Commit message (Author, Age, Files, Lines)
...
* Refactored TPS TokenCLI.  (Endi S. Dewata, 2017-03-28, 6 files, -9/+23)
  The TPS TokenCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ProfileCLI.  (Endi S. Dewata, 2017-03-28, 6 files, -9/+22)
  The TPS ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ConfigCLI.  (Endi S. Dewata, 2017-03-28, 3 files, -5/+12)
  The TPS ConfigCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPSCertCLI.  (Endi S. Dewata, 2017-03-28, 3 files, -5/+12)
  The TPSCertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthenticatorCLI.  (Endi S. Dewata, 2017-03-28, 6 files, -9/+22)
  The AuthenticatorCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuditCLI.  (Endi S. Dewata, 2017-03-28, 3 files, -6/+13)
  The AuditCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored ActivityCLI.  (Endi S. Dewata, 2017-03-28, 3 files, -5/+12)
  The ActivityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Added audit logs for SSL/TLS events.  (Endi S. Dewata, 2017-03-28, 11 files, -11/+190)
  The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems has been modified to include ACCESS_SESSION_* audit events.
  https://pagure.io/dogtagpki/issue/2602
  Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Refactored TPSConnectorCLI for TKS.  (Endi S. Dewata, 2017-03-27, 6 files, -8/+21)
  The TPSConnectorCLI for TKS and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored SelfTestCLI.  (Endi S. Dewata, 2017-03-27, 4 files, -7/+16)
  The SelfTestCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileMappingCLI.  (Endi S. Dewata, 2017-03-27, 6 files, -9/+22)
  The CA ProfileMappingCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileCLI.  (Endi S. Dewata, 2017-03-27, 9 files, -18/+41)
  The CA ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored KRAConnectorCLI for CA.  (Endi S. Dewata, 2017-03-27, 4 files, -9/+19)
  The KRAConnectorCLI for CA and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored FeatureCLI.  (Endi S. Dewata, 2017-03-27, 3 files, -5/+14)
  The FeatureCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthorityCLI.  (Endi S. Dewata, 2017-03-27, 7 files, -9/+26)
  The AuthorityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Modify storage unit to generate a new IV  (Ade Lee, 2017-03-24, 9 files, -34/+68)
  Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES.
  The getWrappingParams() method is modified to check the config as follows (in order):
  -- if the iv is defined, use that iv
  -- if the length is defined, generate a byte array of that length
  -- return null
  To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit.
  Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Change CRMFPopClient to use AES-KeyWrap with padding  (Ade Lee, 2017-03-24, 3 files, -37/+86)
  Also made a couple of small changes to WrappingParams.
  * Set the wrapIV to null when AES KeyWrap is used. Trying to unpack the PKIArchiveOptions package with this IV set to null fails.
  * removed superfluous this modifiers.
  Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf. If this parameter is set to 0, we will use the old DES3 algorithms. This can be set by clients talking to old servers.
  CRMFPopClient has the ability to automatically submit requests to a CA. In this case, we should contact the server and determine the version using InfoClient, and choose the algorithm accordingly. We will implement this in a separate patch.
  Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
* Merge github.com:dogtagpki/pki  (Ade Lee, 2017-03-24, 66 files, -229/+306)
|\
| * Refactored UserCLI.  (Endi S. Dewata, 2017-03-24, 15 files, -38/+57)
    The UserCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SecurityDomainCLI.  (Endi S. Dewata, 2017-03-24, 2 files, -4/+9)
    The SecurityDomainCLI and its submodule have been modified to use lazy initialization to get the PKIClient object.
| * Refactored KRA KeyCLI.  (Endi S. Dewata, 2017-03-24, 11 files, -31/+56)
    The KRA KeyCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored GroupCLI.  (Endi S. Dewata, 2017-03-24, 11 files, -28/+43)
    The CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CA CertCLI.  (Endi S. Dewata, 2017-03-24, 12 files, -39/+61)
    The CA CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SubsystemCLI.  (Endi S. Dewata, 2017-03-24, 6 files, -70/+52)
    The SubsystemCLI and its subclasses have been modified to use lazy initialization to get the PKIClient object. They also have been simplified by moving common methods to the base class.
| * Refactored ProxyCLI.  (Endi S. Dewata, 2017-03-24, 1 file, -2/+2)
    The ProxyCLI has been modified to use lazy initialization to get the PKIClient object.
| * Refactored ClientCLI.  (Endi S. Dewata, 2017-03-24, 6 files, -14/+12)
    The ClientCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CLI.getClient().  (Endi S. Dewata, 2017-03-24, 2 files, -3/+4)
    The CLI.getClient() has been modified to return the parent CLI's PKIClient object if available.
| * Added CLI.getConfig().  (Endi S. Dewata, 2017-03-24, 2 files, -0/+10)
    A new CLI.getConfig() has been added to return the parent CLI's configuration if available.
* | Refactor code that creates PKIArchiveOptions objects  (Ade Lee, 2017-03-23, 21 files, -929/+235)
|/
  * Refactor code in CryptoUtil to parametrize the algorithms used.
