This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by a previously issued signing certificate.
The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint.
UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten.
The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
|
The pki CLI has been modified to parse the --ignore-banner option
properly and pass it only to Java-based CLI commands.
https://pagure.io/dogtagpki/issue/2683
Change-Id: Ifc3e98f74682a2fb4daeea16e86f495515a2d1f5
|
Some debug logs have been added into JssSubsystem to improve code
clarity.
https://pagure.io/dogtagpki/issue/2695
Change-Id: Ice54cf5cfe1eb4984509b83a1098cd69819e37bc
|
- Bugzilla Bug #1452123 - CA CS.cfg shows default port
- dogtagpki Pagure Issue #2696 - CA CS.cfg shows default port
|
Some debug logs have been added into UpdateCRL servlet to improve
code clarity.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839
|
Bugzilla Bug #1447144 - CA brought down during separate KRA instance creation
dogtagpki Pagure Issue #2674 - CA brought down during separate KRA instance
creation
|
The RevocationRequestListener.accept() has been reformatted to
adjust the indentations after refactoring.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ia94667b88dd48e3e0cf28ee3dd7eb5a5b4dee4b3
|
The RevocationRequestListener.accept() has been refactored to
reduce deeply nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I11dac11f05a4e3626043f4cfa56feacf01e6d5dd
|
A new CertStatusChangeRequestProcessedEvent class has been added to
encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
|
The code that generates CERT_REQUEST_PROCESSED events in
ConnectorServlet.processRequest() has been moved into a finally-
clause that wraps around IRequestQueue.processRequest() to ensure
that the events are generated properly.
If a cert was issued for the request that has just been processed
the event outcome is a Success, otherwise it's a Failure.
Any exception thrown by the IRequestQueue.processRequest() will be
passed to the ConnectorServlet.processRequest()'s callers.
https://pagure.io/dogtagpki/issue/2690
Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
|
proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg. The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it is available for additional information. Auditing is adjusted. More will come in the next couple of CMC patches.
|
The UpdateCRL.process() has been reformatted to adjust the
indentations after refactoring.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c
|
The UpdateCRL.process() has been refactored to reduce deeply
nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47
|
The UpdateCRL.process() has been refactored to reduce deeply
nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5
|
The UpdateCRL.process() has been refactored to reduce deeply
nested if-statements with early return.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198
|
The outcome of CERT_REQUEST_PROCESSED event has been changed to
Failure when the certificate request is canceled by an agent.
https://pagure.io/dogtagpki/issue/2694
Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a
|
The outcome of CERT_REQUEST_PROCESSED event has been changed to
Failure when the certificate request is rejected by an agent.
https://pagure.io/dogtagpki/issue/2693
Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40
|
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
|
The CertRequestProcessedEvent constructor that takes a certificate
object was modified to log the certificate serial number instead of
the base64-encoded certificate data.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472
|
The CertRequestProcessedEvent constructors have been modified to
log the info attributes using the new AuditEvent attributes.
The logging property for CERT_REQUEST_PROCESSED event has been
modified to accept a list of attributes as a single string instead
of individual info attributes.
The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced
with a constant in CertRequestProcessedEvent class which points to
the new logging property.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c
|
A new ConfigTrustedPublicKeyEvent class has been added to
encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908
|
The AuditEvent class has been modified to support variable number
of event attributes which can be used to generate more flexible
audit log entries.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212
|
The conditions to log CERT_REQUEST_PROCESSED have been simplified
since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE
if the certificate object is not available in the request object.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I946481c17729d2c349c949def113fc5563ec90ad
|
Some log messages have been added to help troubleshoot the cause
of server shutdown.
Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
|
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
|
The finalization scriptlet now waits after service has been restarted.
Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de
Bugzilla: BZ#1446364
Pagure: 2644
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
When using an HSM, AES KeyWrapping is not available and so
some different code paths were exercised. Fixing bugs in those
paths uncovered a case where we were calling unwrapSymmetric()
with bits and not bytes for the key length.
