| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
The audit events classes have been modified to inherit from
SignedAuditEvent class since AuditEvent class is actually used
for transaction log.
https://pagure.io/dogtagpki/issue/2689
Change-Id: If41c99c1d165075d330033d44799145c784c2905
|
|
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
|
|
|
|
|
|
|
|
| |
A new LogEvent class has been added as the base for all log events.
Common fields and methods have been moved into the base class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I775556edf367b972ad56b35f4b4ea025a72e962f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch contains the following update:
* Structurely, CMCStatusInfo to CMCStatusInfoV2 update; no extendedFailInfo has been added at this point
* In case of EncryptedPOP, instead of returning with CMCStatus pending where
PendInfo contains the requestID, it now returns CMCStatus failed whith
responseInfo control contains the requestID. On the client side, CMCRequest
now processes the responseInfo and returns the DecryptedPOP with requestID in
the regInfo control. CMCResponse has been updated to handle the new controls
as well.
* A number of fail info codes are now being supported by the server to add
clarity to CMC failed status, including:
badMessageCheck, badRequest, unsuportedExt, badIdentity, popRequired, and popFailed.
|
|
|
|
|
|
|
|
|
|
| |
The Logger class has been modified to provide an interface to
create a Logger instance that stores the log category and log
source.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I1dadcdf35af0f0a17e02328c73ef6d95ca691e7f
|
|
|
|
|
|
|
|
|
| |
A LogSource enumeration has been added to replace the integer
log source in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I6f69219fbbfa00d83f26a32174c75ff2782eb6af
|
|
|
|
|
|
|
|
|
| |
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
|
|
|
|
|
|
|
|
|
|
| |
The pki ca-authority-find CLI has been modified to provide search
filter based on the authority ID, parent ID, authority DN, and
issuer DN.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I563a0b93eb7a00ae4771069812455ecc552f407c
|
|
|
|
|
| |
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
Some auditing adjustments are also done.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code that reads the access banner from file has been modified
to explicitly use UTF-8 encoding.
The Info class and the PKI UI have been modified not to encode the
access banner in Base64 since it is not necessary.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
|
|
|
|
|
|
|
|
|
|
| |
The Info service and client have been modified to transmit access
banner in Base64-encoded form. The PKI UI has been modified to
decode the access banner properly.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).
One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.
This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.
On the client side:
CMCRequest
- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.
- removed the revRequest.nickname parameter from the configuration. From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.
- added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.
CMCRevoke
- The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.
- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways;
- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)
- This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now.
On the server side.
CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly.
Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not.
Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.
The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well.
Previously missed signing cert validation is also added for more complete check.
Some SHA1 are turned into SHA2
Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s).
|
|
|
|
|
|
|
| |
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:
* KRAInfo and CAInfo are refactored to provide the
algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
more correctly. The options are basically:
AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
|
|
|
|
|
|
|
|
|
| |
A new SCHEDULE_CRL_GENERATION audit event has been added which
will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
|
|
|
|
|
|
|
|
|
| |
A new FULL_CRL_PUBLISHING audit event has been added which will
be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
|
|
|
|
|
|
|
|
|
| |
A new FULL_CRL_GENERATION audit event has been added which will
be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
|
|
|
|
|
|
|
|
|
| |
A new DELTA_CRL_PUBLISHING audit event has been added which will
be generated when delta CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372
|
|
|
|
|
|
|
|
|
| |
A new DELTA_CRL_GENERATION audit event has been added which will
be generated when delta CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f
|
|
|
|
|
|
|
|
|
| |
The ECAException constructor has been modified to accept a more
generic Throwable instead of Exception.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee
|
|
|
|
|
|
|
|
|
| |
This encapsulates key gen events for the token servlets.
Consolidated the success and failure cases. Note that this
event can likely later be replaced with security_data_keygen
events. Leaving separate for now.
Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
|
|
|
|
| |
Change-Id: I57b30cdff571056d0a95436858308872a8dc007b
|
|
|
|
| |
Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID)
In addition, some of the archival events occur in the CA component
just before the request id sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
|
|
|
|
|
|
|
|
| |
The audit logs where an agent grants an asynchronous recovery request
and the case where recovery request is appproved from the REST API
are consolidated and encapsulated in a class.
Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
|
|
|
|
|
|
|
|
|
|
|
|
| |
The auditing in retrieveKey is all messed up.
* Added new audit event to track accesses to KeyInfo queries.
They may produce a lot of events, especially if events are
generated for every listing of data. By default, this event
may be turned off.
* Added audit events for generation and processing of key
recovery requests.
Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
|
|
|
|
|
|
|
|
|
|
|
| |
Key retrieval is when the key/secret is extracted and returned
to the client (once the recovery request is approved). We combine
SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events.
Note: an analysis of the key retrieval rest flow (and the auditing
there will be done in a subsequent patch).
Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
|
|
|
|
|
|
|
|
|
| |
There are now many ways to recover keys. From an
auditing point of view, its not helpful to distinguish
between sync or async requests. So we just use
SECURITY_DATA ...
Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
|
|
|
|
|
|
|
|
| |
This creates audit events for KEY_RECOVERY_PROCESSED and
SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by
reducing the logs to the SECURITY_DATA ones.
Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
|
|
|
|
|
|
|
|
| |
Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and
KEY_RECOVERY_REQUEST audit events as audit event objects.
We have collapse to a single audit event type.
Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
|
|
|
|
|
|
|
|
| |
Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the
two audit events.
Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure. They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is alreadty logged. So this is now dropped.
Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
|
|
|
|
|
|
|
|
|
| |
A new CertStatusChangeRequestProcessedEvent class has been added to
encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
|
|
|
|
|
|
| |
proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is : caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
|
|
|
|
|
|
|
|
|
|
| |
The CertRequestProcessedEvent constructor that takes a certificate
object was modified to log the certificate serial number instead of
the base64-encoded certificate data.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CertRequestProcessedEvent constructors have been modified to
log the info attributes using the new AuditEvent attributes.
The logging property for CERT_REQUEST_PROCESSED event has been
modified to accept a list of attributes as a single string instead
of individual info attributes.
The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced
with a constant in CertRequestProcessedEvent class which points to
the new logging property.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c
|
|
|
|
|
|
|
|
|
| |
A new ConfigTrustedPublicKeyEvent class of has been added to
encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908
|
|
|
|
|
|
|
|
|
|
| |
The AuditEvent class has been modified to support variable number
of event attributes which can be used to generate more flexible
audit log entries.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212
|
|
|
|
|
|
|
|
|
|
| |
The conditions to log CERT_REQUEST_PROCESSED have been simplified
since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE
if the certificate object is not available in the request object.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I946481c17729d2c349c949def113fc5563ec90ad
|
|
|
|
|
|
|
| |
Some log messages have been added to help troubleshoot the cause
of server shutdown.
Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using an HSM, AES KeyWrapping is not available and so
some different code paths were exercised. Fixing bugs in those
paths uncovered a case where we were calling unwrapSymmetric()
with bits and not bytes for the key length.
This does not matter for 3DES, where JSS expects a length of 0,
but very much matters for AES. Fixing this - and the KeyClient
to actually use the returned wrapping algorithm to unwrap, allows
us now to return generated symmetric keys correctly.
Bugzilla BZ#1448521
Pagure: 2690
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In HSMs, we were not able to retrieve asym keys that were
generated from the AsymKeyGenService, because the right
flags were not set (ie. set like in the server side
keygen case).
To do this, I extracted the key generation function from
NetKeygenService to KeyRecoveryAuthority, so that it could
be used by both services.
Bugzilla BZ# 1386303
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
|
|
|
|
|
|
|
|
|
|
|
| |
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SourceConfigStore load() method does not clear the config store,
but this might be necessary to avoid stale data if wanting to
perform a complete replacement of the data (e.g. reload from file).
We should not change the behaviour of load() in case some code is
relying on the current behaviour, so add the clear() method to the
interface.
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest
object.
The auditInfoValue() method in CAProcessor has been moved into
CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl
object.
Copies of auditInfoCertValue() method in various classes have been
combined and moved into CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
|
|
|
|
|
|
|
|
|
| |
A new SignedAuditConfigRoleEvent class of has been added to
encapsulate the CONFIG_SIGNED_AUDIT events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
|
|
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent class of has been added to
encapsulate the CERT_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
|