[Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF

Christina Fu cfu at redhat.com
Fri Dec 19 19:28:21 UTC 2014 

Thanks Jack for going through the code and testing with me.

pushed to master
commit 4c910296a6c6c8bf74fbdace740680db2f1fecab

On 12/18/2014 06:41 PM, John Magne wrote:
> OK, here was we did on this:
>
> Taking into account that the goal is to
> make sure that our current code continues to work.
>
> 1.Cfu and I walked through the code in person due to its complexity.
> What I found is that the vast majority of the new stuff is the submitters work.
> We only added ourselves what was needed to keep the default current case working.
> It would be best not to mess too much with what they gave us since it works for them.
> Plus I would need some more time to understand the guts of the low level key derivation
> they are doing. Cfu has already vetted their submission, so we should be ok there.
>
> 2. We ran a bunch of tests with real tokens:
>
>    Format.
>    Enrollment.
>    Format with symmetric key changover.
>    Another enrollment with the new key set in place.
>
> Everything worked ok, with the exception of symmetric key changeover on the sc650 card.
> The code works with the Gemalto 64k series card, which is what I probably developed for.
> The error has to do with a couple of the parameters being sent with the apdu having to do
> with key set and key index. For some reason one of the values is wrong with the sc650.
> Will have to file a separate ticke for that, this probably has nothing to do with cfu's patch here.
>
> I think only for the purpose of getting the ball rolling on this, I can give a conditional
> ACK.
>
> With the caveat that cfu makes sure the self tests work, which was not in the patch. The demo setup had this
> fix, so this should not be a big deal.
>
> Later on, when I have the scp02 stuff working, I will have to merge my stuff with these changes since I create
> some new functions to derive scp02 session keys.
>
>
>
>
> ----- Original Message -----
>> From: "Christina Fu" <cfu at redhat.com>
>> To: pki-devel at redhat.com
>> Sent: Tuesday, December 9, 2014 10:02:54 AM
>> Subject: [Pki-devel] [PATCH] Ticket #864 865 866 (part 1 symkey, common) NIST SP800-108 KDF
>>
>> This patch is Part one for tickets:
>> https://fedorahosted.org/pki/ticket/864 NIST SP800-108 KDF
>> https://fedorahosted.org/pki/ticket/865 GP Key sanity check
>> https://fedorahosted.org/pki/ticket/866 pki-common key fixes
>>
>> The original patches were generated from rhcs8.1, and were submitted by
>> a community member party that works closely with us.  The original
>> patches have been test-run successfully in a real deployment over a good
>> period of time.
>> They apply only to the TMS (token Management System) environment.
>>
>> Attached please find the patch that I have integrated from the original
>> patches (see above tickets) into the Dogtag master tree. This is only
>> the first part, which mainly includes:
>> 1. new code for the symkey JNI changes to support the NIST recommended
>> Key Derivation functions
>> 2. code changes to pki-core to support the new symkey calls
>> 3. TKS changes to support needed new parameters from TPS
>>
>> Please note that the needed changes for TPS will come later in a
>> different patch.  This is because the TPS is being rewritten now with
>> JAVA, so the original c++ patch need more time to be converted.
>> Because of this, I had to add
>> 4. code changes to TKS to temporarily support the java-based TPS that
>> has not yet been converted to support NIST SP800-108 KDF
>> Also, the changes in the original patch for TKSKnownSessionKey selftest
>> doesn't seem to work.  I will need more time to investigate.  In order
>> to get more mileage out of the changed code, I am moving this to the
>> next part, and temporarily turn off this particular selftest in this
>> patch, and will be turned back on when it is ready.
>>
>> Because of the interface changes in symkey, the symkey and pki-core
>> packages must be updated together.
>>
>> Because of the complexity and the sheer amount of code involved, Jack, I
>> will work with you face-to-face on the review of this code.
>>
>> Finally, no matter how tempted it is to me, I steer away for
>> reformatting the code, just so that in case we find issues down the
>> road, we can easily find the right place(s) to discuss with the original
>> authors.  Some time later, once enough mileage is gained, we can
>> schedule a separate time to reformat it.
>>
>> It has been tested with simple formats and enrollments with key
>> archivals.  I can continue to perform some more tests while the patch is
>> being reviewed.
>>
>> thanks,
>> Christina
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list