| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.
|
|
|
|
|
|
|
|
|
|
| |
Wrapping params can now be specified in CS.cfg as per design.
The default will be AES. If the parameters are not set, then the
old mechanism (DES) will be used instead.
A migration script will be created in a separate commit.
Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many parts of Dogtag expect an IAuthToken, which represents the
authenticated user. The sole implementation, AuthToken, uses some
concepts that do not carry across to externally authenticated
principals, e.g. an external principal does not have an associated
IAuthManager that was used to authenticate the principal. Therefore
something different is needed.
Implement ExternalAuthToken which wraps a GenericPrincipal and
provides access to the data therein.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
| |
Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
| |
A new constructor has been added into EInvalidCredentials to
support exception chaining.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
|
|
|
| |
Change-Id: I6024ca5a32769b460d578dfad46598432381784c
|
|
|
|
|
|
| |
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
|
|
|
|
|
|
|
|
|
|
|
| |
On the security data recovery service, the client can now specify the
encryption and wrapping algorithms to be used when wrapping the key,
rather than assuming DES. The server will use the specified wrapping
algorithm (and key).
If the algorithms are not specified, then the old mechanism is assumed.
Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
|
|
|
|
|
|
|
|
| |
The PKIArchiveOptions object contains an OID for the encryption algorithm.
Use this to create the correct WrappingParam for the tranport unit instead
of defaulting to DES3.
Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
|
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
| |
Exceptions should be bubbled up and not swallowed at the EncryptionUnit
level. This will help in diagnosing issues.
|
|
|
|
| |
The crypto functions to unwrap the session key have been parameterized.
|
|
|
|
|
| |
Theis patch parametrizes some of the encryption functions, for key
wrapping and storage.
|
|
|
|
|
|
|
| |
EncryptionUnit is a bit of a mess right now. Refactored so that
crypto specific code is in a few functions. These can now be
parameterized to allow selection of parameters for wrapping method,
algorithm etc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
| |
Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
| |
The SubsystemClient.login() method has been modified to return
the AccountInfo obtained from AccountClient.login().
|
|
|
|
|
|
|
|
| |
The serverURI field in ClientConfig has been replaced with
serverURL since it actually stores the location of the server.
New methods have been added to access the serverURL field.
Existing methods for serverURI are retained for backward
compatibility.
|
|
|
|
|
| |
KEY_USAGE was accidentally added and verify usage was left off.
This results in BZ#1238684
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
|
|
|
|
|
|
|
| |
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All codes that create LDAP connections have been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
|
|
|
|
|
| |
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
|
|
|
|
|
|
|
| |
The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
|
|
|
|
|
| |
The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
|
|
|
| |
Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2531
|
|
|
|
|
|
|
|
|
|
| |
Previously the pki user-cert-add fails to check whether the server
has a CA subsystem when it's invoked over SSL. That is because the
CLI tries to establish a new but improperly set up SSL connection.
Now the CLI has been modified to use the existing server
connection.
https://fedorahosted.org/pki/ticket/1517
|
|
|
|
|
|
|
|
|
| |
The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object wnd the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug , but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpslcient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.
|
|
|
|
|
|
|
|
| |
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|
|
|
|
|
|
|
| |
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
|
|
|
|
|
|
|
|
| |
The list of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
|
|
|
|
|
|
|
|
|
| |
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
|
|
|
|
|
| |
If a retrieval is non-sychronous, we create a non-ephemeral recovery
request and return this Request ID to the client.
|
|
|
|
|
|
| |
Continuation of the previous patch. These are client changes
to allow the client to pass through an approved recovery request
to retrieveKey()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
a) request can be processed immediately and synchronously
and request is created, and secret is returned.
b) request cannot be processed immediately. Recovery request
is created and request_id returned to the client
Depending on server configuration, the requests in case (2a)
will be stored in ldap or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
|
|
|
|
|
|
|
| |
The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
and OCSPProcessor has been replaced with HttpClientBuilder.
https://fedorahosted.org/pki/ticket/2531
|
|
|
|
| |
This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
|
|
|
|
|
|
|
| |
To help troubleshooting, the EPropertyException has been modified
to provide constructors to chain the original exception.
https://fedorahosted.org/pki/ticket/2463
|
|
|
|
|
|
|
|
|
| |
Based on investigation and solution provided by cfu and jmagne,
the SecurityDataRecoveryService.serviceRequest() has been modified
to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
FIPS mode.
https://fedorahosted.org/pki/ticket/2500
|