Closed pki-bot closed 4 years ago
Comment from klamb (@mklamb) at 2014-02-21 15:21:21
attachment pki-common_nistSP800-108KDF_keyVersionDecodeFix.patch
Comment from klamb (@mklamb) at 2014-02-21 15:21:31
attachment pki-tks_nistSP800-108KDF.patch
Comment from klamb (@mklamb) at 2014-02-21 15:21:41
attachment symkey_nistSP800-108KDF_invocationLogic_keyVersionDecodeFix_miscFixes.patch
Comment from klamb (@mklamb) at 2014-02-21 15:21:52
attachment symkey_nistSP800-108KDF_makefile.patch
Comment from klamb (@mklamb) at 2014-02-21 15:22:13
attachment symkey_nistSP800-108KDF_newSourceFiles.patch
Comment from klamb (@mklamb) at 2014-02-21 15:22:25
Comment from cfu (@cfu) at 2014-02-24 18:05:55
Hi, it'd be helpful if you could provide info on the tree/branch that the patches are based off. Thank you.
Comment from klamb (@mklamb) at 2014-02-24 18:09:30
Replying to [comment:1 cfu]:
> Hi, it'd be helpful if you could provide info on the tree/branch that the patches are based off. Thank you.
They are based off the latest SRC RPMs available for 8.1
Comment from cfu (@cfu) at 2014-07-14 23:21:03
First of all, thank you for providing the patches. Also thanks for finding and fixing some of the overlooked issues in the current code base in the affected areas.
I have taken a look at the changes. I am not making an attempt to understand the new spec or evaluate the accuracy of the implementation, which I'll leave to the author(s) of the patches to test; rather, I am focusing on how the patches will impact the existing functionality and workability. I have one minor comment and one major.
Minor comment:
Major comment:
I am actually okay with it as long as we make it very clear that they are not to be mixed and matched.
The patches have applied cleanly to the latest 8.1 code base.
Comment from cfu (@cfu) at 2014-07-21 20:23:57
The following was the investigation result and recommendations for 864/865/866 I sent to mklamb directly via email last week. I'm adding it here for the record:
==============
Here is the status. I applied all patches minus the one I couldn't, which I manually edited instead. Compilation was a success on all affected components: symkey, pki-common, pki-tks, and pki-tps.
Just to reiterate, because of the function signature changes, all components need to be updated at the same time. I applied the new components to an existing 8.1 TMS installation and here are the findings:
Since 10.2 TPS is re-written in Java, the patch will need to be re-written. These tickets will remain open to make sure they are written and applied to 10.2.X
Comment from mharmsen (@mharmsen) at 2014-09-18 04:15:46
Proposed Milestone: 10.2.1 (per CS Meeting of 09/17/2014)
Higher priority than External Reg (10.2.2)
Comment from cfu (@cfu) at 2014-12-09 20:59:26
for reference: http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
Comment from cfu (@cfu) at 2014-12-19 21:29:27
pushed to master: commit 4c910296a6c6c8bf74fbdace740680db2f1fecab
Comment from cfu (@cfu) at 2014-12-20 01:21:32
pushed to DOGTAG_10_2_0_BRANCH commit cdc186f378b0afe526a35400785f47fc5559395c
(cherry picked from commit 4c910296a6c6c8bf74fbdace740680db2f1fecab)
Comment from cfu (@cfu) at 2014-12-20 02:49:53
pushed to DOGTAG_10_2_RHEL_BRANCH commit d3051dd3c992b62fc10607bb388121cba50a7003
(cherry picked from commit 4c910296a6c6c8bf74fbdace740680db2f1fecab)
Comment from cfu (@cfu) at 2014-12-20 03:07:42
make this ticket a patch-integration only bug. Ticket 865 (when TPS part is written) will be the actual feature ticket and tested fully.
Comment from mharmsen (@mharmsen) at 2015-03-16 23:40:19
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1202561 (Red Hat Certificate System)
Comment from klamb (@mklamb) at 2017-02-27 14:08:24
Metadata Update from @mklamb:
This issue was migrated from Pagure Issue #864. Originally filed by klamb (@mklamb) on 2014-02-21 15:20:26:
The attached patches allow for newer NIST approved stronger algorithms for KDF. See NIST Special Publication 800-108. Most of the impact is in symkey. Additional mods were required for some backwards compatibility for existing card stocks that are in use under the current RHCS8.x diversification scheme.