summaryrefslogtreecommitdiffstats
path: root/base/common
Commit message (Collapse)AuthorAgeFilesLines
...
* Refactor code that creates PKIArchiveOptions objectsAde Lee2017-03-237-205/+8
| | | | | | | | | | | | | | * Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
* Added comparator function to versionAde Lee2017-03-222-20/+54
| | | | Change-Id: I862c86994e6268860380404113a9bea0d237d60e
* Added infoClient to PKIClient to get server infoAde Lee2017-03-212-11/+8
| | | | | | Also used the infoClient in the KeyClient Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630
* Fix Java client to use AESAde Lee2017-03-215-34/+238
| | | | | | | | | | | | | | | | | | | | | | * Changed the client to use AES-128-CBC-PAD rather than DES-3. Because AES-256-CBC-PAD has no OID defined, we use the following hack: * Pass in the AES-256-CBC OID as the encrypt algorithm OID * Use PKCS#1.5 Padding. * Changed the client to use AES for the wrapping key on retrieval. * Changed the server to implicitly assume PKCS#1.5 (and a key size of 128) when recieving the OID for AES. * Changed the client to send, and the server to pass through the encryption algorithm expected when retrieving the key. * Fixed the generate_iv() function to generate an appropriately sized IV on retrieval. This code has been tested to successfully create and retrieve secrets using AES. Ideally, we'd be using GCM rather than CBC, which then requires no padding - and no hack needed. Hopefully, we can get that working in a subsequent commit. Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
* Added support for disabling SSL ciphers in pki.conf.Endi S. Dewata2017-03-211-1/+2
| | | | | The CryptoUtil.setSSLCiphers() has been modified to support a "-" sign in front of the cipher name or ID to disable the cipher.
* Added support for hex cipher IDs in pki.conf.Endi S. Dewata2017-03-211-1/+1
| | | | | The CryptoUtil.setSSLCipher() has been modified to support ciphers specified using hex ID.
* Allowing pki pkcs12-import without NSS database password.Endi S. Dewata2017-03-211-1/+1
| | | | | The pki.nssdb module has been modified to support operations without NSS database password.
* Added pki.conf parameter for default SSL ciphers.Endi S. Dewata2017-03-191-0/+5
| | | | | A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
* Added pki.conf parameter for SSL ciphers.Endi S. Dewata2017-03-191-0/+7
| | | | | A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
* Added configuration parameters for SSL version ranges.Endi S. Dewata2017-03-191-0/+14
| | | | | The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
* pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)Christina Fu2017-03-171-0/+15
| | | | | | This patch provides methods that can be shared between the CA and the ISharedToken plugins: 1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms. 2. The establishment of Issuance Protection Certificate
* Moved default SSL configuration out of PKIConnection.Endi S. Dewata2017-03-171-6/+0
| | | | | | | To prevent conflicts, the code that configures the default SSL version ranges and ciphers for all SSL sockets created afterwards has been moved out of PKIConnection into the main program (i.e. PKI CLI).
* Removed duplicate code to configure SSL version ranges.Endi S. Dewata2017-03-171-21/+6
| | | | | The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
* Exporting environment variables for PKI client.Endi S. Dewata2017-03-162-21/+13
| | | | | The default pki.conf has been modified to export the environment variables such that they can be used by PKI client.
* Add config options to allow storage wrappings to be setAde Lee2017-03-161-1/+1
| | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
* Add IAuthToken implementation for external principalsFraser Tweedale2017-03-161-0/+154
| | | | | | | | | | | | | | Many parts of Dogtag expect an IAuthToken, which represents the authenticated user. The sole implementation, AuthToken, uses some concepts that do not carry across to externally authenticated principals, e.g. an external principal does not have an associated IAuthManager that was used to authenticate the principal. Therefore something different is needed. Implement ExternalAuthToken which wraps a GenericPrincipal and provides access to the data therein. Part of: https://pagure.io/dogtagpki/issue/1359
* Define AgentCertAuthentication token keys in IAuthTokenFraser Tweedale2017-03-161-0/+3
| | | | | | | | | Small refactor to define the auth token keys set by AgentCertAuthentication in IAuthToken, so that consumers do not need to import AgentCertAuthentication directly, or redefine the constants. Part of: https://pagure.io/dogtagpki/issue/1359
* Added cascading configuration for PKI CLI.Endi S. Dewata2017-03-151-0/+236
| | | | | | | | | The PKI CLI has been modified to support cascading configuration files: default, system-wide, and user-specific configuration. The existing Python-based PKI CLI was moved into pki.cli.main module. A new shell script was added as a replacement which will read the configuration files and invoke the Python module.
