Bug 459538 - TKS support for Safenet 330J card
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: TKS
Version: 1.0
Hardware: All Linux
Priority: high
Severity: medium
Assigned To: Jack Magne
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2008-08-19 16:45 EDT by Jack Magne
Modified: 2015-01-04 18:33 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:29:36 EDT

Attachments
Patch to allow the safenet token to create secure channel. (2.86 KB, patch)
2009-01-14 23:50 EST, Jack Magne
Spec file for change. (909 bytes, patch)
2009-01-22 21:50 EST, Jack Magne

Description Jack Magne 2008-08-19 16:45:57 EDT
Description of problem:

When attempting to create a secure channel to the 330J using the developer keyset, the operation fails. This occurs because TKS has some code optimized for the Gemalto keys. A simple fix to the "symkey" library to make this code more general will allow the Safenet key to work.

Version-Release number of selected component (if applicable):

1.0.0

How reproducible:

Always.

Steps to Reproduce:
1. Set up Dogtag with TPS and TKS
2. Use ESC to attempt a format operation.
  
Actual results:

The format will fail. Inspection of the logs will indicate that a secure channel could not be created.

Expected results:

A successful format operation.

Additional info:
Comment 1 Jack Magne 2009-01-14 23:49:36 EST
The fix turned out to be related to the parameters to the InitializeUpdate command. The Gemalto token likes the values of 1 and 1 for keyset version and keyset index. The Safenet works with 0 and 0 for these values.

When the symkey component gets around to computing a session key for a secure channel, it is given the output of InitializeUpdate. 

For the case of using the developer keyset, we have some code hard coded for Gemalto, thus not allowing other keys to use the developer keyset. The following attachment will address this shortcoming.
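
The InitializeUpdate exchange that comment 1 refers to, as an added sketch that is not the attached patch or Dogtag's own code. It assumes the GlobalPlatform SCP01 layout with a 28-byte response, and all function and struct names are hypothetical. It shows why the host has to take the key set from the card's response when the command asks for key version 0.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <vector>

// INITIALIZE UPDATE command: CLA 0x80, INS 0x50, P1 = key version,
// P2 = key index, Lc = 8, data = host challenge, Le = 0x00.
std::vector<uint8_t> buildInitializeUpdate(uint8_t keyVersion, uint8_t keyIndex,
                                           const std::array<uint8_t, 8>& hostChallenge) {
    std::vector<uint8_t> apdu = {0x80, 0x50, keyVersion, keyIndex, 0x08};
    apdu.insert(apdu.end(), hostChallenge.begin(), hostChallenge.end());
    apdu.push_back(0x00);
    return apdu;
}

// SCP01 response data with the status word already removed (28 bytes in total).
struct InitUpdateResponse {
    std::array<uint8_t, 10> diversificationData;
    std::array<uint8_t, 2> keyInfo;  // identifies the key set the card used
    std::array<uint8_t, 8> cardChallenge;
    std::array<uint8_t, 8> cardCryptogram;
};

// Returns false on any length other than 28, so truncated data is never parsed.
bool parseInitializeUpdateResponse(const std::vector<uint8_t>& data, InitUpdateResponse& out) {
    if (data.size() != 28) return false;
    auto p = data.begin();
    std::copy(p, p + 10, out.diversificationData.begin());
    std::copy(p + 10, p + 12, out.keyInfo.begin());
    std::copy(p + 12, p + 20, out.cardChallenge.begin());
    std::copy(p + 20, p + 28, out.cardCryptogram.begin());
    return true;
}

// Key version 0 in the command lets the card pick its default key set, so the
// host only learns which keys are in use from the response. A non-zero
// requested version must be echoed back in keyInfo[0].
bool keyInfoMatchesRequest(uint8_t requestedVersion, const InitUpdateResponse& resp) {
    return requestedVersion == 0x00 || resp.keyInfo[0] == requestedVersion;
}
```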
Comment 2 Jack Magne 2009-01-14 23:50:48 EST
Created attachment 329065
Patch to allow the safenet token to create secure channel.
Comment 3 Jack Magne 2009-01-14 23:51:10 EST
CFU, please review 329065.
Comment 4 Jack Magne 2009-01-22 21:50:53 EST
Created attachment 329768
Spec file for change.
Comment 5 Christina Fu 2009-01-23 15:56:28 EST
(In reply to comment #4)
> Created an attachment (id=329768)
> Spec file for change.

+cfu

might want to test key upgrade case at some point.
Comment 6 Jack Magne 2009-01-23 20:02:41 EST
Sending        symkey/EncryptData.cpp
Sending        symkey/SessionKey.cpp
Transmitting file data ..
Committed revision 184.

Sending        symkey/symkey.spec
Transmitting file data .
Committed revision 185.
Comment 7 Asha Akkiangady 2009-06-14 23:49:49 EDT
Verified.

Enrollment/format operation with Safenet 330J card works on Windows (XP and Vista) and RHEL 5 platforms.
Key change over from developer key to a new key and back to the developer key works fine.