[Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF

John Magne jmagne at redhat.com
Fri Dec 19 02:41:44 UTC 2014


OK, here is what we did on this:

Taking into account that the goal is to
make sure that our current code continues to work.

1. Cfu and I walked through the code in person due to its complexity.
What I found is that the vast majority of the new stuff is the submitter's work.
We only added ourselves what was needed to keep the default current case working.
It would be best not to mess too much with what they gave us since it works for them.
Plus I would need some more time to understand the guts of the low level key derivation 
they are doing. Cfu has already vetted their submission, so we should be ok there.

2. We ran a bunch of tests with real tokens:

  Format.
  Enrollment.
  Format with symmetric key changeover.
  Another enrollment with the new key set in place.

Everything worked ok, with the exception of symmetric key changeover on the sc650 card.
The code works with the Gemalto 64k series card, which is what I probably developed for.
The error has to do with a couple of the parameters being sent with the apdu having to do
with key set and key index. For some reason one of the values is wrong with the sc650.
Will have to file a separate ticket for that; this probably has nothing to do with cfu's patch here.

I think only for the purpose of getting the ball rolling on this, I can give a conditional
ACK.

With the caveat that cfu makes sure the self tests work, which was not in the patch. The demo setup had this 
fix, so this should not be a big deal.

Later on, when I have the scp02 stuff working, I will have to merge my stuff with these changes since I create
some new functions to derive scp02 session keys.




----- Original Message -----
> From: "Christina Fu" <cfu at redhat.com>
> To: pki-devel at redhat.com
> Sent: Tuesday, December 9, 2014 10:02:54 AM
> Subject: [Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF
> 
> This patch is Part one for tickets:
> https://fedorahosted.org/pki/ticket/864 NIST SP800-108 KDF
> https://fedorahosted.org/pki/ticket/865 GP Key sanity check
> https://fedorahosted.org/pki/ticket/866 pki-common key fixes
> 
> The original patches were generated from rhcs8.1, and were submitted by
> a community member party that works closely with us.  The original
> patches have been test-run successfully in a real deployment over a good
> period of time.
> They apply only to the TMS (Token Management System) environment.
> 
> Attached please find the patch that I have integrated from the original
> patches (see above tickets) into the Dogtag master tree. This is only
> the first part, which mainly includes:
> 1. new code for the symkey JNI changes to support the NIST recommended
> Key Derivation functions
> 2. code changes to pki-core to support the new symkey calls
> 3. TKS changes to support needed new parameters from TPS
> 
> Please note that the needed changes for TPS will come later in a
> different patch.  This is because the TPS is being rewritten now with
> Java, so the original C++ patch needs more time to be converted.
> Because of this, I had to add
> 4. code changes to TKS to temporarily support the java-based TPS that
> has not yet been converted to support NIST SP800-108 KDF
> Also, the changes in the original patch for TKSKnownSessionKey selftest
> don't seem to work.  I will need more time to investigate.  In order
> to get more mileage out of the changed code, I am moving this to the
> next part, and temporarily turning off this particular selftest in this
> patch; it will be turned back on when it is ready.
> 
> Because of the interface changes in symkey, the symkey and pki-core
> packages must be updated together.
> 
> Because of the complexity and the sheer amount of code involved, Jack, I
> will work with you face-to-face on the review of this code.
> 
> Finally, no matter how tempting it is to me, I steer away from
> reformatting the code, just so that in case we find issues down the
> road, we can easily find the right place(s) to discuss with the original
> authors.  Some time later, once enough mileage is gained, we can
> schedule a separate time to reformat it.
> 
> It has been tested with simple formats and enrollments with key
> archivals.  I can continue to perform some more tests while the patch is
> being reviewed.
> 
> thanks,
> Christina
> 