From 3adb695ea6a7f50d7631a4c048f75dae078889fa Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Thu, 24 Aug 2023 20:41:00 -0400 Subject: [PATCH 5/8] Fix Bug 2180920 add AES support for TMS server-side keygen on latest HSM / FIPS environment [RHCS 9.7.z] Back port AES KWP wrap alg support only for JSS in this branch to allow for the TMS bug referenced above to work. --- org/mozilla/jss/crypto/Algorithm.c | 3 ++- org/mozilla/jss/crypto/Algorithm.h | 2 +- org/mozilla/jss/crypto/Algorithm.java | 2 ++ org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 8 ++++++++ 4 files changed, 13 insertions(+), 2 deletions(-) diff --git a/org/mozilla/jss/crypto/Algorithm.c b/org/mozilla/jss/crypto/Algorithm.c index 84290ad..9492d01 100644 --- a/org/mozilla/jss/crypto/Algorithm.c +++ b/org/mozilla/jss/crypto/Algorithm.c @@ -96,7 +96,8 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = { /* the CKM_AES_KEY_WRAP_* have different defs than CKM_NSS_AES_KEY_WRAP_* */ /* 65 */ {CKM_AES_KEY_WRAP, PK11_MECH}, /* 66 */ {CKM_AES_KEY_WRAP_PAD, PK11_MECH}, -/* 67 */ {SEC_OID_PKCS1_RSA_PSS_SIGNATURE, SEC_OID_TAG} +/* 67 */ {SEC_OID_PKCS1_RSA_PSS_SIGNATURE, SEC_OID_TAG}, +/* 68 */ {CKM_AES_KEY_WRAP_KWP, PK11_MECH} /* REMEMBER TO UPDATE NUM_ALGS!!! */ }; diff --git a/org/mozilla/jss/crypto/Algorithm.h b/org/mozilla/jss/crypto/Algorithm.h index 09b5869..6bf4d96 100644 --- a/org/mozilla/jss/crypto/Algorithm.h +++ b/org/mozilla/jss/crypto/Algorithm.h @@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr { JSS_AlgType type; } JSS_AlgInfo; -#define NUM_ALGS 68 +#define NUM_ALGS 69 extern JSS_AlgInfo JSS_AlgTable[]; extern CK_ULONG JSS_symkeyUsage[]; diff --git a/org/mozilla/jss/crypto/Algorithm.java b/org/mozilla/jss/crypto/Algorithm.java index 26d4758..bd93f13 100644 --- a/org/mozilla/jss/crypto/Algorithm.java +++ b/org/mozilla/jss/crypto/Algorithm.java @@ -229,5 +229,7 @@ public class Algorithm { protected static final short CKM_AES_KEY_WRAP_PAD=66; // RSA-PSS protected static final short SEC_OID_PKCS1_RSA_PSS_SIGNATURE = 67; + // CKM_AES_KEY_WRAP_KWP for HSM support + protected static final int CKM_AES_KEY_WRAP_KWP = 68; } diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java index 3113f61..346eca7 100644 --- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java +++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java @@ -130,6 +130,14 @@ public class KeyWrapAlgorithm extends Algorithm { AES_KEY_WRAP_PAD = new KeyWrapAlgorithm(CKM_NSS_AES_KEY_WRAP_PAD, "AES KeyWrap/Padding", (Class) null, true, 8); + /* + * Added to support HSMs. There is no CKM_NSS equivalent, unlike the + * above two mechanisms. + */ + public static final KeyWrapAlgorithm + AES_KEY_WRAP_PAD_KWP = new KeyWrapAlgorithm(CKM_AES_KEY_WRAP_KWP, "AES KeyWrap/Wrapped", + (Class) null, true, 8); + public static final OBJECT_IDENTIFIER AES_KEY_WRAP_PAD_OID = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.8"); public static final OBJECT_IDENTIFIER AES_KEY_WRAP_OID = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.5"); public static final OBJECT_IDENTIFIER AES_CBC_PAD_OID = new OBJECT_IDENTIFIER("2.16.840.1.101.3.4.1.2"); -- 1.8.3.1