This does not matter for 3DES, where JSS expects a length of 0,
but very much matters for AES. Fixing this - and the KeyClient
to actually use the returned wrapping algorithm to unwrap, allows
us now to return generated symmetric keys correctly.
Bugzilla BZ#1448521
Pagure: 2690
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
|
When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
|
In HSMs, we were not able to retrieve asym keys that were
generated from the AsymKeyGenService, because the right
flags were not set (i.e. set like in the server side
keygen case).
To do this, I extracted the key generation function from
NetKeygenService to KeyRecoveryAuthority, so that it could
be used by both services.
Bugzilla BZ# 1386303
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
|
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
|
Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203
|
PKCS #12 export was updated to use AES / PBES2 encryption for the
key bags, but an import code path used when spawning a clone was
missed, and now fails (because it doesn't grok PBES2).
Update it to use CryptoStore.importEncryptedPrivateKeyInfo()
instead, fixing the problem.
Fixes: https://pagure.io/dogtagpki/issue/2677
Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9
|
pki.authority was mistakenly sending headers as POST body instead of
sending an empty POST body with right headers.
Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
The CAInfoService returns CA configuration info, including
KRA-related values the CA clients may need to know (e.g. for
generating a CRMF cert request that will cause keys to be archived
in KRA). Currently that information is statically configured and
does not respect the actual configuration of the KRA.
Update the service to retrieve info from the KRA, which is queried
according to the KRA Connector configuration. After the KRA has
been successfully contacted, the recorded KRA-related settings are
regarded as authoritative.
The KRA is contacted ONLY if the current info is NOT authoritative,
otherwise the currently recorded values are used. This means that
any change to relevant KRA configuration (which should occur seldom
if ever) necessitates restart of the CA subsystem.
If this is unsuccessful (e.g. if the KRA is down or the connector is
misconfigured) we use the default values, which may be incorrect.
Fixes: https://pagure.io/dogtagpki/issue/2665
Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
|
This patch would fix the issue. It also adds the CMCUserSignedAuth
authentication instance that was missed in the CS.cfg
|
The KRA has two private key recovery code paths: one dealing with
keys wrapped to the storage key, and one dealing with symmetrically
encrypted keys. Each has a separate function for constructing a
PKCS #12 file for the recovered key.
This commit updates the PKCS #12 generation for wrapped keys to use
AES encryption. The JSS PBE facility is not expressive enough to
handle PBES2 encryption, which is necessary for many algorithms
including AES, so we now use CryptoStore.getEncryptedPrivateKeyInfo.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Iba67f15642338316e4a6d09f78504327e8853b85
(cherry picked from commit 8e663b6270d9a9409a04bfcb445318a6d5622b52)
|
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6
(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8)
|
Update PKCS12Util to use AES-256-CBC to encrypt private keys.
Use JSS CryptoStore methods to ensure that all key wrapping and
unwrapping is done on the token.
Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
previous process where a symmetric key was generated, the private
key wrapped to the symmetric key, then decrypted into Dogtag's
memory, then re-encrypted under the supplied passphrase. Now the
key gets wrapped directly to the supplied passphrase.
Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
using the supplied passphrase, then encrypted to a freshly generated
symmetric key, which was then used to unwrap the key into the token.
Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
used to unwrap the EncryptedPrivateKeyInfo directly into the token,
using the supplied passphrase.
As a result, the PKCS12KeyInfo class, which previously stored
unencrypted key material (a PrivateKeyInfo object), now only
deals with PrivateKey (an opaque handle to a PKCS #11 object)
on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
import. This split suggests that PKCS12KeyInfo should be decomposed
into two classes - one containing a PrivateKey and the other
containing a byte[] encryptedPrivateKeyInfo - but this refactoring
is left for another day.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
|
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
|
This is tested using Barbican as a client. We are simply
reverting to the same behavior we had before for the
NSS Crypto provider case.
Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
|
expected.
This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
|
Incorrect key size led to errors when the client side
was set to use 3DES. Also deprecate not providing an
encryption algorithm OID explicitly in
archive_encrypted_data()
Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
|
Part of: https://pagure.io/dogtagpki/issue/1408
Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1
|