authorChristina Fu <cfu@redhat.com>2017-05-15 18:15:36 -0700
committerChristina Fu <cfu@redhat.com>2017-05-17 11:45:14 -0700
commit3c43b1119ca978c296a38a9fe404e1c0cdcdab63 (patch)
treee232c34a1f4fdba15737e6d55c24ecfdaccfce13 /base/common/src
parent75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 (diff)
Tocket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof
This patch implements self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). This method is used when no signing cert has been issued to the user before; once one is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which adds the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted accordingly. More will come in the next couple of CMC patches.
Diffstat (limited to 'base/common/src')
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/IAuthManager.java1
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java5
-rw-r--r--base/common/src/com/netscape/certsrv/logging/AuditEvent.java12
3 files changed, 15 insertions, 3 deletions
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
index 21639e2a6..7d30d2edd 100644
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthManager.java
@@ -33,6 +33,7 @@ public interface IAuthManager {
/* standard credential for CMC request signing cert */
public static final String CRED_CMC_SIGNING_CERT = "cmcSigningCert";
+ public static final String CRED_CMC_SELF_SIGNED = "cmcSelfSigned";
/**
* Standard credential for client cert's serial number from revocation.
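Review bot: The added constant `CRED_CMC_SELF_SIGNED` carries no comment, while its neighbour `CRED_CMC_SIGNING_CERT` is introduced by `/* standard credential for CMC request signing cert */`, so a reader of the interface cannot tell what this credential key denotes or what value an auth manager stores under it. Based on the commit description, I would add `/* standard credential marking a CMC request as self-signed by the key of the underlying PKCS#10/CRMF request (no separate signing cert) */` above the new line. What type the value has (a flag or the key itself) is not visible in this hunk and should be confirmed against the auth manager that sets it before being documented. The `IAuthManager` interface body continues outside the hunk.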
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
index e1ccc2d34..908952712 100644
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthSubsystem.java
@@ -119,6 +119,11 @@ public interface IAuthSubsystem extends ISubsystem {
public static final String CMCAUTH_AUTHMGR_ID = "CMCAuth";
/**
+ * Constant for CMC user-signed authentication manager ID.
+ */
+ public static final String CMC_USER_SIGNED_AUTH_AUTHMGR_ID = "CMCUserSignedAuth";
+
+ /**
* Authenticate the given credentials using the given manager name.
*
* @param authCred The authentication credentials
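Review bot: The Javadoc on the new `CMC_USER_SIGNED_AUTH_AUTHMGR_ID` says only "Constant for CMC user-signed authentication manager ID" and does not tell the reader how this manager differs from the existing `CMCAUTH_AUTHMGR_ID` two lines above it, which is the question anyone choosing between the two in a profile will have. I would extend the comment to `Constant for the CMC user-signed authentication manager ID; unlike {@link #CMCAUTH_AUTHMGR_ID}, this manager handles requests signed by the end user's own key (see the self-signed case) rather than by a pre-issued CMC signing cert.` The exact distinction is inferred from the commit description, not from this hunk, so it should be checked against the manager implementation before the wording is committed. The `IAuthSubsystem` interface body continues outside the hunk.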
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 523b204d7..059363eee 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -125,7 +125,11 @@ public class AuditEvent implements IBundleLogEvent {
public final static String CERT_PROFILE_APPROVAL =
"LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
public final static String PROOF_OF_POSSESSION =
- "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+ "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3";
+ public final static String CMC_PROOF_OF_IDENTIFICATION =
+ "LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3";
+ public final static String CMC_ID_POP_LINK_WITNESS =
+ "LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3";
public final static String CRL_RETRIEVAL =
"LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
@@ -143,8 +147,10 @@ public class AuditEvent implements IBundleLogEvent {
"LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
"LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
- public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY =
- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5";
+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS =
+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5";
+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE =
+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6";
public final static String COMPUTE_RANDOM_DATA_REQUEST =
"LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";