authorChristina Fu <cfu@redhat.com>2014-01-23 15:26:13 -0800
committerChristina Fu <cfu@redhat.com>2014-01-23 15:26:13 -0800
commit352040246bbd96bc59a2e2b9156c65837a6c02b7 (patch)
treecb9a267bbcbe20209da619c87420f14aa5b7864d
parentb3d5206cd5c06f3c32994698c37b5f52a23f3aa7 (diff)
External Registration feature merge (excluding TPS portion due to current TPS-rewrite effort):
http://pki.fedoraproject.org/wiki/TPS_-_New_Recovery_Option:_External_Registration_DS
-rw-r--r--base/ca/shared/conf/CS.cfg.in8
-rw-r--r--base/ca/shared/conf/registry.cfg5
-rw-r--r--base/ca/shared/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg176
-rw-r--r--base/ca/shared/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg176
-rw-r--r--base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg2
-rw-r--r--base/common/src/com/netscape/certsrv/request/IRequest.java1
-rw-r--r--base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java26
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java2
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java6
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java1
-rw-r--r--base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java127
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java67
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java16
-rw-r--r--base/server/cmsbundle/src/UserMessages.properties2
14 files changed, 578 insertions, 37 deletions
diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
index 0ec7ace87..976a41d03 100644
--- a/base/ca/shared/conf/CS.cfg.in
+++ b/base/ca/shared/conf/CS.cfg.in
@@ -960,7 +960,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert
+profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
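Review bot: `caTokenUserAuthKeyRenewal` is added to `profile.list` here and registered in the next hunk with `profile.caTokenUserAuthKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserAuthKeyRenewal.cfg`, but the commit's file list adds no such profile file — only the two Delegate enrollment profiles are new. If that file is not already present in the tree, the CA will register a profile whose config is missing at startup; either add the profile file in this commit or hold the registration back until it exists. The only renewal profile touched here (caTokenUserEncryptionKeyRenewal.cfg) just corrects its display name.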
@@ -1047,12 +1047,18 @@ profile.caTempTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
profile.caTempTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTempTokenUserSigningKeyEnrollment.cfg
profile.caTokenUserSigningKeyRenewal.class_id=caUserCertEnrollImpl
profile.caTokenUserSigningKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserSigningKeyRenewal.cfg
+profile.caTokenUserAuthKeyRenewal.class_id=caUserCertEnrollImpl
+profile.caTokenUserAuthKeyRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserAuthKeyRenewal.cfg
profile.caTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
profile.caTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenDeviceKeyEnrollment.cfg
profile.caTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
profile.caTokenUserEncryptionKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserEncryptionKeyEnrollment.cfg
profile.caTokenUserSigningKeyEnrollment.class_id=caUserCertEnrollImpl
profile.caTokenUserSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserSigningKeyEnrollment.cfg
+profile.caTokenUserDelegateSigningKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserDelegateSigningKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg
+profile.caTokenUserDelegateAuthKeyEnrollment.class_id=caUserCertEnrollImpl
+profile.caTokenUserDelegateAuthKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg
profile.caTokenMSLoginEnrollment.class_id=caUserCertEnrollImpl
profile.caTokenMSLoginEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTokenMSLoginEnrollment.cfg
profile.caStorageCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
index b814e59cd..9cd4e6d5c 100644
--- a/base/ca/shared/conf/registry.cfg
+++ b/base/ca/shared/conf/registry.cfg
@@ -173,7 +173,10 @@ profile.caServerCertEnrollImpl.name=Server Certificate Enrollment Profile
profile.caUserCertEnrollImpl.class=com.netscape.cms.profile.common.UserCertCAEnrollProfile
profile.caUserCertEnrollImpl.desc=Certificate Authority User Certificate Enrollment Profile
profile.caUserCertEnrollImpl.name=User Certificate Enrollment Profile
-profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl
+profileInput.ids=cmcCertReqInputImpl,certReqInputImpl,keyGenInputImpl,encKeyGenInputImpl,signKeyGenInputImpl,dualKeyGenInputImpl,subjectNameInputImpl,submitterInfoInputImpl,genericInputImpl,fileSigningInputImpl,imageInputImpl,subjectDNInputImpl,nsNKeyCertReqInputImpl,nsHKeyCertReqInputImpl,serialNumRenewInputImpl,subjectAltNameExtInputImpl
+profileInput.subjectAltNameExtInputImpl.class=com.netscape.cms.profile.input.SubjectAltNameExtInput
+profileInput.subjectAltNameExtInputImpl.desc=SAN Input
+profileInput.subjectAltNameExtInputImpl.name=SAN Input
profileInput.fileSigningInputImpl.class=com.netscape.cms.profile.input.FileSigningInput
profileInput.fileSigningInputImpl.desc=File Signing Input
profileInput.fileSigningInputImpl.name=File Signing Input
diff --git a/base/ca/shared/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg
new file mode 100644
index 000000000..f12894ea6
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenUserDelegateAuthKeyEnrollment.cfg
@@ -0,0 +1,176 @@
+desc=This profile is for enrolling Token User Delegate Authentication key
+enable=true
+enableBy=admin
+name=Token User Delegate Authentication Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1,i2,i3
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i2.name=subjectDNInputImpl
+input.i3.class_id=subjectAltNameExtInputImpl
+input.i3.name=subjectAltNameExtInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o1.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=subjectNameConstraintImpl
+policyset.set1.p1.constraint.name=Subject Name Constraint
+policyset.set1.p1.constraint.params.pattern=.*
+policyset.set1.p1.constraint.params.accept=true
+policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
+policyset.set1.p1.default.name=Subject Name Default
+policyset.set1.p1.default.params.name=
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=(UTF8String)1.3.6.1.4.1.311.20.2.3,$request.req_san_pattern_0$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=OtherName
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=OtherName
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.set1.10.constraint.name=Renewal Grace Period Constraint
+policyset.set1.10.constraint.params.renewal.graceBefore=30
+policyset.set1.10.constraint.params.renewal.graceAfter=30
+policyset.set1.10.default.class_id=noDefaultImpl
+policyset.set1.10.default.name=No Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
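Review bot: The SAN in p6 is built verbatim from the request input `$request.req_san_pattern_0$` as a Microsoft UPN otherName (`1.3.6.1.4.1.311.20.2.3`) under `noConstraintImpl`, and p1 accepts any subject with `pattern=.*` / `accept=true`, so nothing in this profile ties the UPN or DN of the issued certificate to the identity that was authenticated; the profile relies entirely on `auth.instance_id=AgentCertAuth` limiting who may submit. The same unconstrained `req_san_pattern_0` is used in caTokenUserDelegateSigningKeyEnrollment.cfg (as an RFC822Name), so the remark applies there too. I would either add a constraint on p6 or at least document the trust assumption above it, e.g. `# SAN is taken verbatim from the agent-authenticated request; the submitting TPS is expected to have validated it against the external registration DS`. Two smaller things: the copied comment `#changed ldap.enable to true to support SMIME` contradicts the `ldap.enable=false` that follows it and should go, and the grace-period entries are keyed `policyset.set1.10.*` rather than `policyset.set1.p10.*`, which is harmless while `p10` is absent from `policyset.set1.list` but will be silently ignored if someone later adds it.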
diff --git a/base/ca/shared/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg b/base/ca/shared/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg
new file mode 100644
index 000000000..b55fe895b
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caTokenUserDelegateSigningKeyEnrollment.cfg
@@ -0,0 +1,176 @@
+desc=This profile is for enrolling Token User Delegate Signing key
+enable=true
+enableBy=admin
+name=Token User Delegate Signing Certificate Enrollment
+visible=false
+auth.instance_id=AgentCertAuth
+input.list=i1,i2,i3
+input.i1.class_id=nsNKeyCertReqInputImpl
+input.i1.name=nsNKeyCertReqInputImpl
+input.i2.class_id=subjectDNInputImpl
+input.i2.name=subjectDNInputImpl
+input.i3.class_id=subjectAltNameExtInputImpl
+input.i3.name=subjectAltNameExtInputImpl
+output.list=o1
+output.o1.class_id=nsNKeyOutputImpl
+output.o1.name=nsNKeyOutputImpl
+policyset.list=set1
+#policyset.set1.list=p2,p4,p5,p1,p6,p7,p8,p9,p12,p13,p14
+policyset.set1.list=p2,p4,p5,p1,p6,p8,p9,p12
+policyset.set1.p1.constraint.class_id=subjectNameConstraintImpl
+policyset.set1.p1.constraint.name=Subject Name Constraint
+policyset.set1.p1.constraint.params.pattern=.*
+policyset.set1.p1.constraint.params.accept=true
+policyset.set1.p1.default.class_id=userSubjectNameDefaultImpl
+policyset.set1.p1.default.name=Subject Name Default
+policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User
+#changed ldap.enable to true to support SMIME
+policyset.set1.p1.default.params.ldap.enable=false
+policyset.set1.p1.default.params.ldap.searchName=uid
+policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
+policyset.set1.p1.default.params.ldap.basedn=
+policyset.set1.p1.default.params.ldap.maxConns=4
+policyset.set1.p1.default.params.ldap.minConns=1
+policyset.set1.p1.default.params.ldap.ldapconn.Version=2
+policyset.set1.p1.default.params.ldap.ldapconn.host=
+policyset.set1.p1.default.params.ldap.ldapconn.port=
+policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
+policyset.set1.p2.constraint.class_id=noConstraintImpl
+policyset.set1.p2.constraint.name=No Constraint
+policyset.set1.p2.default.class_id=validityDefaultImpl
+policyset.set1.p2.default.name=Validity Default
+policyset.set1.p2.default.params.range=1825
+policyset.set1.p2.default.params.startTime=0
+policyset.set1.p4.constraint.class_id=noConstraintImpl
+policyset.set1.p4.constraint.name=No Constraint
+policyset.set1.p4.default.class_id=signingAlgDefaultImpl
+policyset.set1.p4.default.name=Signing Algorithm Default
+policyset.set1.p4.default.params.signingAlg=-
+policyset.set1.p5.constraint.class_id=noConstraintImpl
+policyset.set1.p5.constraint.name=No Constraint
+policyset.set1.p5.default.class_id=keyUsageExtDefaultImpl
+policyset.set1.p5.default.name=Key Usage Extension Default
+policyset.set1.p5.default.params.keyUsageCritical=true
+policyset.set1.p5.default.params.keyUsageCrlSign=false
+policyset.set1.p5.default.params.keyUsageDataEncipherment=false
+policyset.set1.p5.default.params.keyUsageDecipherOnly=false
+policyset.set1.p5.default.params.keyUsageDigitalSignature=true
+policyset.set1.p5.default.params.keyUsageEncipherOnly=false
+policyset.set1.p5.default.params.keyUsageKeyAgreement=false
+policyset.set1.p5.default.params.keyUsageKeyCertSign=false
+policyset.set1.p5.default.params.keyUsageKeyEncipherment=false
+policyset.set1.p5.default.params.keyUsageNonRepudiation=true
+policyset.set1.p6.constraint.class_id=noConstraintImpl
+policyset.set1.p6.constraint.name=No Constraint
+policyset.set1.p6.default.class_id=subjectAltNameExtDefaultImpl
+policyset.set1.p6.default.name=Subject Alternative Name Extension Default
+policyset.set1.p6.default.params.subjAltExtGNEnable_0=true
+policyset.set1.p6.default.params.subjAltExtGNEnable_1=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_2=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_3=false
+policyset.set1.p6.default.params.subjAltExtGNEnable_4=false
+policyset.set1.p6.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+policyset.set1.p6.default.params.subjAltExtPattern_1=
+policyset.set1.p6.default.params.subjAltExtPattern_2=
+policyset.set1.p6.default.params.subjAltExtPattern_3=
+policyset.set1.p6.default.params.subjAltExtPattern_4=
+policyset.set1.p6.default.params.subjAltExtType_0=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_1=OtherName
+policyset.set1.p6.default.params.subjAltExtType_2=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_3=RFC822Name
+policyset.set1.p6.default.params.subjAltExtType_4=RFC822Name
+policyset.set1.p6.default.params.subjAltNameExtCritical=false
+policyset.set1.p6.default.params.subjAltNameNumGNs=1
+policyset.set1.p7.constraint.class_id=noConstraintImpl
+policyset.set1.p7.constraint.name=No Constraint
+policyset.set1.p7.default.class_id=certificatePoliciesExtDefaultImpl
+policyset.set1.p7.default.name=Certificate Policies Extension Default
+policyset.set1.p7.default.params.Critical=false
+policyset.set1.p7.default.params.PoliciesExt.num=5
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.enable=true
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy0.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy1.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy2.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy3.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.policyId=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.CPSURI.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.enable=false
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.explicitText.value=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.noticeNumbers=
+policyset.set1.p7.default.params.PoliciesExt.certPolicy4.PolicyQualifiers0.usernotice.noticeReference.organization=
+policyset.set1.p8.constraint.class_id=noConstraintImpl
+policyset.set1.p8.constraint.name=No Constraint
+policyset.set1.p8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.set1.p8.default.name=Subject Key Identifier Default
+policyset.set1.p9.constraint.class_id=noConstraintImpl
+policyset.set1.p9.constraint.name=No Constraint
+policyset.set1.p9.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.set1.p9.default.name=Authority Key Identifier Extension Default
+policyset.set1.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.set1.10.constraint.name=Renewal Grace Period Constraint
+policyset.set1.10.constraint.params.renewal.graceBefore=30
+policyset.set1.10.constraint.params.renewal.graceAfter=30
+policyset.set1.10.default.class_id=noDefaultImpl
+policyset.set1.10.default.name=No Default
+policyset.set1.p12.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.set1.p12.constraint.name=Basic Constraints Extension Constraint
+policyset.set1.p12.constraint.params.basicConstraintsCritical=-
+policyset.set1.p12.constraint.params.basicConstraintsIsCA=-
+policyset.set1.p12.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.set1.p12.constraint.params.basicConstraintsMinPathLen=-1
+policyset.set1.p12.default.class_id=basicConstraintsExtDefaultImpl
+policyset.set1.p12.default.name=Basic Constraints Extension Default
+policyset.set1.p12.default.params.basicConstraintsCritical=false
+policyset.set1.p12.default.params.basicConstraintsIsCA=false
+policyset.set1.p12.default.params.basicConstraintsPathLen=-1
+policyset.set1.p13.constraint.class_id=noConstraintImpl
+policyset.set1.p13.constraint.name=No Constraint
+policyset.set1.p13.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.name=crlDistributionPointsExtDefaultImpl
+policyset.set1.p13.default.params.crlDistPointsCritical=false
+policyset.set1.p13.default.params.crlDistPointsNum=1
+policyset.set1.p13.default.params.crlDistPointsEnable_0=false
+policyset.set1.p13.default.params.crlDistPointsIssuerName_0=
+policyset.set1.p13.default.params.crlDistPointsIssuerType_0=
+policyset.set1.p13.default.params.crlDistPointsPointName_0=
+policyset.set1.p13.default.params.crlDistPointsPointType_0=URIName
+policyset.set1.p13.default.params.crlDistPointsReasons_0=
+policyset.set1.p14.constraint.class_id=noConstraintImpl
+policyset.set1.p14.constraint.name=No Constraint
+policyset.set1.p14.default.class_id=authInfoAccessExtDefaultImpl
+policyset.set1.p14.default.name=AIA Extension Default
+policyset.set1.p14.default.params.authInfoAccessADEnable_0=false
+policyset.set1.p14.default.params.authInfoAccessADLocationType_0=URIName
+policyset.set1.p14.default.params.authInfoAccessADLocation_0=
+policyset.set1.p14.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.set1.p14.default.params.authInfoAccessCritical=false
+policyset.set1.p14.default.params.authInfoAccessNumADs=1
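Review bot: p1 here sets `policyset.set1.p1.default.params.dnpattern=UID=$request.uid$, O=Token Key User`, while the otherwise identical caTokenUserDelegateAuthKeyEnrollment.cfg sets only an empty `policyset.set1.p1.default.params.name=` and no `dnpattern`, so the two delegate profiles derive the subject DN differently; if that is not intentional the Auth profile should carry the same `dnpattern` line. Which of `name` and `dnpattern` UserSubjectNameDefault actually reads cannot be seen on this page (the commit changes UserSubjectNameDefault.java by one line), so please confirm against that class. `subjAltExtType_2=RFC822Name` also differs from the Auth file's `OtherName` for the same slot — harmless while `subjAltNameNumGNs=1`, but it makes the two files needlessly hard to diff.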
diff --git a/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
index 281e2a43e..31bfc6733 100644
--- a/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
+++ b/base/ca/shared/profiles/ca/caTokenUserEncryptionKeyRenewal.cfg
@@ -4,7 +4,7 @@ enable=true
enableBy=admin
renewal=true
auth.instance_id=AgentCertAuth
-name=smart card token signing cert renewal profile
+name=smart card token encryption cert renewal profile
input.list=i1
input.i1.class_id=serialNumRenewInputImpl
output.list=o1
diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
index 6438205ab..60c083e6a 100644
--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
@@ -149,6 +149,7 @@ public interface IRequest extends Serializable {
public final static String NETKEY_ATTR_SERVERSIDE_MUSCLE_FLAG = "serverSideMuscle";
public final static String NETKEY_ATTR_ENC_PRIVKEY_FLAG = "encryptPrivKey";
public final static String NETKEY_ATTR_USER_CERT = "cert";
+ public final static String NETKEY_ATTR_KEYID = "keyid";
public final static String NETKEY_ATTR_KEY_SIZE = "keysize";
public final static String NETKEY_ATTR_KEY_TYPE = "keytype";
public final static String NETKEY_ATTR_KEY_EC_CURVE = "eckeycurve";
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 51059c220..b59a8b942 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.IVParameterSpec;
import org.mozilla.jss.crypto.KeyWrapAlgorithm;
import org.mozilla.jss.crypto.KeyWrapper;
import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.PrivateKey.Type;
import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.pkcs11.PK11SymKey;
import org.mozilla.jss.util.Base64OutputStream;
@@ -421,6 +422,7 @@ public class TokenKeyRecoveryService implements IService {
}
}
+ Type keyType = PrivateKey.RSA;
byte wrapped[];
if (allowEncDecrypt_recovery == true) {
// Unwrap the archived private key
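Review bot: `keyType` is initialised to `PrivateKey.RSA` on the added line and is never reassigned anywhere in the hunks visible here, yet a later hunk of this same method branches on `keyType == PrivateKey.EC`. Unless the unshown lines between the two hunks set it from the recovered key (something like `keyType = privKey.getType();` after `recoverKey`, plus the equivalent on the `allowEncDecrypt_recovery` path), the EC branch is dead and an EC public key would be encoded like an RSA one. The enclosing method starts and ends outside the hunk.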
@@ -478,6 +480,20 @@ public class TokenKeyRecoveryService implements IService {
wrapped = cipher.doFinal(privateKeyData);
} else { //allowEncDecrypt_recovery == false
PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery);
+ if (privKey == null) {
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
+ CMS.debug("TokenKeyRecoveryService: failed getting private key");
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditRecoveryID,
+ agentId);
+
+ audit(auditMessage);
+ return false;
+ }
+
KeyWrapper wrapper = token.getKeyWrapper(
KeyWrapAlgorithm.DES3_CBC_PAD);
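Review bot: The new null-check stores the bare literal `4` in `IRequest.RESULT` with nothing saying what that code means to the connector that reads it; if this file does not already name its result codes, a constant such as `private static final int RESULT_KEY_RECOVERY_FAILED = 4;` or at least a trailing comment on that line would make the contract readable. The audit-then-return ordering on failure is the right fail-closed shape. The enclosing method starts and ends outside the hunk.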
@@ -511,7 +527,15 @@ public class TokenKeyRecoveryService implements IService {
}
//convert and put in the public key
- String PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(pubData);
+ String PubKey = "";
+ if (keyType == PrivateKey.EC) {
+ /* url encode */
+ PubKey = com.netscape.cmsutil.util.Utils.SpecialEncode(pubData);
+ CMS.debug("TokenKeyRecoveryService: EC PubKey special encoded");
+ } else {
+ PubKey = base64Encode(pubData);
+ CMS.debug("TokenKeyRecoveryService: RSA PubKey base64 encoded");
+ }
auditMessage = CMS.getLogMessage(
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
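Review bot: The RSA branch changes the encoding of `pubData` handed back to the caller from `Utils.SpecialEncode` to `base64Encode`, which is a wire-format change for whoever consumes this response; the commit message says the TPS portion is excluded, so an unmodified TPS would now receive a base64 RSA public key where it previously got the URL-encoded form. If the TPS side is updated separately, a comment on the branch naming the consumer and the expected format, e.g. `// consumer expects RSA public key base64-encoded, EC public key SpecialEncode'd`, would record the coupling. This branch also depends on `keyType` having been set from the recovered key, which the visible hunks do not show. The enclosing method continues outside the hunk.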
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
index 7b4c3c74d..417f78123 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
@@ -497,6 +497,8 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
String on_oid = nameValue.substring(pos0 + 1, pos1).trim();
String on_value = nameValue.substring(pos1 + 1).trim();
if (isValidOID(on_oid)) {
+ CMS.debug("OtherName about to create OtherName object:");
+ CMS.debug("OID: " + on_oid + " Value:" + on_value);
return new OtherName(new ObjectIdentifier(on_oid), DerValue.tag_PrintableString, on_value);
} else {
return null;
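Review bot: The two added `CMS.debug` lines lack the `ClassName:` prefix the other debug messages in this commit use (e.g. `SubjectAltNameExtDefault: createExtension() ...`), and the second logs `on_value` verbatim; since SAN patterns can now be fed from request inputs, that value is requester-controlled and may carry personal data into the debug log. A single line such as `CMS.debug("EnrollDefault: creating OtherName oid=" + on_oid);`, with the value logged only when genuinely needed for troubleshooting, would be safer. The enclosing method starts and ends outside the hunk.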
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
index 61c200a96..240f86a13 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
@@ -57,6 +57,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
public static final String CONFIG_PATTERN = "subjAltExtPattern_";
public static final String CONFIG_SOURCE = "subjAltExtSource_";
public static final String CONFIG_SOURCE_UUID4 = "UUID4";
+ public static final String CONFIG_SAN_REQ_PATTERN_PREFIX = "$request.req_san_pattern_";
public static final String CONFIG_OLD_TYPE = "subjAltExtType";
public static final String CONFIG_OLD_PATTERN = "subjAltExtPattern";
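Review bot: `CONFIG_SAN_REQ_PATTERN_PREFIX` is declared here but not referenced in any hunk visible in this commit, and its value `$request.req_san_pattern_` hard-codes the `req_san_pattern_` prefix that the new `SubjectAltNameExtInput` declares independently. If it is used in code not shown, consider deriving it from that class's constant (`"$request." + SubjectAltNameExtInput.CONFIG_SAN_REQ_PATTERN`) where the dependency direction allows, so the two cannot drift; otherwise drop it. The enclosing class continues outside the hunk.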
@@ -447,6 +448,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
}
if (!pattern.equals("")) {
+ CMS.debug("SubjectAltNameExtDefault: createExtension() pattern="+ pattern);
String gname = "";
// cfu - see if this is server-generated (e.g. UUID4)
@@ -480,8 +482,8 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
}
}
- if (gname.equals("")) {
- CMS.debug("gname is empty, not added");
+ if (gname.equals("") || gname.contains("$")) {
+ CMS.debug("ubjectAltNameExtDefault: mapPattern()failed. Not added. gname="+ gname);
continue;
}
CMS.debug("SubjectAltNameExtDefault: createExtension got gname=" + gname);
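Review bot: The new guard treats any `$` left in `gname` as a failed `mapPattern()` and silently skips that SAN entry, so a requester-supplied `req_san_pattern_N` that does not resolve yields a certificate missing the entry instead of a rejected request; confirm that fail-open is intended for the external-registration flow, since it also means a legitimate value containing a literal `$` can never be issued. The debug message on the same line has a typo, `ubjectAltNameExtDefault`, and is missing a space before `failed`: `CMS.debug("SubjectAltNameExtDefault: mapPattern() failed. Not added. gname=" + gname);`. The enclosing loop and method start and end outside the hunk.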
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
index 77d743334..61d57ec7e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
@@ -138,6 +138,7 @@ public class UserSubjectNameDefault extends EnrollDefault {
} catch (Exception e) {
// failed to insert subject name
CMS.debug("UserSubjectNameDefault: populate " + e.toString());
+ throw new EProfileException(e.toString());
}
}
}
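Review bot: Throwing `EProfileException(e.toString())` turns a previously swallowed failure into a hard profile error, which is the right fail-closed direction, but the argument is the raw exception text; if that string is surfaced to the enrollee the way other profile errors are, it leaks internal class names and parse details and is not localisable. Prefer an existing key from UserMessages.properties via `CMS.getUserMessage(...)` for the thrown message, keep the detail in the `CMS.debug` line already present, and pass `e` as the cause if the constructor accepts one. The enclosing method starts outside the hunk.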
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java b/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java
new file mode 100644
index 000000000..72dc55b6c
--- /dev/null
+++ b/base/server/cms/src/com/netscape/cms/profile/input/SubjectAltNameExtInput.java
@@ -0,0 +1,127 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.cms.profile.input;
+
+import java.util.*;
+import com.netscape.certsrv.base.*;
+import com.netscape.certsrv.profile.*;
+import com.netscape.certsrv.request.*;
+import com.netscape.certsrv.property.*;
+import com.netscape.certsrv.apps.*;
+
+import com.netscape.cms.profile.common.*;
+
+
+/**
+ * This plugin populates text fields to the enrollment
+ * page so that SAN parameters
+ * can be collected from the user.
+ * <p>
+ * The collected parameters could be used for
+ * fomulating the SAN attributes in the certificate.
+ * <p>
+ *
+ */
+public class SubjectAltNameExtInput extends EnrollInput implements IProfileInput {
+
+ public static final int DEF_REQ_ENTRIES = 4;
+
+ public static final String CONFIG_SAN_REQ_PATTERN = "req_san_pattern_";
+ public static final String CONFIG_SAN_REQ_TYPE = "req_san_type_";
+
+ public static final String VAL_SAN_REQ_PATTERN = "req_san_pattern_";
+ public static final String VAL_SAN_REQ_TYPE = "req_san_type_";
+
+ /* defined in CS.cfg: "ca.SAN.entryNum" */
+ private int mSANentryNum = DEF_REQ_ENTRIES;
+
+ public SubjectAltNameExtInput() {
+ for (int i = 0; i< mSANentryNum; i++) {
+ addValueName(CONFIG_SAN_REQ_PATTERN + i);
+ addValueName(CONFIG_SAN_REQ_TYPE + i);
+ }
+ }
+
+ /**
+ * Initializes this default policy.
+ */
+ public void init(IProfile profile, IConfigStore config)
+ throws EProfileException {
+ super.init(profile, config);
+ try {
+ mSANentryNum =
+ CMS.getConfigStore().getInteger("ca.SAN.entryNum", DEF_REQ_ENTRIES);
+ } catch (EBaseException e) {
+ /* mSANentryNum has default; ok */
+ CMS.debug("SubjectAltNameExtInput: init(): getting config failed on ca.SAN.entryNum");
+ }
+ }
+
+ /**
+ * Retrieves the localizable name of this policy.
+ */
+ public String getName(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_ALT_NAME_EXT_NAME");
+ }
+
+ /**
+ * Retrieves the localizable description of this policy.
+ */
+ public String getText(Locale locale) {
+ return CMS.getUserMessage(locale, "CMS_PROFILE_INPUT_SUBJECT_ALT_NAME_EXT_TEXT");
+ }
+
+ /**
+ * Returns selected value names based on the configuration.
+ */
+ public Enumeration<String> getValueNames() {
+ Vector<String> v = new Vector<String>();
+
+ for (int i = 0; i< mSANentryNum; i++) {
+ v.addElement(VAL_SAN_REQ_TYPE + i); // default case
+ v.addElement(VAL_SAN_REQ_PATTERN + i); // default case
+ }
+
+ return v.elements();
+ }
+
+ /**
+ * Populates the request with this policy default.
+ */
+ public void populate(IProfileContext ctx, IRequest request)
+ throws EProfileException {
+ //
+ }
+
+ /**
+ * Retrieves the descriptor of the given value
+ * parameter by name.
+ */
+ public IDescriptor getValueDescriptor(Locale locale, String name) {
+ if (name.equals(VAL_SAN_REQ_TYPE)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_REQ_SAN_TYPE"));
+ } else if (name.equals(VAL_SAN_REQ_PATTERN)) {
+ return new Descriptor(IDescriptor.STRING, null,
+ null,
+ CMS.getUserMessage(locale, "CMS_PROFILE_REQ_SAN_PATTERN"));
+ }
+ return null;
+ }
+}
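Review bot: `getValueDescriptor()` compares `name` against the bare prefixes `VAL_SAN_REQ_TYPE` and `VAL_SAN_REQ_PATTERN`, but every name this class registers (`addValueName(CONFIG_SAN_REQ_PATTERN + i)` and `getValueNames()`) carries a numeric suffix, so the comparison never matches and the method returns `null` for all of its own fields; use `name.startsWith(VAL_SAN_REQ_TYPE)` and `name.startsWith(VAL_SAN_REQ_PATTERN)`. The constructor registers value names with the default count of 4 before `init()` reads `ca.SAN.entryNum`, so any configured count other than 4 leaves the registered names and `getValueNames()` out of step — register them in `init()` after the config read instead. `populate()` is empty, so the requester-supplied `req_san_type_N` / `req_san_pattern_N` values reach `SubjectAltNameExtDefault` exactly as submitted with nothing here restricting the type to a known GeneralName kind or bounding the pattern; the profile's authentication and constraints are then the only control over who can set SAN content, which deserves a comment on the class. The wildcard imports also diverge from the explicit-import style of the rest of the tree.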
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
index da7f01ca5..51fecd15a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DisplayBySerial.java
@@ -250,6 +250,12 @@ public class DisplayBySerial extends CMSServlet {
HttpServletResponse resp,
Locale locale)
throws EBaseException {
+ boolean b64CertOnly = false; // for request that needs only b64 cert
+ String isB64CertOnly = req.getParameter("b64CertOnly");
+ if (isB64CertOnly != null && isB64CertOnly.equals("true")) {
+ b64CertOnly = true;
+ }
+
try {
ICertRecord rec = mCertDB.readCertificateRecord(seq);
if (rec == null) {
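Review bot: The `b64CertOnly` flag is parsed by hand with `isB64CertOnly != null && isB64CertOnly.equals("true")`, which collapses to `boolean b64CertOnly = "true".equals(req.getParameter("b64CertOnly"));`. Since this is a new, undocumented query parameter on a servlet, a comment naming its purpose and consumer would help, e.g. `// b64CertOnly=true: emit only the base64 cert and skip pretty-print, fingerprints and PKCS#7 (presumably for the external-registration caller — confirm)`. The enclosing method starts and ends outside the hunk.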
@@ -326,6 +332,10 @@ public class DisplayBySerial extends CMSServlet {
CMS.getLogMessage("CMSGW_ERROR_PARSING_EXTENS", e.toString()));
}
+ byte[] ba = cert.getEncoded();
+ // Do base 64 encoding
+ header.addStringValue("certChainBase64", CMS.BtoA(ba));
+
IRevocationInfo revocationInfo = rec.getRevocationInfo();
if (revocationInfo != null) {
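Review bot: The relocated `certChainBase64` line swaps `Utils.base64encode(ba)` for `CMS.BtoA(ba)` while `pkcs7ChainBase64` a few lines down still uses `Utils.base64encode`; if the two helpers differ in line wrapping or trailing newline, every existing consumer of `certChainBase64`, not only the new `b64CertOnly` caller, now receives a different string. Either keep `Utils.base64encode(ba)` here or confirm the outputs are byte-identical and say so in the comment. The enclosing method starts and ends outside the hunk.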
@@ -346,10 +356,11 @@ public class DisplayBySerial extends CMSServlet {
}
}
- ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert);
-
- header.addStringValue("certPrettyPrint",
+ if (!b64CertOnly) {
+ ICertPrettyPrint certDetails = CMS.getCertPrettyPrint(cert);
+ header.addStringValue("certPrettyPrint",
certDetails.toString(locale));
+ }
/*
String scheme = req.getScheme();
@@ -365,21 +376,19 @@ public class DisplayBySerial extends CMSServlet {
*/
header.addStringValue("authorityid", mAuthority.getId());
- String certFingerprints = "";
+ if (!b64CertOnly) {
+ String certFingerprints = "";
- try {
- certFingerprints = CMS.getFingerPrints(cert);
- } catch (Exception e) {
- log(ILogger.LL_FAILURE,
+ try {
+ certFingerprints = CMS.getFingerPrints(cert);
+ } catch (Exception e) {
+ log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_ERR_DIGESTING_CERT", e.toString()));
+ }
+ if (certFingerprints.length() > 0)
+ header.addStringValue("certFingerprint", certFingerprints);
}
- if (certFingerprints.length() > 0)
- header.addStringValue("certFingerprint", certFingerprints);
- byte[] ba = cert.getEncoded();
- // Do base 64 encoding
-
- header.addStringValue("certChainBase64", Utils.base64encode(ba));
header.addStringValue("serialNumber", seq.toString(16));
/*
@@ -412,28 +421,30 @@ public class DisplayBySerial extends CMSServlet {
}
}
- // Wrap the chain into a degenerate P7 object
- String p7Str;
+ if (!b64CertOnly) {
+ // Wrap the chain into a degenerate P7 object
+ String p7Str;
- try {
- PKCS7 p7 = new PKCS7(new AlgorithmId[0],
+ try {
+ PKCS7 p7 = new PKCS7(new AlgorithmId[0],
new ContentInfo(new byte[0]),
certsInChain,
new SignerInfo[0]);
- ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
- p7.encodeSignedData(bos, false);
- byte[] p7Bytes = bos.toByteArray();
+ p7.encodeSignedData(bos, false);
+ byte[] p7Bytes = bos.toByteArray();
- p7Str = Utils.base64encode(p7Bytes);
- header.addStringValue("pkcs7ChainBase64", p7Str);
- } catch (Exception e) {
- //p7Str = "PKCS#7 B64 Encoding error - " + e.toString()
- //+ "; Please contact your administrator";
- log(ILogger.LL_FAILURE,
+ p7Str = Utils.base64encode(p7Bytes);
+ header.addStringValue("pkcs7ChainBase64", p7Str);
+ } catch (Exception e) {
+ //p7Str = "PKCS#7 B64 Encoding error - " + e.toString()
+ //+ "; Please contact your administrator";
+ log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7_1", e.toString()));
- throw new ECMSGWException(
+ throw new ECMSGWException(
CMS.getLogMessage("CMSGW_ERROR_FORMING_PKCS7"));
+ }
}
} catch (EBaseException e) {
log(ILogger.LL_FAILURE,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
index ebcd42c14..cd3c22adf 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/TokenKeyRecoveryServlet.java
@@ -124,6 +124,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
* input params are:
* CUID - the CUID of the old token where the keys/certs were initially for
* userid - the userid that belongs to both the old token and the new token
+ * keyid - the keyid in DRM for recovery using keyid
* drm_trans_desKey - the des key generated for the NEW token
* wrapped with DRM transport key
* cert - the user cert corresponding to the key to be recovered
@@ -155,6 +156,7 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
String rCUID = req.getParameter("CUID");
String rUserid = req.getParameter("userid");
+ String rKeyid = req.getParameter("keyid");
String rdesKeyString = req.getParameter("drm_trans_desKey");
String rCert = req.getParameter("cert");
@@ -174,8 +176,9 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
missingParam = true;
}
- if ((rCert == null) || (rCert.equals(""))) {
- CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: cert");
+ if (((rCert == null) || (rCert.equals(""))) &&
+ ((rKeyid == null) || (rKeyid.equals("")))) {
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): missing request parameter: cert or keyid");
missingParam = true;
}
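Review bot: The relaxed check accepts a request carrying both `cert` and `keyid` without defining which one drives the recovery; the later hunk forwards both to the request, so precedence is decided silently in the KRA service and is invisible to the caller. Either treat the ambiguous case as a bad request here (`if (rCert != null && !rCert.equals("") && rKeyid != null && !rKeyid.equals("")) { missingParam = true; }` with a more fitting flag name) or state the precedence in the parameter comment above. The enclosing method starts and ends outside the hunk.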
@@ -186,7 +189,14 @@ public class TokenKeyRecoveryServlet extends CMSServlet {
thisreq.setExtData(IRequest.NETKEY_ATTR_CUID, rCUID);
thisreq.setExtData(IRequest.NETKEY_ATTR_USERID, rUserid);
thisreq.setExtData(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY, rdesKeyString);
- thisreq.setExtData(IRequest.NETKEY_ATTR_USER_CERT, rCert);
+ if ((rCert != null) && (!rCert.equals(""))) {
+ thisreq.setExtData(IRequest.NETKEY_ATTR_USER_CERT, rCert);
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: cert");
+ }
+ if ((rKeyid != null) && (!rKeyid.equals(""))) {
+ thisreq.setExtData(IRequest.NETKEY_ATTR_KEYID, rKeyid);
+ CMS.debug("TokenKeyRecoveryServlet: processTokenKeyRecovery(): received request parameter: keyid");
+ }
//XXX auto process for netkey
queue.processRequest(thisreq);
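Review bot: `keyid` is taken verbatim from the HTTP request and stored on the recovery request with no format check and no binding to the requester, whereas the `cert` path at least ties the recovery to a certificate the caller presents; recovery by bare key id means the KRA must verify that the archived key identified by `keyid` belongs to `userid` (and, where applicable, the old `CUID`) before wrapping it for the new token, otherwise an authenticated connector could retrieve any archived key by enumerating ids. That ownership check is not in the KRA hunks visible in this commit, so it should be confirmed or added in `TokenKeyRecoveryService`. At minimum validate the id here, e.g. `new BigInteger(rKeyid)` in a try that flags the request as bad on `NumberFormatException`, and make sure the requested `keyid` ends up in the audit record. The enclosing method starts and ends outside the hunk.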
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index 1eaa150d3..fe43094e6 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -1008,6 +1008,8 @@ CMS_PROFILE_CERTIFICATE_POLICIES_EMPTY_CPSURI=Empty CPSuri
CMS_PROFILE_REQUESTOR_NAME=Requestor Name
CMS_PROFILE_REQUESTOR_EMAIL=Requestor Email
CMS_PROFILE_REQUESTOR_PHONE=Requestor Phone
+CMS_PROFILE_REQ_SAN_TYPE=Request Subject Alternative Name Extension Type
+CMS_PROFILE_REQ_SAN_PATTERN=Request Subject Alternative Name Extension Pattern
CMS_PROFILE_SN_UID=UID
CMS_PROFILE_SN_EMAIL=Email
CMS_PROFILE_SN_CN=Common Name