Description of problem:
We are currently having an issue with successfully enrolling the Safenet 330J token with Dogtag and TPS. The actual reason for the failure could be anywhere from TPS down to the applet, or even the card itself. Creating a bug against TPS as a starting point until we know more.

Version-Release number of selected component (if applicable):
Dogtag 1.0.0

How reproducible:
Always

Steps to Reproduce:
1. Setup CA, TKS and TPS
2. Attempt an enrollment with ESC of the safenet card
3.

Actual results:
The enrollment will fail when the applet tries to perform the function "decryptVerifyKey", which tries to decrypt a random challenge generated by TPS.

Expected results:
The enrollment should finish successfully.

Additional info:
The first attachment will be for TPS code needed to allow "decryptVerifyKey" on the applet to succeed. It turns out that we need to change the APDU to have a format similar to the PutKey command. The main difference is that the algorithm id "80" is to be prepended before the wrapped challenge. This allows decryptVerifyKey to work on the Safenet token, and it still works for our other tokens...
Created attachment 329061 [details] Patch to help generate key on token
cfu, can you review 329061?
(In reply to comment #2)
> Created an attachment (id=329061) [details]
> Patch to help generate key on token

+cfu
I've done some more testing here, specifically with server-side keygen. I found out that the data being sent to "decryptVerifyKey" in the server-side keygen case needs to be modified as well. The next patch attachment addresses this issue.
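The data-field change described in comment 1 (algorithm id 0x80 prepended to the wrapped challenge, in a PutKey-like layout) and again for the server-side keygen path in the comment above, shown as an added illustration. This is not TPS code and not the patch from the attachments. Assumptions: the pre-fix data field was the bare wrapped challenge; the new layout is "algorithm id, one length byte, wrapped challenge" in the style of the GlobalPlatform Put Key key-data block; the card-side check in parseChallengeData models an applet that insists on that layout; the CLA/INS/P1/P2 values in main are placeholders, not the applet's real instruction codes; the 8-byte challenge is a constructed sample.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Algorithm identifier byte for a DES-family key in a GlobalPlatform Put Key
// key-data block. The fix in this bug prepends this value to the challenge.
const uint8_t kAlgIdDes = 0x80;

// Data field as assumed to be sent before the fix: the bare wrapped challenge.
Bytes buildLegacyChallengeData(const Bytes& wrappedChallenge) {
    return wrappedChallenge;
}

// Data field in the Put Key style: algorithm id, length byte, wrapped challenge.
// Assumption: the length byte mirrors Put Key's "alg id, length, key data"
// layout; the bug comments only state that 0x80 is prepended.
Bytes buildPutKeyStyleChallengeData(const Bytes& wrappedChallenge) {
    if (wrappedChallenge.empty() || wrappedChallenge.size() % 8 != 0 ||
        wrappedChallenge.size() > 0xFF) {
        throw std::invalid_argument(
            "wrapped challenge must be 1..255 bytes and a multiple of the DES block size");
    }
    Bytes out;
    out.reserve(wrappedChallenge.size() + 2);
    out.push_back(kAlgIdDes);
    out.push_back(static_cast<uint8_t>(wrappedChallenge.size()));
    out.insert(out.end(), wrappedChallenge.begin(), wrappedChallenge.end());
    return out;
}

// Hypothetical card-side check modelled on an applet that requires the Put Key
// layout. Returns true and the extracted challenge only when the algorithm id
// and the length byte are consistent with the data field it received.
bool parseChallengeData(const Bytes& data, Bytes& challengeOut) {
    challengeOut.clear();
    if (data.size() < 2 || data[0] != kAlgIdDes) return false;
    const size_t len = data[1];
    if (len == 0 || len % 8 != 0 || data.size() != 2 + len) return false;
    challengeOut.assign(data.begin() + 2, data.end());
    return true;
}

// Generic ISO 7816-4 short-form framing: CLA INS P1 P2 Lc followed by the data.
Bytes frameApdu(uint8_t cla, uint8_t ins, uint8_t p1, uint8_t p2, const Bytes& data) {
    if (data.empty() || data.size() > 0xFF) {
        throw std::invalid_argument("data field must be 1..255 bytes");
    }
    Bytes apdu = {cla, ins, p1, p2, static_cast<uint8_t>(data.size())};
    apdu.insert(apdu.end(), data.begin(), data.end());
    return apdu;
}

static void dump(const char* label, const Bytes& b) {
    std::printf("%s:", label);
    for (uint8_t x : b) std::printf(" %02X", x);
    std::printf("\n");
}

int main() {
    // Constructed sample: 8 bytes standing in for a challenge wrapped under the
    // session key. Not a real TPS value.
    const Bytes wrapped = {0x3A, 0x91, 0x4C, 0xD2, 0x07, 0x6E, 0xB5, 0xF8};
    const Bytes legacy = buildLegacyChallengeData(wrapped);
    const Bytes fixed = buildPutKeyStyleChallengeData(wrapped);
    Bytes extracted;

    dump("legacy data field", legacy);
    std::printf("applet accepts legacy: %s\n",
                parseChallengeData(legacy, extracted) ? "yes" : "no");
    dump("fixed data field", fixed);
    std::printf("applet accepts fixed: %s\n",
                parseChallengeData(fixed, extracted) ? "yes" : "no");

    // Placeholder CLA/INS/P1/P2; the real decryptVerifyKey instruction bytes
    // are not given in this bug.
    dump("framed APDU", frameApdu(0x84, 0x00, 0x00, 0x00, fixed));
    return 0;
}
```

The point to take from the comparison is that the same wrapped challenge bytes are sent in both cases; only the two-byte prefix decides whether a strict applet will reach its decrypt step at all, which is why both the client-side and the server-side keygen paths in TPS had to build the data field the same way.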
Created attachment 329764 [details] Revised patch for this fix.
CFU, can you please review this change?
Created attachment 329765 [details] Spec file for change.
Sending        apdu/Generate_Key_APDU.cpp
Transmitting file data .
Committed revision 186.
Sending        channel/Secure_Channel.cpp
Transmitting file data .
Committed revision 187.
Sending        processor/RA_Enroll_Processor.cpp
Transmitting file data .
Committed revision 188.
Sending        pki-tps.spec
Transmitting file data .
Committed revision 189.
Verified. Token Enrollment with Safenet 330J token is successful on ESC installed on Windows (XP and Vista) and RHEL 5.3 platforms with the CS 8.0 installed on RHEL 5.3 (x86 and x86_64).