[Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF

Christina Fu cfu at redhat.com
Tue Dec 9 18:02:54 UTC 2014 

This patch is Part one for tickets:
https://fedorahosted.org/pki/ticket/864 NIST SP800-108 KDF
https://fedorahosted.org/pki/ticket/865 GP Key sanity check
https://fedorahosted.org/pki/ticket/866 pki-common key fixes

The original patches were generated from rhcs8.1, and were submitted by 
a community member party that works closely with us.  The original 
patches have been test-run successfully in a real deployment over a good 
period of time.
They apply only to the TMS (token Management System) environment.

Attached please find the patch that I have integrated from the original 
patches (see above tickets) into the Dogtag master tree. This is only 
the first part, which mainly includes:
1. new code for the symkey JNI changes to support the NIST recommended 
Key Derivation functions
2. code changes to pki-core to support the new symkey calls
3. TKS changes to support needed new parameters from TPS

Please note that the needed changes for TPS will come later in a 
different patch.  This is because the TPS is being rewritten now with 
JAVA, so the original c++ patch need more time to be converted.
Because of this, I had to add
4. code changes to TKS to temporarily support the java-based TPS that 
has not yet been converted to support NIST SP800-108 KDF
Also, the changes in the original patch for TKSKnownSessionKey selftest 
doesn't seem to work.  I will need more time to investigate.  In order 
to get more mileage out of the changed code, I am moving this to the 
next part, and temporarily turn off this particular selftest in this 
patch, and will be turned back on when it is ready.

Because of the interface changes in symkey, the symkey and pki-core 
packages must be updated together.

Because of the complexity and the sheer amount of code involved, Jack, I 
will work with you face-to-face on the review of this code.

Finally, no matter how tempted it is to me, I steer away for 
reformatting the code, just so that in case we find issues down the 
road, we can easily find the right place(s) to discuss with the original 
authors.  Some time later, once enough mileage is gained, we can 
schedule a separate time to reformat it.

It has been tested with simple formats and enrollments with key 
archivals.  I can continue to perform some more tests while the patch is 
being reviewed.

thanks,
Christina
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Ticket-864-865-866-part-1-symkey-common-NIST-SP800-1.patch
Type: text/x-patch
Size: 198580 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20141209/a271a3b9/attachment.bin>

More information about the Pki-devel mailing list