| author | Christina Fu <cfu@redhat.com> | 2017-05-15 18:15:36 -0700 |
|---|---|---|
| committer | Christina Fu <cfu@redhat.com> | 2017-05-17 11:45:14 -0700 |
| commit | 3c43b1119ca978c296a38a9fe404e1c0cdcdab63 (patch) | |
| tree | e232c34a1f4fdba15737e6d55c24ecfdaccfce13 /base/server/cmsbundle/src | |
| parent | 75f588c291c1ab27e1e2b4edaa4c254a8bbc21a2 (diff) | |
| download | pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.tar.gz pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.tar.xz pki-3c43b1119ca978c296a38a9fe404e1c0cdcdab63.zip | |
Ticket 2673 - CMC: allow enrollment key signed (self-signed) CMC with identity proof

This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario in which this method is used is when no signing cert has been issued to the user before; once one is issued, it can be used to sign subsequent cert requests by the same user.

The new enrollment profile introduced is caFullCMCSelfSignedCert.cfg.

The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request.

When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available, for additional information. Auditing is adjusted.

More will come in the next couple of CMC patches.
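An added example, not code from the pki project, showing how a log consumer would parse the signed-audit records this commit reshapes and apply the fallback the commit message describes: when a self-signed CMC request has not yet passed identification proof, no SubjectID is available, so the recorded CertSubject DN is the only identity to report. The audit line prefix, the `$Unidentified$` placeholder for an absent SubjectID, and the sample records are assumptions constructed for this example; the bracketed field layout follows the LogMessages.properties entries in this patch.

```python
"""Parse Dogtag-style signed-audit records and triage CMC identification/POP
failures.  Added example, not part of the pki project.  Record layout
(`<type=EVENT>:[AuditEvent=EVENT][Field=value]... free text`) follows the
LogMessages.properties entries in this commit; the line prefix and the
`$Unidentified$` placeholder are assumptions, and the sample lines are
constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One bracketed field: [Name=value].  Values in these messages never contain ']'.
_FIELD_RE = re.compile(r"\[([A-Za-z]+)=([^\]]*)\]")
_TYPE_RE = re.compile(r"<type=([A-Z_]+)>:")

# Assumed placeholder Dogtag writes when no authenticated subject is known yet.
UNIDENTIFIED = "$Unidentified$"

# Events touched by this patch that a reviewer of CMC enrollment would watch.
CMC_EVENTS = {
    "PROOF_OF_POSSESSION",
    "CMC_PROOF_OF_IDENTIFICATION",
    "CMC_ID_POP_LINK_WITNESS",
    "CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS",
    "CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE",
}


@dataclass
class AuditRecord:
    event: str
    fields: dict = field(default_factory=dict)
    text: str = ""


def parse_record(line: str) -> Optional[AuditRecord]:
    """Return the event type, bracketed fields and trailing free text, or None
    if the line carries no <type=...> marker."""
    m = _TYPE_RE.search(line)
    if not m:
        return None
    body = line[m.end():]
    fields = {}
    last_end = 0
    for fm in _FIELD_RE.finditer(body):
        # Field names are normalised to lower case: the patch spells the
        # detail field both "Info" and "info", and a parser keyed on exact
        # case would drop one of them.
        fields[fm.group(1).lower()] = fm.group(2)
        last_end = fm.end()
    return AuditRecord(m.group(1), fields, body[last_end:].strip())


def effective_subject(rec: AuditRecord) -> str:
    """SubjectID when one was verified; otherwise the CertSubject DN that the
    commit message says is recorded as soon as it is available."""
    sid = rec.fields.get("subjectid", "")
    if sid and sid != UNIDENTIFIED:
        return sid
    return rec.fields.get("certsubject") or UNIDENTIFIED


def failures(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(event, effective subject, detail) for every failed CMC-related record."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.event not in CMC_EVENTS:
            continue
        if rec.fields.get("outcome") != "Failure":
            continue
        out.append((rec.event, effective_subject(rec), rec.fields.get("info", "")))
    return out


# Constructed sample records; the "0.main - [date] [14] [6]" prefix is assumed.
_P = "0.main - [17/May/2017:11:45:14 PDT] [14] [6] "
SAMPLE_LINES = [
    _P + "<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID=$Unidentified$][Outcome=Success][ReqType=enrollment][CertSubject=CN=user1,OU=People,O=Example][SignerInfo=selfSigned] User signed CMC request signature verification success",
    _P + "<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID=user1][Outcome=Success][Info=identityProofV2 verified] proof of identification in CMC request",
    _P + "<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID=user2][Outcome=Failure][Info=witness mismatch] Identification Proof of Possession linking witness verification",
    _P + "<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID=$Unidentified$][Outcome=Failure][ReqType=enrollment][CertSubject=CN=user3,OU=People,O=Example][SignerInfo=selfSigned][info=signature does not verify] User signed CMC request signature verification failure",
]

if __name__ == "__main__":
    for event, subject, detail in failures(SAMPLE_LINES):
        print(f"{event}: subject={subject!r} detail={detail!r}")
```

The fourth sample line mirrors the patch's lower-case `[info=...]` field; normalising field names on parse is what keeps that detail from being lost to a consumer that expects `Info`.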
Diffstat (limited to 'base/server/cmsbundle/src')
| -rw-r--r-- | base/server/cmsbundle/src/LogMessages.properties | 24 |
1 files changed, 21 insertions, 3 deletions
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 1a5b37a6a..6bc2d827a 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties @@ -2181,9 +2181,18 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3=<type=AUTH_SUCCESS>:[AuditEvent=AUTH_SUCCESS LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval # # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION -# - used when proof of possession is checked during certificate enrollment +# - used for proof of possession during certificate enrollment processing # -LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}] checking proof of possession +LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession +# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION +# - used for proof of identification during CMC request processing +# - In case of success, "SubjectID" is the actual identified identification; +# - In case of failure, "SubjectID" is the attempted identification +# +LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request +# - used for identification and POP linking verification during CMC request processing +# +LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification # # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL # - used when CRLs are retrieved by the OCSP Responder 
@@ -2235,7 +2244,16 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3=<type=OCSP_REMOV # SignerInfo must be a unique String representation for the signer # LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification -LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification +# +# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY +# - used when CMC (user-signed or self-signed) certificate requests or revocation requests +# are submitted and signature is verified +# ReqType must be the request type (enrollment, or revocation) +# CertSubject must be the certificate subject name of the certificate request +# SignerInfo must be a unique String representation for the signer +# +LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success +LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}][info={5}] User signed CMC request signature verification failure # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST # - used for TPS to TKS to get random challenge data |
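Review bot: in the first hunk (@@ -2181,9 +2181,18 @@), `LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2` is removed and replaced by `LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3` with a new `[Info={2}]` placeholder; since this patch touches only LogMessages.properties, every caller that still resolves the `_2` key, or passes only two arguments to the `_3` key, has to be updated in the same series or the audit event will fail to format at runtime. Two smaller points in the same hunk: the new `CMC_ID_POP_LINK_WITNESS_3` entry lacks the `# LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS` name line and the leading `#` separator that the adjacent `CMC_PROOF_OF_IDENTIFICATION` block and the rest of the file use, and neither new comment block says what `Info` is expected to carry, which anyone writing parsers against these records will need. The phrase `"SubjectID" is the actual identified identification` would also read more clearly as "the identity that was verified".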
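Review bot: in the second hunk (@@ -2235,7 +2244,16 @@), the failure variant writes the detail field as lower-case `[info={5}]` while every other message added in this patch (`PROOF_OF_POSSESSION_3`, `CMC_PROOF_OF_IDENTIFICATION_3`, `CMC_ID_POP_LINK_WITNESS_3`) spells it `[Info={2}]`; audit consumers keyed on the field name will silently miss the failure detail, so `[info={5}]` should become `[Info={5}]`. Replacing `CMC_USER_SIGNED_REQUEST_SIG_VERIFY_5` with `_SUCCESS_5` and `_FAILURE_6` also removes the old key, so callers must move in the same series; and because the event type now encodes the outcome while `[Outcome={1}]` is kept on both, the comment block should state that `_SUCCESS` is emitted only with Outcome=Success and `_FAILURE` only with Outcome=Failure, so the redundant field can never contradict the event name. The comment block could also document the new `info` argument alongside ReqType, CertSubject and SignerInfo.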
