Address Test Port final TMS fixes for rhel7 to master branch, phase 2…

…, RHCS-5403

This checkin coincides with the final sub task of porting the rhel7 tms to the master branch.

Once this code makes it to the testing phase, every feature present in the lastest version of the rhel7 tms
system should be present in any releases taken from the master branch.

Add some more TPS CS.cfg comments for newer features.
Fix tps docker test to include the cfg variable needed to allow tpsclient enrollments to complete.

Change-Id: I7c98ddeffafd912debb908c9efc7a6bb591807ee

.github/workflows/tps-basic-test.yml

@@ -278,7 +278,7 @@ jobs:
               --pkcs12-password Secret.123
           docker exec pki pki -n caadmin tps-user-show tpsadmin
 
-      - name: Set up TPS authentication
+      - name: Set up TPS authentication and misc cfg settings
         run: |
           # import sample TPS users
           docker exec pki ldapadd \
@@ -297,6 +297,10 @@ jobs:
               auths.instance.ldap1.ldap.basedn \
               ou=people,dc=example,dc=com
 
+          # configure TPS to allow tpsclient tests to work
+          docker exec pki pki-server tps-config-set \
+              channel.scp01.no.le.byte true
+
           # restart TPS subsystem
           docker exec pki pki-server tps-redeploy --wait
 

base/common/src/main/java/com/netscape/cmsutil/crypto/CryptoUtil.java

@@ -2471,6 +2471,51 @@ public static List<byte[]> exportSharedSecret(String nickname, java.security.cer
         return listWrappedKeys;
     }
 
+     public static List<byte[]> exportSharedSecretWithAES(String nickname, java.security.cert.X509Certificate wrappingCert,
+            SymmetricKey wrappingKey,boolean useOAEPKeyWrap) throws Exception {
+
+        CryptoManager cm = CryptoManager.getInstance();
+        CryptoToken token = cm.getInternalKeyStorageToken();
+        String method = "CrytoUtil.exportSharedSecret";
+        List<byte[]> listWrappedKeys = new ArrayList<byte[]>();
+
+        logger.debug(method + " nickname: " + nickname);
+
+        SymmetricKey sharedSecretKey = null;
+
+        try {
+            sharedSecretKey = getSymKeyByName(token, nickname);
+        } catch (Exception e) {
+            logger.debug(method + " can't find shared secret: " + nickname);
+            throw new IOException("Shared secret " + nickname + " does not exist");
+        }
+
+        PublicKey pub = wrappingCert.getPublicKey();
+        PK11PubKey pubK = PK11PubKey.fromSPKI(pub.getEncoded());
+
+        //Wrap the temp AES key with the cert
+        byte[] wrappedKey = wrapUsingPublicKey(token, pubK, wrappingKey, useOAEPKeyWrap ? KeyWrapAlgorithm.RSA_OAEP: KeyWrapAlgorithm.RSA);
+
+        listWrappedKeys.add(wrappedKey);
+        //Use the AES key to wrap the shared secret
+
+        KeyWrapAlgorithm  wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
+        int ivLen = wrapAlg.getBlockSize();
+        byte[] iv = new byte[ivLen];
+
+        IVParameterSpec ivsp = new IVParameterSpec(iv);
+
+        byte[] wrappedSharedSecret = wrapUsingSymmetricKey(token, wrappingKey, sharedSecretKey, ivsp, wrapAlg);
+
+        listWrappedKeys.add(wrappedSharedSecret);
+
+        if (listWrappedKeys.size() != 2) {
+            throw new IOException("Can't write out shared secret data to export for nickname: " + nickname);
+        }
+
+        return listWrappedKeys;
+    }
+
     public static void importSharedSecret(byte[] wrappedSessionKey,byte[] wrappedSharedSecret,String subsystemCertNickname,String sharedSecretNickname) throws Exception, NotInitializedException, TokenException,
             NoSuchAlgorithmException, ObjectNotFoundException, InvalidKeyException, InvalidAlgorithmParameterException,
             IOException {
@@ -2689,8 +2734,8 @@ public static SymmetricKey unwrapAESSKeyFromBytes(CryptoToken token, byte[] inpu
         String method = "CryptoUtil.unwrapAESKeyFromBytes: ";
 
