pki.git/base/util/src, branch master Unnamed repository; edit this file 'description' to name the repository. Refactored CertUtil.importExternalCert(). 2017-07-05T21:41:20+00:00 Endi S. Dewata edewata@redhat.com 2017-06-29T06:15:26+00:00 c39cc840b5c2f322cee88ab94e53d20a8e3bfad0 The code for importing external cert into NSS database has been moved into CertUtil.importExternalCert(). https://pagure.io/dogtagpki/issue/2280 Change-Id: Icb347943fc432ad97105229c14768822b070d99f 
The code for importing external cert into NSS database has been
moved into CertUtil.importExternalCert().

https://pagure.io/dogtagpki/issue/2280

Change-Id: Icb347943fc432ad97105229c14768822b070d99f
Refactored CertUtil.importCert(). 2017-07-05T21:41:11+00:00 Endi S. Dewata edewata@redhat.com 2017-06-29T06:40:42+00:00 7524be0fb18304d2562059a82607da0fdd9a2f1d The code for importing certificate into NSS database has been moved into CertUtil.importCert(). https://pagure.io/dogtagpki/issue/2280 Change-Id: I6a7a01b9170a5c0e9973ab1d5a7484349765dc5e 
The code for importing certificate into NSS database has been
moved into CertUtil.importCert().

https://pagure.io/dogtagpki/issue/2280

Change-Id: I6a7a01b9170a5c0e9973ab1d5a7484349765dc5e
Fix 3DES archival 2017-06-16T20:45:33+00:00 Ade Lee alee@redhat.com 2017-06-16T18:48:27+00:00 89f14cc5b7858e60107dc0776a59394bdfb8edaf A previous commit mistakenly conflated the wrapping parameters for DES and DES3 cases, resulting in incorrect data being stored if the storage was successful at all. This broke ipa vault and probably also token key archival and recovery. This patch sets the right parameters for the 3DES case again. Part of BZ# 1458043 Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4 
A previous commit mistakenly conflated the wrapping parameters for
DES and DES3 cases, resulting in incorrect data being stored if the
storage was successful at all.  This broke ipa vault and probably
also token key archival and recovery.

This patch sets the right parameters for the 3DES case again.
Part of BZ# 1458043

Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
Fix regression in pkcs12 key bag creation 2017-06-15T23:52:39+00:00 Fraser Tweedale ftweedal@redhat.com 2017-06-15T02:38:26+00:00 a411492fe5ad2030bb9f18db9a8ed8d1c45ee7de Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12 file handing to never deal with raw private key material. PKCS12Util.addKeyBag() was changed to export the PrivateKey handle, or fail. This change missed this case where a PKCS #12 file is loaded from file, possibly modified, then written back to a file, without involving an NSSDB. One example is pkcs12-cert-del which deletes a certificate and associated key from a PKCS #12 file. Fix the PKCS12Util.addKeyBag() method to use the stored EncryptedPricateKeyInfo if available, otherwise export the PrivateKey handle. Fixes: https://pagure.io/dogtagpki/issue/2741 Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a 
Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
file handing to never deal with raw private key material.
PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
or fail.  This change missed this case where a PKCS #12 file is
loaded from file, possibly modified, then written back to a file,
without involving an NSSDB.  One example is pkcs12-cert-del which
deletes a certificate and associated key from a PKCS #12 file.

Fix the PKCS12Util.addKeyBag() method to use the stored
EncryptedPricateKeyInfo if available, otherwise export the
PrivateKey handle.

Fixes: https://pagure.io/dogtagpki/issue/2741
Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
Added default URL for OCSPProcessor. 2017-06-15T03:44:15+00:00 Endi S. Dewata edewata@redhat.com 2017-06-15T03:28:16+00:00 1f9db90b4f490f615a67a0f2d26b378345c6ab6a The OCSPProcessor has been modified to provide a default URL for all requests submitted using the processor. https://pagure.io/dogtagpki/issue/2652 Change-Id: I0175947d7d6a6a0284837e0d0464b139a5802444 
The OCSPProcessor has been modified to provide a default URL for
all requests submitted using the processor.

https://pagure.io/dogtagpki/issue/2652

Change-Id: I0175947d7d6a6a0284837e0d0464b139a5802444
Ticket #2619 Allow CA to process user-signed CMC revocation requests 2017-06-09T01:07:49+00:00 Christina Fu cfu@redhat.com 2017-05-30T21:12:06+00:00 698192f4f62c55142a557f6489ed2323e17401b0 First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken). One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest. This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing. On the client side: CMCRequest - Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens. - removed the revRequest.nickname parameter from the configuration. From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert. - added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing. CMCRevoke - The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shred secret, and keep the -p for the nss db password. - The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways; - The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below) - This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now. On the server side. CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly. Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not. Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests. The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well. Previously missed signing cert validation is also added for more complete check. Some SHA1 are turned into SHA2 Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s). 
First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth.  It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).

