| Commit message | Author | Age | Files | Lines |
|
When no algorithm OID is provided, we used to default to 3DES.
We need to continue to do this to not break IPA.
Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
|
When using token-based unwrapping of archived keys, the key is being
stored in the token. We do not want to accumulate the keys here;
make them temporary.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Ic12a4db7238512b4fec5d6fdb023b20195c2d438
|
When modifying a profile, attributes are not cleared. Attributes
that were removed in the updated profile configuration are not
actually removed.
When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear
the config store before loading the new configuration.
Fixes: https://fedorahosted.org/pki/ticket/2588
Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
|
The SourceConfigStore load() method does not clear the config store,
but this might be necessary to avoid stale data if wanting to
perform a complete replacement of the data (e.g. reload from file).
We should not change the behaviour of load() in case some code is
relying on the current behaviour, so add the clear() method to the
interface.
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93
|
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: I1ac9a3d89c93832ef6b6b48b89138495ef4892fb
|
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest
object.
The auditInfoValue() method in CAProcessor has been moved into
CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
|
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl
object.
Copies of auditInfoCertValue() method in various classes have been
combined and moved into CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
|
A new SignedAuditConfigRoleEvent class has been added to
encapsulate the CONFIG_SIGNED_AUDIT events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
|
Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
|
A new CertRequestProcessedEvent class has been added to
encapsulate the CERT_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
|
A new ConfigRoleEvent class has been added to encapsulate the
CONFIG_ROLE events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
|
A new RoleAssumeEvent class has been added to encapsulate the
ROLE_ASSUME events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
|
A new AuthzFailEvent class has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
|
A new AuthzSuccessEvent class has been added to encapsulate the
AUTHZ_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
|
A new AuthFailEvent class has been added to encapsulate the
AUTH_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
|
A new AuthSuccessEvent class has been added to encapsulate the
AUTH_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
|
Fix Python 3 support for pkispawn: Config values are text values. Therefore
the config file has to be written as text file.
Test Python 3 support in Travis CI. The little script py3rewrite copies
pki.server Python files and rewrites pkispawn and pkidestroy to use
Python 3.
Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
The IAuditor has been modified to define a log() method for
AuditEvent object.
Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9
|
The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified
to accept X509CertImpl like CAProcessor.auditInfoCertValue().
Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b
|
The ConnectorServlet.auditInfoCertValue() has been refactored to
accept X509CertImpl like CAProcessor.auditInfoCertValue().
Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33
|
The auditInfoCertValue(IRequest) in CAProcessor has been merged
into auditInfoCertValue(X509CertImpl) since they are identical.
Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca
|
New audit() methods have been added to log AuditEvents in
AdminServlet.
Change-Id: I92a259363bdda553621491e46122365c7097946a
|
The code that concatenates lines has been simplified using
String.replace().
Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74
|
The code that concatenates lines has been simplified using
String.replace().
Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea
|
The connectionTimeout parameter has been restored to 80 seconds.
The keepAliveTimeout parameter has been set to 5 minutes.
https://pagure.io/dogtagpki/issue/2643
Change-Id: I05bca0284ad946d833ed144e2f93a4ef4b9b6f0f
|
The default SSL connection timeout has been changed to 5 minutes
to improve PKI console usability.
https://pagure.io/dogtagpki/issue/2643
Change-Id: I905ca855285ddd655d965488b175c2d11fe407fd
|
The PKI console has been modified to display an error message and
exit to the system if the SSL connection has been closed (e.g.
due to timeout).
https://pagure.io/dogtagpki/issue/2643
Change-Id: I4507b42cc4e2e706762159321e6991ae5ec68602
|
A new method has been added to set AuditEvent's parameters.
Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714
|
Change-Id: I83c1adae3ec900d9c9806def518f6277ce6dedca
|
When an exception is thrown, the connection is currently
not closed, leading to Invalid State exceptions when the
next connection is attempted. This resolves this issue.
Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb
|
CRMFPopClient and the pki cert client both can send a CRMF request
to a CA directly. Logic is added to check the CA for the required
KRA wrapping params and use those in place of any that have been
provided by the environment or command line.
Also, additional data for the supported KRA keyset has been added to
the CAInfoService. This will need to be managed by the admin. The
default is "1" which corresponds to AES.
Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
|
To process a cert request immediately (rather than having it queued
as pending), the user must be authenticated *by the profile*; auth
tokens from the main authentication system are not used.
For external authentication support it is possible that the external
authentication is sufficient to authenticate use of a problem;
especially when the profile uses components like
ExternalProcessConstraint to perform validation of the cert request
against external sources of information.
To support this use case, add the SessionAuthentication profile
authenticator, which merely reuses the IAuthToken from the session
context, if present.
