<feed xmlns='http://www.w3.org/2005/Atom'>
<title>pki.git/base/server/test/com, branch master</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/'/>
<entry>
<title>Refactored Logger class.</title>
<updated>2017-06-22T04:03:45+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2017-06-21T00:16:00+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=31988eb90c0f24f13e9bdbb77a91778c7809ebb3'/>
<id>31988eb90c0f24f13e9bdbb77a91778c7809ebb3</id>
<content type='text'>
The Logger class has been modified to provide an interface to
create a Logger instance that stores the log category and log
source.

https://pagure.io/dogtagpki/issue/2689

Change-Id: I1dadcdf35af0f0a17e02328c73ef6d95ca691e7f
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The Logger class has been modified to provide an interface to
create a Logger instance that stores the log category and log
source.

https://pagure.io/dogtagpki/issue/2689

Change-Id: I1dadcdf35af0f0a17e02328c73ef6d95ca691e7f
</pre>
</div>
</content>
</entry>
<entry>
<title>Added LogSource enumeration.</title>
<updated>2017-06-22T02:00:51+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2017-06-21T20:34:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=2326a4426218ac1db2885f349d0623490d49d69a'/>
<id>2326a4426218ac1db2885f349d0623490d49d69a</id>
<content type='text'>
A LogSource enumeration has been added to replace the integer
log source in the Logger class.

https://pagure.io/dogtagpki/issue/2689

Change-Id: I6f69219fbbfa00d83f26a32174c75ff2782eb6af
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A LogSource enumeration has been added to replace the integer
log source in the Logger class.

https://pagure.io/dogtagpki/issue/2689

Change-Id: I6f69219fbbfa00d83f26a32174c75ff2782eb6af
</pre>
</div>
</content>
</entry>
<entry>
<title>Added LogCategory enumeration.</title>
<updated>2017-06-22T02:00:37+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2017-06-21T16:46:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=d884229da2673703777d474fddd8c3c61eba9308'/>
<id>d884229da2673703777d474fddd8c3c61eba9308</id>
<content type='text'>
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.

https://pagure.io/dogtagpki/issue/2689

Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.

https://pagure.io/dogtagpki/issue/2689

Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket #2619 Allow CA to process user-signed CMC revocation requests</title>
<updated>2017-06-09T01:07:49+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2017-05-30T21:12:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=698192f4f62c55142a557f6489ed2323e17401b0'/>
<id>698192f4f62c55142a557f6489ed2323e17401b0</id>
<content type='text'>
First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI, where CMCRevReqServlet handles it with CMCAuth.  It is in violation of https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS the body of the message is the binary value of the BER encoding of the PKI Request or Response, so HTML is not an approved method. The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).

One thing that's much less crucial, but goes along with the RFC update, is the name of the revocation request ASN.1 structure. In the new RFC 5272, it is now called RevokeRequest instead of RevRequest.

This patch revamps the CMC revocation provision, fixing what's broken and adding what's missing.

On the client side:

CMCRequest

- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense, as the outer layer SignedData would have the same information when signing happens.

- Removed the revRequest.nickname parameter from the configuration.  From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request.  The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has the same subject.  By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial.  It is less confusing. The change also eliminates the need for the cert to be revoked to be present in the db.  In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.

- Added support for unsigned data in support of shared secret in both CMCRequest and server.  The original code assumed that a CMC revocation request that relies on shared secret still requires agent signing.

CMCRevoke

- The original code assumed that the NSS db password is the same as the Shared Secret (!!).  This patch adds a "-t" to accept the shared secret, and keeps the -p for the NSS db password.

- The original code printed out the b64-encoded request to the screen output as well as to the file CMCRevoke.out.  Both are unusable directly.  This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocation UI at EE (processed by CMCRevReqServlet).  Again, this is not RFC conforming, but I fixed it anyway.

- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below).

- This code still requires the signer certificate nickname to run, making the shared secret method moot.  Since CMCRequest has been updated to work properly, we can leave this for now.

On the server side:

CMCUserSignedAuth has been updated to handle unsigned DATA.  Recall that the original CMC revocation only handled SIGNED_DATA (making the assumption that the agent always signs the requests).  This addition is important to support shared secrets properly.

Another important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth.  The original code did not do that; I think it is because it always checks if it's an agent or not.

Something that could be improved on is to have its own servlet.  However, due to the time restriction, I only updated the existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the RFC-conforming CMC revocation requests.

The shared secret handling is left in the CMCOutputTemplate for now.  Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement.  The Shared Token plugin implementation will be added in a later ticket as well.

Previously missed signing cert validation is also added for a more complete check.
Some SHA1 are turned into SHA2.