* Added exception chaining for EInvalidCredentials.Endi S. Dewata2017-03-151-0/+4
| | | | | A new constructor has been added into EInvalidCredentials to support exception chaining.
* First cut of scp03 support. Supports the g&d smartcafe out of the box.Jack Magne2017-03-144-8/+640
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Developer keyset token operations and key change over supported. Caveats. -The diversification step going from master key to card key uses DES3 as required for the token. -After that point, everything is scp03 to the spec with minor excpetions so far. Supports 128 bit AES for now. Will resolve this. Minor config tweaks: TPS Symmetric Key Changeover Use this applet for scp03: RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc TKS: Symmetric Key Changeover tks.mk_mappings.#02#03=internal:new_master tks.defKeySet.mk_mappings.#02#03=internal:new_master Use the uncommented one because scp03 returns a different key set data string. ToDo: -Support the rest of the AES sizes other than 128. -Support optional RMAC apdu. -Test and adjust the config capability for other tokens. -Support AES master key. Right now the standard key ends up creating AES card and session keys.
* Continue to move more crypto into CryptoUtilAde Lee2017-03-142-2/+4
| | | | Change-Id: I6024ca5a32769b460d578dfad46598432381784c
* Refactor crypto codeAde Lee2017-03-141-16/+11
| | | | | | Move some of the crypto functions in EncryptionUnit to CryptoUtil. Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
* Fix wrapping params on the security data recovery serviceAde Lee2017-03-143-7/+45
| | | | | | | | | | | On the security data recovery service, the client can now specify the encryption and wrapping algorithms to be used when wrapping the key, rather than assuming DES. The server will use the specified wrapping algorithm (and key). If the algorithms are not specified, then the old mechanism is assumed. Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
* Change transport unit to create wrapping parameters based on incoming dataAde Lee2017-03-141-0/+39
| | | | | | | | The PKIArchiveOptions object contains an OID for the encryption algorithm. Use this to create the correct WrappingParam for the tranport unit instead of defaulting to DES3. Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
* Change internal wrapping to AESAde Lee2017-03-145-196/+206
| | | | | | | | | | | | | | | | | There are several changes in this patch: 1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the TransportUnit into those classes. This helps to determine which methods are called by which class (because in general they require different arguments). It may be possible to later simplify and reduce code repetition by pulling core functionality back into the EncryptionUnit. 2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values as part of the KeyRecord when the key is stored. On retrieval, this data is read and used to extract the data. If the data is not present, then use the old DES3 parameters. 3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then the old wrapping will be used instead. Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
* Include revocation reason in REST cert dataFraser Tweedale2017-03-141-0/+10
| | | | Fixes: https://fedorahosted.org/pki/ticket/2601
* Refactor exception handling in the EncryptionUnitAde Lee2017-03-062-23/+22
| | | | | Exceptions should be bubbled up and not swallowed at the EncryptionUnit level. This will help in diagnosing issues.
* Parameterize crypto functions, part 3Ade Lee2017-03-062-3/+4
| | | | The crypto functions to unwrap the session key have been parameterized.
* Parametrize the encryption functionsAde Lee2017-03-061-0/+94
| | | | | Theis patch parametrizes some of the encryption functions, for key wrapping and storage.
* Refactored EncryptionUnitAde Lee2017-03-062-2/+3
| | | | | | | EncryptionUnit is a bit of a mess right now. Refactored so that crypto specific code is in a few functions. These can now be parameterized to allow selection of parameters for wrapping method, algorithm etc.
* Remove unused methodAde Lee2017-03-061-10/+0
|
* Refactored PKIInstance.load().Endi S. Dewata2017-03-011-0/+33
| | | | | | The code that loads the password.conf in PKIInstance.load() has been converted into a general purpose load_properties() method. A corresponding store_properties() method has been added as well.
