summaryrefslogtreecommitdiffstats
path: root/base/common
Commit message (Collapse)AuthorAgeFilesLines
* Added CertRequestProcessedEvent constructor for X509CertImpl.Endi S. Dewata2017-04-251-0/+71
| | | | | | | | | | | | | A new CertRequestProcessedEvent constructor has been added to encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl object. Copies of auditInfoCertValue() method in various classes have been combined and moved into CertRequestProcessedEvent. https://pagure.io/dogtagpki/issue/2636 Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
* Added ConfigSignedAuditEvent.Endi S. Dewata2017-04-251-0/+39
| | | | | | | | | A new SignedAuditConfigRoleEvent class of has been added to encapsulate the CONFIG_SIGNED_AUDIT events. https://pagure.io/dogtagpki/issue/2641 Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
* Added CertRequestProcessedEvent.Endi S. Dewata2017-04-241-0/+43
| | | | | | | | | A new CertRequestProcessedEvent class of has been added to encapsulate the CERT_REQUEST_PROCESSED events. https://pagure.io/dogtagpki/issue/2636 Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
* Added ConfigRoleEvent.Endi S. Dewata2017-04-241-0/+39
| | | | | | | | | A new ConfigRoleEvent class of has been added to encapsulate the CONFIG_ROLE events. https://pagure.io/dogtagpki/issue/2641 Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
* Added RoleAssumeEvent.Endi S. Dewata2017-04-241-0/+39
| | | | | | | | | A new RoleAssumeEvent class of has been added to encapsulate the ROLE_ASSUME events. https://pagure.io/dogtagpki/issue/2641 Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
* Added AuthzFailEvent.Endi S. Dewata2017-04-241-0/+59
| | | | | | | | | A new AuthzFailEvent class of has been added to encapsulate the AUTHZ_FAIL events. https://pagure.io/dogtagpki/issue/2641 Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
* Added AuthzSuccessEvent.Endi S. Dewata2017-04-241-0/+59
| | | | | | | | | A new AuthzSuccessEvent class of has been added to encapsulate the AUTHZ_SUCCESS events. https://pagure.io/dogtagpki/issue/2641 Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
* Added AuthFailEvent.Endi S. Dewata2017-04-241-0/+41
| | | | | | | | | A new AuthFailEvent class of has been added to encapsulate the AUTH_FAIL events. https://pagure.io/dogtagpki/issue/2641 Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
* Added AuthSuccessEvent.Endi S. Dewata2017-04-241-0/+39
| | | | | | | | | A new AuthSuccessEvent class of has been added to encapsulate the AUTH_SUCCESS events. https://pagure.io/dogtagpki/issue/2641 Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
* Fixed missing IAuditor.log(AuditEvent).Endi S. Dewata2017-04-211-0/+2
| | | | | | | The IAuditor has been modified to define a log() method for AuditEvent object. Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9
* Added AuditEvent.setParameters().Endi S. Dewata2017-04-191-0/+7
| | | | | | A new method has been added to set AuditEvent's parameters. Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714
* Make sure connection is always closedAde Lee2017-04-191-10/+20
| | | | | | | | When an exception is thrown, the connection is currently not closed, leading to Invalid State exceptions when the next connection is attempted. This resolves this issue. Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb
* Modify cert clients to check server for wrapping paramsAde Lee2017-04-191-0/+16
| | | | | | | | | | | | | CRMFPopClient and the pki cert client both can send a CRMF request to a CA directly. Logic is added to check the CA for the required KRA wrapping params and use those in place of any that have been provided by the environment or command line. Also, additional data for the supported KRA keyset has been added to the CAInfoService. This will need to be managed by the admin. The default is "1" which corresponds to AES. Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
* Allow arbitrary user data in cert requestFraser Tweedale2017-04-192-0/+10
| | | | | | | | | | | | If a certificate request comes with additional data in the 'cert-request' query param, add that to the request. Profile components can then use this data. This is needed to convey the subject principal name to the ExternalProcessConstraint, when validating FreeIPA certificate requests after we switch to GSS-API authentication. Part of: https://pagure.io/dogtagpki/issue/1359
* Allow key recovery to use encrypted field in key recordAde Lee2017-04-131-0/+2
| | | | | | | | | | | | | | The previous commit added a field in the KeyRecord to specify whether or not a key was encrypted or key wrapped when archived. This patch modifies the recovery servlets to use this field to determine how to decrypt/unwrap the key for transport. Absence of this field in the key record implies that is an old record - and we use the value of the CS.cfg parameter as the default. Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
* Add field to indicate if key was encrypted or wrappedAde Lee2017-04-131-1/+1
| | | | | | | | | | | | | | | | Whether a secret was encrypted or wrapped in the storage unit depends on a parameter in CS.cfg. If that parameter is changed, the Storage unit may use the wrong mechanism to try to decrypt the stored key. Thats ok for encrypt/wrap using DES or AES-CBC, but not for AES KeyWrap. In this patch, we add a field in the Key record to specify whether the secret was encrypted with stored (or keywrapped if false). A subsequent patch will change the logic when decrypting to use this field. Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
* Fix symkey retrieval in python clientAde Lee2017-04-133-12/+99
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Keys (like symmetric keys and asymmetric keys) are returned from the KRA either encrypted or key wrapped. Because the AES keywrapping algorithm cannot be decrypted using AES CBC, we need special logic to unwrap the keys. The flow here is as follows: 1. When a key retrieval request is sent to the server, the client sends the encryption and key wrapping algorithms it requires the key to be wrapped along with the wrapping key. 2. If no encryption algorithm or key wrap algorithm is recieved, the server assumes its talking to an old client and uses DES3. 3. The key is retrieved and (on server's choice) is wrapped or encrypted. The return package will have either encryption or key wrap algorithm set (depending on how the key was encrypted/wrapped.) 4. client uses that to determine how to unwrap key. This patch: 1. Makes sure the key wrap algorithm requested by client is passed through and used to wrap the retrieved key. 2. Adds logic in the python client to unwrap/decrypt. 3. As python-cryptography does not yet support AES KeyWrap with padding, the python client is configured to request AES-CBC by default. Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
