Separated TPS does not automatically receive shared secret from remot…

…e TKS. Support to allow the TPS to do the following: 1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS. 2. Have the TKS securely return the shared secret back to the TPS during the end of configuration. 3. The TPS then imports the wrapped shared secret into it's own internal NSS db permanenty and. 4. Given a name that is mapped to the TPS's id string. Additional fixes: 1. The TKS was modified to actually be able to use multiple shared secrets registered by multiple TPS instances. Caveat: At this point if the same remote TPS instance is created over and over again, the TPS's user in the TKS will accumulate "userCert" attributes, making the exportation of teh shared secret not functional. At this point we need to assume that the TPS user has ONE "userCert" registered at this time.
dogtagpki · Jul 2, 2016 · 0f05622 · 0f05622
1 parent cfab57d
commit 0f05622
Show file tree

Hide file tree

Showing 9 changed files with 435 additions and 197 deletions.
diff --git a/base/common/src/com/netscape/certsrv/key/KeyData.java b/base/common/src/com/netscape/certsrv/key/KeyData.java
@@ -48,7 +48,11 @@ public class KeyData {
     @XmlElement
     Integer size;
 
-    String privateData;
+    @XmlElement
+    String additionalWrappedPrivateData;
+    // Optionally used for importing a shared secret from TKS to TPS
+    // Will contain wrapped shared secret data.
+    // Can be used for anything in other scenarios
 
     public KeyData() {
         // required for JAXB (defaults)
@@ -68,6 +72,15 @@ public void setWrappedPrivateData(String wrappedPrivateData) {
         this.wrappedPrivateData = wrappedPrivateData;
     }
 
+    public String getAdditionalWrappedPrivateData() {
+        return additionalWrappedPrivateData;
+    }
+
+
+    public void setAdditionalWrappedPrivateData(String additionalWrappedPrivateData) {
+        this.additionalWrappedPrivateData = additionalWrappedPrivateData;
+    }
+
     /**
      * @return the nonceData
      */
@@ -126,11 +139,5 @@ public void setSize(Integer size) {
         this.size = size;
     }
 
-    public String getPrivateData() {
-        return privateData;
-    }
 
-    public void setPrivateData(String privateData) {
-        this.privateData = privateData;
-    }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
@@ -418,7 +418,8 @@ public static String getSharedSecretKeyName(String name) throws EBaseException {
         String method = "SecureChannelProtocol.getSharedSecretKeyName:";
         CMS.debug(method + " Entering...");
 
-        if (name != null && SecureChannelProtocol.sharedSecretKeyName == null) {
+        // No longer cache the secret name, there could be a different one for each incoming TPS connection.
+        if (name != null) {
             SecureChannelProtocol.sharedSecretKeyName = name;
         }
 

diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -70,6 +70,7 @@ public class TokenServlet extends CMSServlet {
     public static int ERROR = 1;
     String mKeyNickName = null;
     String mNewKeyNickName = null;
+    String mCurrentUID = null;
     IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
 
     private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
@@ -951,8 +952,6 @@ private void processComputeSessionKey(HttpServletRequest req,
 
         transportKeyName = getSharedSecretName(sconfig);
 
-        CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName);
-
         String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
         String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
         String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
@@ -1537,13 +1536,32 @@ private String getSharedSecretName(IConfigStore cs) throws EBaseException {
 
         if (useNewNames) {
             String tpsList = cs.getString("tps.list", "");
+            String firstSharedSecretName = null;
             if (!tpsList.isEmpty()) {
                 for (String tpsID : tpsList.split(",")) {
                     String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
+
+                    // This one will be a fall back in case we can't get a specific one
+                    if (firstSharedSecretName == null) {
+                        firstSharedSecretName = sharedSecretName;
+                    }
+
                     if (!sharedSecretName.isEmpty()) {
-                        return sharedSecretName;
+                        if (mCurrentUID != null) {
+                            String csUid = cs.getString("tps." + tpsID + ".userid", "");
+
+                            if (mCurrentUID.equalsIgnoreCase(csUid)) {
+                                CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
+                                return sharedSecretName;
+                            }
+                        }
                     }
                 }
+
+                if (firstSharedSecretName != null) {
+                    //Return the first in the list if we couldn't isolate one
+                    return firstSharedSecretName;
+                }
             }
             CMS.debug("getSharedSecretName: no shared secret has been configured");
             throw new EBaseException("No shared secret has been configured");
@@ -2351,6 +2369,8 @@ public void process(CMSRequest cmsReq) throws EBaseException {
         IAuthToken authToken = authenticate(cmsReq);
         AuthzToken authzToken = null;
 
+        mCurrentUID = (String) authToken.get(IAuthToken.UID) ;
+
         try {
             authzToken = authorize(mAclMethod, authToken,
                     mAuthzResourceName, "execute");

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
@@ -719,10 +719,15 @@ pki_tks_uri=\fIhttps://<tks_hostname>:<tks_https_port>\fP
 .fi
 
 .PP
-If TPS and TKS are installed on separate instances the shared secret key needs
-to be generated manually in TKS, then manually imported into TPS.
+If TPS and TKS are installed on separate instances the shared secret key
+should be imported over the wire between the TKS and TPS automatically.
 
-Generate the shared secret key in TKS with the following command:
+If the automated procedure fails for any unlikely reason the following
+manual procedure will serve as a fallback. The key needs to be created
+on the TKS side and imported into the TPS side in this case.
+
+
+Generate the shared secret key (if needed) in TKS with the following command:
 
 .IP
 tkstool -T -d /var/lib/pki/pki-tomcat/alias -n sharedSecret