Commit
Fix: Bug 2123071 - add AES support for TMS server-side keygen on latest HSM / FIPS environment [RHCS 10.4].

This fix allows the latest HSM / FIPS environment to successfully complete a token enrollment including server-side keygen functionality. This is accomplished with TMS code and applet code that allows SCP03 tokens alone the ability to inject a private key onto the token using the AEK_KEYWRAP_KWP algorithm.

This fix includes a new applet that must be used for SCP03 tokens:

base/tps/shared/applets/1.5.64260792.ijc

The CS.cfg must be configured to use this applet as follows:

op.enroll.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for enrollment and,
op.format.userKey.update.applet.requiredVersion.prot.3=1.5.64260792 for format.

Note any other profiles, including external registration, must be configured to use this applet if put into play.

Note: The following must be configured in the TPS's server.xml to extend the timeout from the client as per this example: connectionTimeout="-1" for each connector, SSL or non-SSL. This is required since the KWP implementation takes a bit longer to unwrap the key(s) onto the token than previously.

Tested with a full FIPS / latest HSM box using PSS and OAEP for all subsystems. OAEP should be required, with PSS optional. Tested with the G&D 7.0 Smart Cafe SCP03 using a max of 3072-bit keys due to the limitations of the token itself.

Addressed review comments. Addressed final review comment.
Showing 23 changed files with 803 additions and 191 deletions.