Bug 459538

Summary: TKS support for Safenet 330J card
Product: [Retired] Dogtag Certificate System
Component: TKS
Version: 1.0
Status: CLOSED ERRATA
Severity: medium
Priority: high
Hardware: All
OS: Linux
Reporter: Jack Magne <jmagne>
Assignee: Jack Magne <jmagne>
QA Contact: Chandrasekar Kannan <ckannan>
CC: aakkiang, benl, bob.lord, cfu
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:36 UTC
Bug Blocks: 443788

Attachments:
  Patch to allow the safenet token to create secure channel. (flags: none)
  Spec file for change. (flags: none)

Description Jack Magne 2008-08-19 20:45:57 UTC
Description of problem:

When attempting to create a secure channel to the 330J using the developer keyset, the operation fails. This occurs because TKS has some code optimized for the Gemalto keys. A simple fix to the "symkey" library to make this code more general will allow the Safenet key to work.

Version-Release number of selected component (if applicable):

1.0.0

How reproducible:

Always.

Steps to Reproduce:
1. Setup Dogtag with TPS and TKS
2. Use ESC to attempt a format operation.

Actual results:

The format will fail. Inspection of the logs will indicate that a secure channel could not be created.

Expected results:

A successful format operation.

Additional info:

Comment 1 Jack Magne 2009-01-15 04:49:36 UTC
The fix turned out to be related to the parameters to the InitializeUpdate command. The Gemalto token likes the values of 1 and 1 for keyset version and keyset index. The Safenet works with 0 and 0 for these values.

When the symkey component gets around to computing a session key for a secure channel, it is given the output of InitializeUpdate.

For the case of using the developer keyset, we have some code hard-coded for Gemalto, thus not allowing other keys to use the developer keyset. The following attachment will address this shortcoming.
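Added example to illustrate the exchange comment 1 describes; this is not code from the Dogtag TKS "symkey" library or from the patch attached to this bug. It builds the GlobalPlatform INITIALIZE UPDATE command with the keyset version and index in P1/P2, parses the card's response, and selects the host keyset from the keyset version the card reports instead of assuming the Gemalto values (1, 1). The response layout assumed here is the GlobalPlatform 2.1.1 SCP01/SCP02 one (10 bytes key diversification data, 1 byte key version, 1 byte SCP identifier, 8 bytes card challenge, 8 bytes card cryptogram); the keyset names, the hypothetical keyset table and the sample response bytes are constructed for the example.

```python
"""Host side of GlobalPlatform INITIALIZE UPDATE: build the command, parse the
response, and pick the keyset from the version the card reports.

Added example; not the Dogtag symkey code. Layout per GP 2.1.1 SCP01/02."""
from dataclasses import dataclass

CLA_GP = 0x80
INS_INITIALIZE_UPDATE = 0x50
RESPONSE_BODY_LEN = 28  # bytes before SW1 SW2 for SCP01/SCP02


@dataclass(frozen=True)
class InitUpdateResponse:
    key_diversification_data: bytes  # 10 bytes identifying the card / keyset
    key_version: int                 # keyset version the card selected
    scp_id: int                      # 0x01 = SCP01, 0x02 = SCP02
    card_challenge: bytes            # 8 bytes, input to session key derivation
    card_cryptogram: bytes           # 8 bytes, proves the card holds the keys


def build_initialize_update(host_challenge: bytes, key_version: int, key_index: int) -> bytes:
    """Return the APDU: CLA INS P1=keyset version P2=keyset index Lc data Le.
    Per comment 1: Gemalto developer keyset uses (1, 1), Safenet 330J uses (0, 0)."""
    if len(host_challenge) != 8:
        raise ValueError("host challenge must be 8 bytes")
    if not (0 <= key_version <= 0xFF and 0 <= key_index <= 0xFF):
        raise ValueError("keyset version and index must each fit in one byte")
    header = bytes([CLA_GP, INS_INITIALIZE_UPDATE, key_version, key_index, len(host_challenge)])
    return header + host_challenge + b"\x00"  # Le = 00: accept any response length


def parse_initialize_update(body: bytes) -> InitUpdateResponse:
    """Split the 28-byte response body into its fields; reject a wrong-sized body."""
    if len(body) != RESPONSE_BODY_LEN:
        raise ValueError(f"expected {RESPONSE_BODY_LEN}-byte response body, got {len(body)}")
    return InitUpdateResponse(
        key_diversification_data=body[0:10],
        key_version=body[10],
        scp_id=body[11],
        card_challenge=body[12:20],
        card_cryptogram=body[20:28],
    )


# Hypothetical host-side table of developer keysets, keyed by the keyset version
# a card reports. Names are constructed; a real table would hold the key material.
DEVELOPER_KEYSETS = {
    0x00: "safenet-developer",
    0x01: "gemalto-developer",
}


def select_keyset(response: InitUpdateResponse, keysets=DEVELOPER_KEYSETS) -> str:
    """Choose the keyset by the version the card returned. Hard-coding version 1 here
    (the behaviour this bug describes) would fail for a card that answers version 0."""
    try:
        return keysets[response.key_version]
    except KeyError:
        raise LookupError(f"no keyset for version {response.key_version:#04x}") from None


def make_response(key_version: int, scp_id: int = 0x01) -> bytes:
    """Constructed response body for testing; not bytes captured from a real card."""
    diversification = bytes(range(10))
    challenge = bytes(0xC0 + i for i in range(8))
    cryptogram = bytes(0xA0 + i for i in range(8))
    return diversification + bytes([key_version, scp_id]) + challenge + cryptogram


if __name__ == "__main__":
    host_challenge = bytes(8)  # fixed here; a real host sends fresh random bytes
    for name, (ver, idx) in {"safenet": (0, 0), "gemalto": (1, 1)}.items():
        apdu = build_initialize_update(host_challenge, ver, idx)
        resp = parse_initialize_update(make_response(ver))
        print(name, apdu.hex(), "->", select_keyset(resp))
```

The point of select_keyset is that the keyset version is a value the card tells the host, so the host's session key computation should look it up rather than carry a per-vendor constant; that is the generalisation the attached patch makes to symkey.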

Comment 2 Jack Magne 2009-01-15 04:50:48 UTC
Created attachment 329065
Patch to allow the safenet token to create secure channel.

Comment 3 Jack Magne 2009-01-15 04:51:10 UTC
CFU, please review 329065.

Comment 4 Jack Magne 2009-01-23 02:50:53 UTC
Created attachment 329768
Spec file for change.

Comment 5 Christina Fu 2009-01-23 20:56:28 UTC
(In reply to comment #4)
> Created an attachment (id=329768)
> Spec file for change.

+cfu

might want to test key upgrade case at some point.

Comment 6 Jack Magne 2009-01-24 01:02:41 UTC
Sending        symkey/EncryptData.cpp
Sending        symkey/SessionKey.cpp
Transmitting file data ..
Committed revision 184.

Sending        symkey/symkey.spec
Transmitting file data .
Committed revision 185.

Comment 7 Asha Akkiangady 2009-06-15 03:49:49 UTC
Verified.

Enrollment/format operation with Safenet 330J card works on Windows (XP and Vista) and RHEL 5 platforms.
Key change over from developer key to a new key and back to the developer key works fine.