24 files changed, 1469 insertions, 524 deletions
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 4da7429b3..89765753e 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -735,8 +735,8 @@ ca.publish.rule.instance.LdapXCertRule.predicate=
 ca.publish.rule.instance.LdapXCertRule.publisher=LdapCrossCertPairPublisher
 ca.publish.rule.instance.LdapXCertRule.type=xcert
 cmc.popLinkWitnessRequired=false
-cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
-cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+#cmc.revokeCert.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
+#cmc.sharedSecret.class=com.netscape.cms.authentication.SharedSecret
 cmc.token=internal
 cms.passwordlist=internaldb,replicationdb
 cms.password.ignore.publishing.failure=true
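Review bot: Commenting out `cmc.sharedSecret.class` and `cmc.revokeCert.sharedSecret.class` removes the configured shared-secret plugin from the default CS.cfg with no record of why, while `cmc.popLinkWitnessRequired=false` two lines above is left untouched. If the intent is that a fresh install presumably no longer authenticates CMC enrollment or revocation requests by shared secret, that is a deployment-visible change and deserves a comment next to the keys, e.g. `# Shared-secret identity proof for CMC is off by default; set cmc.sharedSecret.class and cmc.revokeCert.sharedSecret.class to enable it`. If the keys are not meant to be re-enabled by uncommenting, deleting them outright would be cleaner than leaving dead configuration.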
@@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
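Review bot: `caCMCcaCert` is listed twice in the new `profile.list` value, once in the block of CMC profiles prepended at the front and again immediately after `caCACert` further along the line. Whether the profile subsystem tolerates a duplicate id at load time is not visible here, but at best the profile is registered twice; drop the second `caCMCcaCert,` so every id appears once. Keeping the seven new CMC ids together in one place would also make later diffs of this very long line easier to read.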
@@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl
 profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
 profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg
+profile.caCMCUserCert.class_id=caEnrollImpl
+profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCauditSigningCert.class_id=caEnrollImpl
+profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg
+profile.caCMCcaCert.class_id=caEnrollImpl
+profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg
+profile.caCMCkraStorageCert.class_id=caEnrollImpl
+profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg
+profile.caCMCkraTransportCert.class_id=caEnrollImpl
+profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg
+profile.caCMCocspCert.class_id=caEnrollImpl
+profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg
+profile.caCMCserverCert.class_id=caEnrollImpl
+profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg
+profile.caCMCsubsystemCert.class_id=caEnrollImpl
+profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg
 profile.caCACert.class_id=caEnrollImpl
 profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
 profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg
-profile.caCMCUserCert.class_id=caEnrollImpl
-profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
 profile.caCrossSignedCACert.class_id=caEnrollImpl
 profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg
 profile.caDirBasedDualCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
index 658e69511..a8f08e4a3 100644
--- a/base/ca/shared/conf/subsystemCert.profile
+++ b/base/ca/shared/conf/subsystemCert.profile
@@ -1,7 +1,7 @@
 #
 # Server Certificate
 #
-id=serverCert.profile
+id=subsystemCert.profile
 name=All Purpose SSL server cert Profile
 description=This profile creates an SSL server certificate that is valid for SSL servers
 profileIDMapping=caServerCert
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
new file mode 100644
index 000000000..ed5a1b2a2
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
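Review bot: Only the `id` is corrected to `subsystemCert.profile`; the header comment `# Server Certificate`, `name=All Purpose SSL server cert Profile`, the `description=` line and `profileIDMapping=caServerCert` still describe an SSL server certificate. If this file is meant for subsystem certificates, the name and description should say so, e.g. `name=Subsystem Certificate Profile`, and the mapping to `caServerCert` should either change or get a comment explaining why subsystem certs are issued through the server-cert profile. If the shared mapping is deliberate, a one-line comment saying so would keep the next reader from "fixing" it.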
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling audit signing certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Audit Signing Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
new file mode 100644
index 000000000..f6df36fbb
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
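Review bot: `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed` admits `MD5withRSA`, `MD2withRSA`, `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`, and `policyset.auditSigningCertSet.3.constraint.params.keyParameters` admits 1024-bit RSA, in a brand-new profile whose purpose is signing the audit log. Because these files are new there is no compatibility reason to carry the weak entries; restricting the list to the SHA-2 algorithms (`SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`) and starting keyParameters at 2048 would make the default policy match current practice. The same signing-algorithm list and the 1024 entry appear in the caCMCcaCert, caCMCkraStorageCert and caCMCkraTransportCert hunks below. Separately, the constraint on policy 9 is named `No Constraint` although its class is `signingAlgConstraintImpl`; `policyset.auditSigningCertSet.9.constraint.name=Signing Algorithm Constraint` would describe what it does.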
@@ -0,0 +1,96 @@
+desc=This certificate profile is for enrolling Certificate Authority certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Certificate Manager Signing Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=caCertSet
+policyset.caCertSet.list=1,2,3,4,5,6,8,9,10
+policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.caCertSet.1.constraint.name=Subject Name Constraint
+policyset.caCertSet.1.constraint.params.pattern=CN=.*
+policyset.caCertSet.1.constraint.params.accept=true
+policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.caCertSet.1.default.name=Subject Name Default
+policyset.caCertSet.1.default.params.name=
+policyset.caCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.caCertSet.2.constraint.name=Validity Constraint
+policyset.caCertSet.2.constraint.params.range=7305
+policyset.caCertSet.2.constraint.params.notBeforeCheck=false
+policyset.caCertSet.2.constraint.params.notAfterCheck=false
+policyset.caCertSet.2.default.class_id=caValidityDefaultImpl
+policyset.caCertSet.2.default.name=CA Certificate Validity Default
+policyset.caCertSet.2.default.params.range=7305
+policyset.caCertSet.2.default.params.startTime=0
+policyset.caCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.caCertSet.3.constraint.name=Key Constraint
+policyset.caCertSet.3.constraint.params.keyType=-
+policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.caCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.caCertSet.3.default.name=Key Default
+policyset.caCertSet.4.constraint.class_id=noConstraintImpl
+policyset.caCertSet.4.constraint.name=No Constraint
+policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.caCertSet.4.default.name=Authority Key Identifier Default
+policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl
+policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint
+policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true
+policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1
+policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1
+policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl
+policyset.caCertSet.5.default.name=Basic Constraints Extension Default
+policyset.caCertSet.5.default.params.basicConstraintsCritical=true
+policyset.caCertSet.5.default.params.basicConstraintsIsCA=true
+policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1
+policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.caCertSet.6.constraint.params.keyUsageCritical=true
+policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true
+policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.caCertSet.6.default.name=Key Usage Default
+policyset.caCertSet.6.default.params.keyUsageCritical=true
+policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true
+policyset.caCertSet.6.default.params.keyUsageCrlSign=true
+policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.caCertSet.8.constraint.class_id=noConstraintImpl
+policyset.caCertSet.8.constraint.name=No Constraint
+policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+policyset.caCertSet.8.default.params.critical=false
+policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.caCertSet.9.constraint.name=No Constraint
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.caCertSet.9.default.name=Signing Alg
+policyset.caCertSet.9.default.params.signingAlg=-
+policyset.caCertSet.10.constraint.class_id=noConstraintImpl
+policyset.caCertSet.10.constraint.name=No Constraint
+policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl
+policyset.caCertSet.10.default.name=AIA Extension Default
+policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true
+policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName
+policyset.caCertSet.10.default.params.authInfoAccessADLocation_0=
+policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.caCertSet.10.default.params.authInfoAccessCritical=false
+policyset.caCertSet.10.default.params.authInfoAccessNumADs=1
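Review bot: `policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1`, together with `basicConstraintsMinPathLen=-1` and `basicConstraintsMaxPathLen=-1` on the constraint, presumably leaves a CA certificate issued through this profile without any pathLenConstraint, and `policyset.caCertSet.1.constraint.params.pattern=CN=.*` accepts any subject name. That may be exactly what a CMC-driven subordinate-CA enrollment needs, but nothing in the file says so; the only controls visible are `auth.instance_id=CMCAuth` and the `Certificate Manager Agents` ACL. A short comment above the policy set stating that the approving agent is the control on which CA certificates get issued, and whether a bounded path length (e.g. 0 for a subordinate that only issues end-entity certificates) is meant to be the default, would help anyone reviewing later changes to this profile.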
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
new file mode 100644
index 000000000..259430bfe
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling KRA storage certificates using CMC
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=KRA storage Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=drmStorageCertSet
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+policyset.drmStorageCertSet.1.constraint.params.accept=true
+policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.drmStorageCertSet.1.default.name=Subject Name Default
+policyset.drmStorageCertSet.1.default.params.name=
+policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.drmStorageCertSet.2.constraint.name=Validity Constraint
+policyset.drmStorageCertSet.2.constraint.params.range=720
+policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false
+policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false
+policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl
+policyset.drmStorageCertSet.2.default.name=Validity Default
+policyset.drmStorageCertSet.2.default.params.range=720
+policyset.drmStorageCertSet.2.default.params.startTime=0
+policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.drmStorageCertSet.3.constraint.name=Key Constraint
+policyset.drmStorageCertSet.3.constraint.params.keyType=RSA
+policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.drmStorageCertSet.3.default.name=Key Default
+policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.4.constraint.name=No Constraint
+policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default
+policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.5.constraint.name=No Constraint
+policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.drmStorageCertSet.5.default.name=AIA Extension Default
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false
+policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.drmStorageCertSet.6.default.name=Key Usage Default
+policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+policyset.drmStorageCertSet.7.constraint.name=No Constraint
+policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.drmStorageCertSet.9.constraint.name=No Constraint
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.drmStorageCertSet.9.default.name=Signing Alg
+policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
new file mode 100644
index 000000000..ec54f9cf8
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Key Archival Authority Transport Certificate Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=transportCertSet
+policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.transportCertSet.1.constraint.name=Subject Name Constraint
+policyset.transportCertSet.1.constraint.params.pattern=CN=.*
+policyset.transportCertSet.1.constraint.params.accept=true
+policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.transportCertSet.1.default.name=Subject Name Default
+policyset.transportCertSet.1.default.params.name=
+policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.transportCertSet.2.constraint.name=Validity Constraint
+policyset.transportCertSet.2.constraint.params.range=720
+policyset.transportCertSet.2.constraint.params.notBeforeCheck=false
+policyset.transportCertSet.2.constraint.params.notAfterCheck=false
+policyset.transportCertSet.2.default.class_id=validityDefaultImpl
+policyset.transportCertSet.2.default.name=Validity Default
+policyset.transportCertSet.2.default.params.range=720
+policyset.transportCertSet.2.default.params.startTime=0
+policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.transportCertSet.3.constraint.name=Key Constraint
+policyset.transportCertSet.3.constraint.params.keyType=RSA
+policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.transportCertSet.3.default.name=Key Default
+policyset.transportCertSet.4.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.4.constraint.name=No Constraint
+policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.transportCertSet.4.default.name=Authority Key Identifier Default
+policyset.transportCertSet.5.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.5.constraint.name=No Constraint
+policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.transportCertSet.5.default.name=AIA Extension Default
+policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.transportCertSet.5.default.params.authInfoAccessCritical=false
+policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.transportCertSet.6.constraint.params.keyUsageCritical=true
+policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.transportCertSet.6.default.name=Key Usage Default
+policyset.transportCertSet.6.default.params.keyUsageCritical=true
+policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
+policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
+policyset.transportCertSet.7.constraint.name=No Constraint
+policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.transportCertSet.8.constraint.name=No Constraint
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.transportCertSet.8.default.name=Signing Alg
+policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
new file mode 100644
index 000000000..8afbd464d
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
@@ -0,0 +1,71 @@ +desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=OCSP Responder Signing Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=ocspCertSet +policyset.ocspCertSet.list=1,2,3,4,5,6,8,9 +policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.ocspCertSet.1.constraint.name=Subject Name Constraint +policyset.ocspCertSet.1.constraint.params.pattern=CN=.* +policyset.ocspCertSet.1.constraint.params.accept=true +policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.ocspCertSet.1.default.name=Subject Name Default +policyset.ocspCertSet.1.default.params.name= +policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl +policyset.ocspCertSet.2.constraint.name=Validity Constraint +policyset.ocspCertSet.2.constraint.params.range=720 +policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false +policyset.ocspCertSet.2.constraint.params.notAfterCheck=false +policyset.ocspCertSet.2.default.class_id=validityDefaultImpl +policyset.ocspCertSet.2.default.name=Validity Default +policyset.ocspCertSet.2.default.params.range=720 +policyset.ocspCertSet.2.default.params.startTime=0 +policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl +policyset.ocspCertSet.3.constraint.name=Key Constraint +policyset.ocspCertSet.3.constraint.params.keyType=- +policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl +policyset.ocspCertSet.3.default.name=Key Default +policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl +policyset.ocspCertSet.4.constraint.name=No Constraint 
+policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.ocspCertSet.4.default.name=Authority Key Identifier Default +policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl +policyset.ocspCertSet.5.constraint.name=No Constraint +policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.ocspCertSet.5.default.name=AIA Extension Default +policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false +policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl +policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension +policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false +policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9 +policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.ocspCertSet.6.default.name=Extended Key Usage Default +policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false +policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9 +policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl +policyset.ocspCertSet.8.constraint.name=No Constraint +policyset.ocspCertSet.8.constraint.params.extCritical=false +policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5 +policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl +policyset.ocspCertSet.8.default.name=OCSP No Check Extension +policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false +policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.ocspCertSet.9.constraint.name=No Constraint 
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.ocspCertSet.9.default.name=Signing Alg
+policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
new file mode 100644
index 000000000..8215d6502
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
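Review bot: The constraint `policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed` in this brand-new OCSP responder signing profile admits `MD5withRSA`, `MD2withRSA` and the SHA-1 variants; the identical list is copied into the new caCMCserverCert.cfg and caCMCsubsystemCert.cfg hunks below. With `signingAlg=-` as the default, the constraint appears to be the only thing that stops a request from selecting one of these deprecated algorithms for a certificate that itself signs OCSP responses. Consider limiting the new profiles to `SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`, or add a comment explaining that the legacy entries are kept for parity with the existing non-CMC profiles; the same applies to `1024` in `keyParameters`.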
@@ -0,0 +1,90 @@ +desc=This certificate profile is for enrolling server certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Server Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name= +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=720 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=720 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=- +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint 
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true 
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.9.default.name=copy CN to SAN Default diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg new file mode 100644 index 000000000..f473f984e --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg 
@@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling subsystem certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Subsystem Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=.* +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name= +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=720 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=720 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=- +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint 
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true 
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg index 29baeed26..90cb4243e 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg 
@@ -1,7 +1,7 @@
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication.
 enable=true
 enableBy=admin
-name=Signed CMC-Authenticated User Certificate Enrollment
+name=Agent-Signed CMC-Authenticated User Certificate Enrollment
 visible=false
 auth.instance_id=CMCAuth
 input.list=i1,i2
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 63a4bcaf2..7bfad9c2d 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -1,4 +1,4 @@
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication.
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
 enable=true
 enableBy=admin
 name=User-Signed CMC-Authenticated User Certificate Enrollment
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index a55014215..266604985 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -1553,6 +1553,167 @@ </servlet> <servlet> + <servlet-name> caProfileSubmitCMCFullCACert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCcaCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmitCMCFullServerCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCserverCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull 
</param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmitCMCFullOCSPCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCocspCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmitCMCFullSubsystemCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId 
</param-name> + <param-value> caCMCsubsystemCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmitCMCFullAuditSigningCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCauditSigningCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> 
caProfileSubmitCMCFullKRATransportCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCkraTransportCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + <init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> + <servlet-name> caProfileSubmitCMCFullKRAstorageCert </servlet-name> + <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> + <init-param><param-name> GetClientCert </param-name> + <param-value> false </param-value> </init-param> + <init-param><param-name> cert_request_type </param-name> + <param-value> cmc </param-value> </init-param> + <init-param><param-name> profileId </param-name> + <param-value> caCMCkraStorageCert </param-value> </init-param> + <init-param><param-name> AuthzMgr </param-name> + <param-value> BasicAclAuthz </param-value> </init-param> + <init-param><param-name> authorityId </param-name> + <param-value> ca </param-value> </init-param> + <init-param><param-name> ID </param-name> + <param-value> caProfileSubmitCMCFull </param-value> </init-param> + 
<init-param><param-name> templatePath </param-name> + <param-value> /ee/ca/ProfileSubmit.template </param-value> </init-param> + <init-param><param-name> resourceID </param-name> + <param-value> certServer.ee.profile </param-value> </init-param> + <init-param><param-name> interface </param-name> + <param-value> ee </param-value> </init-param> + </servlet> + + <servlet> <servlet-name> caProfileSubmitUserSignedCMCFull </servlet-name> <servlet-class> com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet </servlet-class> <init-param><param-name> GetClientCert </param-name> 
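Review bot: All seven new servlet declarations set the `ID` init-param to the same value, `<param-value> caProfileSubmitCMCFull </param-value>`, while their `servlet-name` values differ; if `ID` is what the servlet base class reports in logs or uses for per-servlet configuration lookups, these requests become indistinguishable from each other and from any existing servlet already using that ID, so each should carry its own value (e.g. `caProfileSubmitCMCFullCACert`). Every new servlet also declares `GetClientCert` as `false`, yet the CMCAuth change in this commit rejects requests whose session lacks `SSL_CLIENT_CERT`; if that flag controls whether the container demands a client certificate, `true` would make the failure happen at the transport layer with a clear cause instead of inside authentication. The trailing `caProfileSubmitUserSignedCMCFull` declaration continues outside the hunk.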
@@ -2303,6 +2464,41 @@ </servlet-mapping> <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullCACert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullCACert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullServerCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullServerCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullOCSPCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullOCSPCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullSubsystemCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullSubsystemCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullAuditSigningCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullAuditSigningCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullKRATransportCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullKRAtransportCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> + <servlet-name> caProfileSubmitCMCFullKRAstorageCert </servlet-name> + <url-pattern> /ee/ca/profileSubmitCMCFullKRAstorageCert </url-pattern> + </servlet-mapping> + + <servlet-mapping> <servlet-name> caProfileSubmitUserSignedCMCFull </servlet-name> <url-pattern> /ee/ca/profileSubmitUserSignedCMCFull </url-pattern> </servlet-mapping> diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java index fd59aa174..9fcb8dbd7 100644 --- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java 
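Review bot: The URL pattern `/ee/ca/profileSubmitCMCFullKRAtransportCert` uses a lowercase `t` while its servlet is named `caProfileSubmitCMCFullKRATransportCert`, and the neighbouring storage mapping spells its suffix `KRAstorageCert` in both places; servlet URL patterns are case-sensitive, so clients must reproduce whichever form ships. Pick one convention for the KRA pair and apply it to both the servlet names in the earlier hunk and the patterns here, e.g. `/ee/ca/profileSubmitCMCFullKRATransportCert` to match the servlet name.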
@@ -2393,7 +2393,7 @@ public class CMCRequest { System.out.println(""); System.out.println(""); System.out.println("The CMC enrollment request in binary format is stored in " + - ofilename + "."); + ofilename); } catch (IOException e) { System.out.println("CMCRequest: unable to open file " + ofilename + " for writing:\n" + e); diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java index 66a356965..97d51715d 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java @@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; +import java.security.cert.X509Certificate; import java.security.MessageDigest; import java.security.PublicKey; import java.util.Enumeration; @@ -247,6 +248,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String auditCertSubject = ILogger.UNIDENTIFIED; String auditSignerInfo = ILogger.UNIDENTIFIED; + SessionContext auditContext = SessionContext.getExistingContext(); + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { @@ -362,7 +367,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String userid = "defUser"; String uid = "defUser"; if (checkSignerInfo) { - IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); + IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq); if (agentToken == null) { CMS.debug(method + "agentToken null"); throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); 
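Review bot: In the `@@ -247` hunk `auditContext` is dereferenced immediately at `auditContext.get(SessionContext.SSL_CLIENT_CERT)`, but the `verifySignerInfo` hunk later in this commit explicitly guards `auditContext == null`; if `SessionContext.getExistingContext()` can return null, as its name suggests, the failure surfaces here as a NullPointerException before that guard is ever reached. A check such as `if (auditContext == null) throw new EBaseException("CMCAuth: missing session context");` right after the lookup would keep the failure on the audited path. The `clientCert` local obtained here is not used anywhere in the visible hunk (verifySignerInfo fetches it again), so it should be dropped or used for the audit subject. Minor: the new `import java.security.cert.X509Certificate;` is inserted ahead of `java.security.MessageDigest`, breaking the alphabetical order of the surrounding imports. The enclosing method continues outside the hunk.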
@@ -813,8 +818,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, level, "CMC Authentication: " + msg); } - protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { - + protected IAuthToken verifySignerInfo( + SessionContext auditContext, + AuthToken authToken, + SignedData cmcFullReq) throws EBaseException { + String method = "CMCAuth: verifySignerInfo: "; + String msg = ""; EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); OBJECT_IDENTIFIER id = ci.getContentType(); OCTET_STRING content = ci.getContent(); @@ -823,6 +832,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, CryptoToken signToken = null; CryptoToken savedToken = null; CryptoManager cm = null; + + if (auditContext == null) { + CMS.debug(method + " auditConext can't be null"); + return null; + } try { cm = CryptoManager.getInstance(); ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); 
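Review bot: The new `auditContext == null` guard in `verifySignerInfo` returns null, which the caller in the `@@ -362` hunk converts into the generic `"CMCAuth: agent verifySignerInfo failure"`, so the actual cause never reaches the log or the audit record; the debug text also misspells the parameter and, because `method` already ends in a space, prints a double space. Suggest `msg = "auditContext can't be null"; CMS.debug(method + msg); throw new EBaseException(method + msg);` or, if returning null is deliberate, at least fix the message to `CMS.debug(method + "auditContext can't be null");`. The body of verifySignerInfo continues outside the hunk.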
@@ -910,6 +924,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, si.verify(digest, id); } else { CMS.debug("CMCAuth: found signing cert... verifying"); + + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + if (clientCert == null) { + // createAuditSubjectFromCert(auditContext, x509Certs[0]); + msg = "missing SSL client authentication certificate;"; + CMS.debug(method + msg); + s.close(); + throw new EMissingCredential( + CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); + } + netscape.security.x509.X500Name clientPrincipal = + (X500Name) clientCert.getSubjectDN(); + + netscape.security.x509.X500Name cmcPrincipal = + (X500Name) x509Certs[0].getSubjectDN(); + + // check ssl client cert against cmc signer + if (!clientPrincipal.equals(cmcPrincipal)) { + msg = "SSL client authentication certificate and CMC signer do not match"; + CMS.debug(method + msg); + s.close(); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "ssl client cert principal and cmc signer principal match"); + } + PublicKey signKey = cert.getPublicKey(); PrivateKey.Type keyType = null; String alg = signKey.getAlgorithm(); diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index ab9a94ab8..ff82ade9c 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, s.close(); throw new EInvalidCredentials( CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "ssl client cert principal and cmc signer principal match"); } PublicKey signKey = cert.getPublicKey(); 
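Review bot: The new check binds the TLS client to the CMC signer by subject-name equality only, so any certificate carrying the same subject DN as `x509Certs[0]` (a certificate from a different issuer, or an older/renewed certificate with the same name) would satisfy it; comparing the certificates themselves, e.g. `if (!clientCert.equals(x509Certs[0]))`, or issuer plus serial number, expresses the intent "same certificate" rather than "same name". The two `(X500Name) ….getSubjectDN()` casts are unchecked: `getSubjectDN()` is declared to return `Principal`, so a non-netscape implementation would surface as a ClassCastException instead of the intended `EInvalidCredentials`; a `Principal.equals` comparison, or a guarded cast, avoids that. `x509Certs`, `cert` and `s` are defined outside the hunk, and verifySignerInfo continues past it.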
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 7dfaddac4..93d0a74ae 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile if (signingUserSerial != null) { donePOI = true; } + // catch for invalid request cmc_msgs = parseCMC(locale, cert_request, donePOI); if (cmc_msgs == null) { @@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile byte randomSeed[] = null; UTF8String ident_s = null; SessionContext context = SessionContext.getContext(); + String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); + if (authManagerId == null) { + CMS.debug(method + "authManagerId null.????"); + //unlikely, but... + authManagerId = "none"; + } else { + CMS.debug(method + "authManagerId =" + authManagerId); + } + if(authManagerId.equals("CMCAuth")) { + donePOI = true; + } boolean id_cmc_revokeRequest = false; if (!context.containsKey("numOfControls")) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java index 28f4d33ff..c047aac24 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java @@ -22,6 +22,7 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.math.BigInteger; +import java.security.Principal; import java.util.Date; import java.util.Iterator; import java.util.Properties; 
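Review bot: In the hunk at @@ -723, `if(authManagerId.equals("CMCAuth")) { donePOI = true; }` switches off the proof-of-identity check on the strength of a hard-coded auth-manager id string, and nothing in the hunk says why that manager satisfies POI; a comment such as `// CMCAuth verifies an agent signature on the whole request, which stands in for POI` would make the reasoning reviewable, and the id is worth hoisting into a named constant. The fallback debug text `"authManagerId null.????"` is not informative; something like `"authManagerId not set in session context; POI check kept"` says what happens. Also `if(` should be `if (` to match the surrounding style. The enclosing method starts and ends outside the hunk.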
@@ -34,13 +35,18 @@ import org.apache.commons.lang.ArrayUtils; import org.apache.commons.lang.StringUtils; import org.apache.velocity.context.Context; import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.crypto.CryptoStore; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.crypto.PrivateKey; import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkcs11.PK11Store; import org.xml.sax.SAXException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.ConflictingOperationException; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.EPropertyNotFound; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.ca.ICertificateAuthority; 
@@ -261,20 +267,30 @@ public class CertUtil { /* * create requests so renewal can work on these initial certs */ - public static IRequest createLocalRequest(IRequestQueue queue, String serialNum, X509CertInfo info) - throws EBaseException { + public static IRequest createLocalRequest( + IConfigStore cs, + IRequestQueue queue, + String tag, + CertInfoProfile profile, + X509CertInfo info, + X509Key x509key) + throws Exception { + // RequestId rid = new RequestId(serialNum); // just need a request, no need to get into a queue // IRequest r = new EnrollmentRequest(rid); - CMS.debug("CertUtil: createLocalRequest for serial: " + serialNum); + + CMS.debug("CertUtil.createLocalRequest(" + tag + ")"); + IRequest req = queue.newRequest("enrollment"); - CMS.debug("certUtil: newRequest called"); + req.setExtData("profile", "true"); req.setExtData("requestversion", "1.0.0"); req.setExtData("req_seq_num", "0"); + req.setExtData(IEnrollProfile.REQUEST_CERTINFO, info); - req.setExtData(IEnrollProfile.REQUEST_EXTENSIONS, - new CertificateExtensions()); + req.setExtData(IEnrollProfile.REQUEST_EXTENSIONS, new CertificateExtensions()); + req.setExtData("requesttype", "enrollment"); req.setExtData("requestor_name", ""); req.setExtData("requestor_email", ""); 
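Review bot: The commented-out lines `// RequestId rid = new RequestId(serialNum);` and `// IRequest r = new EnrollmentRequest(rid);` now refer to a parameter (`serialNum`) that the new signature no longer has, so they should go rather than be carried along. The throws clause widens from `EBaseException` to `Exception`, which forces every caller (createLocalCert at @@ -466 on this page) to widen as well; if the new calls only add EBaseException/EPropertyNotFound it is worth keeping the narrower clause, though I cannot see from the hunk what `profile.getID()` and `injectSANextensionIntoRequest` declare. createLocalRequest continues in the next hunk.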
@@ -285,6 +301,37 @@ public class CertUtil { req.setExtData("isencryptioncert", "false"); req.setExtData("profileapprovedby", "system"); + Boolean injectSAN = cs.getBoolean("service.injectSAN", false); + CMS.debug("createLocalCert: inject SAN: " + injectSAN); + + if (tag.equals("sslserver") && injectSAN) { + injectSANextensionIntoRequest(cs, req); + } + + req.setExtData("req_key", x509key.toString()); + + String origProfileID = profile.getID(); + int idx = origProfileID.lastIndexOf('.'); + if (idx > 0) { + origProfileID = origProfileID.substring(0, idx); + } + + // store original profile id in cert request + req.setExtData("origprofileid", origProfileID); + + // store mapped profile ID for use in renewal + req.setExtData("profileid", profile.getProfileIDMapping()); + req.setExtData("profilesetid", profile.getProfileSetIDMapping()); + + if (!tag.equals("signing")) { + /* + * (applies to non-CA-signing cert only) + * installAdjustValidity tells ValidityDefault to adjust the + * notAfter value to that of the CA's signing cert if needed + */ + req.setExtData("installAdjustValidity", "true"); + } + // mark request as complete CMS.debug("certUtil: calling setRequestStatus"); req.setRequestStatus(RequestStatus.COMPLETE); 
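Review bot: The profile-id truncation changed from the original's `idx == -1` test to `if (idx > 0)`, so a profile id whose only '.' is at index 0 now keeps the leading dot where it used to be stored unchanged; that is probably harmless but it is an unannounced behaviour change, and `if (idx >= 0)` preserves the old semantics. The debug label `"createLocalCert: inject SAN: "` is emitted from createLocalRequest; `"CertUtil.createLocalRequest: inject SAN: "` keeps log lines attributable. `Boolean injectSAN` can be a plain `boolean` since it is only used in `&&`. createLocalRequest begins in the previous hunk and ends past this one.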
@@ -295,35 +342,39 @@ public class CertUtil { /** * update local cert request with the actual request * called from CertRequestPanel.java + * @throws EBaseException + * @throws EPropertyNotFound */ - public static void updateLocalRequest(IConfigStore config, String certTag, String certReq, String reqType, - String subjectName) { - try { - CMS.debug("Updating local request... certTag=" + certTag); - RequestId rid = new RequestId(config.getString("preop.cert." + certTag + ".reqId")); - - ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem( - ICertificateAuthority.ID); - - IRequestQueue queue = ca.getRequestQueue(); - if (queue != null) { - IRequest req = queue.findRequest(rid); - if (req != null) { - if (!certReq.equals("")) - req.setExtData("cert_request", certReq); - req.setExtData("cert_request_type", reqType); - if (subjectName != null) { - req.setExtData("subject", subjectName); - new X500Name(subjectName); // check for errors - } - } - queue.updateRequest(req); - } else { - CMS.debug("CertUtil:updateLocalRequest - request queue = null"); - } - } catch (Exception e) { - CMS.debug("CertUtil:updateLocalRequest - Exception:" + e.toString()); + public static void updateLocalRequest( + IConfigStore config, + String certTag, + String certReq, + String reqType, + String subjectName + ) throws Exception { + + CMS.debug("CertUtil.updateLocalRequest(" + certTag + ")"); + + ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(ICertificateAuthority.ID); + IRequestQueue queue = ca.getRequestQueue(); + + RequestId rid = new RequestId(config.getString("preop.cert." 
+ certTag + ".reqId")); + IRequest req = queue.findRequest(rid); + + if (!certReq.equals("")) { + CMS.debug("CertUtil: updating cert request"); + req.setExtData("cert_request", certReq); + } + + req.setExtData("cert_request_type", reqType); + + if (subjectName != null) { + CMS.debug("CertUtil: updating request subject: " + subjectName); + req.setExtData("subject", subjectName); + new X500Name(subjectName); // check for errors } + + queue.updateRequest(req); } /** @@ -416,11 +467,6 @@ public class CertUtil { CMS.debug("CertUtil.createLocalCert(" + certTag + ")"); - String profile = config.getString(prefix + certTag + ".profile"); - - Boolean injectSAN = config.getBoolean("service.injectSAN", false); - CMS.debug("createLocalCert: injectSAN: " + injectSAN); - String dn = config.getString(prefix + certTag + ".dn"); String keyAlgorithm = null; Date date = new Date(); 
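Review bot: `IRequest req = queue.findRequest(rid);` is followed by `req.setExtData(...)` without the `if (req != null)` guard the old body had, so a stale or mistyped `preop.cert.<tag>.reqId` now ends in an NPE instead of a clear error; add `if (req == null) throw new EBaseException("CertUtil: request not found: " + rid);` right after the lookup. The `new X500Name(subjectName); // check for errors` validation runs after `req.setExtData("subject", subjectName)`; moving it before the put keeps a rejected name out of the request object. The throws clause of `Exception` is broader than the `@throws EBaseException` / `@throws EPropertyNotFound` the new Javadoc lists, so one of the two should be adjusted to match.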
@@ -466,50 +512,29 @@ public class CertUtil { CMS.debug("Cert Template: " + info); - String instanceRoot = CMS.getConfigStore().getString("instanceRoot"); - String configurationRoot = CMS.getConfigStore().getString("configurationRoot"); + String instanceRoot = config.getString("instanceRoot"); + String configurationRoot = config.getString("configurationRoot"); + + String profileName = config.getString(prefix + certTag + ".profile"); + CMS.debug("CertUtil: profile: " + profileName); - CertInfoProfile processor = new CertInfoProfile(instanceRoot + configurationRoot + profile); + CertInfoProfile profile = new CertInfoProfile(instanceRoot + configurationRoot + profileName); // cfu - create request to enable renewal IRequestQueue queue = ca.getRequestQueue(); - IRequest req = createLocalRequest(queue, serialNo.toString(), info); - if (certTag.equals("sslserver") && injectSAN) { - injectSANextensionIntoRequest(config, req); - } - - CMS.debug("CertUtil profile: " + profile); - req.setExtData("req_key", x509key.toString()); - - // store original profile id in cert request - int idx = profile.lastIndexOf('.'); - if (idx == -1) { - CMS.debug("CertUtil profileName contains no ."); - req.setExtData("origprofileid", profile); - } else { - String name = profile.substring(0, idx); - req.setExtData("origprofileid", name); - } - - // store mapped profile ID for use in renewal - String profileId = processor.getProfileIDMapping(); - req.setExtData("profileid", profileId); - req.setExtData("profilesetid", processor.getProfileSetIDMapping()); + IRequest req = createLocalRequest( + config, + queue, + certTag, + profile, + info, + x509key); RequestId reqId = req.getRequestId(); config.putString("preop.cert." 
+ certTag + ".reqId", reqId.toString()); - if (!certTag.equals("signing")) { - /* - * (applies to non-CA-signing cert only) - * installAdjustValidity tells ValidityDefault to adjust the - * notAfter value to that of the CA's signing cert if needed - */ - req.setExtData("installAdjustValidity", "true"); - } - - processor.populate(req, info); + profile.populate(req, info); /* java.security.PrivateKey pk = ca.getSigningUnit().getPrivateKey(); @@ -555,7 +580,7 @@ public class CertUtil { MetaInfo meta = new MetaInfo(); meta.set(ICertRecord.META_REQUEST_ID, reqId.toString()); - meta.set(ICertRecord.META_PROFILE_ID, profileId); + meta.set(ICertRecord.META_PROFILE_ID, profile.getProfileIDMapping()); ICertRecord record = cr.createCertRecord(cert.getSerialNumber(), cert, meta); cr.addCertificateRecord(record); 
@@ -723,4 +748,177 @@ public class CertUtil { return false; } + + public static boolean findCertificate(String tokenname, String nickname) + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + String fullnickname = nickname; + if (!CryptoUtil.isInternalToken(tokenname)) { + fullnickname = tokenname + ":" + nickname; + } + + CMS.debug("CertUtil: searching for cert " + fullnickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(fullnickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return false; + } + + if (cert == null) { + CMS.debug("CertUtil: cert not found"); + return false; + } + + return true; + } + + public static boolean findBootstrapServerCert() + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + IConfigStore cs = CMS.getConfigStore(); + String nickname = cs.getString("preop.cert.sslserver.nickname"); + + CMS.debug("CertUtil: searching for cert " + nickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(nickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return false; + } + + Principal issuerDN = cert.getIssuerDN(); + Principal subjectDN = cert.getSubjectDN(); + + if (!issuerDN.equals(subjectDN)) { + CMS.debug("CertUtil: cert is not self-signed"); + return false; + } + + return true; + } + + public static void deleteCert(String tokenname, String nickname) + throws Exception { + + CryptoManager cm = CryptoManager.getInstance(); + + String fullnickname = nickname; + if (!CryptoUtil.isInternalToken(tokenname)) + fullnickname = tokenname + ":" + nickname; + + CMS.debug("CertUtil: deleting cert " + fullnickname); + + X509Certificate cert; + try { + cert = cm.findCertByNickname(fullnickname); + } catch (ObjectNotFoundException e) { + CMS.debug("CertUtil: cert not found: " + e); + return; + } + + CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname); + CryptoStore store = 
tok.getCryptoStore(); + + if (store instanceof PK11Store) { + PK11Store pk11store = (PK11Store) store; + pk11store.deleteCertOnly(cert); + CMS.debug("CertUtil: cert deleted successfully"); + + } else { + CMS.debug("CertUtil: unsupported crypto store: " + store.getClass().getName()); + } + } + + public static void deleteBootstrapServerCert() + throws Exception { + + IConfigStore cs = CMS.getConfigStore(); + String nickname = cs.getString("preop.cert.sslserver.nickname"); + + deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname); + } + + public static void importCert( + String subsystem, + String tag, + String tokenname, + String nickname, + X509CertImpl impl + ) throws Exception { + + CMS.debug("CertUtil.importCert(" + tag + ")"); + + if (tag.equals("sslserver") && findBootstrapServerCert()) { + CMS.debug("CertUtil: deleting temporary SSL server cert"); + deleteBootstrapServerCert(); + } + + if (findCertificate(tokenname, nickname)) { + CMS.debug("CertUtil: deleting existing " + tag + " cert"); + deleteCert(tokenname, nickname); + } + + CMS.debug("CertUtil: importing " + tag + " cert"); + + if (subsystem.equals("ca") && tag.equals("signing") ) { + CryptoUtil.importUserCertificate(impl, nickname); + + } else { + CryptoUtil.importUserCertificate(impl, nickname, false); + } + } + + public static void importExternalCert( + String tag, + String tokenname, + String nickname, + byte[] cert, + byte[] certChain + ) throws Exception { + + CMS.debug("CertUtil.importExternalCert(" + tag + ")"); + + if (tag.equals("sslserver") && findBootstrapServerCert()) { + CMS.debug("CertUtil: deleting temporary SSL server cert"); + deleteBootstrapServerCert(); + } + + if (findCertificate(tokenname, nickname)) { + CMS.debug("CertUtil: deleting existing " + tag + " cert"); + deleteCert(tokenname, nickname); + } + + if (certChain != null) { + CMS.debug("CertUtil: importing cert chain for " + tag + " cert"); + CryptoUtil.importCertificateChain(certChain); + } + + CMS.debug("CertUtil: 
importing " + tag + " cert"); + + CryptoManager cm = CryptoManager.getInstance(); + X509Certificate x509cert = cm.importCertPackage(cert, nickname); + + CMS.debug("CertUtil: trusting cert: " + x509cert.getSubjectDN()); + CryptoUtil.trustCertByNickname(nickname); + + X509Certificate[] certs = cm.buildCertificateChain(x509cert); + CMS.debug("CertUtil: cert chain:"); + for (X509Certificate c : certs) { + CMS.debug("ConfigurationUtils: - " + c.getSubjectDN()); + } + + X509Certificate rootCert = certs[certs.length - 1]; + CMS.debug("CertUtil: trusting root cert: " + rootCert.getSubjectDN()); + + CryptoUtil.trustRootCert(rootCert); + } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 9b83830a2..68c3b8dac 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -296,7 +296,9 @@ public class ConfigurationUtils { } cs.commit(false); - CryptoUtil.importCertificateChain(certchain); + + byte[] bytes = CryptoUtil.base64Decode(certchain); + CryptoUtil.importCertificateChain(bytes); } else { throw new IOException("importCertChain: Security Domain response does not contain certificate chain"); 
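Review bot: In importExternalCert, `X509Certificate[] certs = cm.buildCertificateChain(x509cert);` is indexed as `certs[certs.length - 1]` without a null or empty check, whereas the code this replaces (handleCerts, @@ -3188 on this page) guarded `if (certchains != null)`; guard it and fail explicitly, e.g. `if (certs == null || certs.length == 0) throw new IOException("CertUtil: unable to build chain for " + nickname);`. The last element of the built chain is then handed to `CryptoUtil.trustRootCert`, so for a chain of length one the imported leaf itself becomes the trusted root; since findBootstrapServerCert already shows the `issuerDN.equals(subjectDN)` test, applying the same self-signed check before trusting `rootCert` would make the trust decision explicit. The log line `"ConfigurationUtils: - "` is a copy-paste leftover inside CertUtil and should read `"CertUtil: - "`. deleteCert no longer catches the `NoSuchItemOnTokenException` the removed ConfigurationUtils version swallowed around `deleteCertOnly`, which looks intentional but is worth a sentence in the commit message.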
@@ -2338,10 +2340,12 @@ public class ConfigurationUtils { setSigningAlgorithm(tag, keyAlgo, config); } - public static void createECCKeyPair(String token, String curveName, IConfigStore config, String ct) + public static KeyPair createECCKeyPair(String token, String curveName, IConfigStore config, String ct) throws NoSuchAlgorithmException, NoSuchTokenException, TokenException, CryptoManager.NotInitializedException, EPropertyNotFound, EBaseException { - CMS.debug("createECCKeyPair: Generating ECC key pair with curvename=" + curveName + ", token=" + token); + + CMS.debug("ConfigurationUtils.createECCKeyPair(" + token + ", " + curveName + ")"); + KeyPair pair = null; /* * default ssl server cert to ECDHE unless stated otherwise @@ -2390,7 +2394,6 @@ public class ConfigurationUtils { // XXX - store curve , w byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); String kid = CryptoUtil.byte2string(id); - config.putString(PCERT_PREFIX + ct + ".privkey.id", kid); // try to locate the private key org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); 
@@ -2400,42 +2403,31 @@ public class ConfigurationUtils { } } while (pair == null); - CMS.debug("Public key class " + pair.getPublic().getClass().getName()); - byte encoded[] = pair.getPublic().getEncoded(); - config.putString(PCERT_PREFIX + ct + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); - - String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); - setSigningAlgorithm(ct, keyAlgo, config); + return pair; } - public static void createRSAKeyPair(String token, int keysize, IConfigStore config, String ct) + public static KeyPair createRSAKeyPair(String token, int keysize, IConfigStore config, String ct) throws Exception { - /* generate key pair */ + + CMS.debug("ConfigurationUtils.createRSAKeyPair(" + token + ")"); + KeyPair pair = null; do { pair = CryptoUtil.generateRSAKeyPair(token, keysize); byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); String kid = CryptoUtil.byte2string(id); - config.putString(PCERT_PREFIX + ct + ".privkey.id", kid); + // try to locate the private key org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); + if (privk == null) { CMS.debug("Found bad RSA key id " + kid); pair = null; } } while (pair == null); - byte modulus[] = ((RSAPublicKey) pair.getPublic()).getModulus().toByteArray(); - byte exponent[] = ((RSAPublicKey) pair.getPublic()).getPublicExponent().toByteArray(); - - config.putString(PCERT_PREFIX + ct + ".pubkey.modulus", - CryptoUtil.byte2string(modulus)); - config.putString(PCERT_PREFIX + ct + ".pubkey.exponent", - CryptoUtil.byte2string(exponent)); - - String keyAlgo = config.getString(PCERT_PREFIX + ct + ".signingalgorithm"); - setSigningAlgorithm(ct, keyAlgo, config); + return pair; } public static void setSigningAlgorithm(String ct, String keyAlgo, IConfigStore config) throws EPropertyNotFound, 
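Review bot: After this hunk `createRSAKeyPair` no longer reads `config` or `ct` anywhere in its visible body (the `putString` and signing-algorithm calls were removed and `pair` is returned instead), so the two parameters are now dead unless kept for signature compatibility; either drop them or add `// config/ct retained for API compatibility; key material is now stored by the caller` above the signature. The same probably applies to `createECCKeyPair` in the hunk at @@ -2338, though its ECDHE handling is outside the visible lines. The `do … while (pair == null)` retry in both methods loops indefinitely when `findPrivateKeyFromID` keeps failing; that is pre-existing, but a bounded attempt count would turn a hang into an error.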
@@ -2847,17 +2839,6 @@ public class ConfigurationUtils { } } - String serverCertNickname = nickname; - String path = CMS.getConfigStore().getString("instanceRoot", ""); - if (certTag.equals("sslserver")) { - if (!CryptoUtil.isInternalToken(token)) { - serverCertNickname = token + ":" + nickname; - } - PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8"); - ps.println(serverCertNickname); - ps.close(); - } - config.putString(subsystem + "." + certTag + ".nickname", nickname); config.putString(subsystem + "." + certTag + ".tokenname", token); if (certTag.equals("audit_signing")) { @@ -2882,6 +2863,23 @@ public class ConfigurationUtils { CMS.debug("updateConfig() done"); } + public static void updateServerCertNickConf() throws Exception { + + IConfigStore cs = CMS.getConfigStore(); + String token = cs.getString("preop.module.token"); + String nickname = getNickname(cs, "sslserver"); + + String serverCertNickname = nickname; + if (!CryptoUtil.isInternalToken(token)) { + serverCertNickname = token + ":" + nickname; + } + + String path = cs.getString("instanceRoot", ""); + PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8"); + ps.println(serverCertNickname); + ps.close(); + } + public static String getNickname(IConfigStore config, String certTag) throws EBaseException { String instanceID = config.getString("instanceId", ""); 
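Review bot: In the new updateServerCertNickConf, `new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8")` is closed only on the success path, so an exception from `println` or the constructor's caller leaks the handle; try-with-resources covers both: `try (PrintStream ps = new PrintStream(path + "/conf/serverCertNick.conf", "UTF-8")) { ps.println(serverCertNickname); }`. The lookups `cs.getString("preop.module.token")` and `getNickname(cs, "sslserver")` can presumably throw when the keys are absent, which the `throws Exception` clause hides; the Javadoc should say which preop keys the method depends on.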
@@ -2938,15 +2936,20 @@ public class ConfigurationUtils { return 0; } - public static void updateCloneConfig() - throws EBaseException, IOException { + public static void updateCloneConfig() throws EBaseException, IOException { + IConfigStore config = CMS.getConfigStore(); String cstype = config.getString("cs.type", null); cstype = cstype.toLowerCase(); + if (cstype.equals("kra")) { + String token = config.getString("preop.module.token"); + if (!CryptoUtil.isInternalToken(token)) { + CMS.debug("ConfigurationUtils: updating configuration for KRA clone with hardware token"); + String subsystem = config.getString(PCERT_PREFIX + "storage.subsystem"); String storageNickname = getNickname(config, "storage"); String transportNickname = getNickname(config, "transport"); 
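Review bot: `String cstype = config.getString("cs.type", null);` followed by `cstype = cstype.toLowerCase();` dereferences the null default, so a missing `cs.type` surfaces as an NPE instead of a configuration error; `String cstype = config.getString("cs.type").toLowerCase();` lets the config store report the missing key (the page shows EPropertyNotFound being used for that elsewhere). `toLowerCase()` without a locale is also locale-sensitive; `toLowerCase(Locale.ROOT)` is safer for a config token, provided `java.util.Locale` is in scope. These lines are unchanged context in the hunk, but the reshaped method is the natural place to fix them; updateCloneConfig continues in the next hunk.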
@@ -2954,22 +2957,23 @@ public class ConfigurationUtils { config.putString(subsystem + ".storageUnit.hardware", token); config.putString(subsystem + ".storageUnit.nickName", token + ":" + storageNickname); config.putString(subsystem + ".transportUnit.nickName", token + ":" + transportNickname); + config.commit(false); + } else { // software token // parameters already set } } // audit signing cert - String audit_nn = config.getString(cstype + ".audit_signing" + ".nickname", ""); - String audit_tk = config.getString(cstype + ".audit_signing" + ".tokenname", ""); - if (!CryptoUtil.isInternalToken(audit_tk)) { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_tk + ":" + audit_nn); - } else { - config.putString("log.instance.SignedAudit.signedAuditCertNickname", - audit_nn); + String nickname = config.getString(cstype + ".audit_signing.nickname", ""); + String token = config.getString(cstype + ".audit_signing.tokenname", ""); + + if (!CryptoUtil.isInternalToken(token)) { + nickname = token + ":" + nickname; } + + config.putString("log.instance.SignedAudit.signedAuditCertNickname", nickname); } public static void loadCertRequest(IConfigStore config, String tag, Cert cert) throws Exception { @@ -3178,8 +3182,11 @@ public class ConfigurationUtils { cr.addCertificateRecord(record); } - public static void handleCerts(Cert cert) throws Exception { + public static void handleCert(Cert cert) throws Exception { + String certTag = cert.getCertTag(); + CMS.debug("ConfigurationUtils.handleCert(" + certTag + ")"); + String subsystem = cert.getSubsystem(); String nickname = cert.getNickname(); IConfigStore config = CMS.getConfigStore(); 
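Review bot: `config.commit(false);` is now issued inside the KRA hardware-token branch only, while the `log.instance.SignedAudit.signedAuditCertNickname` put at the end of updateCloneConfig is not followed by a commit; if the caller does not commit, the audit nickname change is left uncommitted, and if it does, the inner commit is redundant. Either move the commit to the end of the method or add `// caller commits the audit nickname change` so the asymmetry is deliberate. The method starts in the previous hunk.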
@@ -3188,156 +3195,50 @@ public class ConfigurationUtils { if (!enable) return; - CMS.debug("handleCerts(): for cert tag '" + cert.getCertTag() + "' using cert type '" + cert.getType() + "'"); + CMS.debug("ConfigurationUtils: cert type: " + cert.getType()); + String b64 = cert.getCert(); String tokenname = config.getString("preop.module.token", ""); if (cert.getType().equals("local") && b64.equals("...certificate be generated internally...")) { - CMS.debug("handleCerts(): processing local cert"); - - String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); - X509Key x509key = null; - if (pubKeyType.equals("rsa")) { - x509key = getRSAX509Key(config, certTag); - } else if (pubKeyType.equals("ecc")) { - x509key = getECCX509Key(config, certTag); - } - - if (findCertificate(tokenname, nickname)) { - if (!certTag.equals("sslserver")) - return; + if (CertUtil.findCertificate(tokenname, nickname) && !certTag.equals("sslserver")) { + // if cert already exists (except SSL server cert), skip creation + return; } - X509CertImpl impl = CertUtil.createLocalCert(config, x509key, PCERT_PREFIX, certTag, cert.getType()); - if (impl != null) { - byte[] certb = impl.getEncoded(); - String certs = CryptoUtil.base64Encode(certb); - - cert.setCert(certs); - config.putString(subsystem + "." 
+ certTag + ".cert", certs); - CMS.debug("handleCerts(): nickname=" + nickname); - - try { - CMS.debug("handleCerts(): deleting existing cert"); - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) - deleteCert(tokenname, nickname); - - CMS.debug("handleCerts(): importing new cert"); - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - CMS.debug("handleCerts(): cert imported for certTag '" + certTag + "'"); - - } catch (Exception ee) { - CMS.debug(ee); - CMS.debug("handleCerts(): import certificate for certTag=" + certTag + " Exception: " - + ee.toString()); - } - } + handleLocalCert(config, cert, tokenname); } else if (cert.getType().equals("remote")) { - CMS.debug("handleCerts(): processing remote cert"); - - if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - - CMS.debug("handleCerts(): deleting existing cert"); - String b64chain = cert.getCertChain(); - - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception e) { - CMS.debug(e); - } - - CMS.debug("handleCerts(): importing new cert"); - b64 = CryptoUtil.stripCertBrackets(b64.trim()); - String certs = CryptoUtil.normalizeCertStr(b64); - byte[] certb = CryptoUtil.base64Decode(certs); - - config.putString(subsystem + "." 
+ certTag + ".cert", certs); - try { - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate x509cert = cm.importCertPackage(certb, nickname); - CryptoUtil.trustCertByNickname(nickname); - - X509Certificate[] certchains = cm.buildCertificateChain(x509cert); - X509Certificate leaf = null; - - if (certchains != null) { - CMS.debug("handleCerts(): certchains length=" + certchains.length); - leaf = certchains[certchains.length - 1]; - } - - if (leaf == null) { - CMS.debug("handleCerts(): leaf is null!"); - throw new IOException("leaf is null"); - } + if (b64 == null || b64.length() == 0 || b64.startsWith("...")) { + throw new PKIException("Missing certificate data for " + certTag + " cert"); + } - if (b64chain != null && b64chain.length() != 0) { - CMS.debug("handlecerts: cert might not have contained chain...calling importCertificateChain: " - + b64chain); - try { - CryptoUtil.importCertificateChain(CryptoUtil.normalizeCertAndReq(b64chain)); - } catch (Exception e) { - CMS.debug("handleCerts(): importCertChain: Exception: " + e.toString()); - } - } + b64 = CryptoUtil.stripCertBrackets(b64.trim()); + String strCert = CryptoUtil.normalizeCertStr(b64); + byte[] binCert = CryptoUtil.base64Decode(strCert); - InternalCertificate icert = (InternalCertificate) leaf; + config.putString(subsystem + "." 
+ certTag + ".cert", strCert); - icert.setSSLTrust( - InternalCertificate.TRUSTED_CA - | InternalCertificate.TRUSTED_CLIENT_CA - | InternalCertificate.VALID_CA); - CMS.debug("handleCerts(): import certificate successfully, certTag=" + certTag); - } catch (Exception ee) { - ee.printStackTrace(); - CMS.debug("handleCerts: import certificate for certTag=" + certTag + " Exception: " + ee.toString()); - } + String strStrChain = cert.getCertChain(); + byte[] binCertChain = null; - } else { - CMS.debug("handleCerts(): b64 not set"); - throw new PKIException("Missing " + certTag + " certificate to import"); + if (strStrChain != null && strStrChain.length() != 0) { + strStrChain = CryptoUtil.normalizeCertAndReq(strStrChain); + binCertChain = CryptoUtil.base64Decode(strStrChain); } + CertUtil.importExternalCert(certTag, tokenname, nickname, binCert, binCertChain); + } else { - CMS.debug("handleCerts(): processing " + cert.getType() + " cert"); b64 = CryptoUtil.stripCertBrackets(b64.trim()); String certs = CryptoUtil.normalizeCertStr(b64); byte[] certb = CryptoUtil.base64Decode(certs); X509CertImpl impl = new X509CertImpl(certb); - CMS.debug("handleCerts(): deleting existing cert"); - try { - if (certTag.equals("sslserver") && findBootstrapServerCert()) - deleteBootstrapServerCert(); - if (findCertificate(tokenname, nickname)) { - deleteCert(tokenname, nickname); - } - } catch (Exception e) { - CMS.debug(e); - } - - CMS.debug("handleCerts(): importing new cert"); - try { - if (certTag.equals("signing") && subsystem.equals("ca")) - CryptoUtil.importUserCertificate(impl, nickname); - else - CryptoUtil.importUserCertificate(impl, nickname, false); - } catch (Exception ee) { - CMS.debug("handleCerts(): Failed to import user certificate." + ee.toString()); - throw new Exception("Unable to import " + certTag + " certificate: " + ee, ee); - } + CertUtil.importCert(subsystem, certTag, tokenname, nickname, impl); } //update requests in request queue for local certs to allow renewal 
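Review bot: The final `else` branch of handleCert still calls `CryptoUtil.stripCertBrackets(b64.trim())` on `b64` without the `b64 == null || b64.length() == 0 || b64.startsWith("...")` check the remote branch now performs, so a cert entry of an unknown type with no data fails with an NPE instead of the `PKIException("Missing certificate data for " + certTag + " cert")` that the remote path raises; hoisting that check above the type dispatch covers both. The local name `strStrChain` looks like a typo for `strChain`. The removed code swallowed import errors around `importCertificateChain` and `importUserCertificate`; the new code lets them propagate from CertUtil, which is the better behaviour but worth stating in the commit message. handleCert starts in the previous hunk and continues past this one.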
@@ -3350,12 +3251,46 @@ public class ConfigurationUtils { if (!CryptoUtil.isInternalToken(tokenname)) NickName = tokenname + ":" + nickname; - CMS.debug("handleCerts(): set trust on CA signing cert " + NickName); + CMS.debug("ConfigurationUtils: set trust on CA signing cert " + NickName); CryptoUtil.trustCertByNickname(NickName); CMS.reinit(ICertificateAuthority.ID); } } + private static void handleLocalCert( + IConfigStore config, + Cert cert, + String tokenname) + throws Exception { + + String certTag = cert.getCertTag(); + CMS.debug("ConfigurationUtils.handleLocalCert(" + certTag + ")"); + + String pubKeyType = config.getString(PCERT_PREFIX + certTag + ".keytype"); + + X509Key x509key = null; + if (pubKeyType.equals("rsa")) { + x509key = getRSAX509Key(config, certTag); + } else if (pubKeyType.equals("ecc")) { + x509key = getECCX509Key(config, certTag); + } + + CMS.debug("ConfigurationUtils: creating local cert"); + + X509CertImpl impl = CertUtil.createLocalCert(config, x509key, PCERT_PREFIX, certTag, cert.getType()); + + byte[] binCert = impl.getEncoded(); + String strCert = CryptoUtil.base64Encode(binCert); + cert.setCert(strCert); + + String subsystem = cert.getSubsystem(); + config.putString(subsystem + "." + certTag + ".cert", strCert); + + CMS.debug("ConfigurationUtils: importing local cert"); + + CertUtil.importCert(subsystem, certTag, tokenname, cert.getNickname(), impl); + } + public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException, ObjectNotFoundException, TokenException { if (tag.equals("signing") || tag.equals("external_signing")) 
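Review bot: In handleLocalCert, `x509key` stays null when `pubKeyType` is neither `"rsa"` nor `"ecc"` and is passed on to `CertUtil.createLocalCert` anyway, so a typo in `preop.cert.<tag>.keytype` fails somewhere inside certificate creation rather than at the source; add `else { throw new PKIException("Unsupported key type " + pubKeyType + " for " + certTag + " cert"); }` to the chain. The method also re-reads `cert.getSubsystem()` and `cert.getNickname()` that the caller already holds; passing them in, or taking only `cert`, keeps the parameter list consistent with the `importCert(subsystem, tag, tokenname, nickname, impl)` signature it calls. A one-line Javadoc stating that the method generates, stores in config and imports the local cert would help, since the name alone does not say it also writes `<subsystem>.<tag>.cert`.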
@@ -3383,97 +3318,6 @@ public class ConfigurationUtils { } } - public static boolean findCertificate(String tokenname, String nickname) throws NotInitializedException, - TokenException, IOException { - IConfigStore cs = CMS.getConfigStore(); - CryptoManager cm = CryptoManager.getInstance(); - - String fullnickname = nickname; - boolean hardware = false; - if (!CryptoUtil.isInternalToken(tokenname)) { - hardware = true; - fullnickname = tokenname + ":" + nickname; - } - - X509Certificate cert = null; - try { - cert = cm.findCertByNickname(fullnickname); - } catch (ObjectNotFoundException e) { - return false; - } - - if (cert == null) - return false; - try { - @SuppressWarnings("unused") - boolean done = cs.getBoolean("preop.CertRequestPanel.done"); // check for errors - } catch (Exception e) { - if (hardware) { - CMS.debug("ConfigurationUtils: findCertificate: The certificate with the same nickname: " - + fullnickname + " has been found on HSM. Please remove it before proceeding."); - throw new IOException("The certificate with the same nickname: " - + fullnickname + " has been found on HSM. 
Please remove it before proceeding.", e); - } - } - return true; - } - - public static boolean findBootstrapServerCert() throws EBaseException, NotInitializedException, TokenException { - IConfigStore cs = CMS.getConfigStore(); - - String nickname = cs.getString("preop.cert.sslserver.nickname"); - - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate cert; - try { - cert = cm.findCertByNickname(nickname); - } catch (ObjectNotFoundException e) { - return false; - } - Principal issuerDN = cert.getIssuerDN(); - Principal subjectDN = cert.getSubjectDN(); - if (issuerDN.equals(subjectDN)) - return true; - - return false; - } - - public static void deleteBootstrapServerCert() throws EBaseException, NotInitializedException, - NoSuchTokenException, TokenException { - IConfigStore cs = CMS.getConfigStore(); - String nickname = cs.getString("preop.cert.sslserver.nickname"); - deleteCert(CryptoUtil.INTERNAL_TOKEN_FULL_NAME, nickname); - } - - public static void deleteCert(String tokenname, String nickname) throws NotInitializedException, - NoSuchTokenException, TokenException { - - CryptoManager cm = CryptoManager.getInstance(); - CryptoToken tok = CryptoUtil.getKeyStorageToken(tokenname); - CryptoStore store = tok.getCryptoStore(); - String fullnickname = nickname; - if (!CryptoUtil.isInternalToken(tokenname)) - fullnickname = tokenname + ":" + nickname; - - CMS.debug("deleteCert: nickname=" + fullnickname); - X509Certificate cert; - try { - cert = cm.findCertByNickname(fullnickname); - } catch (ObjectNotFoundException e) { - CMS.debug("deleteCert: cert not found"); - return; - } - - if (store instanceof PK11Store) { - PK11Store pk11store = (PK11Store) store; - try { - pk11store.deleteCertOnly(cert); - } catch (NoSuchItemOnTokenException e) { - } - CMS.debug("deleteCert: cert deleted successfully"); - } - } - public static void backupKeys(String pwd, String fname) throws Exception { CMS.debug("backupKeys(): start"); 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index ded237b8d..63c9b82d2 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java @@ -494,7 +494,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { /////////////////////////////////////////////// String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); if (tmpCertSerialS != null) { - // unlikely to happenm, but do this just in case + // unlikely to happen, but do this just in case CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS); CMS.debug("ProfileSubmitCMCServlet: null it out"); ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index afbb24a78..f726db6f1 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -21,7 +21,6 @@ import java.math.BigInteger; import java.net.MalformedURLException; import java.net.URL; import java.security.KeyPair; -import java.security.NoSuchAlgorithmException; import java.security.PublicKey; import java.util.ArrayList; import java.util.Arrays; 
@@ -179,10 +178,10 @@ public class SystemConfigService extends PKIService implements SystemConfigResou for (Cert cert : certs) { try { - CMS.debug("Processing '" + cert.getCertTag() + "' certificate:"); - ConfigurationUtils.handleCerts(cert); + CMS.debug("=== Handling " + cert.getCertTag() + " cert ==="); + ConfigurationUtils.handleCert(cert); ConfigurationUtils.setCertPermissions(cert.getCertTag()); - CMS.debug("Processed '" + cert.getCertTag() + "' certificate."); + } catch (Exception e) { CMS.debug(e); throw new PKIException("Error in configuring system certificates: " + e, e); 
@@ -290,118 +289,118 @@ public class SystemConfigService extends PKIService implements SystemConfigResou return certList; } - public void processCerts(ConfigurationRequest request, String token, Collection<String> certList, - Collection<Cert> certs, MutableBoolean hasSigningCert) { + public void processCerts( + ConfigurationRequest request, + String token, + Collection<String> certList, + Collection<Cert> certs, + MutableBoolean hasSigningCert) throws Exception { - try { - boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false"); - boolean generateSubsystemCert = request.getGenerateSubsystemCert(); + boolean generateServerCert = !request.getGenerateServerCert().equalsIgnoreCase("false"); + boolean generateSubsystemCert = request.getGenerateSubsystemCert(); - hasSigningCert.setValue(false); + hasSigningCert.setValue(false); - for (String tag : certList) { - boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true); - if (!enable) continue; + for (String tag : certList) { - SystemCertData certData = null; + CMS.debug("=== Processing " + tag + " cert ==="); - for (SystemCertData systemCert : request.getSystemCerts()) { - if (systemCert.getTag().equals(tag)) { - certData = systemCert; - break; - } - } + boolean enable = cs.getBoolean("preop.cert." + tag + ".enable", true); + if (!enable) continue; - if (certData == null) { - CMS.debug("No data for '" + tag + "' was found!"); - throw new BadRequestException("No data for '" + tag + "' was found!"); + SystemCertData certData = null; + + for (SystemCertData systemCert : request.getSystemCerts()) { + if (systemCert.getTag().equals(tag)) { + certData = systemCert; + break; } + } - String tokenName = certData.getToken() != null ? 
certData.getToken() : token; - if (request.getStandAlone() && request.getStepTwo()) { - // Stand-alone PKI (Step 2) - if (tag.equals("external_signing")) { + if (certData == null) { + CMS.debug("No data for '" + tag + "' was found!"); + throw new BadRequestException("No data for '" + tag + "' was found!"); + } - String b64 = certData.getCert(); - if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { - hasSigningCert.setValue(true); + String tokenName = certData.getToken() != null ? certData.getToken() : token; + if (request.getStandAlone() && request.getStepTwo()) { + // Stand-alone PKI (Step 2) + if (tag.equals("external_signing")) { - if (request.getIssuingCA().equals("External CA")) { - String nickname = certData.getNickname() != null ? certData.getNickname() : "caSigningCert External CA"; - Cert cert = new Cert(tokenName, nickname, tag); - ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert); + String b64 = certData.getCert(); + if (b64 != null && b64.length() > 0 && !b64.startsWith("...")) { + hasSigningCert.setValue(true); - CMS.debug("Step 2: certStr for '" + tag + "' is " + b64); - String certChainStr = certData.getCertChain(); + if (request.getIssuingCA().equals("External CA")) { + String nickname = certData.getNickname() != null ? 
certData.getNickname() : "caSigningCert External CA"; + Cert cert = new Cert(tokenName, nickname, tag); + ConfigurationUtils.setExternalCACert(b64, csSubsystem, cs, cert); - if (certChainStr != null) { - ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert); - CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr); - certs.add(cert); + CMS.debug("Step 2: certStr for '" + tag + "' is " + b64); + String certChainStr = certData.getCertChain(); - } else { - throw new BadRequestException("CertChain not provided"); - } - } + if (certChainStr != null) { + ConfigurationUtils.setExternalCACertChain(certChainStr, csSubsystem, cs, cert); + CMS.debug("Step 2: certChainStr for '" + tag + "' is " + certChainStr); + certs.add(cert); - continue; + } else { + throw new BadRequestException("CertChain not provided"); + } } - } - } - if (!generateServerCert && tag.equals("sslserver")) { - updateConfiguration(request, certData, "sslserver"); - continue; + continue; + } } + } - if (!generateSubsystemCert && tag.equals("subsystem")) { - // update the details for the shared subsystem cert here. - updateConfiguration(request, certData, "subsystem"); + if (!generateServerCert && tag.equals("sslserver")) { + updateConfiguration(request, certData, "sslserver"); + continue; + } - // get parameters needed for cloning - updateCloneConfiguration(certData, "subsystem", tokenName); - continue; - } + if (!generateSubsystemCert && tag.equals("subsystem")) { + // update the details for the shared subsystem cert here. 
+ updateConfiguration(request, certData, "subsystem"); - processCert( - request, - token, - certList, - certs, - hasSigningCert, - certData, - tokenName); + // get parameters needed for cloning + updateCloneConfiguration(certData, "subsystem", tokenName); + continue; } - // make sure to commit changes here for step 1 - cs.commit(false); + processKeyPair( + request, + token, + certData); - } catch (NumberFormatException e) { - // move these validations to validate()? - throw new BadRequestException("Non-integer value for key size"); + Cert cert = processCert( + request, + hasSigningCert, + certData, + tokenName); - } catch (NoSuchAlgorithmException e) { - throw new BadRequestException("Invalid algorithm " + e); + certs.add(cert); + } - } catch (PKIException e) { - throw e; + // make sure to commit changes here for step 1 + cs.commit(false); - } catch (Exception e) { - CMS.debug(e); - throw new PKIException("Error in setting certificate names and key sizes: " + e); + ConfigurationUtils.updateServerCertNickConf(); + + if (request.isClone()) { + ConfigurationUtils.updateCloneConfig(); } } - public void processCert( + public void processKeyPair( ConfigurationRequest request, String token, - Collection<String> certList, - Collection<Cert> certs, - MutableBoolean hasSigningCert, - SystemCertData certData, - String tokenName) throws Exception { + SystemCertData certData + ) throws Exception { String tag = certData.getTag(); + CMS.debug("SystemConfigService.processKeyPair(" + tag + ")"); + String keytype = certData.getKeyType() != null ? certData.getKeyType() : "rsa"; String keyalgorithm = certData.getKeyAlgorithm(); 
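Review bot: The rewritten processCerts drops the `catch (NumberFormatException e)` that mapped a non-integer key size to `BadRequestException("Non-integer value for key size")`, while `Integer.parseInt(keysize)` still runs in processKeyPair (next hunk), so a malformed keySize in the request now escapes as a bare NumberFormatException via `throws Exception` rather than as a client error; the NoSuchAlgorithmException mapping to "Invalid algorithm" is lost the same way. Unless a caller outside this view re-maps these, a request-validation problem is reported as a generic server error. Either restore the two catches around the loop or validate at the parse site, e.g. `int size; try { size = Integer.parseInt(keysize); } catch (NumberFormatException e) { throw new BadRequestException("Non-integer value for key size: " + keysize); }`. processKeyPair's body continues past the end of this hunk.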
@@ -410,47 +409,69 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } String signingalgorithm = certData.getSigningAlgorithm() != null ? certData.getSigningAlgorithm() : keyalgorithm; - String nickname = cs.getString("preop.cert." + tag + ".nickname"); - String dn = cs.getString("preop.cert." + tag + ".dn"); cs.putString("preop.cert." + tag + ".keytype", keytype); cs.putString("preop.cert." + tag + ".keyalgorithm", keyalgorithm); cs.putString("preop.cert." + tag + ".signingalgorithm", signingalgorithm); // support injecting SAN into server cert - if ( tag.equals("sslserver") && certData.getServerCertSAN() != null) { - CMS.debug("updateConfiguration(): san_server_cert found"); + if (tag.equals("sslserver") && certData.getServerCertSAN() != null) { + CMS.debug("SystemConfigService: san_server_cert found"); cs.putString("service.injectSAN", "true"); cs.putString("service.sslserver.san", certData.getServerCertSAN()); + } else { - if ( tag.equals("sslserver")) - CMS.debug("SystemConfigService:processCerts(): san_server_cert not found for tag sslserver"); + if (tag.equals("sslserver")) { + CMS.debug("SystemConfigService: san_server_cert not found"); + } } cs.commit(false); if (request.isExternal() && tag.equals("signing")) { // external/existing CA - // load key pair for existing and externally-signed signing cert - CMS.debug("SystemConfigService: loading signing cert key pair"); + + CMS.debug("SystemConfigService: loading existing key pair from NSS database"); KeyPair pair = ConfigurationUtils.loadKeyPair(certData.getNickname(), certData.getToken()); + + CMS.debug("SystemConfigService: storing key pair into CS.cfg"); ConfigurationUtils.storeKeyPair(cs, tag, pair); } else if (!request.getStepTwo()) { + + CMS.debug("SystemConfigService: generating key pair"); + + KeyPair pair; if (keytype.equals("ecc")) { String curvename = certData.getKeySize() != null ? 
certData.getKeySize() : cs.getString("keys.ecc.curve.default"); cs.putString("preop.cert." + tag + ".curvename.name", curvename); - ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); + pair = ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); } else { String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default"); cs.putString("preop.cert." + tag + ".keysize.size", keysize); - ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); + pair = ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); } + CMS.debug("SystemConfigService: storing key pair into CS.cfg"); + ConfigurationUtils.storeKeyPair(cs, tag, pair); + } else { - CMS.debug("configure(): step two selected. keys will not be generated for '" + tag + "'"); + CMS.debug("SystemConfigService: key pair already generated in step one"); } + } + + public Cert processCert( + ConfigurationRequest request, + MutableBoolean hasSigningCert, + SystemCertData certData, + String tokenName) throws Exception { + + String tag = certData.getTag(); + CMS.debug("SystemConfigService.processCert(" + tag + ")"); + + String nickname = cs.getString("preop.cert." + tag + ".nickname"); + String dn = cs.getString("preop.cert." + tag + ".dn"); Cert cert = new Cert(tokenName, nickname, tag); cert.setDN(dn); 
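Review bot: The new `ConfigurationUtils.storeKeyPair(cs, tag, pair)` call after key generation, together with the log line `storing key pair into CS.cfg`, reads as if private key material is written into the configuration file; what storeKeyPair actually persists is not visible in this diff. If it records only the public key and a key identifier (the private key staying in the token), say so at the call, `// persists the public key and key id only; the private key stays in the NSS token`, and word the log the same way; if it does write private key bytes into CS.cfg, that is a secret in a plaintext config file and needs its own review. processKeyPair's signature is in the previous hunk and processCert's body continues past this one.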
@@ -462,13 +483,26 @@ public class SystemConfigService extends PKIService implements SystemConfigResou // update configuration for existing or externally-signed signing certificate String certStr = cs.getString("ca." + tag + ".cert" ); cert.setCert(certStr); - CMS.debug("SystemConfigService: certificate " + tag + ": " + certStr); + + CMS.debug("SystemConfigService: cert: " + certStr); ConfigurationUtils.updateConfig(cs, tag); - } else if (!request.getStepTwo()) { + CMS.debug("SystemConfigService: Loading cert request from CS.cfg"); + ConfigurationUtils.loadCertRequest(cs, tag, cert); + + CMS.debug("SystemConfigService: Loading cert " + tag); + ConfigurationUtils.loadCert(cs, cert); + + CMS.debug("SystemConfigService: External CA has signing cert"); + hasSigningCert.setValue(true); + return cert; + } + + if (!request.getStepTwo()) { ConfigurationUtils.configCert(null, null, null, cert); } else { + String subsystem = cs.getString("preop.cert." + tag + ".subsystem"); String certStr; 
@@ -484,24 +518,16 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } cert.setCert(certStr); - CMS.debug("Step 2: certStr for '" + tag + "' is " + certStr); + CMS.debug("SystemConfigService: cert: " + certStr); } - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - - CMS.debug("SystemConfigService: Loading cert request for " + tag + " cert"); - ConfigurationUtils.loadCertRequest(cs, tag, cert); - - CMS.debug("SystemConfigService: Loading cert " + tag); - ConfigurationUtils.loadCert(cs, cert); - - } else if (request.getStandAlone()) { + if (request.getStandAlone()) { // Handle Cert Requests for everything EXCEPT Stand-alone PKI (Step 2) if (!request.getStepTwo()) { // Stand-alone PKI (Step 1) ConfigurationUtils.generateCertRequest(cs, tag, cert); - CMS.debug("Stand-alone " + csType + " Admin CSR"); + CMS.debug("SystemConfigService: Standalone " + csType + " Admin CSR"); String adminSubjectDN = request.getAdminSubjectDN(); String certreqStr = request.getAdminCertRequest(); certreqStr = CryptoUtil.normalizeCertAndReq(certreqStr); @@ -515,17 +541,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou ConfigurationUtils.generateCertRequest(cs, tag, cert); } - if (request.isClone()) { - ConfigurationUtils.updateCloneConfig(); - } - - if (request.isExternal() && tag.equals("signing")) { // external/existing CA - CMS.debug("SystemConfigService: External CA has signing cert"); - hasSigningCert.setValue(true); - certs.add(cert); - return; - } - // to determine if we have the signing cert when using an external ca // this will only execute on a ca or stand-alone pki String b64 = certData.getCert(); @@ -545,7 +560,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } } - certs.add(cert); + return cert; } private void updateCloneConfiguration(SystemCertData cdata, String tag, String tokenName) throws NotInitializedException, 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java index 50c07af25..4950cf775 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java @@ -405,7 +405,9 @@ public class DBSubsystem implements IDBSubsystem { String dn = h.get(PROP_BASEDN) + "," + mBaseDN; String rangeDN = h.get(PROP_RANGE_DN) + "," + mBaseDN; + CMS.debug("DBSubsystem: retrieving " + dn); LDAPEntry entry = conn.read(dn); + LDAPAttribute attr = entry.getAttribute(PROP_NEXT_RANGE); if (attr == null) { throw new Exception("Missing Attribute" + PROP_NEXT_RANGE + "in Entry " + dn); @@ -414,12 +416,17 @@ public class DBSubsystem implements IDBSubsystem { BigInteger nextRangeNo = new BigInteger(nextRange); BigInteger incrementNo = new BigInteger(h.get(PROP_INCREMENT)); + String newNextRange = nextRangeNo.add(incrementNo).toString(); + // To make sure attrNextRange always increments, first delete the current value and then // increment. Two operations in the same transaction - LDAPAttribute attrNextRange = new LDAPAttribute(PROP_NEXT_RANGE, nextRangeNo.add(incrementNo).toString()); + LDAPAttribute attrNextRange = new LDAPAttribute(PROP_NEXT_RANGE, newNextRange); LDAPModification[] mods = { new LDAPModification(LDAPModification.DELETE, attr), new LDAPModification(LDAPModification.ADD, attrNextRange) }; + + CMS.debug("DBSubsystem: updating " + PROP_NEXT_RANGE + " from " + nextRange + " to " + newNextRange); + conn.modify(dn, mods); // Add new range object 
@@ -434,13 +441,18 @@ public class DBSubsystem implements IDBSubsystem { attrs.add(new LDAPAttribute("securePort", CMS.getEESSLPort())); String dn2 = "cn=" + nextRange + "," + rangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn2, attrs); + + CMS.debug("DBSubsystem: adding new range object: " + dn2); + conn.add(rangeEntry); + CMS.debug("DBSubsystem: getNextRange Next range has been added: " + nextRange + " - " + endRange); + } catch (Exception e) { - CMS.debug("DBSubsystem: getNextRange. Unable to provide next range :" + e); - e.printStackTrace(); + CMS.debug(e); nextRange = null; + } finally { try { if ((conn != null) && (mLdapConnFactory != null)) { @@ -451,6 +463,7 @@ public class DBSubsystem implements IDBSubsystem { CMS.debug("Error releasing the ldap connection" + e.toString()); } } + return nextRange; } diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRepository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRepository.java index 88028d798..49b530223 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRepository.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRepository.java @@ -194,7 +194,7 @@ public class KeyRepository extends Repository implements IKeyRepository { CMS.debug("request checkRanges done"); } catch (Exception e) { - CMS.debug("key checkRanges done: " + e.toString()); + CMS.debug(e); } } diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java index 371f8f641..afe901361 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java +++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java 
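Review bot: The catch in getNextRange now logs only `CMS.debug(e)` and returns null, losing the "Unable to provide next range" context that tied the trace to range allocation; since `conn.modify(dn, mods)` in the previous hunk has already advanced the counter by the time `conn.add(rangeEntry)` can fail here, a null return means that increment is consumed with no range object recorded, and the log should say so. Keep a context line before the trace, `CMS.debug("DBSubsystem: unable to provide next range for " + dn + ": " + e);` (dn is assigned at the top of the method, outside this hunk), then `CMS.debug(e);`. The KeyRepository hunk on the same line makes the same swap (`CMS.debug(e)` replacing "key checkRanges done: ..."), and the same context line is worth keeping there. getNextRange starts outside this hunk.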
@@ -448,11 +448,11 @@ public abstract class Repository implements IRepository { */ public void checkRanges() throws EBaseException { if (!mDB.getEnableSerialMgmt()) { - CMS.debug("Serial Management not enabled. Returning .. "); + CMS.debug("Repository: Serial Management not enabled. Returning .. "); return; } if (CMS.getEESSLPort() == null) { - CMS.debug("Server not completely started. Returning .."); + CMS.debug("Repository: Server not completely started. Returning .."); return; } 
@@ -466,27 +466,34 @@ public abstract class Repository implements IRepository { } else { numsInRange = mMaxSerialNo.subtract(mLastSerialNo); } + + CMS.debug("Repository: Serial numbers left in range: " + numsInRange); + CMS.debug("Repository: Last serial number: " + mLastSerialNo); + BigInteger numsInNextRange = null; BigInteger numsAvail = null; - CMS.debug("Serial numbers left in range: " + numsInRange.toString()); - CMS.debug("Last Serial Number: " + mLastSerialNo.toString()); + if ((mNextMaxSerialNo != null) && (mNextMinSerialNo != null)) { numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo).add(BigInteger.ONE); numsAvail = numsInRange.add(numsInNextRange); - CMS.debug("Serial Numbers in next range: " + numsInNextRange.toString()); - CMS.debug("Serial Numbers available: " + numsAvail.toString()); + CMS.debug("Repository: Serial numbers in next range: " + numsInNextRange.toString()); } else { numsAvail = numsInRange; - CMS.debug("Serial Numbers available: " + numsAvail.toString()); } + CMS.debug("Repository: Serial numbers available: " + numsAvail); + CMS.debug("Repository: Low water mark: " + mLowWaterMarkNo); + if ((numsAvail.compareTo(mLowWaterMarkNo) < 0) && (!CMS.isPreOpMode())) { - CMS.debug("Low water mark reached. 
Requesting next range"); - mNextMinSerialNo = new BigInteger(mDB.getNextRange(mRepo), mRadix); + CMS.debug("Repository: Requesting next range"); + String nextRange = mDB.getNextRange(mRepo); + CMS.debug("Repository: next range: " + nextRange); + + mNextMinSerialNo = new BigInteger(nextRange, mRadix); if (mNextMinSerialNo == null) { - CMS.debug("Next Range not available"); + CMS.debug("Repository: Next range not available"); } else { - CMS.debug("nNextMinSerialNo has been set to " + mNextMinSerialNo.toString(mRadix)); + CMS.debug("Repository: Next min serial number: " + mNextMinSerialNo.toString(mRadix)); mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo).subtract(BigInteger.ONE); numsAvail = numsAvail.add(mIncrementNo); mDB.setNextMinSerialConfig(mRepo, mNextMinSerialNo.toString(mRadix)); diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java index eca8dddb6..6da8d950d 100644 --- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java @@ -121,6 +121,7 @@ import netscape.security.pkcs.PKCS10Attribute; import netscape.security.pkcs.PKCS10Attributes; import netscape.security.pkcs.PKCS7; import netscape.security.pkcs.PKCS9Attribute; +import netscape.security.pkcs.ParsingException; import netscape.security.util.BigInt; import netscape.security.util.DerInputStream; import netscape.security.util.DerOutputStream; 
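Review bot: `mNextMinSerialNo = new BigInteger(nextRange, mRadix);` runs before the `if (mNextMinSerialNo == null)` test, and getNextRange (DBSubsystem hunks above) returns null when allocation fails, so the "Next range not available" path is unreachable: a failed allocation throws NullPointerException out of the BigInteger constructor instead of logging and leaving the current range untouched, and in KeyRepository that is only masked by its catch-all. Test the string the new local exposes instead, `if (nextRange == null) { CMS.debug("Repository: Next range not available"); } else { mNextMinSerialNo = new BigInteger(nextRange, mRadix); ... }`, and drop the constructor call above the if. checkRanges continues past the end of the hunk.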
@@ -1217,51 +1218,42 @@ public class CryptoUtil { return val.toString(); } - public static void importCertificateChain(String certchain) + public static void importCertificateChain(byte[] bytes) throws IOException, CryptoManager.NotInitializedException, TokenException, CertificateEncodingException, CertificateException { - byte[] blah = base64Decode(certchain); + CryptoManager manager = CryptoManager.getInstance(); - PKCS7 pkcs7 = null; + + X509Certificate cert = null; + try { // try PKCS7 first - pkcs7 = new PKCS7(blah); - } catch (Exception e) { - } - X509Certificate cert = null; - if (pkcs7 == null) { - cert = manager.importCACertPackage(blah); - } else { - java.security.cert.X509Certificate certsInP7[] = - pkcs7.getCertificates(); - if (certsInP7 == null) { - cert = manager.importCACertPackage(blah); - } else { - for (int i = 0; i < certsInP7.length; i++) { - // import P7 one by one - cert = manager.importCACertPackage(certsInP7[i].getEncoded()); + PKCS7 pkcs7 = new PKCS7(bytes); + + java.security.cert.X509Certificate[] certs = pkcs7.getCertificates(); + + if (certs != null) { + // import PKCS7 certs one by one + for (int i = 0; i < certs.length; i++) { + cert = manager.importCACertPackage(certs[i].getEncoded()); } } + + } catch (ParsingException e) { + // not PKCS7 } - X509Certificate[] certchains = - CryptoManager.getInstance().buildCertificateChain(cert); - if (certchains != null) { - cert = certchains[certchains.length - 1]; + if (cert == null) { + cert = manager.importCACertPackage(bytes); } - // set trust flags to CT,C,C - InternalCertificate icert = (InternalCertificate) cert; - icert.setSSLTrust(InternalCertificate.TRUSTED_CA - | InternalCertificate.TRUSTED_CLIENT_CA - | InternalCertificate.VALID_CA); - icert.setEmailTrust(InternalCertificate.TRUSTED_CA - | InternalCertificate.VALID_CA); - icert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA - | InternalCertificate.VALID_CA); + X509Certificate[] certs = manager.buildCertificateChain(cert); + 
X509Certificate rootCert = certs[certs.length - 1]; + + trustRootCert(rootCert); } public static SEQUENCE parseCRMFMsgs(byte cert_request[]) @@ -1820,6 +1812,22 @@ public class CryptoUtil { cert.setEmailTrust(flag); } + public static void trustRootCert(X509Certificate rootCert) { + + // set trust flags to CT,C,C + InternalCertificate cert = (InternalCertificate) rootCert; + + cert.setSSLTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.TRUSTED_CLIENT_CA + | InternalCertificate.VALID_CA); + + cert.setEmailTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); + + cert.setObjectSigningTrust(InternalCertificate.TRUSTED_CA + | InternalCertificate.VALID_CA); + } + /** * To certificate server point of view, SSL trust is * what we referring. @@ -2064,25 +2072,24 @@ public class CryptoUtil { TokenException, CryptoManager.NicknameConflictException, CryptoManager.UserCertConflictException { - CryptoManager cm = CryptoManager.getInstance(); - cm.importUserCACertPackage(cert.getEncoded(), nickname); - trustCertByNickname(nickname); + importUserCertificate(cert, nickname, true); } - public static void importUserCertificate(X509CertImpl cert, String nickname, - boolean trust) + public static void importUserCertificate(X509CertImpl cert, String nickname, boolean trust) throws CryptoManager.NotInitializedException, CertificateEncodingException, NoSuchItemOnTokenException, TokenException, CryptoManager.NicknameConflictException, CryptoManager.UserCertConflictException { - CryptoManager cm = CryptoManager.getInstance(); + CryptoManager cm = CryptoManager.getInstance(); cm.importUserCACertPackage(cert.getEncoded(), nickname); - if (trust) + + if (trust) { trustCertByNickname(nickname); + } } public static java.security.cert.X509Certificate[] getX509CertificateFromPKCS7(byte[] b) throws IOException { |
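Review bot: The null guard the old code had on buildCertificateChain (`if (certchains != null)`) is gone: `X509Certificate rootCert = certs[certs.length - 1];` dereferences the result directly, so a chain that cannot be built becomes a NullPointerException (or an ArrayIndexOutOfBoundsException for an empty array) from a method that only declares the NSS and certificate exceptions. Because trustRootCert then marks whatever sits at the end of that chain as a trusted CA for SSL, email and object signing, the failure case should be explicit, e.g. `if (certs == null || certs.length == 0) { throw new CertificateException("Unable to build certificate chain for " + cert.getNickname()); }` before taking the last element (CertificateException is already in the throws clause; drop the nickname if X509Certificate does not expose one). A comment on the `catch (ParsingException e)` saying that a PKCS#7 with no certificates also falls through to `importCACertPackage(bytes)` would save the next reader the trace.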
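Review bot: trustRootCert has no Javadoc although it is the call that turns its argument into a trust anchor: it sets CT,C,C on the certificate (trusted CA and client CA for SSL, trusted CA for email and object signing), and the cast to InternalCertificate throws ClassCastException for any other X509Certificate implementation. Add a Javadoc stating that it marks `rootCert` as a trusted CA for SSL, email and object signing in the NSS database, that callers must pass only a certificate they have verified to be the intended root, and `@throws ClassCastException if the certificate is not an InternalCertificate`.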