pki.git/base/tks, branch master Unnamed repository; edit this file 'description' to name the repository. Replaced SHA1-based random number generators. 2017-05-25T14:55:05+00:00 Endi S. Dewata edewata@redhat.com 2017-05-19T23:49:36+00:00 8aa94e1ca017e54454f6f6f6ebb4ee254062e822 The SHA1-based random number generators in some classes have been replaced with the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514 
The SHA1-based random number generators in some classes have been
replaced with the random number generator provided by JssSubsystem.

https://pagure.io/dogtagpki/issue/2695

Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514
Moved TokenServlet into pki-tks package. 2017-05-23T20:19:36+00:00 Endi S. Dewata edewata@redhat.com 2017-05-20T00:37:18+00:00 6dd0800d8bb24d9d2d3f9e377a90f641612c7c78 The TokenServlet has been moved into pki-tks package in order to use the JssSubsystem in pki-cmscore package. Some constants in SecureChannelProtocol have been made public so they can be accessed by the TokenServlet. https://pagure.io/dogtagpki/issue/2695 Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c 
The TokenServlet has been moved into pki-tks package in order to
use the JssSubsystem in pki-cmscore package.

Some constants in SecureChannelProtocol have been made public so
they can be accessed by the TokenServlet.

https://pagure.io/dogtagpki/issue/2695

Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
SCP03 support for g&d sc 7 card. 2017-04-13T01:47:49+00:00 Jack Magne jmagne@dhcp-16-206.sjc.redhat.com 2017-03-24T22:56:17+00:00 164087b1fc302dd8b125cd52e9e55f54ea97e09d This allows the use of the g&d 7 card. This will require the following: 1. An out of band method is needed to generate an AES based master key. We do not as of yet have support with tkstool for this: Ex: /usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16 2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards: Ex: tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key. tks.defKeySet._010=## tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings tks.defKeySet._013=## Smart Cafe 6 settings: tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 tks.defKeySet._018=##Smart Cafe 7 settings: tks.defKeySet._019=## tks.defKeySet.prot3.divers=none tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES tks.defKeySet._023=## tks.defKeySet._024=## 
This allows the use of the g&d 7 card.
This will require the following:

1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstool for this:

Ex:

/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16

2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:

Ex:

tks.defKeySet._005=## tks.prot3   , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=##    tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=##    tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=##    tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=##    tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=##Smart Cafe 7 settings:
tks.defKeySet._019=##    tks.defKeySet.prot3.divers=none
tks.defKeySet._020=##    tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=##    tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=##    tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
Added CLIs to access audit log files. 2017-04-04T20:07:54+00:00 Endi S. Dewata edewata@redhat.com 2017-03-28T19:02:22+00:00 88cd07655268831e14e7cd4f6f6a65e331f86583 New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5 
New pki audit commands have been added to list and retrieve audit
log files.

Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
Added audit service and CLI to all subsystems. 2017-04-03T22:29:44+00:00 Endi S. Dewata edewata@redhat.com 2017-03-27T22:15:28+00:00 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems. Change-Id: I3b472254641eb887289c5122df390c46ccd97d47 
Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.

Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
Removed redundant Context attributes. 2017-03-31T17:31:26+00:00 Endi S. Dewata edewata@redhat.com 2017-03-31T17:23:43+00:00 7fc7d3e8844d4992db60a637370b8599bff5a282 All subclasses of PKIService have been modified to remove the Context attribute since they have been declared in the base class. Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a 
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.

Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
Added audit logs for SSL/TLS events. 2017-03-27T22:37:55+00:00 Endi S. Dewata edewata@redhat.com 2017-01-17T11:19:52+00:00 18412763e4ec09f4892c2a7b502d72ebfd9fec2a The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11 
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.

The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.

The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.

https://pagure.io/dogtagpki/issue/2602

Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
Refactor crypto code 2017-03-14T21:10:28+00:00 Ade Lee alee@redhat.com 2017-03-09T04:46:30+00:00 7e42ef2f63a73931610252db3e30b8a7357e4425 Move some of the crypto functions in EncryptionUnit to CryptoUtil. Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62 
Move some of the crypto functions in EncryptionUnit to CryptoUtil.

Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
Added access banner to TKS UI. 2017-02-24T16:58:31+00:00 Endi S. Dewata edewata@redhat.com 2017-02-21T15:33:51+00:00 ec0da23e5215f73c05a632da55b95acd52506a2b All pages in TKS UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection. https://fedorahosted.org/pki/ticket/2582 
All pages in TKS UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.

https://fedorahosted.org/pki/ticket/2582
Fixed build problem on RHEL. 2017-02-23T16:12:35+00:00 Endi S. Dewata edewata@redhat.com 2017-02-23T02:18:50+00:00 f5293bac716a11721ab601ff027ce141230fd501 The CMake create_symlink commands do not work on RHEL if the source does not exist yet, so they have been replaced with regular ln commands. 
The CMake create_symlink commands do not work on RHEL if the
source does not exist yet, so they have been replaced with regular
ln commands.