Merge pull request #8 from RIPE-NCC/feature/hsm-keypair-generator-for-ee-key

Feature/hsm keypair generator for ee key

Author: lolepezy

README.md

@@ -15,6 +15,12 @@ https://github.com/RIPE-NCC/rpki-ta-0/blob/main/LICENSE.txt.
 Changelog
 ---------
 
+### v0.5.3
+  * Fix issues when working with HSM in FIPS 140-[23] level 3 mode
+
+### v0.5.2
+  * Releases are made using GitHub actions from now on
+
 ### v0.5.1
   * Publish releases on GitHub
 

gradle/wrapper/gradle-wrapper.jar

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradle/wrapper/gradle-wrapper.properties

@@ -41,6 +41,7 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
+import javax.security.auth.DestroyFailedException;
 import javax.security.auth.x500.X500Principal;
 import java.io.*;
 import java.math.BigInteger;
@@ -471,10 +472,12 @@ private void fillRevokedObjects(X509CrlBuilder builder, List<? extends SignedObj
     }
 
     private ManifestCms createNewManifest(final SignCtx signCtx) {
-        // Generate a new key pair for the one-time-use EE certificate and do not store it, this prevents accidental
-        // re-use in the future, and prevents keys from piling up in the HSM 'security world'
+        // Generate a new key pair for the one-time-use EE certificate
+        // this key _needs_ to be stored in the HSM (and thus use the HSM keypair factory) because otherwise
+        // the operation triggers an import of the key _into_ the security world, which is not allowed
+        // in FIPS 140-[23] level 3 mode.
         final KeyPairFactory keyPairFactory = new KeyPairFactory(state.getConfig().getKeystoreProvider());
-        final KeyPair eeKeyPair = keyPairFactory.withProvider("SunRsaSign").generate();
+        final KeyPair eeKeyPair = keyPairFactory.withProvider(state.getConfig().getKeypairGeneratorProvider()).generate();
         final X509ResourceCertificate eeCertificate = createEeCertificateForManifest(eeKeyPair, signCtx);
 
         final ManifestCmsBuilder manifestBuilder = createBasicManifestBuilder(eeCertificate, signCtx);
@@ -486,6 +489,13 @@ private ManifestCms createNewManifest(final SignCtx signCtx) {
             }
         }
         final ManifestCms manifest = manifestBuilder.build(eeKeyPair.getPrivate());
+        // Destroy the keypair to prevent it from being kept.
+        try {
+            eeKeyPair.getPrivate().destroy();
+        } catch (DestroyFailedException e) {
+            log.info("Could not destroy private key for {} provider, this is probably expected.",
+                    state.getConfig().getKeypairGeneratorProvider());
+        }
         signCtx.taState.getSignedManifests().add(new SignedManifest(manifest));
         return manifest;
     }

gradlew

@@ -22,15 +22,19 @@ fi
 CONF_DIR="conf"
 LIB_DIR="lib"
 CLASSPATH=${CONF_DIR}:"$LIB_DIR/*"
-CARDSET="TA2022"
+CARDSET="OCS2024"
 MAIN_CLASS="net.ripe.rpki.ta.Main"
 
-TA_TOOL_COMMAND="${JAVA_HOME}/bin/java ${JAVA_OPTS} --module-path /opt/nfast/java/classes -classpath ${CLASSPATH} ${MAIN_CLASS} --env=${APPLICATION_ENVIRONMENT} $@"
-
 if [ ${APPLICATION_ENVIRONMENT} == "production" ]; then
-  # production uses cardset protected keys
-  JAVA_OPTS="-Dprotect=cardset -DignorePassphrase=true $JAVA_OPTS"
+  # production:
+  # * uses cardset protected keys
+  # * load the JCE provider from the module path
+  JAVA_OPTS="-Dprotect=cardset -DignorePassphrase=true --module-path=/opt/nfast/java/classes $JAVA_OPTS"
+fi
 
+TA_TOOL_COMMAND="${JAVA_HOME}/bin/java ${JAVA_OPTS} -classpath ${CLASSPATH} ${MAIN_CLASS} --env=${APPLICATION_ENVIRONMENT} $@"
+
+if [ ${APPLICATION_ENVIRONMENT} == "production" ]; then
   # preload the keys (and provide OCS authorisation with 3/10 cards), then execute the trust anchor binary.
   ${NFAST_BIN}/preload -c ${CARDSET} ${TA_TOOL_COMMAND}
 else