 org/mozilla/jss/crypto/EncryptionAlgorithm.java | 18 -- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/org/mozilla/jss/crypto/Algorithm.c b/org/mozilla/jss/crypto/Algorithm.c index 8679eadca573fdb2bc7903c3e5d0a1a05d4bbd2f..d32bcad469c45c9edcdd5bedfa5e98f2fab0e3a2 100644 --- a/org/mozilla/jss/crypto/Algorithm.c +++ b/org/mozilla/jss/crypto/Algorithm.c @@ -86,7 +86,13 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = { /* 55 */{SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG}, /* 56 */{SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, /* 57 */{CKM_NSS_AES_KEY_WRAP, PK11_MECH}, -/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH} +/* 58 */{CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}, +/* 59 */{SEC_OID_AES_128_ECB, SEC_OID_TAG}, +/* 60 */{SEC_OID_AES_128_CBC, SEC_OID_TAG}, +/* 61 */{SEC_OID_AES_192_ECB, SEC_OID_TAG}, +/* 62 */{SEC_OID_AES_192_CBC, SEC_OID_TAG}, +/* 63 */{SEC_OID_AES_256_ECB, SEC_OID_TAG}, +/* 64 */{SEC_OID_AES_256_CBC, SEC_OID_TAG} /* REMEMBER TO UPDATE NUM_ALGS!!! */ }; diff --git a/org/mozilla/jss/crypto/Algorithm.h b/org/mozilla/jss/crypto/Algorithm.h index ec2dddb76e66187fce29051069d84293315199f0..c18623185184590799c3c2e0f0627579661051f7 100644 --- a/org/mozilla/jss/crypto/Algorithm.h +++ b/org/mozilla/jss/crypto/Algorithm.h @@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr { JSS_AlgType type; } JSS_AlgInfo; -#define NUM_ALGS 59 +#define NUM_ALGS 65 extern JSS_AlgInfo JSS_AlgTable[]; extern CK_ULONG JSS_symkeyUsage[]; diff --git a/org/mozilla/jss/crypto/Algorithm.java b/org/mozilla/jss/crypto/Algorithm.java index 919c2ece0608418015a2f05e7c363cdd70a2b16a..1818bd4703b8d55ae81a64d468a5ade890b21382 100644 --- a/org/mozilla/jss/crypto/Algorithm.java +++ b/org/mozilla/jss/crypto/Algorithm.java @@ -212,4 +212,12 @@ public class Algorithm { protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56; protected static final short CKM_NSS_AES_KEY_WRAP=57; protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58; + +// AES Encryption Algorithms +protected static final short SEC_OID_AES_128_ECB = 59; +protected static final short SEC_OID_AES_128_CBC = 60; +protected static final short SEC_OID_AES_192_ECB = 61; +protected static final short SEC_OID_AES_192_CBC = 62; +protected static final short SEC_OID_AES_256_ECB = 63; +protected static final short SEC_OID_AES_256_CBC = 64; } diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java b/org/mozilla/jss/crypto/EncryptionAlgorithm.java index db10305c14f7c5d75920624c1243feae09b0c92a..8e389b47035d51f073a9005756aed0cde915e024 100644 --- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java +++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java @@ -347,12 +347,14 @@ public class EncryptionAlgorithm extends Algorithm { { 2, 16, 840, 1, 101, 3, 4, 1 } ); public static final EncryptionAlgorithm -AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, +AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB, +Alg.AES, Mode.ECB, Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(1), 128); public static final EncryptionAlgorithm -AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, +AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC, +Alg.AES, Mode.CBC, Padding.NONE, IVParameterSpecClasses, 16, AES_ROOT_OID.subBranch(2), 128); @@ -361,11 +363,13 @@ public class EncryptionAlgorithm extends Algorithm { Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid public static final EncryptionAlgorithm -AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, +AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB, +Alg.AES, Mode.ECB, Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192); public static final EncryptionAlgorithm -AES_192_CBC =