[Pki-devel] [pki-devel][PATCH] 0026-NISTSP8000-feature.patch

John Magne jmagne at redhat.com
Tue Mar 17 19:53:34 UTC 2015


CFU re-reviewed with some more minor comments
for a verbal conditional ACK, pushed to master.

Things done:

-fixed an issue where the AppletInfo class was returning the cuid instead of the kdd.
-added some missing entries to the CS.cfg.
-fixed a problem I found with token enrollment where I was failing to send the kdd value
for the "encrytData" TKS servlet.

Things to do:

CFU noted that we did not implement the feature to "rollback the keyInfo db entry"
for a token that fails to upgrade the keyset in key changeover.
I solved the problem by no longer updating the value in the db until success.

CFU believes this feature had to do with certain auditing issues.

This auditing issue and another auditing issue I left out will be
addressed in the next auditing ticket we have.

Closing Ticket #865

----- Original Message -----
From: "John Magne" <jmagne at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Monday, March 16, 2015 10:59:10 PM
Subject: Fwd: [pki-devel][PATCH] 0026-NISTSP8000-feature.patch

CFU's comments addressed.

Filled in the missing sanity checks on the TPS side cfu commented about.

Tested with scp01 and scp02 tokens, also with sym key changeover.

Made sure we pass both the KDD and CUID down to symkey.

Testing has shown that the KDD and CUID are really different,
so no need to abort the operation if they are not the same.


----- Forwarded Message -----
From: "John Magne" <jmagne at redhat.com>
To: "pki-devel" <pki-devel at redhat.com>
Sent: Friday, March 13, 2015 7:17:07 PM
Subject: [pki-devel][PATCH] 0025-NISTSP8000-feature.patch

NISTSP8000 feature.

Implementation of the nistSP800 derivation feature.
Works for both supported scp01 cards and scp02 cards.
During the various session key and key upgrade functions, the nist derivation code is being called.

Tested with gemalto 64k for scp01 and sc650 for scp02.
Tested symmetric key changeover for both tokens.

Logs verified the nist functions being called for derivation instead of the current calls.



