OK, here is what we did on this:
Taking into account that the goal is to make sure that our current code continues to work.
1. Cfu and I walked through the code in person due to its complexity.
What I found is that the vast majority of the new stuff is the submitter's work.
We only added ourselves what was needed to keep the default current case working.
It would be best not to mess too much with what they gave us since it works for them.
Plus I would need some more time to understand the guts of the low level key derivation
they are doing. Cfu has already vetted their submission, so we should be ok there.
2. We ran a bunch of tests with real tokens:
Format.
Enrollment.
Format with symmetric key changeover.
Another enrollment with the new key set in place.
Everything worked ok, with the exception of symmetric key changeover on the sc650 card.
The code works with the Gemalto 64k series card, which is what I probably developed for.
The error has to do with a couple of the parameters being sent with the apdu having to do
with key set and key index. For some reason one of the values is wrong with the sc650.
Will have to file a separate ticket for that, this probably has nothing to do with cfu's patch here.
I think only for the purpose of getting the ball rolling on this, I can give a conditional ACK.
With the caveat that cfu makes sure the self tests work, which was not in the patch. The demo setup had this fix, so this should not be a big deal.
Later on, when I have the scp02 stuff working, I will have to merge my stuff with these changes since I create some new functions to derive scp02 session keys.
----- Original Message -----
From: "Christina Fu" <cfu(a)redhat.com>
To: pki-devel(a)redhat.com
Sent: Tuesday, December 9, 2014 10:02:54 AM
Subject: [Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF
This patch is Part one for tickets:
https://fedorahosted.org/pki/ticket/864 NIST SP800-108 KDF
https://fedorahosted.org/pki/ticket/865 GP Key sanity check
https://fedorahosted.org/pki/ticket/866 pki-common key fixes
The original patches were generated from rhcs8.1, and were submitted by
a community member party that works closely with us. The original
patches have been test-run successfully in a real deployment over a good
period of time.
They apply only to the TMS (Token Management System) environment.
Attached please find the patch that I have integrated from the original
patches (see above tickets) into the Dogtag master tree. This is only
the first part, which mainly includes:
1. new code for the symkey JNI changes to support the NIST recommended
Key Derivation functions
2. code changes to pki-core to support the new symkey calls
3. TKS changes to support needed new parameters from TPS
Please note that the needed changes for TPS will come later in a
different patch. This is because the TPS is being rewritten now with
Java, so the original C++ patch needs more time to be converted.
Because of this, I had to add
4. code changes to TKS to temporarily support the java-based TPS that
has not yet been converted to support NIST SP800-108 KDF
Also, the changes in the original patch for TKSKnownSessionKey selftest
don't seem to work. I will need more time to investigate. In order
to get more mileage out of the changed code, I am moving this to the
next part, and temporarily turn off this particular selftest in this
patch, and will be turned back on when it is ready.
Because of the interface changes in symkey, the symkey and pki-core
packages must be updated together.
Because of the complexity and the sheer amount of code involved, Jack, I
will work with you face-to-face on the review of this code.
Finally, no matter how tempting it is to me, I steer away from
reformatting the code, just so that in case we find issues down the
road, we can easily find the right place(s) to discuss with the original
authors. Some time later, once enough mileage is gained, we can
schedule a separate time to reformat it.
It has been tested with simple formats and enrollments with key
archivals. I can continue to perform some more tests while the patch is
being reviewed.
thanks,
Christina