Finally, some auditing is added, but it is not finalized.  It will be done in the next ticket(s).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI, where CMCRevReqServlet handles it with CMCAuth.  It is in violation of https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS the body of the message is the binary value of the BER encoding of the PKI Request or Response, so HTML is not an approved method. The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).

One thing that's much less crucial, but goes along with the RFC update, is the name of the revocation request ASN.1 structure. In the new RFC 5272, it is now called RevokeRequest instead of RevRequest.

This patch revamps the CMC revocation provision, fixing what's broken and adding what's missing.

On the client side:

CMCRequest

- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense, as the outer layer SignedData would have the same information when signing happens.

- Removed the revRequest.nickname parameter from the configuration.  From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request.  The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has the same subject.  By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial.  It is less confusing. The change also eliminates the need for the cert to be revoked to be present in the db.  In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.

- Added support for unsigned data in support of shared secret in both CMCRequest and server.  The original code assumed that a CMC revocation request that relies on shared secret still requires agent signing.

CMCRevoke

- The original code assumed that the NSS db password is the same as the Shared Secret (!!).  This patch adds a "-t" to accept the shared secret, and keeps the -p for the NSS db password.

- The original code printed out the b64-encoded request to the screen output as well as to the file CMCRevoke.out.  Both are unusable directly.  This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocation UI at EE (processed by CMCRevReqServlet).  Again, this is not RFC conforming, but I fixed it anyway.

- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below).

- This code still requires the signer certificate nickname to run, making the shared secret method moot.  Since CMCRequest has been updated to work properly, we can leave this for now.

On the server side:

CMCUserSignedAuth has been updated to handle unsigned DATA.  Recall that the original CMC revocation only handled SIGNED_DATA (making the assumption that the agent always signs the requests).  This addition is important to support shared secrets properly.

Another important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth.  The original code did not do that; I think it is because it always checks if it's an agent or not.

Something that could be improved on is to have its own servlet.  However, due to the time restriction, I only updated the existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the RFC-conforming CMC revocation requests.

The shared secret handling is left in the CMCOutputTemplate for now.  Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement.  The Shared Token plugin implementation will be added in a later ticket as well.

Previously missed signing cert validation is also added for a more complete check.
Some SHA1 are turned into SHA2.

Finally, some auditing is added, but it is not finalized.  It will be done in the next ticket(s).
</pre>
</div>
</content>
</entry>
<entry>
<title>Updated CMS.getLogMessage().</title>
<updated>2017-04-12T22:15:23+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2017-04-12T19:44:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=d9d8b19bef7c91c2e3d33618869ea6426ecb4a36'/>
<id>d9d8b19bef7c91c2e3d33618869ea6426ecb4a36</id>
<content type='text'>
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.

Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.

Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
</pre>
</div>
</content>
</entry>
<entry>
<title>Added global TCP Keep-Alive option.</title>
<updated>2017-01-18T04:08:38+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2017-01-07T01:32:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=b3ee1c28f658a70468c5a5fcf3cb4840574be756'/>
<id>b3ee1c28f658a70468c5a5fcf3cb4840574be756</id>
<content type='text'>
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.

The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.

All code that creates LDAP connections has been modified to use
PKISocketFactory so that the TCP Keep-Alive option can be applied
globally.

https://fedorahosted.org/pki/ticket/2564
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.

The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.

All code that creates LDAP connections has been modified to use
PKISocketFactory so that the TCP Keep-Alive option can be applied
globally.

https://fedorahosted.org/pki/ticket/2564
</pre>
</div>
</content>
</entry>
<entry>
<title>Moved policy framework classes to org.dogtagpki.legacy.</title>
<updated>2016-11-11T22:22:25+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-11-04T18:18:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=54c04a1d7c270f4e162695105468d280bdc7d028'/>
<id>54c04a1d7c270f4e162695105468d280bdc7d028</id>
<content type='text'>
To discourage the use of the policy framework, the framework classes
have been moved into org.dogtagpki.legacy.

https://fedorahosted.org/pki/ticket/6
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To discourage the use of the policy framework, the framework classes
have been moved into org.dogtagpki.legacy.

