pki.git/base/util/src/netscape/security/pkcs, branch master Unnamed repository; edit this file 'description' to name the repository. Fix regression in pkcs12 key bag creation 2017-06-15T23:52:39+00:00 Fraser Tweedale ftweedal@redhat.com 2017-06-15T02:38:26+00:00 a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12 file handing to never deal with raw private key material. PKCS12Util.addKeyBag() was changed to export the PrivateKey handle, or fail. This change missed this case where a PKCS #12 file is loaded from file, possibly modified, then written back to a file, without involving an NSSDB. One example is pkcs12-cert-del which deletes a certificate and associated key from a PKCS #12 file. Fix the PKCS12Util.addKeyBag() method to use the stored EncryptedPricateKeyInfo if available, otherwise export the PrivateKey handle. Fixes: https://pagure.io/dogtagpki/issue/2741 Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a 
Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
file handing to never deal with raw private key material.
PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
or fail.  This change missed this case where a PKCS #12 file is
loaded from file, possibly modified, then written back to a file,
without involving an NSSDB.  One example is pkcs12-cert-del which
deletes a certificate and associated key from a PKCS #12 file.

Fix the PKCS12Util.addKeyBag() method to use the stored
EncryptedPricateKeyInfo if available, otherwise export the
PrivateKey handle.

Fixes: https://pagure.io/dogtagpki/issue/2741
Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof 2017-05-17T18:45:14+00:00 Christina Fu cfu@redhat.com 2017-05-16T01:15:36+00:00 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches. 
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
PKCS12Util: add some much-needed comments 2017-04-30T05:49:58+00:00 Fraser Tweedale ftweedal@redhat.com 2017-04-28T09:45:53+00:00 118f648961e502f55d6997f59f6cf8f355218da5 Part of: https://pagure.io/dogtagpki/issue/2610 Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6 (cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8) 
Part of: https://pagure.io/dogtagpki/issue/2610

Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6
(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8)
PKCS12Util: use AES to encrypt private keys 2017-04-30T05:49:48+00:00 Fraser Tweedale ftweedal@redhat.com 2017-03-23T03:34:31+00:00 633c7c6519c925af7e3700adff29961d72435c7f Update PKCS12Util to use AES-256-CBC to encrypt private keys. Use JSS CryptoStore methods to ensure that all key wrapping and unwrapping is done on the token. Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the previous process where a symmetric key was generated, the private key wrapped to the symmetric key, then decryted into Dogtag's memory, then re-encrypted under the supplied passphrase. Now the key gets wrapped directly to the supplied passphrase. Similarly, for import, the EncryptedPrivateKeyInfo was decrypted using the supplied passphrase, then encrypted to a freshly generated symmetric key, which was then used to unwrap the key into the token. Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is used to unwrap the EncryptedPrivateKeyInfo directly into the token, using the supplied passphrase. As a result, the PKCS12KeyInfo class, which previously stored unencrypted key material (a PrivateKeyInfo object), it now only deals with PrivateKey (an opaque handle to an PKCS #11 object) on export and encoded (byte[]) EncryptedPrivateKeyInfo data on import. This split suggests that PKCS12KeyInfo should be decomposed into two classes - one containing a PrivateKey and the other containing a byte[] encryptedPrivateKeyInfo - but this refactoring is left for another day. Part of: https://pagure.io/dogtagpki/issue/2610 Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70 (cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92) 
Update PKCS12Util to use AES-256-CBC to encrypt private keys.
Use JSS CryptoStore methods to ensure that all key wrapping and
unwrapping is done on the token.

Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
previous process where a symmetric key was generated, the private
key wrapped to the symmetric key, then decryted into Dogtag's
memory, then re-encrypted under the supplied passphrase.  Now the
key gets wrapped directly to the supplied passphrase.

Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
using the supplied passphrase, then encrypted to a freshly generated
symmetric key, which was then used to unwrap the key into the token.
Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
used to unwrap the EncryptedPrivateKeyInfo directly into the token,
using the supplied passphrase.

As a result, the PKCS12KeyInfo class, which previously stored
unencrypted key material (a PrivateKeyInfo object), it now only
deals with PrivateKey (an opaque handle to an PKCS #11 object)
on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
import.  This split suggests that PKCS12KeyInfo should be decomposed
into two classes - one containing a PrivateKey and the other
containing a byte[] encryptedPrivateKeyInfo - but this refactoring
is left for another day.

Part of: https://pagure.io/dogtagpki/issue/2610

Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
Refactor crypto code 2017-03-14T21:10:28+00:00 Ade Lee alee@redhat.com 2017-03-09T04:46:30+00:00 7e42ef2f63a73931610252db3e30b8a7357e4425 Move some of the crypto functions in EncryptionUnit to CryptoUtil. Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62 
Move some of the crypto functions in EncryptionUnit to CryptoUtil.

Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
Update PKCS12Util to use SLF4J. 2016-11-18T16:16:26+00:00 Endi S. Dewata edewata@redhat.com 2016-11-18T06:54:53+00:00 e1c87187b5e47e8e38b6bc91c105c92ea5069c59 The PKCS12Util class has been modified to use SLF4J logging framework. The CMake scripts has been modified to include SLF4J libraries in the classpath. The spec file has been modified to add SLF4J dependencies. https://fedorahosted.org/pki/ticket/195 
The PKCS12Util class has been modified to use SLF4J logging
framework. The CMake scripts has been modified to include SLF4J
libraries in the classpath. The spec file has been modified to
add SLF4J dependencies.

https://fedorahosted.org/pki/ticket/195
Fixed exception message in PKCS12Util.loadFromByteArray(). 2016-11-02T15:31:39+00:00 Endi S. Dewata edewata@redhat.com 2016-10-29T05:52:36+00:00 3e8a0ee2e889190e71df97a2efa77626cd4df26a For clarity the PKCS12Util.loadFromByteArray() has been modified to generate a more accurate exception message on PKCS #12 verification failure. https://fedorahosted.org/pki/ticket/2476 
For clarity the PKCS12Util.loadFromByteArray() has been modified
to generate a more accurate exception message on PKCS #12
verification failure.

https://fedorahosted.org/pki/ticket/2476
Fix for BZ 1358462 2016-08-29T21:56:35+00:00 Geetika Kapoor gkapoor@redhat.com 2016-08-12T09:35:58+00:00 4b48187b744f1cff2a64c4c5eb00866875a1f99d 






Fixed KRA cloning issue.
2016-06-28T23:17:05+00:00

Endi S. Dewata
edewata@redhat.com

2016-06-21T16:39:25+00:00

8598a68ac954d1020f4e0063e257a20512961567

The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.

The some other classes have been modified to provide better
debugging information.

https://fedorahosted.org/pki/ticket/2374





The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.

The some other classes have been modified to provide better
debugging information.

https://fedorahosted.org/pki/ticket/2374







Ticket #2346 support SHA384withRSA
2016-06-18T00:35:46+00:00

Christina Fu
cfu@redhat.com

2016-06-17T22:18:52+00:00

158bb22a87832ff2be07ac4b75c8f2927caefd55

This patch adds support for SHA384withRSA signing algorithm.





This patch adds support for SHA384withRSA signing algorithm.