One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.

This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.

On the client side:

CMCRequest

- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.

- removed the revRequest.nickname parameter from the configuration.  From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request.  The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject.  By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial.  It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db.  In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.

- added support for unsigned data in support of shared secret in both CMCRequest and server;  The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.

CMCRevoke

- The original code assumed that the nss db password is the same as Shared Secret (!!).  This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.

- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out.  Both are unusable directly.  This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet);  Again, this is not RFC conforming, but I fixed it anyways;

- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)

- This code still requires the signer certificate nickname to run, making the shared secret method moot.  Since CMCRequest has been updated to work properly, we can leave this for now.

On the server side.

CMCUserSignedAuth has been updated to handle unsigned DATA;  Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests).  This addition is important to support shared secrets properly.

Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth.  The original code did not do that, I think it is because it always checks if it's an agent or not.

Something that could be improved on is to have its own servlet.  However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.

The shared secret handling is left in the CMCOutputTemplate for now.  Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement.   Shared Token plugin implementation will be added in later ticket as well.

Previously missed signing cert validation is also added for more complete check.
Some SHA1 are turned into SHA2

Finally, some auditing are added, but it is not finalized.  It will be done in the next ticket(s).
Server side changes to correctly parse the new PKIArchiveOptions 2017-06-07T20:00:52+00:00 Ade Lee alee@redhat.com 2017-06-06T20:16:40+00:00 d5c331a42955365b76a1549aec047e613d3185dc The server is modified to read the new OIDs in the PKIArchiveOptions and handle them correctly. Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4 
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.

Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
Refactor client to not use keysets 2017-06-07T20:00:41+00:00 Ade Lee alee@redhat.com 2017-05-26T17:06:18+00:00 38df4274214938ceece85627abb6d4fe77b960ff It is simpler to simply tell the client which algorithm to use for key wrapping and encryption, rather than use key sets. Therefore: * KRAInfo and CAInfo are refactored to provide the algorithms required for key wrapping and encryption. * Client is modified to use these parameters to determine which algorithms to use. * We specify the OIDs that will be used in the PKIARchiveOptions more correctly. The options are basically: AES-128-CBC, DES3-CBC, AES KeyWrap/Pad Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409 
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets.  Therefore:

* KRAInfo and CAInfo are refactored to provide the
  algorithms required for key wrapping and encryption.

* Client is modified to use these parameters to determine
  which algorithms to use.

* We specify the OIDs that will be used in the PKIARchiveOptions
  more correctly.  The options are basically:
  AES-128-CBC, DES3-CBC, AES KeyWrap/Pad

Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
Convert CMC code to use AES 2017-06-01T02:15:23+00:00 Ade Lee alee@redhat.com 2017-05-27T02:57:07+00:00 0984d8a114b326a75b2c32cd9da2b7dee23920bb * Switched out CrytoUtil calls that use DES and replaced them with AES equivalents. Removed these now unneeded methods. * Added 16 byte constant IV for AES operations. This must be replaced by a randomly generated IV. Added TODOs where IVs should be replaced. * Corrected misspellings of "enreypted" in both request fields and variable names * Removed some code from null checks where the result could never be null. These cases were flagged in eclipse as dead code. Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb 
* Switched out CrytoUtil calls that use DES and replaced them
  with AES equivalents.  Removed these now unneeded methods.
* Added 16 byte constant IV for AES operations.  This must be
  replaced by a randomly generated IV.  Added TODOs where IVs
  should be replaced.
* Corrected misspellings of "enreypted" in both request fields
  and variable names
* Removed some code from null checks where the result could
  never be null.  These cases were flagged in eclipse as dead
  code.

Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
Updated log messages in OCSPProcessor. 2017-05-23T20:25:32+00:00 Endi S. Dewata edewata@redhat.com 2017-05-23T20:25:32+00:00 fd149624a7ace41c75c5034345503c0d412f7aa3 The OCSPProcessor has been modified to log the OCSP response to help troubleshooting. https://pagure.io/dogtagpki/issue/2695 Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f 
The OCSPProcessor has been modified to log the OCSP response to
help troubleshooting.

https://pagure.io/dogtagpki/issue/2695

Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f