| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the ECC plan and the different phases, please refer to
http://pki.fedoraproject.org/wiki/ECC_in_Dogtag
Design for each phase is on the same wiki page.
Note: the designs beyond phase 2 were more like a brain dump. Although I said
"Do Not Review," you are free to take a peak at what's intended down the road.
I will go back and take a closer look and refine/adjust the designs when I
begin implementation for each new phase.
What you need to know:
* Problem 1 - nethsm issue:
On the server side, if you turn on FIPS mode, in addition to nethsm, you need
to attach certicom as well to have ECC SSL working on the server side. This
problem has already been reported to Thales last year and they said they'd look
into putting the item on their next release. Recently through a different
contact, we learned there might be a way to "turn it on" (still waiting for
their further instruction)
* Problem 2- Certicom issue:
This is a show-stopper for deployment. Initially, on the client side, I used Kai's special
version of Xulrunner/Firefox, attached to Certicom token, so that the CRMF
requests can be generated with key archival option. However, I encountered
(or, re-encountered) an issue with certicom token. Certicom generates ECC keys
with the wrong format (not PKCS7 conforming), which makes ECC key archival
impossible on the server side if you use non-certicom token with DRM (but we
expect an HSM in most product deployment). I have contacted Certicom for this
issue, and they confirmed that they indeed have such issue. We are hoping they will fix it.
But then you might ask, "I thought I saw some ECC enrollment
profiles/javascripts being checked in? How were the tests done?" The tests for
those profiles were done against this ECC key archival/recovery DRM prototype I
implemented last year (needs to be turned on manually in 8.1), where I
"cheated" (yeah, that's why it's called a prototype) by decrypting the private
key in the CRMF on DRM, and then manipulating the byte array to strip off the
offending bytes before archival.
In the real, non-prototype implementation, which is what's in this patch, for
security reasons, private keys are unwrapped directly onto the token during key
archival, so there is no way to manipulate the keys in memory and bypass the
Certicom issue.
A word about Kai's special version of Xulrunner/Firefox. It is not yet
publicly available (due out in Firefox 10.0.4 on RHEL 5.8).
* Problem 3- Firefox with nethsm issue:
Another option was to connect Kai's special version firefox with an HSM to test
my DRM/JSS code. However, for whatever reason, I could not get SSL going
between such Firefox and ECC CA ( I did not try very hard though, as I have one
other option -- writing my own ECC CRMF generation tool. I might come back to
try the nethsm Firefox idea later)
My solution (how I work on this official implementation):
* I hacked up a ECC CRMF tool by taking the CRMFPopClient (existing in current
releases), gutting out the RSA part of the code, and replacing it with ECC
code. I call it CRMFPopClientEC. Two types of ECC key pairs could be
generated: ECDSA or ECDH (That's another benefit of writing my own tool -- I
don't know if you can select which type to generate in the Javascript... maybe
you can, I just don't know). I'm in no way condoning archival of signing
keys!! This is just a test tool.
This tool takes a curve name as option (along with others), generates an ECC
key pair, crafts up an CRMF request with key archival option, and sends request
directly to the specified CA. You will see a "Deferred" message in the HTML
response (see attachment for example)
Once CA agent approves the request, the archival request goes to DRM and the
user private key is archived.
For recovery, DRM agent selects key recovery, etc, and you get your pkcs12.
I did some sanity test with the pkcs12 recovered:
* Import the recovered pkcs12 into a certicom library:
pk12util -d . -h "Certicom FIPS Cert/Key Services" -i userEC.p12
I also tested by retrieving a p12, importing it into a browser, and adding the
user as an agent and the user could act as agent via ssl client auth to the CA.
Finally, much of the RSA-centric code had been cleared out of the way at the
time when I worked on the DRM ECC prototype, so you don't see much of that in
this round.
How do you test? Well, unless you want to use my CRMFPopClientEC tool hooked up
with a nethsm (like I did), or write your own tool, you can't really test it
until Certicom fixes their issue. (BTW CRMFPopClientEC can also be changed to
work with ceriticom, although you would run into the same issue I mentioned
above)
|
|
|
|
|
|
|
| |
The deprecated ApacheHttpClientExecutor class has been replaced with
ApacheHttpClient4Executor.
Ticket #3
|
|
|
|
|
|
|
|
|
|
| |
The CMSException was added to simplify error handling in REST services.
The exception may include an error message and some other attributes.
When the server throws a CMSException (or its subclass), the exception
will be marshalled into XML and unmarshalled by the client, then thrown
again as a new exception which can be caught by the application.
Ticket #100
|
|
|
|
|
|
|
| |
The deprecated fromRaw() method in PK11PubKey has been replaced
with fromSPKI().