Part of: https://pagure.io/dogtagpki/issue/1359
|
Add the ExternalProcessConstraint profile policy constraint class.
It can be configured to execute an arbitrary program that performs
additional request validation, rejecting the request if it
terminates with a nonzero exit status. Information about the
request is conveyed in the subprocess' environment.
Part of: https://pagure.io/dogtagpki/issue/1359
|
When processing a certificate request, if the authenticated
principal is an ExternalPrincipal, add its whole attribute map to
the IRequest. This provides a way for AJP request attributes to be
propagated through the profile system to profile components like
ExternalProcessConstraint. One such attribute that is needed for
GSS-API support is "KRB5CCNAME".
Part of: https://pagure.io/dogtagpki/issue/1359
|
If a certificate request comes with additional data in the
'cert-request' query param, add that to the request. Profile
components can then use this data.
This is needed to convey the subject principal name to the
ExternalProcessConstraint, when validating FreeIPA certificate
requests after we switch to GSS-API authentication.
Part of: https://pagure.io/dogtagpki/issue/1359
|
CMS.getLogMessage performs message formatting via MessageFormat,
then the message gets logged via a Logger. The Logger also performs
message formatting via MessageFormat. If the formatted log message
contains '{' or '}' (e.g. if it contains JSON) the MessageFormat
implementation interprets these as FormatElement delimiters and
parsing fails.
Update CMS.getLogMessage() to scan arguments for unsafe characters
and if found, escape the whole message so that subsequent logging
will succeed.
Part of: https://pagure.io/dogtagpki/issue/1359
|
The PKIServerSocketListener has been modified to use WeakHashMap
to store socket info that might not be available after the socket
has been closed.
https://pagure.io/dogtagpki/issue/2642
Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
|
Change-Id: Ibc16a49b4a03524fb62ddb33326a36ffa0b0389f
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
Travis CI tests are now using a systemd container to install and run a
389-DS, CA and KRA instance.
Change-Id: Ibc7d1a6b1e218492a84e88d4339de34b1eb58c7c
|
The previous commit added a field in the KeyRecord to
specify whether or not a key was encrypted or key wrapped
when archived. This patch modifies the recovery servlets
to use this field to determine how to decrypt/unwrap the
key for transport.
Absence of this field in the key record implies that it is
an old record - and we use the value of the CS.cfg parameter
as the default.
Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
|
provides the feature for CMC on handling id-cmc-popLinkWitnessV2
|
Whether a secret was encrypted or wrapped in the storage unit
depends on a parameter in CS.cfg. If that parameter is changed,
the Storage unit may use the wrong mechanism to try to decrypt
the stored key. That's OK for encrypt/wrap using DES or AES-CBC,
but not for AES KeyWrap.
In this patch, we add a field in the Key record to specify whether
the secret was encrypted with stored (or keywrapped if false).
A subsequent patch will change the logic when decrypting to use
this field.
Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
|
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
received, the server assumes it's talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
|
The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.
https://pagure.io/dogtagpki/issue/2602
Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
|
The command "./scripts/compose_pki_core_packages rpms" is tested on
Fedora 25, 26 and rawhide. On 25 and 26, the COPR @pki/10.4 is enabled
to provide additional build dependencies.
Travis CI is configured to use pre-populated Docker images from
https://github.com/dogtagpki/pki-ci-containers . The images contain
build dependencies.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
subprocess returns bytes in Python 3. Make sure to
decode first when returning env variables.
Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
|
This allows the use of the g&d 7 card.
This will require the following:
1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstool for this:
Ex:
/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16
2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:
Ex:
tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=##Smart Cafe 7 settings:
tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
|
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.
Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
|
When the server cannot do key wrapping using the AES KeyWrap,
probably because the backend HSM cannot do key wrapping, then
there is a setting to allow it to use encrypt/decrypt instead.
If the key wrap algorithm is something simple like 3DES or AES-CBC,
then the client can just use key wrapping to wrap the key on its
token, and the server can use an encryption algorithm to decrypt.
The client does not need to know that the server cannot handle a
key wrap, because keywrapping and encryption are pretty much the
same mechanism - just either in server memory or not.
When we do key wrapping using AES KeyWrap though, there is no
corresponding encryption algorithm used to decrypt. So the server
cannot simply decrypt a message wrapped with AES Keywrap (or at least
not in any obvious way). So in this case, the client needs to know
if the server can handle keywrap.
The patch therefore does the following:
1. For CRMFPopClient, adds a command line option to specify if key
wrapping or encryption is required.
2. Reads an environment variable if no option is provided.
3. If encryption is specified, uses key wrapping using AES-CBC
which can be decrypted on the server side.
4. For cert-client, contacts the server to determine from the
CAInfoResource if keywrapping is supported.
Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
|