* Added InfoService and LoginService.Endi S. Dewata2017-02-246-1/+308
| | | | | | | | | | | New REST services classes have been added to PKIApplication. The InfoService provides general information about the server including version number and access banner. The LoginService provides a way to notify the server that the banner has been displayed on the client, which in that case the InfoService will no longer return the banner again in the same session. https://fedorahosted.org/pki/ticket/2582
* Refactor CertRetrievalRequest constructionFraser Tweedale2017-02-221-13/+2
| | | | | | | Remove an unused constructor from CertRetrievalRequest, and add a constructor that receives the CertId, simplifying usage. Part of: https://fedorahosted.org/pki/ticket/2601
* Added CACertClientExample.Endi S. Dewata2017-02-161-0/+76
| | | | | | A sample program has been added to show how to use CertClient. https://fedorahosted.org/pki/ticket/2584
* Added CAClientExample.Endi S. Dewata2017-02-163-0/+107
| | | | | | A sample program has been added to show how to use CAClient. https://fedorahosted.org/pki/ticket/2584
* Refactored SubsystemClient.Endi S. Dewata2017-02-161-2/+3
| | | | | The SubsystemClient.login() method has been modified to return the AccountInfo obtained from AccountClient.login().
* Refactored ClientConfig.Endi S. Dewata2017-02-161-11/+42
| | | | | | | | The serverURI field in ClientConfig has been replaced with serverURL since it actually stores the location of the server. New methods have been added to access the serverURL field. Existing methods for serverURI are retained for backward compatibility.
* Fix allowed key usages list for symkey generationAde Lee2017-02-021-1/+1
| | | | | KEY_USAGE was accidentally added and verify usage was left off. This results in BZ#1238684
* PKIConnection: allow separation of client cert and pkeyStanislav Laznicka2017-01-311-3/+9
| | | | | | Currently, PKIConnection does not allow to have client certificate and private key stored in different files. However, python-requests library allows this separation so it should be made possible.
* Add option to remove signing cert entryAde Lee2017-01-241-0/+32
| | | | | | | | | | | | | | | In the migration case, it is useful to delete the initially created signing certificate database record and have that be imported through the ldif data import instead. Therefore, we add an option to remove this entry. The user also needs to provide the serial number for the entry. This resolves the following tickets/BZs: BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed on CA website incorrect BZ# 1409946/Trac 2571 - Request ID undefined for CA signing certificate
* Replaced internal token full name literals.Endi S. Dewata2017-01-241-33/+33
| | | | | | | The internal token full name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME. https://fedorahosted.org/pki/ticket/2556
* Refactored ConfigurationRequest.TOKEN_DEFAULT.Endi S. Dewata2017-01-212-10/+12
| | | | | | | The ConfigurationRequest.TOKEN_DEFAULT has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_FULL_INTERNAL_TOKEN_NAME.Endi S. Dewata2017-01-211-1/+0
| | | | | | | The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN_NAME.Endi S. Dewata2017-01-211-2/+0
| | | | | | | The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN.Endi S. Dewata2017-01-211-1/+0
| | | | | | | The Constants.PR_INTERNAL_TOKEN has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical. https://fedorahosted.org/pki/ticket/2556
* Added upgrade script to update AJP loopback address.Endi S. Dewata2017-01-201-0/+4
| | | | | | | | An upgrade script has been added to replace IPv4- and IPv6-specific AJP loopback address with a more generic "localhost" in existing instances. https://fedorahosted.org/pki/ticket/2570
* Added global TCP Keep-Alive option.Endi S. Dewata2017-01-182-0/+13
| | | | | | | | | | | | | | | | A new tcp.keepAlive parameter has been added for CS.cfg to configure the TCP Keep-Alive option for all LDAP connections created by PKI server. By default the option is enabled. The LdapJssSSLSocketFactory has been modified to support both plain and secure sockets. For clarity, the socket factory has been renamed to PKISocketFactory. All codes that create LDAP connections have been modified to use PKISocketFactory such that the TCP Keep-Alive option can be applied globally. https://fedorahosted.org/pki/ticket/2564
* Ticket #2569: Token memory not wiped after key deletionJack Magne2017-01-112-1/+26
| | | | | This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.
* Refactored pki_copytree().Endi S. Dewata2016-12-211-0/+76
| | | | | | The pki_copytree() has been moved from pkihelper.py into pki/util.py such that it can be reused in non-deployment scenarios.
generated by cgit (git 2.34.1) at 2025-09-27 15:07:58 +0000