  * Moved WrappingParams to utils jar to allow correct compilation.
  * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch.
  * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil.
  * Removed DRMTest; this code is no longer maintained or used.
  Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
* Added comparator function to version  (Ade Lee, 2017-03-22, 2 files, -20/+54)
  Change-Id: I862c86994e6268860380404113a9bea0d237d60e
* Merge "Added infoClient to PKIClient to get server info"  (Ade Lee, 2017-03-21, 2 files, -11/+8)
|\
| * Added infoClient to PKIClient to get server info  (Ade Lee, 2017-03-21, 2 files, -11/+8)
    Also used the infoClient in the KeyClient.
    Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630
* | Merge "Fix Java client to use AES"  (Ade Lee, 2017-03-21, 8 files, -50/+267)
|\|
| * Fix Java client to use AES  (Ade Lee, 2017-03-21, 8 files, -50/+267)
    * Changed the client to use AES-128-CBC-PAD rather than DES-3. Because AES-256-CBC-PAD has no OID defined, we use the following hack:
      * Pass in the AES-256-CBC OID as the encrypt algorithm OID
      * Use PKCS#1.5 Padding.
    * Changed the client to use AES for the wrapping key on retrieval.
    * Changed the server to implicitly assume PKCS#1.5 (and a key size of 128) when receiving the OID for AES.
    * Changed the client to send, and the server to pass through, the encryption algorithm expected when retrieving the key.
    * Fixed the generate_iv() function to generate an appropriately sized IV on retrieval.
    This code has been tested to successfully create and retrieve secrets using AES. Ideally, we'd be using GCM rather than CBC, which then requires no padding - and no hack needed. Hopefully, we can get that working in a subsequent commit.
    Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
* | Merge github.com:dogtagpki/pki  (Ade Lee, 2017-03-21, 29 files, -265/+919)
|\|
| * Added support for disabling SSL ciphers in pki.conf.  (Endi S. Dewata, 2017-03-21, 2 files, -2/+10)
    The CryptoUtil.setSSLCiphers() has been modified to support a "-" sign in front of the cipher name or ID to disable the cipher.
| * Added support for hex cipher IDs in pki.conf.  (Endi S. Dewata, 2017-03-21, 2 files, -4/+10)
    The CryptoUtil.setSSLCipher() has been modified to support ciphers specified using hex ID.
| * Allowing client cert auth without NSS database password.  (Endi S. Dewata, 2017-03-21, 1 file, -11/+0)
    The PKI CLI has been modified to support client cert authentication without NSS database password.
| * Allowing pki pkcs12-import without NSS database password.  (Endi S. Dewata, 2017-03-21, 1 file, -1/+1)
    The pki.nssdb module has been modified to support operations without NSS database password.
| * Allowing pki client-init without NSS database password.  (Endi S. Dewata, 2017-03-21, 1 file, -10/+20)
    The pki client-init has been modified to support creating NSS database without password.
| * Fixed default value for SSL datagram.  (Endi S. Dewata, 2017-03-20, 1 file, -1/+1)
    The minimum SSL version for datagram should have been TLS 1.1 to match the default in pki.conf.
| * Added hard-coded default values for SSL parameters in PKI CLI.  (Endi S. Dewata, 2017-03-20, 1 file, -5/+5)
    The PKI CLI has been modified to use hard-coded default values in case the pki.conf is not available (e.g. in Eclipse).
| * Added pki.conf parameter for default SSL ciphers.  (Endi S. Dewata, 2017-03-19, 2 files, -1/+11)
    A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
| * Added pki.conf parameter for SSL ciphers.  (Endi S. Dewata, 2017-03-19, 3 files, -0/+22)
    A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
| * Refactored CryptoUtil.setClientCiphers().  (Endi S. Dewata, 2017-03-19, 1 file, -6/+11)
    The code that converts cipher name into cipher ID and enables the cipher in CryptoUtil.setClientCiphers() has been moved into a separate method.
| * Fixed error handling in CryptoUtil.setClientCiphers().  (Endi S. Dewata, 2017-03-19, 1 file, -1/+3)
    The CryptoUtil.setClientCiphers() has been modified to throw an exception on unsupported cipher.
| * Fixed error handling in CryptoUtil.unsetSSLCiphers().  (Endi S. Dewata, 2017-03-19, 1 file, -7/+7)
    The CryptoUtil.unsetSSLCiphers() has been modified not to ignore exceptions.
| * Renamed CryptoUtil.setClientCiphers().  (Endi S. Dewata, 2017-03-19, 4 files, -5/+5)
    The setClientCiphers() in CryptoUtil has been renamed to setDefaultSSLCiphers() for clarity.
| * Added configuration parameters for SSL version ranges.  (Endi S. Dewata, 2017-03-19, 2 files, -2/+32)
    The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
| * Fixed PKIClient initialization in PKI CLI.  (Endi S. Dewata, 2017-03-19, 3 files, -2/+13)
    The PKI CLI has been modified such that it initializes the PKIClient (and retrieves the access banner) only if the CLI needs to access the PKI server.
    https://pagure.io/dogtagpki/issue/2612