https://fedorahosted.org/pki/ticket/6
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix to sort the output of a cert search by serialno.</title>
<updated>2016-08-05T18:12:09+00:00</updated>
<author>
<name>Jack Magne</name>
<email>jmagne@dhcp-16-206.sjc.redhat.com</email>
</author>
<published>2016-08-04T01:01:23+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=f0b1854a8f5cfe97d2d267ea16e4556d94666bb6'/>
<id>f0b1854a8f5cfe97d2d267ea16e4556d94666bb6</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>Ticket #2298 exclude some ldap record attributes with key archival This is part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs</title>
<updated>2016-06-17T01:28:02+00:00</updated>
<author>
<name>Christina Fu</name>
<email>cfu@redhat.com</email>
</author>
<published>2016-06-16T22:44:58+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=51f34c3edb73a78b42468b756b89d07fc9ec7839'/>
<id>51f34c3edb73a78b42468b756b89d07fc9ec7839</id>
<content type='text'>
This patch allows one to exclude certain ldap attributes from the enrollment records for CRMF requests
(both CRMF and CMC CRMF).  The following are the highlights:
* CRMF manual approval profile is disabled: caDualCert.cfg
  - If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the CRMF requests
    are not written to the ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be set up) is provided
* if excludedLdapAttrs.enabled is true (in both CA and KRA), the following fields are not written to the ldap record in case of CRMF:
  (note: the code deliberately uses literal strings, because the exact literal strings need to be spelled out
  in excludedLdapAttrs.attrs if the admin chooses to override the default)
            "req_x509info",
            "publickey",
            "req_extensions",
            "cert_request",
            "req_archive_options",
            "req_key"
* Because of the above (possible exclusion of cert requests in the record), profiles
  that require agent manual approval will no longer function in the case that
  excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purposes.  It is not called in the final code, but is left there for future debugging purposes
* code was fixed so that in the KRA the request will display the subject name even though the x509info is missing from the request
* CMC requests did not have the request type in records, so they had to be added for differentiation

The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion

Note: CRMF could potentially not include the key archival option; however, I am not going to differentiate them at the moment.  An earlier prototype I had built attempted to do that, and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request.  Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch allows one to exclude certain ldap attributes from the enrollment records for CRMF requests
(both CRMF and CMC CRMF).  The following are the highlights:
* CRMF manual approval profile is disabled: caDualCert.cfg
  - If excludedLdapAttrs.enabled is true (by default it is false), then this profile will not work, as the CRMF requests
    are not written to the ldap record for agents to act on
* excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded
* a new CRMF "auto approval" (directory based, needs to be set up) is provided
* if excludedLdapAttrs.enabled is true (in both CA and KRA), the following fields are not written to the ldap record in case of CRMF:
  (note: the code deliberately uses literal strings, because the exact literal strings need to be spelled out
  in excludedLdapAttrs.attrs if the admin chooses to override the default)
            "req_x509info",
            "publickey",
            "req_extensions",
            "cert_request",
            "req_archive_options",
            "req_key"
* Because of the above (possible exclusion of cert requests in the record), profiles
  that require agent manual approval will no longer function in the case that
  excludedLdapAttrs.enabled is true
* a sleepOneMinute() method is added for debugging purposes.  It is not called in the final code, but is left there for future debugging purposes
* code was fixed so that in the KRA the request will display the subject name even though the x509info is missing from the request
* CMC requests did not have the request type in records, so they had to be added for differentiation

The following have been tested:
* CRMF auto enroll
* CRMF manual enroll/approval
* CMC-CRMF enroll
* both CA and KRA internal ldap are examined for correct data exclusion

Note: CRMF could potentially not include the key archival option; however, I am not going to differentiate them at the moment.  An earlier prototype I had built attempted to do that, and the signing cert's record isn't excluded for attrs write while its CRMF request is the same as that of its encryption cert counterpart within the same request.  Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fixed TPS VLV sort orders.</title>
<updated>2016-06-10T15:05:45+00:00</updated>
<author>
<name>Endi S. Dewata</name>
<email>edewata@redhat.com</email>
</author>
<published>2016-06-07T08:02:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/pki.git/commit/?id=0db2c7673dc25470930390c4664f7caf9be77088'/>
<id>0db2c7673dc25470930390c4664f7caf9be77088</id>
<content type='text'>
The TPS VLVs for tokens and activities have been modified to sort
the results by date in reverse order.

The DBRegistry.getLDAPAttributes() was modified to support reverse
sort order by recognizing the "-" prefix in the list of sort keys
and passing it to LDAP.

The DBVirtualList.setSortKey() was modified to ignore bubble up the
exceptions that happen during LDAP attribute mapping.

https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The TPS VLVs for tokens and activities have been modified to sort
the results by date in reverse order.

The DBRegistry.getLDAPAttributes() was modified to support reverse
sort order by recognizing the "-" prefix in the list of sort keys
and passing it to LDAP.

The DBVirtualList.setSortKey() was modified to ignore bubble up the
exceptions that happen during LDAP attribute mapping.

https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
</pre>
</div>
</content>
</entry>
</feed>
