Bugzilla 661142 - Verification should fail when a revoked certificate is added

  - adding -P to audit signing certs trust database
  - making specific certusage check


git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1723 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

8 files changed, 27 insertions, 13 deletions

diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 760b44a98..3fca3be71 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -46,6 +46,11 @@ preop.admin.group=Certificate Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
 ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+ca.cert.signing.certusage=SSLCA
+ca.cert.ocsp_signing.certusage=StatusResponder
+ca.cert.sslserver.certusage=SSLServer
+ca.cert.subsystem.certusage=SSLClient
+ca.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
 preop.cert.signing.enable=true
 preop.cert.ocsp_signing.enable=true
diff --git a/pki/base/ca/shared/conf/caAuditSigningCert.profile b/pki/base/ca/shared/conf/caAuditSigningCert.profile
index 490759096..5983a186c 100644
--- a/pki/base/ca/shared/conf/caAuditSigningCert.profile
+++ b/pki/base/ca/shared/conf/caAuditSigningCert.profile
@@ -6,7 +6,7 @@ name=CA Audit Signing Certificate Profile
 description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
 profileIDMapping=caSignedLogCert
 profileSetIDMapping=caLogSigningSet
-list=2,4,6,8,9
+list=2,4,6,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -33,7 +33,3 @@ list=2,4,6,8,9
 8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
 8.default.params.authInfoAccessCritical=false
 8.default.params.authInfoAccessNumADs=1
-9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-9.default.name=Extended Key Usage Extension Default
-9.default.params.exKeyUsageCritical=false
-9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
index 11b8d78fb..e0eb13d35 100644
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=auditSigningCertSet
-policyset.auditSigningCertSet.list=1,2,3,4,5,6,7,9
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
 policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
 policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
@@ -72,12 +72,6 @@ policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
 policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.auditSigningCertSet.7.constraint.class_id=noConstraintImpl
-policyset.auditSigningCertSet.7.constraint.name=No Constraint
-policyset.auditSigningCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.auditSigningCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.auditSigningCertSet.7.default.params.exKeyUsageCritical=false
-policyset.auditSigningCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
 policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 0e1c20d2c..720f419f4 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
@@ -727,7 +727,11 @@ public class CertRequestPanel extends WizardPanelBase {
                     InternalCertificate ic = (InternalCertificate)c;
                     ic.setSSLTrust(InternalCertificate.USER);
                     ic.setEmailTrust(InternalCertificate.USER);
-                    ic.setObjectSigningTrust(InternalCertificate.USER);
+                    if (tag.equals("audit_signing")) {
+                        ic.setObjectSigningTrust(InternalCertificate.USER | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER);
+                    } else {
+                        ic.setObjectSigningTrust(InternalCertificate.USER);
+                    }
                 }
             }  
         } catch (Exception e) {
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 53b172cf5..764e56e89 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -569,6 +569,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
                         icert.setSSLTrust(InternalCertificate.TRUSTED_CA 
                           | InternalCertificate.TRUSTED_CLIENT_CA
                           | InternalCertificate.VALID_CA);
+                    } else if (name.startsWith("auditSigningCert")) {
+                        InternalCertificate icert = (InternalCertificate)xcert;
+                        icert.setObjectSigningTrust(InternalCertificate.USER | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER);
                     }
                 } else
                     cm.importCACertPackage(cert);
diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in
index 05ed8ce09..f1339f0bb 100644
--- a/pki/base/kra/shared/conf/CS.cfg.in
+++ b/pki/base/kra/shared/conf/CS.cfg.in
@@ -36,6 +36,11 @@ preop.admin.group=Data Recovery Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
 kra.cert.list=transport,storage,sslserver,subsystem,audit_signing
+kra.cert.transport.certusage=ProtectedObjectSigner
+kra.cert.storage.certusage=ProtectedObjectSigner
+kra.cert.sslserver.certusage=SSLServer
+kra.cert.subsystem.certusage=SSLClient
+kra.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
 preop.cert.transport.enable=true
 preop.cert.storage.enable=true
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index 84553d3fc..ad98fe64a 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -41,6 +41,10 @@ preop.configModules.count=3
 preop.module.token=Internal Key Storage Token
 ocsp.cert.list=signing,sslserver,subsystem,audit_signing
 preop.cert.list=signing,sslserver,subsystem,audit_signing
+ocsp.cert.signing=StatusResponder
+ocsp.cert.sslserver.certusage=SSLServer
+ocsp.cert.subsystem.certusage=SSLClient
+ocsp.cert.audit_signing.certusage=ObjectSigner
 preop.cert.ocsp_signing.enable=true
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 1b5d89ea3..5f0c587dd 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -31,6 +31,9 @@ preop.product.name=CS
 preop.product.version=@VERSION@
 preop.system.fullname=Token Key Service
 tks.cert.list=sslserver,subsystem,audit_signing
+tks.cert.sslserver.certusage=SSLServer
+tks.cert.subsystem.certusage=SSLClient
+tks.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true