Bug 459539 - Support the Safenet330J token
Product: Dogtag Certificate System
Classification: Community
Component: TPS
Hardware: All Linux
Priority: high, Severity: medium
Assigned To: Jack Magne
Chandrasekar Kannan
Blocks: 443788
Reported: 2008-08-19 16:52 EDT by Jack Magne
Modified: 2015-01-04 18:33 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:29:37 EDT

Attachments
Patch to help generate key on token (2.68 KB, patch)
2009-01-14 23:34 EST, Jack Magne
Revised patch for this fix. (2.63 KB, patch)
2009-01-22 21:38 EST, Jack Magne
Spec file for change. (908 bytes, patch)
2009-01-22 21:40 EST, Jack Magne

Description Jack Magne 2008-08-19 16:52:04 EDT
Description of problem:

We are currently having an issue with successfully enrolling the Safenet330J token with Dogtag and TPS. The actual reason for the failure could be anywhere from TPS down to the applet, or even the card itself. Creating a bug against TPS as a starting point until we know more.

Version-Release number of selected component (if applicable):

Dogtag 1.0.0

How reproducible:


Steps to Reproduce:
1. Set up CA, TKS and TPS
2. Attempt an enrollment with ESC of the Safenet card

Actual results:

The enrollment will fail when the applet tries to perform the function "decryptVerifyKey" which tries to decrypt a random challenge generated by TPS.

Expected results:

The enrollment should finish successfully.

Additional info:
Comment 1 Jack Magne 2009-01-14 23:31:55 EST
The first attachment will be for TPS code needed to allow "decryptVerifyKey" on the applet to succeed. It turns out that we need to change the APDU to have a format similar to the PutKey command. The main difference is that the algorithm id "80" is to be prepended before the wrapped challenge. This allows decryptVerifyKey to work on the Safenet Token and it still works for our other tokens...
Comment 2 Jack Magne 2009-01-14 23:34:47 EST
Created attachment 329061 [details]
Patch to help generate key on token
Comment 3 Jack Magne 2009-01-14 23:35:57 EST
cfu, can you review 329061?
Comment 4 Christina Fu 2009-01-21 14:42:24 EST
(In reply to comment #2)
> Created an attachment (id=329061) [details]
> Patch to help generate key on token

Comment 5 Jack Magne 2009-01-22 21:37:42 EST
I've done some more testing here. Specifically with server side keygen. I found out that the data being sent to "decryptVerifyKey" in the server side keygen case needs to be modified as well. Next patch attachment addresses this issue.
Comment 6 Jack Magne 2009-01-22 21:38:57 EST
Created attachment 329764 [details]
Revised patch for this fix.
Comment 7 Jack Magne 2009-01-22 21:39:17 EST
CFU, can you please review this change?
Comment 8 Jack Magne 2009-01-22 21:40:36 EST
Created attachment 329765 [details]
Spec file for change.
Comment 9 Jack Magne 2009-01-23 20:24:08 EST
Sending        apdu/Generate_Key_APDU.cpp
Transmitting file data .
Committed revision 186.

Sending        channel/Secure_Channel.cpp
Transmitting file data .
Committed revision 187.

Sending        processor/RA_Enroll_Processor.cpp
Transmitting file data .
Committed revision 188.

Sending        pki-tps.spec
Transmitting file data .
Committed revision 189.
Comment 10 Asha Akkiangady 2009-06-16 18:34:29 EDT

Token Enrollment with Safenet 330J token is successful on ESC installed on Windows (XP and Vista) and RHEL 5.3 platforms with the CS 8.0 installed on RHEL 5.3 (x86 and x86_64).
