Bug 485829 - Problems using 2048-bit keys with SmartCardManager
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: ESC
Version: 1.0
Hardware: All All
Priority: low, Severity: medium
Assigned To: Jack Magne
QA Contact: Chandrasekar Kannan
Depends On:
Blocks: 443788 514299
Reported: 2009-02-16 16:43 EST by Jack Magne
Modified: 2015-01-04 18:36 EST

Doc Type: Bug Fix
: 514299 (view as bug list)
Last Closed: 2009-07-22 19:32:27 EDT


Attachments
Coolkey patch for 2048 bit support. (12.74 KB, patch)
2009-02-16 16:45 EST, Jack Magne
Coolkey applet patch for 2048 bit support. (5.00 KB, patch)
2009-02-16 16:46 EST, Jack Magne
A different implementation of "getKeySize()" (3.85 KB, patch)
2009-02-18 01:26 EST, Jack Magne
Changes to have new applet installed on the system. (6.76 KB, patch)
2009-02-27 15:02 EST, Jack Magne

Description Jack Magne 2009-02-16 16:43:22 EST
Description of problem:


ESC depends upon Coolkey and the Coolkey applet to perform cryptographic operations. To this point, Coolkey and the applet have been basically hard coded to support 1024 bit keys. The goal is to provide support such that 2048 bit keys can be managed by ESC and used for cryptographic operations on the target platforms.
Comment 1 Jack Magne 2009-02-16 16:45:25 EST
Created attachment 332126
Coolkey patch for 2048 bit support.
Comment 2 Jack Magne 2009-02-16 16:46:06 EST
Created attachment 332127
Coolkey applet patch for 2048 bit support.
Comment 3 Jack Magne 2009-02-16 16:46:49 EST
BobR, can you please review these changes?
Comment 4 Bob Relyea 2009-02-17 19:54:56 EST
Comment on attachment 332126
Coolkey patch for 2048 bit support.

r+ for the applet changes.

r- for the coolkey changes.

Minor comments:
change the keysize check from >= to !=.

Major comments:
getKeySize looks way too expensive (have you timed a signature with the new code?).

Every time you reach into the applet, you incur several hundred milliseconds. Minimal calls are therefore desirable. For 2048 we can't avoid the Read/Write object APDUs, but for 1024 bit keys we should still keep it to a single APDU call.

GetKey size will add between 1 and 3-4 APDU calls as we cycle through the key list. It would be better to get this from some other means. Also, does this code work for CAC cards?

One simple way to get the key size is to look up the Modulus len in the corresponding private key. That value is already filled in for us in the PKCS #11 object.

bob
Comment 5 Bob Relyea 2009-02-17 19:56:20 EST
To clear up my comments, I meant r+ for the changes to libckyapplet... the applet is a separate patch I'm reviewing now...

bob
Comment 6 Bob Relyea 2009-02-17 19:59:00 EST
Comment on attachment 332127
Coolkey applet patch for 2048 bit support.

r+

keep on the non-egate branch for now... We will want a version that works with bigger tokens.
Comment 7 Bob Relyea 2009-02-17 19:59:36 EST
(It's times like that I wish we had ifdefs in Java :(....

bob
Comment 8 Jack Magne 2009-02-18 01:26:25 EST
Created attachment 332339
A different implementation of "getKeySize()"

This seems to work ok. Will there be issues with CAC? It looks like the code creates the modulus attribute when it creates a CAC priv key.
Comment 9 Bob Relyea 2009-02-18 14:27:26 EST
Comment on attachment 332339
A different implementation of "getKeySize()"

r+ rrelyea.

This is good enough to check in.

I would like you to make the following changes, however....

You can avoid the lookup by storing the keysize when you look up the keynumber (in objectHandleTokenKeyNum).

We can change this to return a keyNum and a keySize and pass both to the initialize function (which will have to take both).

Second, only decrement modSize if CKY_Buffer_GetByte(modulus, 0) == 0.

The latter you can make right away. The former, write a bug to remind you, but it doesn't have to happen immediately.

bob
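
The modulus-length approach from comments 4 and 9, as an added example that is not part of the thread or of the CoolKey source: it derives the key size from a big-endian modulus, dropping one byte only when byte 0 is zero, and shows the size an unconditional decrement would report. All function and enum names are hypothetical, the exact-match dispatch is an assumption, and the sample moduli are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not CoolKey source. */
enum sign_path { PATH_UNSUPPORTED, PATH_SINGLE_APDU, PATH_OBJECT_IO };

/* Key size in bits from a big-endian modulus (e.g. a CKA_MODULUS value).
 * The byte count drops by one only when byte 0 is a 0x00 pad byte. */
static unsigned int key_bits_from_modulus(const unsigned char *mod, size_t len)
{
    if (mod == NULL || len == 0) return 0;
    if (mod[0] == 0x00) len--;
    return (unsigned int)(len * 8);
}

/* Contrast case: decrement whether or not a pad byte is present. */
static unsigned int key_bits_always_decrement(size_t len)
{
    return len ? (unsigned int)((len - 1) * 8) : 0;
}

/* Exact match: 1024 -> single APDU, 2048 -> Read/Write object APDUs. */
static enum sign_path path_for_key_bits(unsigned int bits)
{
    if (bits == 1024) return PATH_SINGLE_APDU;
    if (bits == 2048) return PATH_OBJECT_IO;
    return PATH_UNSUPPORTED;   /* e.g. a miscounted 1016 or 2040 */
}

/* Constructed sample: n bytes of 0xA5 (top bit set), optional 0x00 pad. */
static size_t make_modulus(unsigned char *out, size_t n, int padded)
{
    size_t off = padded ? 1 : 0;
    out[0] = 0x00;
    memset(out + off, 0xA5, n);
    return off + n;
}

int main(void)
{
    unsigned char m[257];
    for (int i = 0; i < 4; i++) {   /* 128 and 256 bytes, without and with pad */
        size_t len = make_modulus(m, i < 2 ? 128 : 256, i & 1);
        unsigned int ok = key_bits_from_modulus(m, len);
        printf("%zu bytes: %u bits, path %d; always-decrement: %u bits\n",
               len, ok, (int)path_for_key_bits(ok), key_bits_always_decrement(len));
    }
    return 0;
}
```

With an unpadded modulus the unconditional decrement reports 1016 or 2040 bits, which matches neither supported size.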
Comment 10 Jack Magne 2009-02-18 16:49:17 EST
Bug #486218 created for the requested optimization.
Comment 11 Jack Magne 2009-02-18 21:04:52 EST
Checking in cky_applet.c;
/cvs/dirsec/coolkey/src/libckyapplet/cky_applet.c,v  <--  cky_applet.c
new revision: 1.2; previous revision: 1.1
done
Checking in cky_applet.h;
/cvs/dirsec/coolkey/src/libckyapplet/cky_applet.h,v  <--  cky_applet.h
new revision: 1.2; previous revision: 1.1
done
Checking in cky_factory.c;
/cvs/dirsec/coolkey/src/libckyapplet/cky_factory.c,v  <--  cky_factory.c
new revision: 1.2; previous revision: 1.1
done
Checking in cky_factory.h;
/cvs/dirsec/coolkey/src/libckyapplet/cky_factory.h,v  <--  cky_factory.h
new revision: 1.2; previous revision: 1.1
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.

Checking in slot.cpp;
/cvs/dirsec/coolkey/src/coolkey/slot.cpp,v  <--  slot.cpp
new revision: 1.11; previous revision: 1.10
done
Checking in slot.h;
/cvs/dirsec/coolkey/src/coolkey/slot.h,v  <--  slot.h
new revision: 1.3; previous revision: 1.2
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Comment 12 Jack Magne 2009-02-18 21:07:10 EST
Checking in CardEdge.java;
/cvs/dirsec/coolkey/applet/src/com/redhat/ckey/applet/CardEdge.java,v  <--  CardEdge.java
new revision: 1.4.2.2; previous revision: 1.4.2.1
done
Running syncmail...
Mailing relnotes@fedoraproject.org...
...syncmail done.
Running syncmail...
Mailing cvsdirsec@fedoraproject.org...
...syncmail done.
Comment 13 Jack Magne 2009-02-27 15:01:12 EST
The new applet has to be checked into tps, to be available for use.
Comment 14 Jack Magne 2009-02-27 15:02:40 EST
Created attachment 333524
Changes to have new applet installed on the system.
Comment 15 Jack Magne 2009-02-27 15:12:46 EST
Spec File change:

===================================================================
--- pki-tps.spec        (revision 262)
+++ pki-tps.spec        (working copy)
@@ -34,7 +34,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.0.0
-%define base_release      28
+%define base_release      29
 %define base_group        System Environment/Daemons
 %define base_vendor       Red Hat, Inc.
 %define base_license      LGPLv2 with exceptions
@@ -308,6 +308,8 @@
 ###############################################################################
 
 %changelog
+* Fri Feb 27 2009 Jack Magne <jmagne@redhat.com> 1.0.0-29
+- Bugzilla #485829 - Support for 2048 bit safenet keys.
 * Fri Feb 27 2009 Ade Lee <alee@redhat.com> 1.0.0-28
 - Bugzilla 224835 and 367171: Allow cert nicknames to be edited and sizepanel fixes
 * Thu Feb 26 2009 Ade Lee <alee@redhat.com> 1.0.0-27
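Review bot: The added %changelog entry is written as "Bugzilla #485829 - ..." while the entries directly below it use "Bugzilla 224835 and 367171: ..." with no "#" and a colon; match the existing form so the changelog stays consistent and easy to search. The summary "Support for 2048 bit safenet keys" also does not say what changed in this package, so a short mention of the change itself would help someone reading the RPM changelog without the bug open. The 1.0.0-29 in the entry does match the base_release bump to 29 in the first hunk.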
Comment 16 Matthew Harmsen 2009-02-27 15:14:16 EST
attachment (id=333524) +mharmsen

Comment #15 +mharmsen
Comment 17 Jack Magne 2009-02-27 15:18:57 EST
svn commit -m "Add latest applet to tps, #485829."
Sending        tps/Makefile.am
Sending        tps/Makefile.in
Adding  (bin)  tps/applets/1.4.499dc06c.ijc
Sending        doc/CS.cfg
Transmitting file data .
Committed revision 263.
