Bug 459539

Summary: Support the Safenet330J token
Product: [Retired] Dogtag Certificate System
Component: TPS
Version: 1.0
Status: CLOSED ERRATA
Severity: medium
Priority: high
Hardware: All
OS: Linux
Reporter: Jack Magne <jmagne>
Assignee: Jack Magne <jmagne>
QA Contact: Chandrasekar Kannan <ckannan>
CC: aakkiang, benl, bob.lord, cfu, rrelyea
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:29:37 UTC
Bug Blocks: 443788

Attachments (description, flags):
Patch to help generate key on token, flags: none
Revised patch for this fix., flags: none
Spec file for change., flags: none

Description Jack Magne 2008-08-19 20:52:04 UTC
Description of problem:

We are currently having an issue with successfully enrolling the Safenet330J token with Dogtag and TPS. The actual reason for the failure could be anywhere from TPS down to the applet, or even the card itself. Creating a bug against TPS as a starting point until we know more.

Version-Release number of selected component (if applicable):

Dogtag 1.0.0

How reproducible:

Always

Steps to Reproduce:
1. Set up CA, TKS and TPS
2. Attempt an enrollment with ESC of the Safenet card

Actual results:

The enrollment will fail when the applet tries to perform the function "decryptVerifyKey" which tries to decrypt a random challenge generated by TPS.

Expected results:

The enrollment should finish successfully.

Additional info:

Comment 1 Jack Magne 2009-01-15 04:31:55 UTC
The first attachment will be for TPS code needed to allow "decryptVerifyKey" on the applet to succeed. It turns out that we need to change the APDU to have a format similar to the PutKey command. The main difference is that the algorithm id "80" is to be prepended before the wrapped challenge. This allows decryptVerifyKey to work on the Safenet Token and it still works for our other tokens...

Comment 2 Jack Magne 2009-01-15 04:34:47 UTC
Created attachment 329061
Patch to help generate key on token

Comment 3 Jack Magne 2009-01-15 04:35:57 UTC
cfu, can you review 329061?

Comment 4 Christina Fu 2009-01-21 19:42:24 UTC
(In reply to comment #2)
> Created an attachment (id=329061)
> Patch to help generate key on token

+cfu

Comment 5 Jack Magne 2009-01-23 02:37:42 UTC
I've done some more testing here. Specifically with server side keygen. I found out that the data being sent to "decryptVerifyKey" in the server side keygen case needs to be modified as well. Next patch attachment addresses this issue.

Comment 6 Jack Magne 2009-01-23 02:38:57 UTC
Created attachment 329764
Revised patch for this fix.

Comment 7 Jack Magne 2009-01-23 02:39:17 UTC
CFU, can you please review this change?

Comment 8 Jack Magne 2009-01-23 02:40:36 UTC
Created attachment 329765
Spec file for change.

Comment 9 Jack Magne 2009-01-24 01:24:08 UTC
Sending        apdu/Generate_Key_APDU.cpp
Transmitting file data .
Committed revision 186.

Sending        channel/Secure_Channel.cpp
Transmitting file data .
Committed revision 187.

Sending        processor/RA_Enroll_Processor.cpp
Transmitting file data .
Committed revision 188.

Sending        pki-tps.spec
Transmitting file data .
Committed revision 189.

Comment 10 Asha Akkiangady 2009-06-16 22:34:29 UTC
Verified.

Token Enrollment with Safenet 330J token is successful on ESC installed on Windows (XP and Vista) and RHEL 5.3 platforms with the CS 8.0 installed on RHEL 5.3 (x86 and x86_64).