From 82fb03158e2f06e4886c7ad254e3b9880fc1ada3 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Mon, 6 May 2024 18:08:30 -0400
Subject: [PATCH 1/3] Trivial fix. Remove illegal characters from comments in
 TPS CS.cfg file.

(cherry picked from commit 455fec6347ff4b141936939ac9d4d91afdba0daa)
---
 base/tps/shared/conf/CS.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 0b4b348..0d2b1ce 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -24,7 +24,7 @@ applet._015=#op.pinReset.userKey.update.applet.requiredVersion.prot.3=1.5.65cbf5
 applet._016=#
 applet._017=# The applet above is the latest and supports CBC and KWP key wrapping.
 applet._018=# Use existing config for standard protoco1 cards Example: applet._019=#op.format.userKey.update.applet.requiredVersion=1.4.58768072
-applet._019=# Add “,A000000003000000,A0000001510000” to all instances of *.cardmgr_instance parameters in the CS.cfg file as shown below.  Update all format, enroll and pin reset values for every token type in the file. This is to support some newer cards such as the Cosmo Idemia, allowing the code to select the proper AID at run time.
+applet._019=# Add ,A000000003000000,A0000001510000 to all instances of *.cardmgr_instance parameters in the CS.cfg file as shown below.  Update all format, enroll and pin reset values for every token type in the file. This is to support some newer cards such as the Cosmo Idemia, allowing the code to select the proper AID at run time.
 applet._020=#########################################
 applet.aid.cardmgr_instance=A0000000030000,A000000003000000,A0000001510000
 applet.aid.netkey_file=627601FF0000
-- 
1.8.3.1


From f0101f977d6749f4ecb9069ed331daf9cb98f586 Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Fri, 10 May 2024 15:10:20 -0700
Subject: [PATCH 2/3] Fix Bug 2253682 - pkidestroy log keeps HSM token password
 [RHCS 9.7.z] (#4737)

This patch addressed the error condition when pkidestroy fails to delete the tks connector.
Previously the password for the token would be displayed. With this fix, the value is obscured.

Remove extraneous print statement.
(cherry picked from commit 57cbac9c41a44ecd4d3617b78383a18dd5fdcc63)
---
 base/server/python/pki/server/deployment/pkihelper.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 4f4998a..a91e75d 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3245,23 +3245,24 @@ class TPSConnector:
                    "--host", tpshost,
                    "--port", str(tpsport)]
 
-        output = subprocess.check_output(command,
+        try:
+            output = subprocess.check_output(command,
                                          stderr=subprocess.STDOUT,
                                          shell=False)
-        output = output.decode('utf-8')
-        error = re.findall("ClientResponseFailure:(.*?)", output)
-        if error:
+            output = output.decode('utf-8')
+
+        except subprocess.CalledProcessError:
             config.pki_log.warning(
                 log.PKIHELPER_TPSCONNECTOR_UPDATE_FAILURE_2,
                 str(tpshost),
                 str(tpsport),
                 extra=config.PKI_INDENTATION_LEVEL_2)
+            command[12] = "****"
             config.pki_log.error(
-                log.PKI_SUBPROCESS_ERROR_1, output,
+                log.PKI_SUBPROCESS_ERROR_1, command,
                 extra=config.PKI_INDENTATION_LEVEL_2)
-        if critical_failure:
-            raise Exception(log.PKI_SUBPROCESS_ERROR_1 % output)
-
+            if critical_failure:
+                raise Exception(log.PKI_SUBPROCESS_ERROR_1 % output)
 
 class SecurityDomain:
     """PKI Deployment Security Domain Class"""
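Review bot: In the new `except subprocess.CalledProcessError:` branch, `raise Exception(log.PKI_SUBPROCESS_ERROR_1 % output)` reads `output`, which this hunk assigns only inside the `try`; unless it is bound earlier in the function (outside the hunk), a failing command with `critical_failure` set raises UnboundLocalError instead of the intended error. Binding the exception and raising with the masked command, `except subprocess.CalledProcessError as exc:` and `raise Exception(log.PKI_SUBPROCESS_ERROR_1 % command) from exc`, avoids that and keeps the process output, which presumably can echo the token password, out of the exception text. `command[12] = "****"` depends on the argument order of a list built above the hunk, so masking the element that follows the password option would survive a reordering of the arguments. The removed `ClientResponseFailure` check also means a run that exits 0 but prints that failure is no longer reported.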
-- 
1.8.3.1


From a53cf5b5e613dfb35262f8b54045e817f30015b3 Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Fri, 17 May 2024 10:10:38 -0700
Subject: [PATCH 3/3] Fix issue when the AES shared secret can't be imported
 automatically during TPS pkispawn operation. (#4747)

An issue was discovered in the HSM / FIPS case because the code uses the private key of the subsystem cert which can reside on the hsm token. The shared secret right now only supports the internal token.

Bug 2280722 - Shared token is not generated for TPS and TKS during install despite adding pki_import_shared_secret=True param at install [RHCS 9.7.z].
Review comments.
(cherry picked from commit ff4b874aa1211989b71b71c5c99e5423511604d0)
---
 .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 47 ++++++++++++++++------
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 29217d1..bb3683f 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -3111,20 +3111,34 @@ public class CryptoUtil {
             throw new IOException("Shared secret " + sharedSecretNickname + " already exists");
         }
 
+        X509Certificate cert = cm.findCertByNickname(subsystemCertNickname);
+
+        if(cert != null) {
+            logger.debug(method + " subsystemCert: " + cert);
+        } else {
+            logger.debug(method + " can't find subsytem cert.");
+            throw new Exception("Can't find subsystem cert.");
+        }
+        PrivateKey subsystemPrivateKey = cm.findPrivKeyByCert(cert);
+
+        if(subsystemPrivateKey == null) {
+            throw new InvalidKeyException("Can't find subsytem cert private key");
+        }
+
+        CryptoToken subCertToken = subsystemPrivateKey.getOwningToken();
+          
+
+        if(subCertToken == null) {
+            throw new TokenException("Invalid owning token for subsystem cert.");
+        }
+
         //Unwrap session key
-       
-        KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.RSA);
+        KeyWrapper keyWrap = subCertToken.getKeyWrapper(KeyWrapAlgorithm.RSA);
         logger.debug(method + " subsytemCertNickname: " + subsystemCertNickname);
-        System.out.println(method + " subsytemCertNickname: " + subsystemCertNickname);
 
-        X509Certificate cert = cm.findCertByNickname(subsystemCertNickname);
-        logger.debug(method + " subsystemCert: " + cert);
-        PrivateKey subsystemPrivateKey = cm.findPrivKeyByCert(cert);
         keyWrap.initUnwrap(subsystemPrivateKey,null);
 
         SymmetricKey unwrappedSessionKey = null;
-        //Since we don't know if aes was used to wrap the key, try with and without.
-
 
         try {
             unwrappedSessionKey =  keyWrap.unwrapSymmetric(wrappedSessionKey, SymmetricKey.AES,
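Review bot: The failure paths added here are reported at `logger.debug` at most, and the missing-private-key and missing-token paths log nothing before throwing, so unless the caller logs the exception an operator at the default log level has little to go on when the shared secret import fails; `logger.error(method + " can't find subsystem cert: " + subsystemCertNickname);` before the throw would make the cause visible. The new messages spell "subsytem" in `" can't find subsytem cert."` and `"Can't find subsytem cert private key"`, which makes them harder to search for. `throw new Exception("Can't find subsystem cert.")` uses a bare `Exception`; whether a narrower type fits depends on the method's throws clause, which is outside this hunk, as are the start and end of the enclosing method.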
@@ -3141,10 +3155,19 @@ public class CryptoUtil {
 
         IVParameterSpec ivsp = new IVParameterSpec(iv);
 
-        byte[] unwrappedSharedSecret = decryptUsingSymmetricKey(token, ivsp, wrappedSharedSecret,
-            unwrappedSessionKey, encAlg);
-        SymmetricKey importedSharedSecret =  unwrapAESSKeyFromBytes(token, unwrappedSharedSecret, true);
-        importedSharedSecret.setNickName(sharedSecretNickname);
+        byte[] unwrappedSharedSecret = {};
+        try {
+            unwrappedSharedSecret = decryptUsingSymmetricKey(subCertToken, ivsp, wrappedSharedSecret,
+                unwrappedSessionKey, encAlg);
+            SymmetricKey importedSharedSecret =  unwrapAESSKeyFromBytes(token, unwrappedSharedSecret, true);
+            importedSharedSecret.setNickName(sharedSecretNickname);
+        } catch (Exception e) {
+            System.out.println(method + " exception found " + e);
+            throw e;
+        } finally {
+            CryptoUtil.obscureBytes(unwrappedSharedSecret,"random");
+        }
+
     }
 
     public static SymmetricKey unwrapAESSKeyFromBytes(CryptoToken token, byte[] inputKeyArray,
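Review bot: The new `catch` block reports the failure with `System.out.println(method + " exception found " + e);`, which bypasses the logger used elsewhere in this method, and the previous hunk of the same patch deletes a `System.out.println` for that reason; `logger.error(method + " exception found: " + e.getMessage(), e);` would keep the failure and its stack trace in the subsystem log. The `finally` block wipes `unwrappedSharedSecret`, and a short comment there would record the intent, e.g. `// clear the plaintext shared secret whether or not the import succeeded`. `unwrapAESSKeyFromBytes` is still called with `token` while decryption now uses `subCertToken`; that looks intentional given the commit message, and a one-line comment stating that the shared secret is imported into the internal token would stop a later reader from "fixing" it.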
-- 
1.8.3.1