author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-11 19:14:32 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2011-01-11 19:14:32 +0000 |
commit | 57d529cce8f005d2ca98681f4e2df1008ef6130d (patch) | |
tree | d030347ebfa2ba186b45b73f873c49d8d9204789 | |
parent | 3a0e4d837fdd82c87a460d436033eb76efef7fd2 (diff) | |
Bugzilla 661142 - Verification should fail when a revoked certificate is added
- adding -P to audit signing certs trust database
- making specific certusage check
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1723 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
8 files changed, 27 insertions, 13 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg.in b/pki/base/ca/shared/conf/CS.cfg.in
index 760b44a98..3fca3be71 100644
--- a/pki/base/ca/shared/conf/CS.cfg.in
+++ b/pki/base/ca/shared/conf/CS.cfg.in
@@ -46,6 +46,11 @@ preop.admin.group=Certificate Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
 ca.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
+ca.cert.signing.certusage=SSLCA
+ca.cert.ocsp_signing.certusage=StatusResponder
+ca.cert.sslserver.certusage=SSLServer
+ca.cert.subsystem.certusage=SSLClient
+ca.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
 preop.cert.signing.enable=true
 preop.cert.ocsp_signing.enable=true
diff --git a/pki/base/ca/shared/conf/caAuditSigningCert.profile b/pki/base/ca/shared/conf/caAuditSigningCert.profile
index 490759096..5983a186c 100644
--- a/pki/base/ca/shared/conf/caAuditSigningCert.profile
+++ b/pki/base/ca/shared/conf/caAuditSigningCert.profile
@@ -6,7 +6,7 @@ name=CA Audit Signing Certificate Profile
 description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
 profileIDMapping=caSignedLogCert
 profileSetIDMapping=caLogSigningSet
-list=2,4,6,8,9
+list=2,4,6,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -33,7 +33,3 @@ list=2,4,6,8,9
 8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
 8.default.params.authInfoAccessCritical=false
 8.default.params.authInfoAccessNumADs=1
-9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-9.default.name=Extended Key Usage Extension Default
-9.default.params.exKeyUsageCritical=false
-9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
index 11b8d78fb..e0eb13d35 100644
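Review bot: The `ca.cert.<tag>.certusage` keys in pki/base/ca/shared/conf/CS.cfg.in are added only to the instance template, and nothing in this commit shows what the verification code does when a key is absent, as it presumably would be in a CS.cfg generated before this change. If a missing key falls back to a generic usage check, existing instances would not get the stricter per-certificate check; if it is treated as an error, they would need a migration step. Either way the behaviour for a missing key and the accepted values (`SSLCA`, `StatusResponder`, `SSLServer`, `SSLClient`, `ObjectSigner`) deserve a line in the commit description or the administrator documentation.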
--- a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -11,7 +11,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=auditSigningCertSet
-policyset.auditSigningCertSet.list=1,2,3,4,5,6,7,9
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
 policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
 policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
@@ -72,12 +72,6 @@ policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
 policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.auditSigningCertSet.7.constraint.class_id=noConstraintImpl
-policyset.auditSigningCertSet.7.constraint.name=No Constraint
-policyset.auditSigningCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.auditSigningCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.auditSigningCertSet.7.default.params.exKeyUsageCritical=false
-policyset.auditSigningCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
 policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
index 0e1c20d2c..720f419f4 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java
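Review bot: In caInternalAuthAuditSigningCert.cfg the retained constraint `policyset.auditSigningCertSet.9` still lists `MD5withRSA` and `MD2withRSA` in `signingAlgsAllowed`, and its display name is `No Constraint` although its class is `signingAlgConstraintImpl`. Since this commit is already narrowing what an audit signing certificate may be used for, I would drop the two MD-based algorithms from the allowed list and rename the entry, for example `policyset.auditSigningCertSet.9.constraint.name=Signing Algorithm Constraint`. These lines are context in the second hunk, so this would be an addition to the commit rather than a correction of what it changes.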
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertRequestPanel.java @@ -727,7 +727,11 @@ public class CertRequestPanel extends WizardPanelBase { InternalCertificate ic = (InternalCertificate)c; ic.setSSLTrust(InternalCertificate.USER); ic.setEmailTrust(InternalCertificate.USER); - ic.setObjectSigningTrust(InternalCertificate.USER); + if (tag.equals("audit_signing")) { + ic.setObjectSigningTrust(InternalCertificate.USER | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER); + } else { + ic.setObjectSigningTrust(InternalCertificate.USER); + } } } } catch (Exception e) { diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java index 53b172cf5..764e56e89 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java +++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java @@ -569,6 +569,9 @@ public class RestoreKeyCertPanel extends WizardPanelBase { icert.setSSLTrust(InternalCertificate.TRUSTED_CA | InternalCertificate.TRUSTED_CLIENT_CA | InternalCertificate.VALID_CA); + } else if (name.startsWith("auditSigningCert")) { + InternalCertificate icert = (InternalCertificate)xcert; + icert.setObjectSigningTrust(InternalCertificate.USER | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER); } } else cm.importCACertPackage(cert); diff --git a/pki/base/kra/shared/conf/CS.cfg.in b/pki/base/kra/shared/conf/CS.cfg.in index 05ed8ce09..f1339f0bb 100644 --- a/pki/base/kra/shared/conf/CS.cfg.in +++ b/pki/base/kra/shared/conf/CS.cfg.in 
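Review bot: The trust mask `InternalCertificate.USER | InternalCertificate.VALID_PEER | InternalCertificate.TRUSTED_PEER` added in CertRequestPanel.java is written out a second time in RestoreKeyCertPanel.java, and the two panels recognise the audit signing certificate differently, by `tag.equals("audit_signing")` here and by `name.startsWith("auditSigningCert")` there. A single shared constant for the mask would keep the two paths from drifting apart and gives one place for a comment on why the peer flags are set. Writing the test as `"audit_signing".equals(tag)` would also avoid a NullPointerException should `tag` be null; the enclosing method begins outside the hunk, so whether that can happen is not visible here.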
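Review bot: In RestoreKeyCertPanel.java the new branch sets `TRUSTED_PEER` object-signing trust on any imported certificate whose `name` begins with `auditSigningCert`, so the trust decision rests on a label rather than on the certificate itself. If `name` is the nickname carried in the restored package (its assignment is outside the hunk), I would compare it against the configured audit signing nickname, or at least match it exactly, before raising trust. A one-line comment above `icert.setObjectSigningTrust(...)` saying that the peer flags are what the ObjectSigner usage check relies on, if that is indeed the reason, would help the next reader.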
@@ -36,6 +36,11 @@ preop.admin.group=Data Recovery Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
 kra.cert.list=transport,storage,sslserver,subsystem,audit_signing
+kra.cert.transport.certusage=ProtectedObjectSigner
+kra.cert.storage.certusage=ProtectedObjectSigner
+kra.cert.sslserver.certusage=SSLServer
+kra.cert.subsystem.certusage=SSLClient
+kra.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
 preop.cert.transport.enable=true
 preop.cert.storage.enable=true
diff --git a/pki/base/ocsp/shared/conf/CS.cfg.in b/pki/base/ocsp/shared/conf/CS.cfg.in
index 84553d3fc..ad98fe64a 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg.in
+++ b/pki/base/ocsp/shared/conf/CS.cfg.in
@@ -41,6 +41,10 @@ preop.configModules.count=3
 preop.module.token=Internal Key Storage Token
 ocsp.cert.list=signing,sslserver,subsystem,audit_signing
 preop.cert.list=signing,sslserver,subsystem,audit_signing
+ocsp.cert.signing=StatusResponder
+ocsp.cert.sslserver.certusage=SSLServer
+ocsp.cert.subsystem.certusage=SSLClient
+ocsp.cert.audit_signing.certusage=ObjectSigner
 preop.cert.ocsp_signing.enable=true
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
diff --git a/pki/base/tks/shared/conf/CS.cfg.in b/pki/base/tks/shared/conf/CS.cfg.in
index 1b5d89ea3..5f0c587dd 100644
--- a/pki/base/tks/shared/conf/CS.cfg.in
+++ b/pki/base/tks/shared/conf/CS.cfg.in
@@ -31,6 +31,9 @@ preop.product.name=CS
 preop.product.version=@VERSION@
 preop.system.fullname=Token Key Service
 tks.cert.list=sslserver,subsystem,audit_signing
+tks.cert.sslserver.certusage=SSLServer
+tks.cert.subsystem.certusage=SSLClient
+tks.cert.audit_signing.certusage=ObjectSigner
 preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true |
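Review bot: In pki/base/ocsp/shared/conf/CS.cfg.in the first added line is `ocsp.cert.signing=StatusResponder`, while every other entry this commit adds carries the `.certusage` suffix; it should presumably read `ocsp.cert.signing.certusage=StatusResponder`. As written the OCSP signing certificate has no certusage entry, so whatever the verifier does for a missing key applies to it, and the specific StatusResponder check may never run for the one certificate on this subsystem that signs responses. The CA, KRA and TKS templates in the same commit do not have this problem.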