Import SafeNet tokens

Hi!

Recently we bought some eTokens from SafeNet and found that an XML file was delivered with them. We would like to import the tokens, but no luck. The version we are using is privacyIDEA 2.23.5.

The XML is with the following structure inside:

<pskc:KeyPackage>
    <pskc:DeviceInfo>
      <pskc:Manufacturer>iana.GEMALTO</pskc:Manufacturer>
      <pskc:SerialNo></pskc:SerialNo>
      <pskc:Model>LAVA</pskc:Model>
      <pskc:IssueNo>1</pskc:IssueNo>
    </pskc:DeviceInfo>
    <pskc:Key Id="" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <pskc:Issuer>Gemalto</pskc:Issuer>
      <pskc:AlgorithmParameters>
        <pskc:ResponseFormat Encoding="DECIMAL" Length="6" />
      </pskc:AlgorithmParameters>
      <pskc:Data>
        <pskc:Secret>
          <pskc:EncryptedValue>
            <xenc:EncryptionMethod Algorithm="www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <xenc:CipherData>
              <xenc:CipherValue></xenc:CipherValue>
            </xenc:CipherData>
          </pskc:EncryptedValue>
          <pskc:ValueMAC></pskc:ValueMAC>
        </pskc:Secret>
        <pskc:Counter>
          <pskc:PlainValue>0</pskc:PlainValue>
        </pskc:Counter>
      </pskc:Data>
      <pskc:Policy>
        <pskc:KeyUsage>OTP</pskc:KeyUsage>
      </pskc:Policy>
    </pskc:Key>
  </pskc:KeyPackage>

I would like to know if there is any tool to import such a formatted XML file into privacyIDEA, or whether it is possible to build a CSV and import them into privacyIDEA. Thanks a lot!

Hi and welcome to the forum.
Assuming you used the web UI to import the file, did you pass the encryption key or password when importing it?
Did you get any error messages in the UI, or in the privacyIDEA or Apache log?

Regards
Paul

Hi @johnchanmk

I am sorry. Proprietary vendors often seem to give a **** about open standards.
The file you mentioned is not an RFC 6030 compliant XML file.
Take a look at https://tools.ietf.org/html/rfc6030
or at our example test file https://github.com/privacyidea/privacyidea/blob/master/tests/testdata/pskc-password.xml:

The top-level object is a KeyContainer, which is missing in the file delivered by Safenet.
Why should we help you, since Safenet or the reseller, who you paid money, failed and made a mistake? Safenet are the right guys to help you; they have to fix their error!

Please go to your reseller or Safenet and tell them they have to deliver you an RFC 6030 compliant file, which they are supposed to do; after all, they claim to be OATH compliant and are an OATH member (https://openauthentication.org/members/actividentity-2/). Only this way can we improve the behaviour of proprietary vendors and improve the world.

Sorry for my late reply.
I have uploaded the token through the Web UI, and when it fails, it shows “No toplevel element Tokens”.

Hi @cornelinux !

Actually, there seems to be the top-level object KeyContainer in the XML. Let me post the full version here for reference (I have masked some values with … and xxxxxx).

<?xml version="1.0" encoding="utf-8"?>
<pskc:KeyContainer Version="1.0" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:pkcs5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <pskc:EncryptionKey>
    <xenc11:DerivedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc" xmlns:pkcs5="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
      <xenc11:KeyDerivationMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
        <xenc11:PBKDF2-params>
          <xenc11:Salt>
            <xenc11:Specified>......</xenc11:Specified>
          </xenc11:Salt>
          <xenc11:IterationCount>129</xenc11:IterationCount>
          <xenc11:KeyLength>16</xenc11:KeyLength>
          <xenc11:PRF />
        </xenc11:PBKDF2-params>
      </xenc11:KeyDerivationMethod>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#ED" />
      </xenc:ReferenceList>
      <xenc11:MasterKeyName>xxxxxx</xenc11:MasterKeyName>
    </xenc11:DerivedKey>
  </pskc:EncryptionKey>
  <pskc:MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
    <pskc:MACKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
      <xenc:CipherData>
        <xenc:CipherValue>......</xenc:CipherValue>
      </xenc:CipherData>
    </pskc:MACKey>
  </pskc:MACMethod>

  <pskc:KeyPackage>
    <pskc:DeviceInfo>
      <pskc:Manufacturer>......</pskc:Manufacturer>
      <pskc:SerialNo>......</pskc:SerialNo>
      <pskc:Model>......</pskc:Model>
      <pskc:IssueNo>1</pskc:IssueNo>
    </pskc:DeviceInfo>
    <pskc:Key Id="......" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp">
      <pskc:Issuer>......</pskc:Issuer>
      <pskc:AlgorithmParameters>
        <pskc:ResponseFormat Encoding="DECIMAL" Length="6" />
      </pskc:AlgorithmParameters>
      <pskc:Data>
        <pskc:Secret>
          <pskc:EncryptedValue>
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <xenc:CipherData>
              <xenc:CipherValue>......</xenc:CipherValue>
            </xenc:CipherData>
          </pskc:EncryptedValue>
          <pskc:ValueMAC>......</pskc:ValueMAC>
        </pskc:Secret>
        <pskc:Counter>
          <pskc:PlainValue>0</pskc:PlainValue>
        </pskc:Counter>
      </pskc:Data>
      <pskc:Policy>
        <pskc:KeyUsage>OTP</pskc:KeyUsage>
      </pskc:Policy>
    </pskc:Key>
  </pskc:KeyPackage>
  
</pskc:KeyContainer>

You need to import it as a PSKC file (as it is a PSKC file) and not as a Safenet XML.

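For anyone who wants to see what "import it as a PSKC file with the password" actually involves, here is an added example that is neither privacyIDEA's importer nor vendor code. It decrypts a container shaped like the one posted above: PBKDF2 over the transport password gives the key-encryption key, that key decrypts the MACKey, the MACKey verifies each ValueMAC, and only then is the HOTP seed decrypted. It assumes the `cryptography` package is installed, that the empty `<xenc11:PRF />` means the PKCS#5 default PRF (HMAC-SHA1), and the RFC 6030 / XML Encryption layout of an IV-prefixed AES-128-CBC ciphertext with the ValueMAC computed over that ciphertext. `build_sample_pskc`, `import_pskc`, the sample serial and the sample seed are all constructed for this example and match nothing in the real file.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Namespaces exactly as declared in the vendor file above.
NS = {
    "pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "xenc11": "http://www.w3.org/2009/xmlenc11#",
}
PBKDF2 = "pskc:EncryptionKey/xenc11:DerivedKey/xenc11:KeyDerivationMethod/xenc11:PBKDF2-params/"


def _aes_cbc(key: bytes, data: bytes, encrypt: bool) -> bytes:
    """AES-128-CBC with PKCS#7 padding; the IV is prepended to the ciphertext (XML Encryption layout)."""
    if encrypt:
        iv = os.urandom(16)
        padder = padding.PKCS7(128).padder()
        enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
        return iv + enc.update(padder.update(data) + padder.finalize()) + enc.finalize()
    dec = Cipher(algorithms.AES(key), modes.CBC(data[:16])).decryptor()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(dec.update(data[16:]) + dec.finalize()) + unpadder.finalize()


def import_pskc(xml_text: str, password: str) -> list[dict]:
    """Decrypt every KeyPackage; returns serial, hex seed and counter, the fields a CSV row needs.

    Raises ValueError on a wrong password or a tampered blob instead of returning an unverified seed.
    """
    root = ET.fromstring(xml_text)
    salt = base64.b64decode(root.findtext(PBKDF2 + "xenc11:Salt/xenc11:Specified", namespaces=NS))
    iterations = int(root.findtext(PBKDF2 + "xenc11:IterationCount", namespaces=NS))
    key_len = int(root.findtext(PBKDF2 + "xenc11:KeyLength", namespaces=NS))
    # Assumption: the empty <xenc11:PRF/> means the PKCS#5 default, HMAC-SHA1.
    kek = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, key_len)

    mac_ct = base64.b64decode(root.findtext(
        "pskc:MACMethod/pskc:MACKey/xenc:CipherData/xenc:CipherValue", namespaces=NS))
    try:
        mac_key = _aes_cbc(kek, mac_ct, encrypt=False)
    except ValueError as e:  # a wrong password normally shows up here as bad padding
        raise ValueError("cannot decrypt MACKey: wrong password?") from e

    tokens = []
    for pkg in root.findall("pskc:KeyPackage", NS):
        serial = pkg.findtext("pskc:DeviceInfo/pskc:SerialNo", namespaces=NS)
        secret = pkg.find("pskc:Key/pskc:Data/pskc:Secret", NS)
        ct = base64.b64decode(secret.findtext("pskc:EncryptedValue/xenc:CipherData/xenc:CipherValue", namespaces=NS))
        expected = base64.b64decode(secret.findtext("pskc:ValueMAC", namespaces=NS))
        # Assumption: ValueMAC is HMAC-SHA1 over IV||ciphertext (RFC 6030 layout). Verify before decrypting.
        if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha1).digest(), expected):
            raise ValueError(f"ValueMAC mismatch for serial {serial}")
        counter = pkg.findtext("pskc:Key/pskc:Data/pskc:Counter/pskc:PlainValue", default="0", namespaces=NS)
        tokens.append({"serial": serial, "otpkey": _aes_cbc(kek, ct, encrypt=False).hex(), "counter": int(counter)})
    return tokens


def build_sample_pskc(password: str, serial: str, seed: bytes, counter: int = 0) -> str:
    """Constructed sample in the vendor file's shape (serial and seed are made up, not real tokens)."""
    salt, iterations, key_len, mac_key = os.urandom(8), 129, 16, os.urandom(20)
    kek = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, key_len)
    seed_ct = _aes_cbc(kek, seed, encrypt=True)
    b64 = lambda b: base64.b64encode(b).decode()
    return f"""<?xml version="1.0" encoding="utf-8"?>
<pskc:KeyContainer Version="1.0" xmlns:pskc="{NS['pskc']}" xmlns:xenc="{NS['xenc']}" xmlns:xenc11="{NS['xenc11']}">
  <pskc:EncryptionKey><xenc11:DerivedKey>
    <xenc11:KeyDerivationMethod Algorithm="http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#pbkdf2">
      <xenc11:PBKDF2-params><xenc11:Salt><xenc11:Specified>{b64(salt)}</xenc11:Specified></xenc11:Salt>
      <xenc11:IterationCount>{iterations}</xenc11:IterationCount><xenc11:KeyLength>{key_len}</xenc11:KeyLength>
      <xenc11:PRF /></xenc11:PBKDF2-params>
    </xenc11:KeyDerivationMethod></xenc11:DerivedKey></pskc:EncryptionKey>
  <pskc:MACMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"><pskc:MACKey>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <xenc:CipherData><xenc:CipherValue>{b64(_aes_cbc(kek, mac_key, encrypt=True))}</xenc:CipherValue></xenc:CipherData>
  </pskc:MACKey></pskc:MACMethod>
  <pskc:KeyPackage><pskc:DeviceInfo><pskc:SerialNo>{serial}</pskc:SerialNo></pskc:DeviceInfo>
    <pskc:Key Id="{serial}" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:hotp"><pskc:Data>
      <pskc:Secret><pskc:EncryptedValue>
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
        <xenc:CipherData><xenc:CipherValue>{b64(seed_ct)}</xenc:CipherValue></xenc:CipherData>
      </pskc:EncryptedValue><pskc:ValueMAC>{b64(hmac.new(mac_key, seed_ct, hashlib.sha1).digest())}</pskc:ValueMAC></pskc:Secret>
      <pskc:Counter><pskc:PlainValue>{counter}</pskc:PlainValue></pskc:Counter>
    </pskc:Data></pskc:Key></pskc:KeyPackage>
</pskc:KeyContainer>"""


if __name__ == "__main__":
    doc = build_sample_pskc("Tr4nsp0rtPW", "1000000001", bytes(range(20)))  # constructed sample, not a real token
    for t in import_pskc(doc, "Tr4nsp0rtPW"):
        print(f'{t["serial"]},{t["otpkey"]},{t["counter"]}')
```

Running it prints one line per KeyPackage with serial, hex seed and counter, which you can map into whatever CSV column order your target importer expects; a wrong password raises instead of silently yielding a bogus seed. The file is still untrusted input that happens to carry your seeds: decrypt it on the privacyIDEA host, wipe the plaintext afterwards, and in production parse with defusedxml rather than the stdlib parser.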

It seems that it works.
Thanks very much for your help, @cornelinux 🙂