         logger.debug(method + "begins:  isPerm: " + isPerm);
-	//for now assume 128 bits aes
-        if(inputKeyArray.length > 16) {
+	//support 128 or 256 bits aes
+        if(inputKeyArray.length > 32) {
             throw new Exception(method + "invalid input data size.");
         }
 

base/common/src/main/java/org/dogtagpki/tps/apdu/APDU.java

@@ -58,7 +58,9 @@ public enum Type {
         APDU_GET_ISSUERINFO,
         APDU_GENERATE_KEY_ECC,
         APDU_GET_LIFECYCLE,
-        APDU_CLEAR_KEY_SLOTS
+        APDU_CLEAR_KEY_SLOTS,
+        APDU_DELETE_KEYS   // ** G&D 256 Key Rollover Support **
+
     }
 
     protected byte cla;
@@ -154,6 +156,23 @@ public TPSBuffer getEncoding() {
         return encoding;
     }
 
+    // New method for IDEMIA token processing
+    public TPSBuffer getEncodingWithLength() {
+
+        TPSBuffer encoding = new TPSBuffer();
+
+        encoding.add(cla);
+        encoding.add(ins);
+        encoding.add(p1);
+        encoding.add(p2);
+
+        if (trailer != null) {
+            encoding.add(trailer);
+        }
+
+        return encoding;
+    }
+
     public TPSBuffer getDataToMAC() {
         TPSBuffer mac = new TPSBuffer();
 

base/common/src/main/java/org/dogtagpki/tps/apdu/DeleteKeysAPDU.java

@@ -0,0 +1,34 @@
+package org.dogtagpki.tps.apdu;
+
+/**
+ * ** G&D 256 Key Rollover Support **
+ */
+
+import org.dogtagpki.tps.main.TPSBuffer;
+
+public class DeleteKeysAPDU extends APDU {
+
+    public DeleteKeysAPDU(TPSBuffer keyVersion) {
+        setCLA((byte) 0x84);
+        setINS((byte) 0xE4);
+        setP1((byte) 0x00);
+        setP2((byte) 0x00);
+
+        TPSBuffer keyData = new TPSBuffer();
+
+        keyData.add((byte) 0xD2);               // tag for deleting key version
+        keyData.add((byte) keyVersion.size());  // length of key version
+        keyData.add(keyVersion);                // key version
+
+        //CMS.debug("DeleteKeysAPDU: keyData = " + keyData.toHexString());
+
+        setData(keyData);
+
+    }
+
+    @Override
+    public APDU.Type getType() {
+        return APDU.Type.APDU_DELETE_KEYS;
+
+    }
+}

base/common/src/main/java/org/dogtagpki/tps/apdu/SelectAPDU.java

@@ -30,6 +30,18 @@ public SelectAPDU(byte p1, byte p2, TPSBuffer theData)
         setP1(p1);
         setP2(p2);
         setData(theData);
+        // Add trailer byte
+        TPSBuffer trailer = new TPSBuffer(1);
+        setTrailer(trailer);
+    }
+
+    // This constructor is used to make a card mgr request with no data
+    public SelectAPDU(byte p1, byte p2)
+    {
+        setCLA((byte) 0x00);
+        setINS((byte) 0xa4);
+        setP1(p1);
+        setP2(p2);
     }
 
     @Override

base/common/src/main/java/org/dogtagpki/tps/msg/EndOpMsg.java

@@ -68,7 +68,8 @@ public enum TPSStatus {
         STATUS_ERROR_REVOKE_CERTIFICATES_FAILED(42),
         STATUS_ERROR_NOT_TOKEN_OWNER(43),
         STATUS_RENEWAL_IS_PROCESSED(44),
-        STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45);
+        STATUS_ERROR_CANNOT_ESTABLISH_COMMUNICATION(45),
+        STATUS_ERROR_SYMKEY_256_UPGRADE(46); // ** G&D 256 Key Rollover Support **
 
         private TPSStatus(int code) {
             this.code = code;

