Re: [Pki-devel] [PATCH] Ticket-2618-feature-pre-signed-CMC-renewal-request.patch

2017-05-22 Thread Christina Fu 

pushed to master:

commit 8aafe1d4345f8b8d20b2f87c68b2e6be4eee18eb

thanks,

Christina


On 05/19/2017 06:36 PM, John Magne wrote:

ACK:

Just make sure these changed constraints don't have any negative effect on 
existing profiles that use those constraints..

- Original Message -
From: "Christina Fu" 
To: pki-devel@redhat.com
Sent: Friday, May 19, 2017 5:31:37 PM
Subject: [Pki-devel] [PATCH]
Ticket-2618-feature-pre-signed-CMC-renewal-request.patch



This patch is for https://pagure.io/dogtagpki/issue/2618 allow CA to process 
pre-signed CMC renewal cert requests

Ticket#2618 feature: pre-signed CMC renewal request

This patch provides the feature implementation to allow CA to process 
pre-signed CMC renewal requests. In the world of CMC, renewal request are full 
CMC requests that are signed by previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the 
enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by 
a revoked certificate. It also saves the origNotAfter of the newest certificate 
sharing the same key in the request to be used by the 
RenewGracePeriodConstraint.
The profile caFullCMCUserSignedCert.cfg has been updated to have both 
UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the 
correct order. By default in the UniqueKeyConstraint the constraint parameter 
allowSameKeyRenewal=true.


Thanks,

Christina

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [pki-devel][PATCH] 0094-Tkstool-FIPS-Mode-fix.patch

2017-05-22 Thread John Magne 
 #2540 Creating symmetric key (sharedSecret) using tkstool is failing when 
operating system is in FIPS mode. 


From 820b3f16d1cb3f0532a464aee399512725c2a858 Mon Sep 17 00:00:00 2001
From: Jack Magne 
Date: Mon, 10 Apr 2017 11:27:12 -0700
Subject: [PATCH] Tkstool, FIPS Mode fix.

Now the program can create and import shared secret keys while under FIPS mode.
---
 base/native-tools/src/tkstool/key.c | 96 ++---
 base/native-tools/src/tkstool/tkstool.c |  4 +-
 base/native-tools/src/tkstool/tkstool.h |  3 +-
 3 files changed, 81 insertions(+), 22 deletions(-)

diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c
index 4fd3796..a027d27 100644
--- a/base/native-tools/src/tkstool/key.c
+++ b/base/native-tools/src/tkstool/key.c
@@ -19,6 +19,11 @@
 
 #include "tkstool.h"
 
+secuPWDatapwdata = { PW_NONE,
+  0 };
+
+
+
 /***/
 /**  local private functions  **/
 /***/
@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8*newKey,
 goto done;
 }
 
-key = PK11_ImportSymKeyWithFlags(
-  /* slot   */slot,
-  /* mechanism type */CKM_DES3_ECB,
-  /* origin */PK11_OriginGenerated,
-  /* operation  */CKA_ENCRYPT,
-  /* key*/&keyItem,
-  /* flags  */CKF_ENCRYPT,
-  /* isPerm */PR_FALSE,
-  /* wincx  */0 );
+key =  TKS_ImportSymmetricKey( NULL,
+slot,
+CKM_DES3_ECB,
+CKA_ENCRYPT,
+&keyItem,
+&pwdata, PR_FALSE );
 
+
+
+
+ /*   key = PK11_ImportSymKeyWithFlags(
+  slot,
+  CKM_DES3_ECB,
+  PK11_OriginGenerated,
+  CKA_ENCRYPT,
+  &keyItem,
+  CKF_ENCRYPT,
+  PR_FALSE,
+  0 );
+ */
 if( ! key ) {
 PR_fprintf( PR_STDERR,
 "ERROR:  Failed to import %s key!\n\n\n",
@@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char  *symmetricKeyName,
 CK_MECHANISM_TYPE  mechanism,
 CK_ATTRIBUTE_TYPE  operation,
 SECItem   *sessionKeyShare,
-secuPWData*pwdata )
+secuPWData*pwdata, PRBool isPerm )
 {
 PK11Origin  origin = PK11_OriginGenerated;
 PK11SymKey *symKey = NULL;
+PK11SymKey *sessKey = NULL;
+PK11Context *context = NULL;
+static SECItem noParams = { siBuffer, NULL, 0 };
+SECItem wrappeditem = { siBuffer, NULL, 0 };
+
+int len = 0;
+unsigned char wrappedkey[DES_LENGTH * 3];
+SECStatus s = SECSuccess;
 
 if( slot == NULL ) {
 return NULL;
@@ -1077,15 +1100,50 @@ TKS_ImportSymmetricKey( char  *symmetricKeyName,
 "Generating %s symmetric key . . .\n\n",
 symmetricKeyName );
 
-symKey = PK11_ImportSymKeyWithFlags( 
- /* slot   */slot,
- /* mechanism type */mechanism,
- /* origin */origin,
- /* operation  */operation,
- /* key*/sessionKeyShare,
- /* flags  */0,
- /* isPerm */PR_FALSE,
- /* wincx  */pwdata );
+sessKey =  PK11_TokenKeyGenWithFlags(slot,   // slot handle
+   CKM_DES3_KEY_GEN,   // mechanism type
+   NULL,   // pointer to params (SECItem structure)
+   0,  // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms)
+   0,  // pointer to keyid (SECItem structure)
+   CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags
+   PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set)
+   NULL);
+
+if( sessKey == NULL ) {
+goto cleanup;
+}
+
+// Import the key onto the token using the temp session key and the key data.
+//
+
+context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT,
+sessKey,
+&noParams);
+
+if (context == NULL) {
+goto cleanup;
+}
+
+len = sessionKeyShare->len;
+/* encrypt the key with the master key */
+s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 );
+if (s != SECSuccess)
+{
+goto cleanup;
+