Ticket #3
|
|
|
|
|
|
|
| |
The deprecated RevRequest constructor has been replaced with
another constructor with null invalidity date.
Ticket #3
|
|
|
|
|
|
|
| |
The deprecated authenticate() method in LDAPConnection has been
replaced with another authenticate() method with different signature.
Ticket #3
|
|
|
|
|
|
|
|
|
| |
Previously the code depends on the old RESTEasy libraries provided by
Candlepin package. Now the Eclipse classpath, build/setup scripts, and
the spec file have been updated to use the libraries provided by the
new RESTEasy package.
Ticket #29
|
|
|
|
|
|
|
| |
The deprecated getAlgorithmId() method in AlgorithmId has been replaced
with get().
Ticket #3
|
|
|
|
|
|
|
| |
The deprecated createScrollPaneForTable() method in JTable() has been
replaced with JScrollPane() constructor.
Ticket #3
|
|
|
|
|
|
| |
The deprecated show() method in Dialog has been replaced with setVisible().
Ticket #3
|
|
|
|
|
|
|
| |
The deprecated getText() method in JPasswordField has been replaced
with getPassword().
Ticket #3
|
|
|
|
|
|
|
| |
The deprecated readLine() method in DataInputStream has been replaced
by the same method in BufferedReader.
Ticket #3
|
|
|
|
|
|
|
|
| |
The deprecated XMLSerializer has been replaced with LSSerializer.
The new API does not provide a way to control the indentation or
line width.
Ticket #3
|
|
|
|
|
|
|
|
|
|
| |
The build scripts have been modified to provide an option to build
without Javadoc to speed up development builds. The option can be
used as follows:
compose_pki_core_packages --without-javadoc hybrid_rpms
Ticket #111
|
|
|
|
|
|
|
|
|
| |
Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.
Ticket #131
|
|
|
|
|
|
|
|
|
| |
Many of the policy deprecation warnings come from classes that probably ought to
be deprecated as part of the deprecated policy framework as well. Making these
as deprecated removes the deprecation warnings - and we can really see where
we make sure of deprecated policy code elsewhere.
Also removed some URLEncoder, Decoder deprecations
|
|
|
|
|
|
| |
This patch brings down the warnings from 1943 to 1221.
Ticket #103
|
|
|
|
|
|
|
|
|
| |
Removed -clone_start_tls option and subsumed it into -replicationSecurity.
Refactored DatabasePanel parameter verification code to allow it to be
used in both update() and validate(). Added new parameters to pkisilent
and databasepanel.vm.
Also fixed cloning error when master uses localhost.
|
|
|
|
| |
Removed some obsolete files.
|
|
|
|
|
|
|
|
| |
The SystemIdentity and SystemSigner classes have been removed
because they are based on deprecated classes and are not used
anywhere in the code.
Ticket #3
|
|
|
|
|
|
|
|
| |
The deprecated Date(year, month, date) constructor has been replaced
with Calendar API. There are similar Date constructors in JavaScript
but those are not deprecated and should not be replaced.
Ticket #3
|
|
|
|
|
|
|
|
|
|
| |
Tomcat6 has changed the changed the location of the TOMCAT_LOG, and
it should no longer point to catalina.out. This initially caused
dogtag to break because the code to chown TOMCAT_LOG to TOMCAT_USER
was removed. Added code to spec file to fix existing instances.
Also fixed error in spec file. Incorrect selinux patch was being
applied for f17.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The REST interface was vulnerable to injection attack. This has
been fixed by escaping the special characters in parameter values
before using them in the search filter.
Ticket #96
|
| |
|
|
|
|
|
|
|
|
| |
This patch fixes incorrect implementation of getElement() in
some subclasses of IAttrSet. The method is supposed return the
attribute names as an enumeration of strings.
Ticket #42
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Initial attempt at 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Updated top-level instance directory.
Streamlined parsing and enhanced logging.
Added "--dry_run" option.
Added umask and default permissions; sanitized use of '+' and '\'.
Aliased 'pkiconfig' as 'config'
Created a single master PKI dictionary from the sectional dictionaries
|
|
|
|
| |
ca_external variable
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provide a Realm that provides the following:
1. Allows SSL client certificate authentation upon protected URLs.
For now we are protecting the new DRM Rest functions.
2. Allows simple PKI ACL checking like we have in the current server.
This is accomplished with the help of a simple file that maps URLs
to ACL resourceIDs and operations.
3. DRMRestClient now support SSL Client authentication to test the feature.
How to test this:
Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See
the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml
In running DRMTest.java in eclipse do the following:
Change the arguments to support SSL Client auth such as:
-h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
where the new flags are -s = true for SSL and -c = <client auth cert name>
Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
Import this cert into ~/archive-test by using "pk12util" utility.
