Description of problem:
When attempting to create a secure channel to the 330J using the developer keyset, the operation fails. This occurs because TKS has some code optimized for the Gemalto keys. A simple fix to the "symkey" library to make this code more general will allow the Safenet key to work.

Version-Release number of selected component (if applicable):
1.0.0

How reproducible:
Always.

Steps to Reproduce:
1. Set up Dogtag with TPS and TKS
2. Use ESC to attempt a format operation.

Actual results:
The format will fail. Inspection of the logs will indicate that a secure channel could not be created.

Expected results:
A successful format operation.

Additional info:
The fix turned out to be related to the parameters to the InitializeUpdate command. The Gemalto token likes the values of 1 and 1 for keyset version and keyset index. The Safenet works with 0 and 0 for these values. When the symkey component gets around to computing a session key for a secure channel, it is given the output of InitializeUpdate. For the case of using the developer keyset, we have some code hard coded for Gemalto, thus not allowing other keys to use the developer keyset. The following attachment will address this shortcoming.
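The InitializeUpdate handling described in the comment above, as an added C++ example that is not part of symkey or of the attached patch: it parses an INITIALIZE UPDATE response into its fields and contrasts a keyset check that accepts only the Gemalto values (1, 1) with a generalized one under which a card reporting either (0, 0) or (1, 1) gets the developer keyset. The field layout, the "developer" / "keyset-vN" names, the two sample responses and the rule that a keyset version of 0 or 1 means the developer keyset are all assumptions of this example, not facts taken from the committed fix.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Field layout assumed for the INITIALIZE UPDATE response (GlobalPlatform
// layout; field names as used in the bug report):
//   [0..9]   key diversification data (10 bytes)
//   [10]     keyset version
//   [11]     keyset index
//   [12..19] card challenge (8 bytes)
//   [20..27] card cryptogram (8 bytes)
//   [28..29] status word, 0x9000 on success
static const size_t INIT_UPDATE_RESP_LEN = 30;

struct InitUpdateResponse {
    Bytes   divData;
    uint8_t keysetVersion;
    uint8_t keysetIndex;
    Bytes   cardChallenge;
    Bytes   cardCryptogram;
};

// Parse the response; false on a wrong length or a non-9000 status word.
bool parseInitUpdate(const Bytes& resp, InitUpdateResponse& out) {
    if (resp.size() != INIT_UPDATE_RESP_LEN) return false;
    if (resp[28] != 0x90 || resp[29] != 0x00) return false;
    out.divData.assign(resp.begin(), resp.begin() + 10);
    out.keysetVersion = resp[10];
    out.keysetIndex   = resp[11];
    out.cardChallenge.assign(resp.begin() + 12, resp.begin() + 20);
    out.cardCryptogram.assign(resp.begin() + 20, resp.begin() + 28);
    return true;
}

// Brittle selection of the kind the bug describes: only the Gemalto values
// (1, 1) map to the developer keyset, so a Safenet card reporting (0, 0)
// gets no keyset (empty string) and the secure channel cannot be built.
std::string selectKeysetGemaltoOnly(const InitUpdateResponse& r) {
    if (r.keysetVersion == 1 && r.keysetIndex == 1) return "developer";
    return "";
}

// Generalized selection (this example's rule, not the committed patch):
// a card that has not been key-changed reports (0, 0) or (1, 1) depending
// on vendor, so version 0 or 1 selects the developer keyset; a higher
// version means a changed-over key and is named by its version number.
std::string selectKeysetGeneral(const InitUpdateResponse& r) {
    if (r.keysetVersion <= 1) return "developer";
    char buf[32];
    snprintf(buf, sizeof buf, "keyset-v%u", (unsigned)r.keysetVersion);
    return buf;
}

// Whole flow: parse, then select. Empty string means "no secure channel".
std::string keysetFor(const Bytes& resp, bool general) {
    InitUpdateResponse r;
    if (!parseInitUpdate(resp, r)) return "";
    return general ? selectKeysetGeneral(r) : selectKeysetGemaltoOnly(r);
}

// Constructed sample response (not captured from a real card): identical
// for every call except the keyset version/index bytes and status word.
Bytes makeSampleResponse(uint8_t version, uint8_t index, uint16_t sw = 0x9000) {
    Bytes r;
    for (int i = 0; i < 10; i++) r.push_back(0xA0 + i);   // diversification data
    r.push_back(version);
    r.push_back(index);
    for (int i = 0; i < 8; i++) r.push_back(0x10 + i);    // card challenge
    for (int i = 0; i < 8; i++) r.push_back(0x20 + i);    // card cryptogram
    r.push_back((uint8_t)(sw >> 8));                      // status word
    r.push_back((uint8_t)(sw & 0xFF));
    return r;
}

int main() {
    const char* names[] = { "gemalto-like", "safenet-like" };
    Bytes samples[] = { makeSampleResponse(1, 1), makeSampleResponse(0, 0) };
    for (int i = 0; i < 2; i++) {
        std::string brittle = keysetFor(samples[i], false);
        std::string general = keysetFor(samples[i], true);
        printf("%-12s brittle=%-10s general=%s\n", names[i],
               brittle.empty() ? "(none)" : brittle.c_str(), general.c_str());
    }
    return 0;
}
```

The brittle path leaves the Safenet-like response without a keyset, which is the "secure channel could not be created" symptom in the report; the general path gives both cards the developer keyset and still distinguishes a card whose key has been changed over.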
Created attachment 329065 [details] Patch to allow the safenet token to create secure channel.
CFU, please review 329065.
Created attachment 329768 [details] Spec file for change.
(In reply to comment #4)
> Created an attachment (id=329768) [details]
> Spec file for change.

+cfu might want to test the key upgrade case at some point.
Sending        symkey/EncryptData.cpp
Sending        symkey/SessionKey.cpp
Transmitting file data ..
Committed revision 184.
Sending        symkey/symkey.spec
Transmitting file data .
Committed revision 185.
Verified. Enrollment/format operation with the Safenet 330J card works on Windows (XP and Vista) and RHEL 5 platforms. Key changeover from the developer key to a new key and back to the developer key works fine.