The attached patches allow for newer NIST approved stronger algorithms for KDF. See NIST Special Publication 800-108. Most of the impact is in symkey. Additional mods were required for some backwards compatibility for existing card stocks that are in use under the current RHCS8.x diversification scheme.
attachment pki-common_nistSP800-108KDF_keyVersionDecodeFix.patch
attachment pki-tks_nistSP800-108KDF.patch
attachment symkey_nistSP800-108KDF_invocationLogic_keyVersionDecodeFix_miscFixes.patch
attachment symkey_nistSP800-108KDF_makefile.patch
attachment symkey_nistSP800-108KDF_newSourceFiles.patch
attachment symkey_nistSP800-108KDF_signatureChange.patch
Hi, it'd be helpful if you could provide info on the tree/branch that the patches are based off. Thank you.
Replying to [comment:1 cfu]:
They are based off the latest SRC RPMs available for 8.1
First of all, thank you for providing the patches. Also thanks for finding and fixing some of the overlooked issues in the current code base in the affected areas.
I have taken a look at at the changes. I am not making attempt to understand the new spec or evaluate the accuracy of the implementation, which I'll leave it to the author(s) of the patches to test, rather, I am focusing on how the patches will impact the existing functionality and workability. I have one minor comment and one major.
Minor comment:
Major comment:
I am actually okay with it as long as we make it very clear that they are not to be mixed and matched.
The patches have applied cleanly to the latest 8.1 code base.
The following was the investigation result and recommendations for #864/#865/#866I sent to klamb directly via email last week. I'm adding it here for the record:
============== Here is the status. I applied all patches minus the one I couldn't, which I manually edited instead. Compilation was a success on all affected components: symkey, pki-common, pki-tks, and pki-tps.
Just to reiterate, because of the function signature changes, all components need to be updated at the same time. I applied the new components to an existing 8.1 TMS installation and here are the findings: 1. TPS, as expected, it handles existing CS.cfg 2. TKS, not so friendly with existing CS.cfg. It bums you out if you don't have the new parameters in the CS.cfg. -- I suggest patche changes so that defaults could be taken when new params do not exist in CS.cfg, for backward compatibility -- self test TKSKnownSessionKey has the same issue, I suggest the patch either a. set default values for new params, (recommended) or b. keep the old TKSKnownSessionKey. and give new name to the change self test code. 3. minor. As I pointed out in ticket 864, use getBoolean() from IConfigStore instead when retrieving boolean params from CS.cfg
Since 10.2 TPS is re-written in Java, the patch will need to be re-written. These tickets will remain open to make sure they are written and applied to 10.2.X
Proposed Milestone: 10.2.1 (per CS Meeting of 09/17/2014)
Higher priority than External Reg (10.2.2)
for reference: http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
pushed to master: commit 4c910296a6c6c8bf74fbdace740680db2f1fecab
pushed to DOGTAG_10_2_0_BRANCH commit cdc186f378b0afe526a35400785f47fc5559395c
(cherry picked from commit 4c910296a6c6c8bf74fbdace740680db2f1fecab)
pushed to DOGTAG_10_2_RHEL_BRANCH commit d3051dd3c992b62fc10607bb388121cba50a7003
make this ticket a patch-integration only bug. Ticket 865 (when TPS part is written) will be the actual feature ticket and tested fully.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1202561 (Red Hat Certificate System)
Metadata Update from @klamb: - Issue assigned to cfu - Issue set to the milestone: 10.2.1
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1431
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.