|
 |
18a1d4 |
From fe4788410c0b5e879bdcfe986f50350f2343e531 Mon Sep 17 00:00:00 2001
|
|
|
18a1d4 |
From: jmagne <jmagne@redhat.com>
|
|
|
18a1d4 |
Date: Mon, 3 Jun 2024 16:47:56 -0700
|
|
|
18a1d4 |
Subject: [PATCH] Fix Bug 2265180 - Add Support for Symmetric Key Rollover
|
|
|
18a1d4 |
[RHCS 9.7.z]. (#4765)
|
|
|
18a1d4 |
|
|
|
18a1d4 |
We found in QE a situation in fips mode with the hsm that the calculation of the scp03 keycheck value
|
|
|
18a1d4 |
could fail. Simply making that method behave like the scp01 version of the method fixes the issue.
|
|
|
18a1d4 |
|
|
|
18a1d4 |
Also added some trivial code to apease tpsclient. We do so by creating a new secret config value used only
|
|
|
18a1d4 |
by those testing the product with tpsclient:
|
|
|
18a1d4 |
|
|
|
18a1d4 |
channel.scp01.no.le.byte=true
|
|
|
18a1d4 |
|
|
|
18a1d4 |
This will skip the le zero byte on only the generatekey and readobject apdu's only if scp01 is detected and this value is true.
|
|
|
18a1d4 |
Otherwise everything will default to current behavior and the le byte of zero will be added as per current behavior.
|
|
|
18a1d4 |
|
|
|
18a1d4 |
Fix case when rollover feature checks config in non external reg mode and caused NPE.
|
|
|
18a1d4 |
Adding one file that didn't make it into the last commit.
|
|
|
18a1d4 |
(cherry picked from commit acb198939fc215beb44921852425d08c9257db97)
|
|
|
18a1d4 |
---
|
|
|
18a1d4 |
base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 6 ++++--
|
|
|
18a1d4 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
18a1d4 |
|
|
|
18a1d4 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
18a1d4 |
index 984ce79..2aa01a3 100644
|
|
|
18a1d4 |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
18a1d4 |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
18a1d4 |
@@ -2570,7 +2570,8 @@ public class TPSProcessor {
|
|
|
18a1d4 |
symKeyUpgradeStatus = TPSStatus.STATUS_ERROR_SYMKEY_256_UPGRADE;
|
|
|
18a1d4 |
}
|
|
|
18a1d4 |
// Check whether exception is caused by attempting to change 256 OMK to 128 FMK
|
|
|
18a1d4 |
- else if (getSelectedKeySet().equals(getKeyDowngradeKeySet()) && getSymmetricKeysRequiredVersion() == getKeyDowngradeVersion())
|
|
|
18a1d4 |
+ // RedHat : avoid null ptr. For non external reg case.
|
|
|
18a1d4 |
+ else if (getSelectedKeySet() != null && getSelectedKeySet().equals(getKeyDowngradeKeySet()) && getSymmetricKeysRequiredVersion() == getKeyDowngradeVersion())
|
|
|
18a1d4 |
{
|
|
|
18a1d4 |
// proceed with downgrade if configured to do so
|
|
|
18a1d4 |
CMS.debug("TPSProcessor.checkAndUpgradeSymKeys: try downgrade key size.");
|
|
|
18a1d4 |
@@ -3660,7 +3661,8 @@ public class TPSProcessor {
|
|
|
18a1d4 |
|
|
|
18a1d4 |
// ** G&D 256 Key Rollover Support **
|
|
|
18a1d4 |
// set the flag to indicate if card needs to roll over to 256 OMK
|
|
|
18a1d4 |
- boolean keyRollNeeded = (getSelectedKeySet().equals(getKeyRolloverKeySet()) && requiredVersion == getKeyRolloverVersion());
|
|
|
18a1d4 |
+ // RedHat : avoid null ptr. For non external reg case.
|
|
|
18a1d4 |
+ boolean keyRollNeeded = (getSelectedKeySet() != null && getSelectedKeySet().equals(getKeyRolloverKeySet()) && requiredVersion == getKeyRolloverVersion());
|
|
|
18a1d4 |
CMS.debug(" keyRollNeeded: " + keyRollNeeded);
|
|
|
18a1d4 |
// try to make a secure channel with the 'requiredVersion' keys
|
|
|
18a1d4 |
// If this fails, we know we will have to attempt an upgrade
|
|
|
18a1d4 |
--
|
|
|
18a1d4 |
1.8.3.1
|
|
|
18a1d4 |
|