| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Up to now, we have only ever used the same algorithm (DES3_CBC)
for key wrapping and encryption. With the change to use AES Keywrap
and AES CBC, we need to know which mechanism was used to encrypt/wrap
the secrets when returned to the client.
This means passing back more information to the client with the key
data, and also modifying the client to use this information to decode
the data correctly.
Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
|
| |
|
|
| |
error checking and debugging
|
| |
|
|
| |
requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
|
| |
|
|
| |
adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
|
| |
|
|
|
| |
The TPS ConnectorCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The TPS TokenCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The TPS ProfileCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The TPS ConfigCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The TPSCertCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
| |
The AuthenticatorCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The AuditCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
| |
The ActivityCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
| |
|
|
|
| |
The TPSConnectorCLI for TKS and its submodules have been modified
to use lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The SelfTestCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
| |
The CA ProfileMappingCLI and its submodules have been modified to
use lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The CA ProfileCLI and its submodules have been modified to use
lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The KRAConnectorCLI for CA and its submodules have been modified
to use lazy initialization to get the PKIClient object.
|
| |
|
|
|
| |
The FeatureCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
| |
The AuthorityCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the storage unit reuses the same IV each time a record
is stored. This works (probably) for DES3, but not for AES.
The getWrappingParams() method is modified to check the config as follows
(in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- return null
To ensure that the same IV used to encrypt the secret is stored in the
DB, the wrapping param is defined once in the archival process, and
passed in to the wrapping functions in storageUnit.
Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used. Trying to unpack
the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.
Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms. This
can be set by clients talking to old servers.
CRMFPopClient has the ability to automatically submit requests to
a CA. In this case, we shouldcontact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.
Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
|
| |\ |
|
| | |
| |
| |
| |
| | |
The UserCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| | |
The SecurityDomainCLI and its submodule have been modified to use
lazy initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| | |
The KRA KeyCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| | |
The CertCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| | |
The CA CertCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| |
| | |
The SubsystemCLI and its subclasses have been modified to use
lazy initialization to get the PKIClient object. They also have
been simplified by moving common methods to the base class.
|
| | |
| |
| |
| |
| | |
The ProxyCLI has been modified to use lazy initialization to get
the PKIClient object.
|
| | |
| |
| |
| |
| | |
The ClientCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.
|
| | |
| |
| |
| |
| | |
The CLI.getClient() has been modified to return the parent CLI's
PKIClient object if available.
|
| | |
| |
| |
| |
| | |
A new CLI.getConfig() has been added to return the parent CLI's
configuration if available.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
|
| |
|
|
| |
Change-Id: I862c86994e6268860380404113a9bea0d237d60e
|
| |\ |
|
| | |
| |
| |
| |
| |
| | |
Also used the infoClient in the KeyClient
Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Changed the client to use AES-128-CBC-PAD rather than DES-3.
Because AES-256-CBC-PAD has no OID defined, we use the following
hack:
* Pass in the AES-256-CBC OID as the encrypt algorithm OID
* Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size
of 128) when recieving the OID for AES.
* Changed the client to send, and the server to pass through
the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately
sized IV on retrieval.
This code has been tested to successfully create and retrieve
secrets using AES. Ideally, we'd be using GCM rather than CBC,
which then requires no padding - and no hack needed. Hopefully,
we can get that working in a subsequent commit.
Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
|
| |\| |
|
| | |
| |
| |
| |
| | |
The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.
|
| | |
| |
| |
| |
| | |
The CryptoUtil.setSSLCipher() has been modified to support ciphers
specified using hex ID.
|
| | |
| |
| |
| |
| | |
The PKI CLI has been modified to support client cert authentication
without NSS database password.
|
| | |
| |
| |
| |
| | |
The pki.nssdb module has been modified to support operations
without NSS database password.
|
| | |
| |
| |
| |
| | |
The pki client-init has been modified to support creating NSS
database without password.
|
| | |
| |
| |
| |
| | |
The minimum SSL version for datagram should have been TLS 1.1 to
match the default in pki.conf.
|
| | |
| |
| |
| |
| | |
The PKI CLI has been modified to use hard-coded default values
in case the pki.conf is not available (e.g. in Eclipse).
|
| | |
| |
| |
| |
| | |
A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.
|
| | |
| |
| |
| |
| | |
A new parameter has been added to pki.conf to configure the SSL
ciphers used by PKI CLI in addition to the default ciphers.
|