Run the DRMTest.java program in eclipse and observe the results. There should be a prompt
for a client cert.
|
|
|
|
|
|
|
|
|
| |
The NameValuePairs class has been modified to extend the Linked-
HashMap which preserves the order of elements as in the original
code. Some methods are renamed to match Java Map interface. The
NameValuePair class is no longer needed and has been removed.
Ticket #78
|
|
|
|
|
|
|
|
|
|
|
|
| |
The certificate status update and retrieving modifications tasks
have been modified to use the executor service. Unlike daemon
threads, the service will allow existing task to exit gracefully
before shutting down. An abandon operation is used terminate the
persistent search used for retrieving modifications. Some methods
have been moved to CertificateRepository class to simplify
synchronizations.
Ticket #73
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The JobsScheduler has been modified to stop all jobs on shutdown.
This is done by setting a flag in each job instead of stopping the
job thread abruptly. Long running jobs should check this flag
periodically and then exit gracefully. None of the existing jobs
need to do this since they do not run very long.
Other threads that run background services have been converted into
daemons such that they will terminate automatically when the JVM
exits.
Ticket #73
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mechanism for getting an ldap connection to the internaldb was incorrect,
both in the Security Domain Session Table and the DatabasePanel. As a result,
connections to the internaldb failed for accessing the security domain session
table and when trying to clone a master which connects to its database using
client auth.
The thread that handles reading the security domain session table is now only
instantiated when running on a configured security domain master.
Additionally, needed acls for the client auth certificate ldap user have been
moved to manager.ldif. This includes acls to allow creation and management of
replication agreements and replication users (now being created under
ou=csusers, cn=config)
Added logs to show when ldif import errors occur. Also made sure to write and
remove master ldap password for use in replication.
Ticket #5
|
|
|
|
| |
Bugzilla Bug #767800 - Firefox Launcher on Panel being modified for all users.
|
|
|
|
|
|
|
|
|
|
|
|
| |
'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'."
This reverts commit b5219f534cf0b60452346b31a84b9eddd881f614.
This patch was accidently committed to origin as part of a previous push.
Conflicts:
pki/specs/pki-core.spec
|
|
|
|
|
|
| |
Configuration wizard should provide option to issue ECC credentials for admin during ECC CA configuration.
Bug #784387.
|
| |
|
|
|
|
|
|
|
|
| |
The DRM REST interface previously uses strings for key ID and request ID.
It has been modified to use KeyId and RequestId classes which can accept
decimal or hex numbers and internally store it as BigInteger.
Ticket #94
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Corrected imports to work with site-packages.
Standardized log messages via encapsulation in a central file.
Updated top-level instance directory.
Streamlined parsing and enhanced logging.
Added "--dry_run" option.
Added umask and default permissions; sanitized use of '+' and '\'.
|
|
|
|
|
|
| |
RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented.
Bug #787806.
|
|
|
|
|
|
|
|
| |
The KeyDAO and KeyRequestDAO have been changed to remove hard-coded
paths and use annotation reflection to get the paths from the REST
interface definitions.
Ticket #95
|
|
|
|
|
|
|
| |
The OSUtil is no longer used by the code. It has been removed from
build scripts and tools.
Ticket #90
|
|
|
|
|
|
|
|
| |
Some subsystems could not be created using a shared port because it
would generate a web.xml with invalid nested comment. The web.xml
templates has been fixed to remove the nested comment.
Ticket #112
|
|
|
|
|
|
| |
Added platform-dependent patches for SELinux component
Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16)
Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17)
|
|
|
|
|
|
|
|
|
|
| |
The OS subsystem was previously used to get the PID and to handle
shutdown signals using the OSUtil. It has been removed because the
functionalities can be obtained without using native code. The PID
will now be read from an external PID file created by the wrapper
script. The shutdown signals will now be handled by shutdown hook.
Ticket #90
|
|
|
|
|
|
|
|
| |
The OSUtil's BtoA() and AtoB() have been replaced by Base64
codec from Apache Commons library. The codec is configured to
use 64-byte line width as defined in RFC 1421.
Ticket #90
|
|
|
|
|
|
|
|
| |
The OSUtil's BtoA() and AtoB() have been replaced with wrapper
methods in com.netscape.cmsutil.util.Utils to simplify transition
into Base64 codec from Apache Commons library.
Ticket #90
|
|
|
|
|
|
|
|
|
| |
The Utils classes in com.netscape.cms.publish.publishers
and com.netscape.cms.servlet.common packages have been renamed
to PublisherUtils and ServletUtils to avoid conflicts with
com.netscape.cmsutil.util.Utils.
Ticket #90
|