[pki-devel][PATCH] 0091-SCP03 support for g&d 7 card.patch
by John Magne
[PATCH] SCP03 support for g&d sc 7 card.
Ticket:
https://pagure.io/dogtagpki/issue/1663 Add SCP03 support
This allows the use of the g&d 7 card.
This will require the following:
1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstool for this:
Ex:
/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16
2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:
Ex:
tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3 or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=## Smart Cafe 7 settings:
tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
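The two profiles listed above are the only combinations the patch says TKS supports, so a misconfigured prot3 key set (for example an AES master key with EMV diversification still enabled) is easy to introduce by hand-editing CS.cfg. The following Python checker is an added example, not part of the Dogtag patch or project code: it parses CS.cfg-style lines, skips the `tks.defKeySet._NNN=##` comment lines, and reports whether the `tks.defKeySet.prot3.*` settings match the Smart Cafe 6 or Smart Cafe 7 profile. The config snippets embedded in it are constructed for the example.

```python
"""Check tks.defKeySet.prot3.* (SCP03) settings against the two supported
card profiles. Added example; not code from the Dogtag patch or project."""

PREFIX = "tks.defKeySet.prot3."

# Allowed values per setting, as described in the patch's config comments.
ALLOWED = {
    "divers": {"emv", "visa2", "none"},
    "diversVer1Keys": {"emv", "visa2", "none"},
    "devKeyType": {"DES3", "AES"},
    "masterKeyType": {"DES3", "AES"},
}

# The two supported profiles, taken verbatim from the patch description.
SUPPORTED_PROFILES = {
    "Smart Cafe 6": {"divers": "emv", "diversVer1Keys": "emv",
                     "devKeyType": "DES3", "masterKeyType": "DES3"},
    "Smart Cafe 7": {"divers": "none", "diversVer1Keys": "none",
                     "devKeyType": "AES", "masterKeyType": "AES"},
}


def parse_cs_cfg(text):
    """Parse key=value lines into a dict. Blank lines and entries whose
    value is a '##' comment (the tks.defKeySet._NNN lines) are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("#"):
            continue  # documentation carried as a value, not a real setting
        settings[key] = value
    return settings


def prot3_settings(settings):
    """Extract the prot3.* settings with the prefix stripped."""
    return {k[len(PREFIX):]: v for k, v in settings.items() if k.startswith(PREFIX)}


def validate_prot3(settings):
    """Return (profile_name_or_None, list_of_problems).

    A profile name is returned only when every setting is present, has an
    allowed value, and the four values together match a supported card."""
    prot3 = prot3_settings(settings)
    problems = []
    for name, allowed in ALLOWED.items():
        if name not in prot3:
            problems.append(f"missing {PREFIX}{name}")
        elif prot3[name] not in allowed:
            problems.append(f"{PREFIX}{name}={prot3[name]!r} not in {sorted(allowed)}")
    if problems:
        return None, problems
    for profile, expected in SUPPORTED_PROFILES.items():
        if all(prot3[k] == v for k, v in expected.items()):
            return profile, []
    problems.append("prot3 settings do not match a supported profile (Smart Cafe 6 or 7)")
    if prot3["masterKeyType"] == "AES" and prot3["divers"] != "none":
        problems.append("AES master key combined with diversification is not a supported profile")
    return None, problems


# Constructed sample configs (not taken from a real CS.cfg).
SC7_CFG = """
tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
tks.defKeySet.prot3.divers=none
tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet.prot3.masterKeyType=AES
"""

SC6_CFG = """
tks.defKeySet.prot3.divers=emv
tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet.prot3.masterKeyType=DES3
"""

# A hand-edited mix: AES master key but EMV diversification left on.
MIXED_CFG = """
tks.defKeySet.prot3.divers=emv
tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet.prot3.masterKeyType=AES
"""

if __name__ == "__main__":
    for label, cfg in (("SC7", SC7_CFG), ("SC6", SC6_CFG), ("mixed", MIXED_CFG)):
        profile, problems = validate_prot3(parse_cs_cfg(cfg))
        print(label, "->", profile if profile else problems)
```

Run it against a copy of CS.cfg (read the file and pass its text to `parse_cs_cfg`) before restarting TKS after changing the prot3 settings; the check is purely on the configuration and does not touch the NSS database or the AES master key generated with symkeyutil.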
[PATCH] 1028 Fixed pki_console_wrapper.
by Endi Sukma Dewata
The pki_console_wrapper script has been fixed to load cascading
pki.conf properly and to set the logging configuration property.
Pushed to master under trivial rule.
--
Endi S. Dewata
KRA questions
by Fraser Tweedale
Hi all,
I have some questions about KRA operation. These questions came up
as part of my PKCS #12 AES key bag encryption effort.
1) the kra.allowEncDecrypt.recovery setting controls whether
unwrapping the archived key takes place on a crypto token (the
default) or within Dogtag. It seems to be an instance-wide setting.
What is the purpose of this setting? Is it just a provision for
environments that do not support the key (un)wrapping on a token?
Or does it have some other purpose?
2) When kra.allowEncDecrypt.recovery is false, the private keys
being recovered accumulate in the /etc/pki/pki-tomcat/alias NSSDB
(i.e. the NSS internal token). Presumably the same occurs for
hardware tokens, too. The unwrapping of the archived key in
RecoveryService.recoverKey() calls with boolean temporary = false;
This seems like the wrong behaviour... why would we want to keep the
key in the token?
Thanks,
Fraser