base/common/src/main/java/org/dogtagpki/tps/msg/TokenPDURequestMsg.java

@@ -42,6 +42,34 @@ public TokenPDURequestMsg(APDU apdu) {
 
     }
 
+    // This constructor is used to add a length byte to the apdu
+    public TokenPDURequestMsg(APDU apdu, boolean addLength) {
+
+        put(MSG_TYPE_NAME, msgTypeToInt(MsgType.MSG_TOKEN_PDU_REQUEST));
+
+        TPSBuffer encoding = null;
+
+        if (apdu != null) {
+
+            if (addLength)
+            {
+                encoding = apdu.getEncodingWithLength();
+            }
+            else
+            {
+                encoding = apdu.getEncoding();
+            }
+
+            int apduSize = encoding.size();
+
+            String apdu_value = Util.uriEncodeInHex(encoding.toBytesArray());
+
+            put(PDU_SIZE_NAME, apduSize);
+            put(PDU_DATA_NAME, apdu_value);
+        }
+
+    }
+
     public static void main(String[] args) {
 
         SelectAPDU apdu = null;

base/kra/src/main/java/com/netscape/cms/servlet/connector/GenerateKeyPairServlet.java

@@ -161,6 +161,11 @@ private void processServerSideKeyGen(HttpServletRequest req,
         String rKeytype = req.getParameter(IRemoteRequest.KRA_KEYGEN_KeyType);
         String rKeycurve = req.getParameter(IRemoteRequest.KRA_KEYGEN_EC_KeyCurve);
 
+        //Optional AES key wrap alg, default KWP anyway.
+        String rAesWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);
+        logger.debug("GenerateKeyPairServlet: processServerSideKeygen():  rAesWrapAlg: " + rAesWrapAlg);
+
+
         //Get trans wrapped aes session key if provided.
         String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);
 
@@ -241,6 +246,10 @@ private void processServerSideKeyGen(HttpServletRequest req,
             thisreq.setExtData(Request.NETKEY_ATTR_KEY_TYPE, rKeytype);
             thisreq.setExtData(Request.NETKEY_ATTR_KEY_EC_CURVE, rKeycurve);
 
+            if((rAesWrapAlg != null) && (rAesWrapAlg.length() >0)) {
+                thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,rAesWrapAlg);
+            }
+
             queue.processRequest(thisreq);
             Integer result = thisreq.getExtDataInInteger(Request.RESULT);
             if (result != null) {

base/kra/src/main/java/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java

@@ -172,6 +172,7 @@ private void processTokenKeyRecovery(HttpServletRequest req,
         boolean missingParam = false;
         boolean missingTransAes = false;
         boolean missingTransDes = false;
+        boolean missingAesKeyWrapAlg = false;
 
         String status = "0";
 
@@ -182,9 +183,19 @@ private void processTokenKeyRecovery(HttpServletRequest req,
         String rKeyid = req.getParameter(IRemoteRequest.KRA_RECOVERY_KEYID);
         String rdesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_DesKey);
         String rCert = req.getParameter(IRemoteRequest.KRA_RECOVERY_CERT);
+
+        //RedHat : make sure the key wrap alg is being processed correctly
+        String aesKeyWrapAlg = req.getParameter(IRemoteRequest.KRA_Aes_Wrap_Alg);
+
 
         String raesKeyString = req.getParameter(IRemoteRequest.KRA_Trans_AesKey);
 
+        //RedHat : make sure the key wrap alg is being processed correctly
+        if ((aesKeyWrapAlg == null) || (aesKeyWrapAlg.equals(""))) {
+            logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: AES-KeyWrap-alg");
+            missingAesKeyWrapAlg = true;
+        }
+
         if ((rCUID == null) || (rCUID.equals(""))) {
             logger.warn("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: CUID");
             missingParam = true;
@@ -231,6 +242,12 @@ private void processTokenKeyRecovery(HttpServletRequest req,
                 thisreq.setExtData(Request.NETKEY_ATTR_DRMTRANS_AES_KEY, raesKeyString);
             }
 
+            //RedHat : make sure the key wrap alg is being processed correctly
+            if(!missingAesKeyWrapAlg) {
+                logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): aesKeyWrapAlg: " + aesKeyWrapAlg);
+                thisreq.setExtData(Request.NETKEY_ATTR_SSKEYGEN_AES_KEY_WRAP_ALG,aesKeyWrapAlg);
+            }
+
             if ((rCert != null) && (!rCert.equals(""))) {
                 thisreq.setExtData(Request.NETKEY_ATTR_USER_CERT, rCert);
                logger.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert");