#1663 Add SCP03 support
Closed: fixed 6 years ago Opened 8 years ago by dsirrine.

List of targeted cards:

G&D SmartCafe v3.2
Gemalto IDCore 3020


--- Additional comment from Nathan Kinder on 2015-08-18 20:28:38 EDT ---

Are you sure that the SafeNet SC650 supports SCP03? According to SafeNet's website and documentation on the SC650, it supports GlobalPlatform 2.1.1 (which came out in 2003). SCP03 was added as an amendment (amendment D) to the GlobalPlatform 2.2 spec in 2009.

--- Additional comment from Nathan Kinder on 2015-09-15 19:32:39 EDT ---

It also appears that the G&D SmartCafe Expert 3.2 does not support SCP03:

http://www.gi-de.com/gd_media/media/en/documents/brochures/mobile_security_2/nb/SmartCafe-Expert.pdf

The G&D SmartCafe Expert 6.0 does support SCP03 (Global Platform 2.2 amendment D) according to the above PDF. The Gemalto IDCore 3020 that was mentioned also appears to support SCP03:

http://www.gemalto.com/Products/top_javacard/download/IDCore3020_Product_Datasheet_Jan14.pdf

Is the right set of target cards for SCP03 really the following?

  G&D SmartCafe Expert 6.0
  Gemalto IDCore 3020

Per CS/DS meeting of 11/02/2015: 10.3 stretch goal (NTH)

Closed as WONT FIX for RHCS 8.x version of product.

Metadata Update from @dsirrine:
- Issue assigned to jmagne
- Issue set to the milestone: 10.4

7 years ago

Checkin:

commit 6d6b6f954a5bf6730d4b53875c7cc122eb3ab5eb
Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Wed Jun 1 10:23:33 2016 -0700

First cut of scp03 support. Supports the g&d smartcafe out of the box.

Developer keyset token operations and key change over supported.

Caveats.

- The diversification step going from master key to card key uses DES3 as required for the token.
- After that point, everything is scp03 to the spec with minor exceptions so far.

Supports 128 bit AES for now. Will resolve this.

Minor config tweaks:

TPS

Symmetric Key Changeover

Use this applet for scp03:

RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc

TKS:

Symmetric Key Changeover

tks.mk_mappings.#02#03=internal:new_master

tks.defKeySet.mk_mappings.#02#03=internal:new_master

Use the uncommented one because scp03 returns a different key set data string.

ToDo:

- Support the rest of the AES sizes other than 128.
- Support optional RMAC apdu.
- Test and adjust the config capability for other tokens.
- Support AES master key. Right now the standard key ends up creating AES card and session keys.

This is a first cut. There are enhancements and fixes to be made, but this will work with the g&d smart cafe 6.0

Metadata Update from @jmagne:
- Custom field feature adjusted to ''
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field version adjusted to ''
- Issue close_status updated to: None

7 years ago

Metadata Update from @jmagne:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4.0 (was: 10.4)

7 years ago

Re-opening, to allow for minor changes for the g&d sc 7.0 token.

Metadata Update from @jmagne:
- Issue status updated to: Open (was: Closed)

6 years ago

jmagne added SCP03 support for g&d sc 7 card:
* 164087b1fc302dd8b125cd52e9e55f54ea97e09d

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.2 (was: 10.4.0)
- Issue status updated to: Closed (was: Open)

6 years ago

Re-opening due to minor issue with the NON server side keygen case.

Metadata Update from @jmagne:
- Issue status updated to: Open (was: Closed)

6 years ago

commit f26b3aaee1cf36941f387b464b937ffee1403048
Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Fri May 5 11:44:17 2017 -0700

Non server keygen issue in SCP03.

Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663

We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.

Metadata Update from @jmagne:
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.4 (was: 10.4.2)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.1-4.el7,pki-core-10.4.1-4.el7pki

6 years ago

Re-opening based upon associated Bugzilla Bug.

Metadata Update from @mharmsen:
- Issue set to the milestone: 10.4 (was: 10.4.4)
- Issue status updated to: Open (was: Closed)

6 years ago

Commit for latest mini issue:

commit a614eb15476adb00df571d3ea05fdd8ea282141d
Author: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Fri Jun 2 15:40:52 2017 -0700

Resolve #1663 Add SCP03 support.

This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.

Metadata Update from @jmagne:
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata Update from @mharmsen:
- Issue close_status updated to: fixed
- Issue set to the milestone: 10.4.7 (was: 10.4)

6 years ago

Metadata Update from @mharmsen:
- Custom field fixedinversion adjusted to pki-core-10.4.7-1.fc27 (was: pki-core-10.4.1-4.el7,pki-core-10.4.1-4.el7pki)

6 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2222

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
