Merge pull request #8 from RIPE-NCC/feature/hsm-keypair-generator-for…

…-ee-key Feature/hsm keypair generator for ee key
RIPE-NCC · Jan 21, 2025 · 3df285e · 3df285e
2 parents acb163e + def2531
commit 3df285e
Show file tree

Hide file tree

Showing 7 changed files with 48 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,12 @@ https://github.com/RIPE-NCC/rpki-ta-0/blob/main/LICENSE.txt.
 Changelog
 ---------
 
+### v0.5.3
+  * Fix issues when working with HSM in FIPS 140-[23] level 3 mode
+
+### v0.5.2
+  * Releases are made using GitHub actions from now on
+
 ### v0.5.1
   * Publish releases on GitHub
 

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

diff --git a/gradlew b/gradlew
@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -144,15 +145,15 @@ if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -201,11 +202,11 @@ fi
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

diff --git a/gradlew.bat b/gradlew.bat
@@ -43,11 +43,11 @@ set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
 if %ERRORLEVEL% equ 0 goto execute
 
-echo.
-echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 
@@ -57,11 +57,11 @@ set JAVA_EXE=%JAVA_HOME%/bin/java.exe
 
 if exist "%JAVA_EXE%" goto execute
 
-echo.
-echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
-echo.
-echo Please set the JAVA_HOME variable in your environment to match the
-echo location of your Java installation.
+echo. 1>&2
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2
+echo. 1>&2
+echo Please set the JAVA_HOME variable in your environment to match the 1>&2
+echo location of your Java installation. 1>&2
 
 goto fail
 

diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java
@@ -41,6 +41,7 @@
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
 
+import javax.security.auth.DestroyFailedException;
 import javax.security.auth.x500.X500Principal;
 import java.io.*;
 import java.math.BigInteger;
@@ -471,10 +472,12 @@ private void fillRevokedObjects(X509CrlBuilder builder, List<? extends SignedObj
     }
 
     private ManifestCms createNewManifest(final SignCtx signCtx) {
-        // Generate a new key pair for the one-time-use EE certificate and do not store it, this prevents accidental
-        // re-use in the future, and prevents keys from piling up in the HSM 'security world'
+        // Generate a new key pair for the one-time-use EE certificate
+        // this key _needs_ to be stored in the HSM (and thus use the HSM keypair factory) because otherwise
+        // the operation triggers an import of the key _into_ the security world, which is not allowed
+        // in FIPS 140-[23] level 3 mode.
         final KeyPairFactory keyPairFactory = new KeyPairFactory(state.getConfig().getKeystoreProvider());
-        final KeyPair eeKeyPair = keyPairFactory.withProvider("SunRsaSign").generate();
+        final KeyPair eeKeyPair = keyPairFactory.withProvider(state.getConfig().getKeypairGeneratorProvider()).generate();
         final X509ResourceCertificate eeCertificate = createEeCertificateForManifest(eeKeyPair, signCtx);
 
         final ManifestCmsBuilder manifestBuilder = createBasicManifestBuilder(eeCertificate, signCtx);
@@ -486,6 +489,13 @@ private ManifestCms createNewManifest(final SignCtx signCtx) {
             }
         }
         final ManifestCms manifest = manifestBuilder.build(eeKeyPair.getPrivate());
+        // Destroy the keypair to prevent it from being kept.
+        try {
+            eeKeyPair.getPrivate().destroy();
+        } catch (DestroyFailedException e) {
+            log.info("Could not destroy private key for {} provider, this is probably expected.",
+                    state.getConfig().getKeypairGeneratorProvider());
+        }
         signCtx.taState.getSignedManifests().add(new SignedManifest(manifest));
         return manifest;
     }

diff --git a/src/main/scripts/ta.sh b/src/main/scripts/ta.sh
@@ -22,15 +22,19 @@ fi
 CONF_DIR="conf"
 LIB_DIR="lib"
 CLASSPATH=${CONF_DIR}:"$LIB_DIR/*"
-CARDSET="TA2022"
+CARDSET="OCS2024"
 MAIN_CLASS="net.ripe.rpki.ta.Main"
 
-TA_TOOL_COMMAND="${JAVA_HOME}/bin/java ${JAVA_OPTS} --module-path /opt/nfast/java/classes -classpath ${CLASSPATH} ${MAIN_CLASS} --env=${APPLICATION_ENVIRONMENT} $@"
-
 if [ ${APPLICATION_ENVIRONMENT} == "production" ]; then
-  # production uses cardset protected keys
-  JAVA_OPTS="-Dprotect=cardset -DignorePassphrase=true $JAVA_OPTS"
+  # production:
+  # * uses cardset protected keys
+  # * load the JCE provider from the module path
+  JAVA_OPTS="-Dprotect=cardset -DignorePassphrase=true --module-path=/opt/nfast/java/classes $JAVA_OPTS"
+fi
 
+TA_TOOL_COMMAND="${JAVA_HOME}/bin/java ${JAVA_OPTS} -classpath ${CLASSPATH} ${MAIN_CLASS} --env=${APPLICATION_ENVIRONMENT} $@"
+
+if [ ${APPLICATION_ENVIRONMENT} == "production" ]; then
   # preload the keys (and provide OCS authorisation with 3/10 cards), then execute the trust anchor binary.
   ${NFAST_BIN}/preload -c ${CARDSET} ${TA_TOOL_COMMAND}
 else