22 files changed, 322 insertions, 90 deletions
diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java index f795ff9a6..f86d64b12 100644 --- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java @@ -87,6 +87,13 @@ public interface IKeyRecord { public Integer getKeySize() throws EBaseException; /** + * Retrieves meta info. + * + * @return MetaInfo + */ + public MetaInfo getMetaInfo(); + + /** * Retrieves archiver identifier. * * @return archiver uid diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java index 810e89340..0a72a8ebd 100644 --- a/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java +++ b/base/common/src/com/netscape/cms/servlet/csadmin/SizePanel.java @@ -500,14 +500,14 @@ public class SizePanel extends WizardPanelBase { CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDH. Make sure server.xml is set properly with -TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); pair = CryptoUtil.generateECCKeyPair(token, curveName, null, - ECDH_usages_mask); + ECDH_usages_mask, false, -1, -1); } else { if (ct.equals("sslserver")) { CMS.debug("SizePanel: createECCKeypair: sslserver cert for ECDHE. Make sure server.xml is set properly with +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"); } pair = CryptoUtil.generateECCKeyPair(token, curveName, null, - usages_mask); + usages_mask, false, -1, -1); } // XXX - store curve , w diff --git a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java index 43e772c46..7dfc80615 100644 --- a/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java +++ b/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java 
@@ -20,6 +20,7 @@ package com.netscape.cms.servlet.key; import com.netscape.cms.servlet.common.*; import com.netscape.cms.servlet.base.*; +import com.netscape.certsrv.dbs.keydb.IKeyRecord; import java.io.*; import java.util.*; @@ -52,6 +53,7 @@ public class KeyRecordParser { public final static String OUT_KEY_ALGORITHM = "keyAlgorithm"; public final static String OUT_PUBLIC_KEY = "publicKey"; public final static String OUT_KEY_LEN = "keyLength"; + public final static String OUT_KEY_EC_CURVE = "EllipticCurve"; public final static String OUT_ARCHIVED_BY = "archivedBy"; public final static String OUT_ARCHIVED_ON = "archivedOn"; public final static String OUT_RECOVERED_BY = "recoveredBy"; @@ -86,6 +88,16 @@ public class KeyRecordParser { } else { rarg.addIntegerValue(OUT_KEY_LEN, keySize.intValue()); } + + // handles EC + MetaInfo metaInfo = rec.getMetaInfo(); + if (metaInfo != null) { + String curve = (String)metaInfo.get(OUT_KEY_EC_CURVE); + if (curve != null) { + rarg.addStringValue(OUT_KEY_EC_CURVE, curve); + } + } + rarg.addStringValue(OUT_ARCHIVED_BY, rec.getArchivedBy()); rarg.addLongValue(OUT_ARCHIVED_ON, diff --git a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java index 7b6fcdb8d..43eb7ce4e 100644 --- a/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java +++ b/base/common/src/com/netscape/cmscore/dbs/KeyRecord.java @@ -265,6 +265,16 @@ public class KeyRecord implements IDBObj, IKeyRecord { } /** + * Retrieves the metaInfo. + * <P> + * + * @return metaInfo + */ + public MetaInfo getMetaInfo() { + return mMetaInfo; + } + + /** * Sets key size. * <P> */ @@ -327,10 +337,6 @@ public class KeyRecord implements IDBObj, IKeyRecord { return mAlgorithm; } - public MetaInfo getMetaInfo() { - return mMetaInfo; - } - /** * Retrieves the creation time of this record. */ 
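Review bot: In the `// handles EC` block added to KeyRecordParser, `(String)metaInfo.get(OUT_KEY_EC_CURVE)` is an unchecked cast on a value read back from the stored key record, so a non-String entry under that name would raise ClassCastException while the record is being rendered. Testing the type first keeps the display path tolerant: `Object curve = metaInfo.get(OUT_KEY_EC_CURVE);` followed by `if (curve instanceof String) { rarg.addStringValue(OUT_KEY_EC_CURVE, (String) curve); }`. EnrollmentService later in this commit uses the same constant as the MetaInfo storage key, so a comment on `OUT_KEY_EC_CURVE` saying it names both the template field and the persisted attribute would help. The enclosing method starts and ends outside the hunk.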
diff --git a/base/kra/src/com/netscape/kra/EncryptionUnit.java b/base/kra/src/com/netscape/kra/EncryptionUnit.java index 422eb3a35..2a0e09529 100644 --- a/base/kra/src/com/netscape/kra/EncryptionUnit.java +++ b/base/kra/src/com/netscape/kra/EncryptionUnit.java @@ -371,6 +371,7 @@ public abstract class EncryptionUnit implements IEncryptionUnit { PrivateKey.Type keytype = null; String alg = pubKey.getAlgorithm(); + CMS.debug("EncryptionUnit.unwrap alg ="+ alg); if (alg.equals("DSA")) { keytype = PrivateKey.DSA; } else if (alg.equals("EC")) { 
@@ -385,21 +386,26 @@ public abstract class EncryptionUnit implements IEncryptionUnit { } catch (TokenException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (NoSuchAlgorithmException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (InvalidAlgorithmParameterException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (InvalidKeyException e) { CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString())); Debug.trace("EncryptionUnit::unwrap " + e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } catch (Exception e) { CMS.debug("EncryptionUnit.unwrap : Exception:"+e.toString()); + CMS.debug("EncryptionUnit.unwrap "+ e.toString()); return null; } } diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index 2dfc188d2..3cdc80330 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -17,7 +17,6 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.kra; - import java.util.StringTokenizer; import java.util.Vector; import java.util.Arrays; 
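Review bot: In the final `catch (Exception e)` branch of `unwrap`, the added `CMS.debug("EncryptionUnit.unwrap "+ e.toString());` repeats the debug line directly above it, while that branch still writes nothing to the system log the way the four typed branches do. Replacing the added line with `CMS.getLogger().log(ILogger.EV_SYSTEM, null, ILogger.S_KRA, ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_ENCRYPTION_UNWRAP", e.toString()));` would make an unexpected unwrap failure visible outside debug logging. Every branch returns null, so each caller has to test the result before using the key. The start of `unwrap` is outside the hunk.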
@@ -33,7 +32,11 @@ import netscape.security.util.*; import netscape.security.util.BigInt; import netscape.security.x509.*; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.pkcs11.PK11ECPublicKey; +import org.mozilla.jss.pkcs11.PK11ParameterSpec; +import org.mozilla.jss.crypto.*; import org.mozilla.jss.asn1.*; +import org.mozilla.jss.asn1.OBJECT_IDENTIFIER; import org.mozilla.jss.pkix.cms.*; import org.mozilla.jss.pkix.cms.EnvelopedData; //import org.mozilla.jss.pkcs7.*; @@ -42,6 +45,7 @@ import org.mozilla.jss.pkix.crmf.EncryptedKey; import org.mozilla.jss.pkix.crmf.EncryptedKey.Type; import org.mozilla.jss.pkix.primitive.*; import org.mozilla.jss.pkix.primitive.AVA; +import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.util.*; import com.netscape.certsrv.logging.*; import com.netscape.certsrv.security.*; @@ -55,6 +59,7 @@ import com.netscape.certsrv.dbs.keydb.*; import com.netscape.certsrv.request.*; import com.netscape.certsrv.authentication.*; import com.netscape.certsrv.apps.CMS; +import com.netscape.cms.servlet.key.KeyRecordParser; /** @@ -72,7 +77,7 @@ import com.netscape.certsrv.apps.CMS; * <P> * * @author thomask (original) - * @author cfu (non-RSA keys; private keys secure handling); + * @author cfu (partial RFC4211; non-RSA keys; private keys secure handling) * @version $Revision$, $Date$ */ public class EnrollmentService implements IService { 
@@ -136,6 +141,17 @@ public class EnrollmentService implements IService { */ public boolean serviceRequest(IRequest request) throws EBaseException { + CryptoManager cm = null; + IConfigStore config = null; + Boolean allowEncDecrypt_archival = false; + + try { + cm = CryptoManager.getInstance(); + config = CMS.getConfigStore(); + allowEncDecrypt_archival = config.getBoolean("kra.allowEncDecrypt.archival", false); + } catch (Exception e) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString())); + } IStatsSubsystem statsSub = (IStatsSubsystem)CMS.getSubsystem("stats"); if (statsSub != null) { @@ -162,6 +178,7 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_INFO, "KRA services enrollment request"); // unwrap user key with transport byte unwrapped[] = null; + byte tmp_unwrapped[] = null; PKIArchiveOptionsContainer aOpts[] = null; String profileId = request.getExtDataInString("profileId"); @@ -199,13 +216,14 @@ public class EnrollmentService implements IService { for (int i = 0; i < aOpts.length; i++) { ArchiveOptions opts = new ArchiveOptions(aOpts[i].mAO); + if (allowEncDecrypt_archival == true) { if (statsSub != null) { statsSub.startTiming("decrypt_user_key"); } mKRA.log(ILogger.LL_INFO, "KRA decrypts external private"); if (CMS.debugOn()) CMS.debug("EnrollmentService::about to decryptExternalPrivate"); - unwrapped = mTransportUnit.decryptExternalPrivate( + tmp_unwrapped = mTransportUnit.decryptExternalPrivate( opts.getEncSymmKey(), opts.getSymmAlgOID(), opts.getSymmAlgParams(), @@ -215,7 +233,7 @@ public class EnrollmentService implements IService { } if (CMS.debugOn()) CMS.debug("EnrollmentService::finished decryptExternalPrivate"); - if (unwrapped == null) { + if (tmp_unwrapped == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); auditMessage = CMS.getLogMessage( 
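Review bot: `kra.allowEncDecrypt.archival` is read at the top of `serviceRequest` with no comment on what it switches, although the later hunks show it decides whether the user's private key is decrypted into a `byte[]` (`decryptExternalPrivate`) or handled as a key object (`mTransportUnit.unwrap`). A comment above the declaration such as `// true: decrypt the private key into a byte[] in this process; false (default): unwrap/wrap as key objects` would record that for operators and reviewers. The flag is declared as a boxed `Boolean` and later compared with `== true`; a primitive `boolean` matches what `getBoolean(..., false)` is used for here. A failure to read the configuration is reported with the `CMS_BASE_CERT_ERROR` message, which does not describe a configuration problem, and `cm` is not used in any hunk shown.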
@@ -230,6 +248,17 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); } + /* making sure leading 0's are removed */ + int first=0; + for (int j=0; (j< tmp_unwrapped.length) && (tmp_unwrapped[j]==0); j++) { + first++; + } + unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length); + } /*else { allowEncDecrypt_archival != true + this is done below with unwrap() + } + */ + // retrieve pubic key X509Key publicKey = getPublicKey(request, aOpts[i].mReqPos); byte publicKeyData[] = publicKey.getEncoded(); 
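Review bot: After `unwrapped = Arrays.copyOfRange(tmp_unwrapped, first, tmp_unwrapped.length);` the decrypted private key sits in two heap arrays, and nothing in the hunk clears `tmp_unwrapped`. Adding `Arrays.fill(tmp_unwrapped, (byte) 0);` straight after the copy limits how long the extra plaintext copy stays in memory; whether `unwrapped` itself is cleared later in `serviceRequest` is not visible here. The commented-out `else` stub that follows could be reduced to a one-line comment pointing at the `unwrap()` branch. The `if` block closed in this hunk opens outside it.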
@@ -251,29 +280,55 @@ public class EnrollmentService implements IService { CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } - /* Bugscape #54948 - verify public and private key before archiving key */ + String keyAlg = publicKey.getAlgorithm(); + CMS.debug("EnrollmentService: algorithm of key to archive is: "+ keyAlg); - if (statsSub != null) { - statsSub.startTiming("verify_key"); - } - if (verifyKeyPair(publicKeyData, unwrapped) == false) { - mKRA.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + PublicKey pubkey = null; + org.mozilla.jss.crypto.PrivateKey entityPrivKey = null; + if ( allowEncDecrypt_archival == false) { + try { + pubkey = X509Key.parsePublicKey (new DerValue(publicKeyData)); + } catch (Exception e) { + CMS.debug("EnrollmentService: parsePublicKey:"+e.toString()); + throw new EKRAException( + CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); + } + entityPrivKey = + mTransportUnit.unwrap( + opts.getEncSymmKey(), + opts.getSymmAlgOID(), + opts.getSymmAlgParams(), + opts.getEncValue(), + (PublicKey) pubkey); + } // !allowEncDecrypt_archival + if (keyAlg.equals("RSA") && (allowEncDecrypt_archival == true)) { - auditMessage = CMS.getLogMessage( + /* Bugscape #54948 - verify public and private key before archiving key */ + + if (statsSub != null) { + statsSub.startTiming("verify_key"); + } + // verifyKeyPair() is RSA-centric + if (verifyKeyPair(publicKeyData, unwrapped) == false) { + mKRA.log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); + + + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); - audit(auditMessage); - throw new EKRAException( + audit(auditMessage); + throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); - } - if (statsSub != null) { - statsSub.endTiming("verify_key"); + } + if (statsSub != null) { + statsSub.endTiming("verify_key"); + } } /** 
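Review bot: In the `allowEncDecrypt_archival == false` branch the result of `mTransportUnit.unwrap(...)` is stored in `entityPrivKey` without a null test, although `EncryptionUnit.unwrap` returns null from every catch block, and no failure audit record is written on that path. The decrypt branch earlier in this method logs `CMSCORE_KRA_UNWRAP_USER_KEY`, audits FAILURE and throws; the unwrap branch should do the same before the key reaches `mStorageUnit.wrap`. Separately, `verifyKeyPair` now runs only for RSA keys with the flag set, so on the default path the private key is archived without being checked against the public key in the request; if no equivalent check exists elsewhere, that gap deserves at least a comment. `serviceRequest` begins and ends outside the hunk.

```java
// … unchanged: entityPrivKey = mTransportUnit.unwrap(...) call …
if (entityPrivKey == null) {
    mKRA.log(ILogger.LL_FAILURE,
            CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));

    auditMessage = CMS.getLogMessage(
            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
            auditSubjectID,
            ILogger.FAILURE,
            auditRequesterID,
            auditArchiveID);

    audit(auditMessage);
    throw new EKRAException(
            CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
```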
@@ -306,8 +361,15 @@ public class EnrollmentService implements IService { if (statsSub != null) { statsSub.startTiming("encrypt_user_key"); } - byte privateKeyData[] = mStorageUnit.encryptInternalPrivate( + byte privateKeyData[] = null; + + if (allowEncDecrypt_archival == true) { + privateKeyData = mStorageUnit.encryptInternalPrivate( unwrapped); + } else { + privateKeyData = mStorageUnit.wrap(entityPrivKey); + } + if (statsSub != null) { statsSub.endTiming("encrypt_user_key"); } 
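Review bot: `privateKeyData` is produced either by `encryptInternalPrivate(unwrapped)` or by `mStorageUnit.wrap(entityPrivKey)` according to the current value of the configuration flag, and nothing visible in this commit records on the key record which of the two was used. If the two outputs are not interchangeable at recovery time, which cannot be determined from this hunk, a record archived under one setting could fail to recover after the setting is changed. A comment here stating the compatibility assumption, or a marker stored in the record's MetaInfo, would make that explicit.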
@@ -345,24 +407,55 @@ public class EnrollmentService implements IService { throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } - // we deal with RSA key only - try { - RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); + if (keyAlg.equals("RSA")) { + try { + RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { + rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); + } catch (InvalidKeyException e) { - auditMessage = CMS.getLogMessage( + auditMessage = CMS.getLogMessage( LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST, auditSubjectID, ILogger.FAILURE, auditRequesterID, auditArchiveID); - audit(auditMessage); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); - } + audit(auditMessage); + throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); + } + } else if (keyAlg.equals("EC")) { + String oidDescription = "UNDETERMINED"; + // for KeyRecordParser + MetaInfo metaInfo = new MetaInfo(); + try { + byte curve[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + false /* without tag and size */); + if (curve.length != 0) { + oidDescription = ASN1Util.getOIDdescription(curve); + } else { + /* this is to be used by derdump */ + byte curveTS[] = + ASN1Util.getECCurveBytesByX509PublicKeyBytes(publicKeyData, + true /* with tag and size */); + if (curveTS.length != 0) { + oidDescription = CMS.BtoA(curveTS); + } + } + } catch (Exception e) { + CMS.debug("EnrollmentService: ASN1Util.getECCurveBytesByX509PublicKeyByte() throws exception: "+ e.toString()); + CMS.debug("EnrollmentService: exception alowed. continue"); + } + + metaInfo.set(KeyRecordParser.OUT_KEY_EC_CURVE, + oidDescription); + + rec.set(IKeyRecord.ATTR_META_INFO, metaInfo); + // key size does not apply to EC; + rec.setKeySize(-1); + } // if record alreay has a serial number, yell out. 
if (rec.getSerialNumber() != null) { @@ -504,6 +597,9 @@ public class EnrollmentService implements IService { return true; } + /* + * verifyKeyPair() is RSA-centric + */ public boolean verifyKeyPair(byte publicKeyData[], byte privateKeyData[]) { try { diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java index da3c3a87c..9158db847 100644 --- a/base/kra/src/com/netscape/kra/RecoveryService.java +++ b/base/kra/src/com/netscape/kra/RecoveryService.java @@ -360,10 +360,9 @@ public class RecoveryService implements IService { public synchronized PrivateKey recoverKey(Hashtable request, KeyRecord keyRecord, boolean isRSA) throws EBaseException { - if (!isRSA) { - CMS.debug("RecoverService: recoverKey: currently, non-RSA keys are not supported when allowEncDecrypt_ is false"); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_RECOVERY_FAILED_1", "key type not supported")); - } + CMS.debug("RecoverService: recoverKey: key to recover is RSA? "+ + isRSA); + try { if (CMS.getConfigStore().getBoolean("kra.keySplitting")) { Credential creds[] = (Credential[]) diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index ab00de360..d48fe4a44 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java 
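Review bot: In the `keyAlg.equals("EC")` branch of the hunk that ends on this line, the broad `catch (Exception e)` around the curve lookup leaves `oidDescription` at "UNDETERMINED" and the record is still archived, with only two `CMS.debug` lines as evidence. Reporting the failure through `mKRA.log(ILogger.LL_FAILURE, ...)`, as the rest of the method does, would make such records traceable; the debug text also contains the typo `alowed`. Key algorithms other than RSA and EC fall through both branches with no key size and no log line, so a trailing `else { CMS.debug("EnrollmentService: key size not recorded for algorithm " + keyAlg); }` would help.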
@@ -160,15 +160,43 @@ public class CryptoUtil { NoSuchTokenException, NoSuchAlgorithmException, TokenException { + return generateECCKeyPair(token, keysize, usage_ops, usage_mask, + false, -1, -1); + } + + /* + * temporary, sensitive, and extractable usages are per defined in + * JSS pkcs11/PK11KeyPairGenerator.java + */ + public static KeyPair generateECCKeyPair(String token, int keysize, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask, + boolean temporary, int sensitive, int extractable) + throws CryptoManager.NotInitializedException, + NoSuchTokenException, + NoSuchAlgorithmException, + TokenException { CryptoToken t = getTokenByName(token); KeyPairAlgorithm alg = KeyPairAlgorithm.EC; - KeyPairGenerator g = t.getKeyPairGenerator(alg); + KeyPairGenerator keygen = t.getKeyPairGenerator(alg); - g.setKeyPairUsages(usage_ops, usage_mask); - g.initialize(keysize); + keygen.setKeyPairUsages(usage_ops, usage_mask); + keygen.temporaryPairs(temporary); - KeyPair pair = g.genKeyPair(); + if (sensitive == 1 ) + keygen.sensitivePairs(true); + else if (sensitive == 0) + keygen.sensitivePairs(false); + + if (extractable == 1 ) + keygen.extractablePairs(true); + else if (extractable == 0) + keygen.extractablePairs(false); + + keygen.initialize(keysize); + + KeyPair pair = keygen.genKeyPair(); return pair; } 
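Review bot: The new `sensitive` and `extractable` parameters of `generateECCKeyPair` are undocumented tri-state ints, and any value other than 0 or 1 silently skips the setter, which is easy to get wrong for attributes that govern how a private key may be handled. The block comment should spell out what -1, 0 and 1 mean, and out-of-range values are better rejected than ignored. The same unbraced if/else chain is repeated in the `CryptoToken` overload in the `@@ -210,23 +251,51 @@` hunk; a shared private helper, sketched below, would keep the two in step.

```java
// Applies the key attribute flags: 1 sets, 0 clears, -1 leaves the generator's setting untouched.
private static void applyKeyPairFlags(KeyPairGenerator keygen,
        boolean temporary, int sensitive, int extractable) {
    if (sensitive < -1 || sensitive > 1 || extractable < -1 || extractable > 1) {
        throw new IllegalArgumentException(
                "sensitive and extractable must be -1, 0 or 1");
    }
    keygen.temporaryPairs(temporary);
    if (sensitive != -1) {
        keygen.sensitivePairs(sensitive == 1);
    }
    if (extractable != -1) {
        keygen.extractablePairs(extractable == 1);
    }
}

// in both generateECCKeyPair overloads:
keygen.setKeyPairUsages(usage_ops, usage_mask);
applyKeyPairFlags(keygen, temporary, sensitive, extractable);
// … unchanged: initialize and genKeyPair …
```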
@@ -203,6 +231,19 @@ public class CryptoUtil { return generateECCKeyPair(t, curveName, usage_ops, usage_mask); } + public static KeyPair generateECCKeyPair(String token, String curveName, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask, + boolean temporary, int sensitive, int extractable) + throws CryptoManager.NotInitializedException, + NoSuchTokenException, + NoSuchAlgorithmException, + TokenException { + CryptoToken t = getTokenByName(token); + return generateECCKeyPair(t, curveName, usage_ops, usage_mask, + temporary, sensitive, extractable); + } + public static KeyPair generateECCKeyPair(CryptoToken token, String curveName, org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops, org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask) 
@@ -210,23 +251,51 @@ public class CryptoUtil { NoSuchTokenException, NoSuchAlgorithmException, TokenException { + return generateECCKeyPair(token, curveName, usage_ops, usage_mask, + false, -1, -1); + } + + /* + * temporary, sensitive, and extractable usages are per defined in + * JSS pkcs11/PK11KeyPairGenerator.java + */ + public static KeyPair generateECCKeyPair(CryptoToken token, String curveName, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_ops, + org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usage_mask, + boolean temporary, int sensitive, int extractable) + throws CryptoManager.NotInitializedException, + NoSuchTokenException, + NoSuchAlgorithmException, + TokenException { KeyPairAlgorithm alg = KeyPairAlgorithm.EC; - KeyPairGenerator g = token.getKeyPairGenerator(alg); + KeyPairGenerator keygen = token.getKeyPairGenerator(alg); + + keygen.setKeyPairUsages(usage_ops, usage_mask); + keygen.temporaryPairs(temporary); + + if (sensitive == 1 ) + keygen.sensitivePairs(true); + else if (sensitive == 0) + keygen.sensitivePairs(false); + + if (extractable == 1 ) + keygen.extractablePairs(true); + else if (extractable == 0) + keygen.extractablePairs(false); - g.setKeyPairUsages(usage_ops, usage_mask); System.out.println("CryptoUtil: generateECCKeyPair: curve = "+ curveName); int curveCode = 0; try { - curveCode = g.getCurveCodeByName(curveName); + curveCode = keygen.getCurveCodeByName(curveName); } catch (Exception e) { System.out.println("CryptoUtil: generateECCKeyPair: "+ e.toString()); throw new NoSuchAlgorithmException(); } - g.initialize(curveCode); + keygen.initialize(curveCode); System.out.println("CryptoUtil: generateECCKeyPair: after KeyPairGenerator initialize with:"+ curveName); - KeyPair pair = g.genKeyPair(); + KeyPair pair = keygen.genKeyPair(); return pair; } diff --git a/dogtag/kra-ui/dogtag-pki-kra-ui.spec b/dogtag/kra-ui/dogtag-pki-kra-ui.spec index 274d1ec76..e60654bc4 100644 --- a/dogtag/kra-ui/dogtag-pki-kra-ui.spec 
+++ b/dogtag/kra-ui/dogtag-pki-kra-ui.spec @@ -1,6 +1,6 @@ Name: dogtag-pki-kra-ui Version: 9.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Dogtag Certificate System - Data Recovery Authority User Interface URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -57,5 +57,8 @@ rm -rf %{buildroot} %{_datadir}/pki/ %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.0-2 +- Bugzilla bug 745278 - [RFE] ECC encryption keys cannot be archived + * Fri Nov 19 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1 - Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0. diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template index a88599ede..8b6795365 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template 
@@ -100,11 +100,17 @@ if (result.header.errorDetails != null) { document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyAlgorithm + '</font></td>'); document.writeln('</tr>'); - document.writeln('<tr>'); - document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Key length:</font></td>'); - document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyLength + '</font></td>'); - document.writeln('</tr>'); - + if ((result.header.EllipticCurve != null)) { + document.writeln('<tr>'); + document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Elliptic Key Curve:</font></td>'); + document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.EllipticCurve + '</font></td>'); + document.writeln('</tr>'); + } else { + document.writeln('<tr>'); + document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Key length:</font></td>'); + document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyLength + '</font></td>'); + document.writeln('</tr>'); + } document.write("</table>"); document.writeln('<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH="100%" BACKGROUND="/graphics/hr.gif"><TR><TD> </TD></TR></TABLE>'); diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template index 717d1d7d6..b1c931b12 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template 
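Review bot: `result.header.EllipticCurve` is concatenated into the markup passed to `document.write` without HTML-escaping, in the added `if` branch of this hunk. The value is derived on the server from the curve bytes of the submitted public key (an OID description or a Base64 string, per EnrollmentService in this commit), so whether it can ever contain markup characters depends on `ASN1Util.getOIDdescription`, which is not shown. Escaping the value before writing it, or a comment stating that the server guarantees a markup-free string, would settle the question. The same pattern is added in displayBySerialForRecovery.template and in the queryKey, queryKeyForRecovery, srchKey and srchKeyForRecovery templates.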
@@ -143,10 +143,17 @@ if (result.header.errorDetails != null) { document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyAlgorithm + '</font></td>'); document.writeln('</tr>'); - document.writeln('<tr>'); - document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Key length:</font></td>'); - document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyLength + '</font></td>'); - document.writeln('</tr>'); + if (result.header.EllipticCurve != null) { + document.writeln('<tr>'); + document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Elliptic Key Curve:</font></td>'); + document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.EllipticCurve + '</font></td>'); + document.writeln('</tr>'); + } else { + document.writeln('<tr>'); + document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Key length:</font></td>'); + document.write('<td align=left><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + result.header.keyLength + '</font></td>'); + document.writeln('</tr>'); + } document.writeln('<tr>'); document.write('<td align=right><font size="-1" face="PrimaSans BT, Verdana, sans-serif">Async Recovery:</font></td>'); diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKey.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKey.template index 0bea5f140..9396b9840 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKey.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKey.template 
@@ -129,8 +129,8 @@ function displayKeyRecord(rec) document.write(renderDetailsButton(rec.serialNumber)); document.write('</td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimasSans BT, Verdana, sans-serif">' + - renderOidName(rec.keyAlgorithm) + (rec.keyLength != null ? - " with "+ rec.keyLength + "-bit key" : "")+ '</font></td>'); + renderOidName(rec.keyAlgorithm) + (((rec.keyLength != null) && (rec.keyLength >= 0)) ? + " with "+ rec.keyLength + "-bit key" : ((rec.EllipticCurve != null)? " with " + rec.EllipticCurve:""))+ '</font></td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + rec.ownerName + '</font></td>'); document.write('</tr>'); diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKeyForRecovery.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKeyForRecovery.template index 09e873377..ff5a850a9 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKeyForRecovery.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/queryKeyForRecovery.template @@ -141,8 +141,8 @@ function displayKeyRecord(rec) document.write(renderDetailsButton(rec.serialNumber,result.header.publicKeyData)); document.write('</td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimasSans BT, Verdana, sans-serif">' + - renderOidName(rec.keyAlgorithm) + (rec.keyLength != null ? - " with "+ rec.keyLength + "-bit key" : "")+ '</font></td>'); + renderOidName(rec.keyAlgorithm) + (((rec.keyLength != null) && (rec.keyLength >= 0)) ? + " with "+ rec.keyLength + "-bit key" : ((rec.EllipticCurve != null)? " with " + rec.EllipticCurve:""))+ '</font></td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + rec.ownerName + '</font></td>'); document.write('</tr>'); 
diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKey.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKey.template index a06999996..d2b42f01f 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKey.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKey.template @@ -129,8 +129,8 @@ function displayKeyRecord(rec) document.write(renderDetailsButton(rec.serialNumber)); document.write('</td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimasSans BT, Verdana, sans-serif">' + - renderOidName(rec.keyAlgorithm) + (rec.keyLength != null ? - " with "+ rec.keyLength + "-bit key" : "")+ '</font></td>'); + renderOidName(rec.keyAlgorithm) + (((rec.keyLength != null) && (rec.keyLength >= 0)) ? + " with "+ rec.keyLength + "-bit key" : ((rec.EllipticCurve != null)? " with " + rec.EllipticCurve:""))+ '</font></td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + rec.ownerName + '</font></td>'); document.write('</tr>'); diff --git a/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template b/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template index 4c5387c32..761688213 100644 --- a/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template +++ b/dogtag/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template 
@@ -142,8 +142,8 @@ function displayKeyRecord(rec) document.write(renderDetailsButton(rec.serialNumber,result.header.publicKeyData)); document.write('</td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimasSans BT, Verdana, sans-serif">' + - renderOidName(rec.keyAlgorithm) + (rec.keyLength != null ? - " with "+ rec.keyLength + "-bit key" : "")+ '</font></td>'); + renderOidName(rec.keyAlgorithm) + (((rec.keyLength != null) && (rec.keyLength >= 0)) ? + " with "+ rec.keyLength + "-bit key" : ((rec.EllipticCurve != null)? " with " + rec.EllipticCurve:""))+ '</font></td>'); document.write('<td align=left colspan=2><font size="-1" face="PrimaSans BT, Verdana, sans-serif">' + rec.ownerName + '</font></td>'); document.write('</tr>'); diff --git a/specs/dogtag-pki-theme.spec b/specs/dogtag-pki-theme.spec index 5df653c52..e0844beba 100644 --- a/specs/dogtag-pki-theme.spec +++ b/specs/dogtag-pki-theme.spec @@ -1,6 +1,6 @@ Name: dogtag-pki-theme Version: 9.0.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - Dogtag PKI Theme Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -350,6 +350,9 @@ chmod 755 %{buildroot}%{_datadir}/pki/tps-ui/cgi-bin/sow/cfg.pl %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.11-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.11-1 - Bugzilla Bug #796006 - Get DOGTAG_9_BRANCH GIT repository in-sync with DOGTAG_9_BRANCH SVN repository . . . diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec index b5a1c5fb2..3894f4791 100644 --- a/specs/dogtag-pki.spec +++ b/specs/dogtag-pki.spec @@ -1,7 +1,7 @@ Summary: Dogtag Public Key Infrastructure (PKI) Suite Name: dogtag-pki Version: 9.0.0 -Release: 10%{?dist} +Release: 11%{?dist} # The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 License: GPLv2 and LGPLv2 URL: http://pki.fedoraproject.org/ 
@@ -13,7 +13,7 @@ BuildArch: noarch %if 0%{?fedora} >= 17 %define dogtag_pki_theme_version 9.0.11 %define esc_version 1.1.0 -%define jss_version 4.2.6-21 +%define jss_version 4.2.6-24 %define osutil_version 2.0.2 %define pki_core_version 9.0.18 %define pki_kra_version 9.0.10 @@ -27,7 +27,7 @@ BuildArch: noarch %if 0%{?fedora} >= 16 %define dogtag_pki_theme_version 9.0.11 %define esc_version 1.1.0 -%define jss_version 4.2.6-19.1 +%define jss_version 4.2.6-24 %define osutil_version 2.0.2 %define pki_core_version 9.0.18 %define pki_kra_version 9.0.10 @@ -41,7 +41,7 @@ BuildArch: noarch %if 0%{?fedora} >= 15 %define dogtag_pki_theme_version 9.0.11 %define esc_version 1.1.0 -%define jss_version 4.2.6-17 +%define jss_version 4.2.6-24 %define osutil_version 2.0.1 %define pki_core_version 9.0.18 %define pki_kra_version 9.0.10 
@@ -194,23 +194,26 @@ rm -rf %{buildroot} %doc README %changelog -* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.10-1 +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.0-11 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + +* Fri Mar 9 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-10 - Bugzilla Bug #796006 - Get DOGTAG_9_BRANCH GIT repository in-sync with DOGTAG_9_BRANCH SVN repository . . . -* Thu Jan 5 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.9-1 +* Thu Jan 5 2012 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-9 - Bugzilla Bug #737761 - Update Dogtag Packages for Fedora 16 (Update minimum packages to account for NSS bug change in Bugzilla Bug #771357 - sslget does not work after FEDORA-2011-17400 update, breaking FreeIPA install) -* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.8-1 +* Fri Oct 28 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-8 - Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 (rawhide) . . . - Bugzilla Bug #749945 - Installation error reported during CA, DRM, OCSP, and TKS package installation . . . -* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.7-1 +* Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-7 - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) - Bugzilla Bug #699809 - Convert CS to use systemd (alee) diff --git a/specs/pki-console.spec b/specs/pki-console.spec index b22517404..d4fed2bdf 100644 --- a/specs/pki-console.spec +++ b/specs/pki-console.spec @@ -1,6 +1,6 @@ Name: pki-console Version: 9.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - PKI Console URL: http://pki.fedoraproject.org/ License: GPLv2 
@@ -18,11 +18,11 @@ BuildRequires: nspr-devel BuildRequires: nss-devel %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-util >= 9.0.15 %else BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-util %endif @@ -32,10 +32,10 @@ Requires: ldapjdk Requires: pki-console-theme >= 9.0.0 %if 0%{?fedora} >= 16 Requires: jpackage-utils >= 1.7.5-10 -Requires: jss >= 4.2.6-19.1 +Requires: jss >= 4.2.6-24 %else Requires: jpackage-utils -Requires: jss >= 4.2.6-17 +Requires: jss >= 4.2.6-24 %endif Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz @@ -84,6 +84,9 @@ cd build %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.5-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Thu Sep 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.5-1 - Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) - Bugzilla Bug #699809 - Convert CS to use systemd (alee) diff --git a/specs/pki-core.spec b/specs/pki-core.spec index 1b848fdfc..098aea646 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -1,6 +1,6 @@ Name: pki-core Version: 9.0.19 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -28,14 +28,14 @@ BuildRequires: xalan-j2 BuildRequires: xerces-j2 %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: jss >= 4.2.6-24 BuildRequires: osutil >= 2.0.2 BuildRequires: systemd-units BuildRequires: tomcatjss >= 6.0.2 %else %if 0%{?fedora} >= 15 BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 +BuildRequires: jss >= 4.2.6-24 BuildRequires: osutil >= 2.0.1 BuildRequires: tomcatjss >= 6.0.0 %else 
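Review bot: The pki-core.spec hunk at -28,14 raises the jss floor only on the `BuildRequires` lines, whereas the pki-console.spec hunks just before it raise both `BuildRequires` and `Requires`. The pki-kra.spec, pki-ocsp.spec and pki-tks.spec hunks further down show the same build-time-only pattern. If any subpackage in these specs declares its own runtime jss dependency (not visible in the hunks), it should carry the same floor, `Requires: jss >= 4.2.6-24`. Otherwise a host with an older JSS could install the new packages and, presumably, fail only when the ECC key archival path named in the changelog entry is exercised. The `%if`/`%else` block this hunk edits continues past its last line.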
@@ -749,6 +749,9 @@ fi %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.19-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.19-1 - BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes - Corrected patch selected for selinux f17 rules diff --git a/specs/pki-kra.spec b/specs/pki-kra.spec index e5978fd9c..e055ba592 100644 --- a/specs/pki-kra.spec +++ b/specs/pki-kra.spec @@ -1,6 +1,6 @@ Name: pki-kra Version: 9.0.11 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - Data Recovery Manager URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -21,13 +21,13 @@ BuildRequires: nspr-devel BuildRequires: nss-devel %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common >= 9.0.18 BuildRequires: pki-util >= 9.0.18 BuildRequires: systemd-units %else BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common BuildRequires: pki-util %endif @@ -253,6 +253,9 @@ fi %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.11-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.11-1 - BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes diff --git a/specs/pki-ocsp.spec b/specs/pki-ocsp.spec index c6eb9f295..72bc9c03b 100644 --- a/specs/pki-ocsp.spec +++ b/specs/pki-ocsp.spec @@ -1,6 +1,6 @@ Name: pki-ocsp Version: 9.0.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - Online Certificate Status Protocol Manager URL: http://pki.fedoraproject.org/ License: GPLv2 
@@ -21,13 +21,13 @@ BuildRequires: nspr-devel BuildRequires: nss-devel %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common >= 9.0.15 BuildRequires: pki-util >= 9.0.15 BuildRequires: systemd-units %else BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common BuildRequires: pki-util %endif @@ -263,6 +263,9 @@ fi %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.10-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.10-1 - BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes diff --git a/specs/pki-tks.spec b/specs/pki-tks.spec index a2e47e088..2ff8a394e 100644 --- a/specs/pki-tks.spec +++ b/specs/pki-tks.spec @@ -1,6 +1,6 @@ Name: pki-tks Version: 9.0.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Certificate System - Token Key Service URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -21,13 +21,13 @@ BuildRequires: nspr-devel BuildRequires: nss-devel %if 0%{?fedora} >= 16 BuildRequires: jpackage-utils >= 0:1.7.5-10 -BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common >= 9.0.15 BuildRequires: pki-util >= 9.0.15 BuildRequires: systemd-units %else BuildRequires: jpackage-utils -BuildRequires: jss >= 4.2.6-17 +BuildRequires: jss >= 4.2.6-24 BuildRequires: pki-common BuildRequires: pki-util %endif @@ -254,6 +254,9 @@ fi %changelog +* Tue Apr 10 2012 Christina Fu <cfu@redhat.com> 9.0.10-2 +- Bugzilla Bug #745278 - [RFE] ECC encryption keys cannot be archived + * Fri Mar 16 2012 Ade Lee <alee@redhat.com> 9.0.10-1 - BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes |