#2540 Creating symmetric key (sharedSecret) using tkstool is failing when
operating system is in FIPS mode.
From 820b3f16d1cb3f0532a464aee399512725c2a858 Mon Sep 17 00:00:00 2001
From: Jack Magne
Date: Mon, 10 Apr 2017 11:27:12 -0700
Subject: [PATCH] Tkstool, FIPS Mode fix.
Now the program can create and import shared secret keys while under FIPS mode.
---
base/native-tools/src/tkstool/key.c | 96 ++---
base/native-tools/src/tkstool/tkstool.c | 4 +-
base/native-tools/src/tkstool/tkstool.h | 3 +-
3 files changed, 81 insertions(+), 22 deletions(-)
diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c
index 4fd3796..a027d27 100644
--- a/base/native-tools/src/tkstool/key.c
+++ b/base/native-tools/src/tkstool/key.c
@@ -19,6 +19,11 @@
#include "tkstool.h"
+secuPWDatapwdata = { PW_NONE,
+ 0 };
+
+
+
/***/
/** local private functions **/
/***/
@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8*newKey,
goto done;
}
-key = PK11_ImportSymKeyWithFlags(
- /* slot */slot,
- /* mechanism type */CKM_DES3_ECB,
- /* origin */PK11_OriginGenerated,
- /* operation */CKA_ENCRYPT,
- /* key*/&keyItem,
- /* flags */CKF_ENCRYPT,
- /* isPerm */PR_FALSE,
- /* wincx */0 );
+key = TKS_ImportSymmetricKey( NULL,
+slot,
+CKM_DES3_ECB,
+CKA_ENCRYPT,
+&keyItem,
+&pwdata, PR_FALSE );
+
+
+
+ /* key = PK11_ImportSymKeyWithFlags(
+ slot,
+ CKM_DES3_ECB,
+ PK11_OriginGenerated,
+ CKA_ENCRYPT,
+ &keyItem,
+ CKF_ENCRYPT,
+ PR_FALSE,
+ 0 );
+ */
if( ! key ) {
PR_fprintf( PR_STDERR,
"ERROR: Failed to import %s key!\n\n\n",
@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char *symmetricKeyName,
CK_MECHANISM_TYPE mechanism,
CK_ATTRIBUTE_TYPE operation,
SECItem *sessionKeyShare,
-secuPWData*pwdata )
+secuPWData*pwdata, PRBool isPerm )
{
PK11Origin origin = PK11_OriginGenerated;
PK11SymKey *symKey = NULL;
+PK11SymKey *sessKey = NULL;
+PK11Context *context = NULL;
+static SECItem noParams = { siBuffer, NULL, 0 };
+SECItem wrappeditem = { siBuffer, NULL, 0 };
+
+int len = 0;
+unsigned char wrappedkey[DES_LENGTH * 3];
+SECStatus s = SECSuccess;
if( slot == NULL ) {
return NULL;
@@ -1077,15 +1100,50 @@ TKS_ImportSymmetricKey( char *symmetricKeyName,
"Generating %s symmetric key . . .\n\n",
symmetricKeyName );
-symKey = PK11_ImportSymKeyWithFlags(
- /* slot */slot,
- /* mechanism type */mechanism,
- /* origin */origin,
- /* operation */operation,
- /* key*/sessionKeyShare,
- /* flags */0,
- /* isPerm */PR_FALSE,
- /* wincx */pwdata );
+sessKey = PK11_TokenKeyGenWithFlags(slot, // slot handle
+ CKM_DES3_KEY_GEN, // mechanism type
+ NULL, // pointer to params (SECItem structure)
+ 0, // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms)
+ 0, // pointer to keyid (SECItem structure)
+ CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags
+ PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set)
+ NULL);
+
+if( sessKey == NULL ) {
+goto cleanup;
+}
+
+// Import the key onto the token using the temp session key and the key data.
+//
+
+context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT,
+sessKey,
+&noParams);
+
+if (context == NULL) {
+goto cleanup;
+}
+
+len = sessionKeyShare->len;
+/* encrypt the key with the master key */
+s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 );
+if (s != SECSuccess)
+{
+goto cleanup;
+