* Fix python issues identified in reviewAde Lee2017-04-131-5/+4
| | | | | | | subprocess returns bytes in Python 3. Make sure to decode first when returning env variables. Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
* Updated CMS.getLogMessage().Endi S. Dewata2017-04-132-2/+2
| | | | | | | The CMS.getLogMessage() has been generalized to take an array of Objects instead of Strings. Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
* Modified CRMFPopClient to use correct wrapping for encrypt caseAde Lee2017-04-122-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the server cannot do key wrapping using the AES KeyWrap, probably because the backend HSM cannot do key wrapping, then there is a setting to allow it to use encrypt/decrypt instead. If the key wrap algorithm is something simple like 3DES or AES-CBC, then the client can just use key wrapping to wrap the key on its token, and the server can use an encryption algorithm to decrypt. The client does not need to know that the server cannot handle a key wrap, because keywrapping and encryption are pretty much the same mechanism - just either in server memory or not. When we do key wrapping using AES KeyWrap though, there is no corresponding encryption algorithm used to decrypt. So the server cannot simply decrypt a message wrapped with AES Keywrap (or at least not in any obvious way). So in this case, the client needs to know if the server can handle keywrap. The patch therefore does the following: 1. For CRMFPopClient, adds a command line option to specify if key wrapping or encryption is required. 2. Reads an environment variable if no option is provided. 3. If encryption is specified, uses key wrapping using AES-CBC which can be decrypted on the server side. 4. For cert-client, contacts the server to determine from the CAInfoResource if keywrapping is supported. Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
* Reorganized audit event constants for configuration.Endi S. Dewata2017-04-122-3/+37
| | | | Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
* Reorganized additional audit event constants for KRA.Endi S. Dewata2017-04-121-0/+27
| | | | Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
* Reorganized audit event constants for CA.Endi S. Dewata2017-04-121-0/+11
| | | | Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
* Reorganized audit event constants for authentication.Endi S. Dewata2017-04-121-0/+19
| | | | Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
* Reorganized audit event constants for OCSP.Endi S. Dewata2017-04-121-0/+17
| | | | Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
* Reorganized audit event constants for TKS.Endi S. Dewata2017-04-121-0/+25
| | | | Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
* Reorganized audit event constants for KRA.Endi S. Dewata2017-04-121-0/+28
| | | | Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
* Added audit event constants for TPS.Endi S. Dewata2017-04-121-0/+51
| | | | Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
* Added audit event constants for SSL session.Endi S. Dewata2017-04-121-4/+10
| | | | Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
* Add CAInfo resourceAde Lee2017-04-113-0/+205
| | | | | | | | | | This resource (which will be accessed at /ca/rest/info) will initially return the mechanism for archival. This is needed by clients to know how to package secrets when archiving. We may add the transport cert later. Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
* Add KRAInfo resourceAde Lee2017-04-114-0/+227
| | | | | | | | | | This resource (which will be accessed at /kra/rest/info) will initially return the mechanism for archival or retrieval. This is needed by clients to know how to package secrets when archiving. Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
* Added FIPS-compliant password generator.Endi S. Dewata2017-04-111-0/+63
| | | | | | | | | | A new function has been added to generate a random password that meets FIPS requirements for a strong password. This function is used to generate NSS database password during installation. https://pagure.io/dogtagpki/issue/2556 Change-Id: I64dd36125ec968f6253f90835e6065325d720032
* Added SSLSocketListener for PKIConnection.Endi S. Dewata2017-04-071-0/+40
| | | | | | | | | | To help troubleshooting the PKIConnection has been modified to register an SSL socket listener which will display SSL alerts that it has received or sent. https://pagure.io/dogtagpki/issue/2625 Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83
* Add code in KRA python client to support multiple crypto algorithmsAde Lee2017-04-063-36/+144
| | | | | | | | | | | | | | Added code to: * Add an InfoClient to the KRAClient * Check the server, client and crypto provider keyset levels and select the highest possible level accordingly. * Added new fields as returned by the server for retrieval. * Added new fields to KeyRecoveryRequest as added in AES changes. Changes to decode keywrapped symmetirc and asymmetric keys will be added in subsequent patches. Right now, encrypt/decrypt works. Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
* Add python-cryptography crypto providerAde Lee2017-04-063-17/+197
| | | | | | | | | | | The python-cryptography provider is added. It will use AES mechanisms by default. The eventual goal is to use this provider by default, and to obsolete the NSS CryptoProvider. Added some methods to determine which crypto keyset levels are supported by the crypto provider. Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
* Added CLIs to access audit log files.Endi S. Dewata2017-04-044-1/+190
| | | | | | | New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Fix pylint errorsAde Lee2017-04-042-1/+2
|
* Merge "Add util code to source environment files"Ade Lee2017-04-041-0/+28
|\
| * Add util code to source environment filesAde Lee2017-04-031-0/+28
| | | | | | | | | | | | | | This is needed to set the same environment as the pki CLI and pick up any client specific changes. Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
* | Merge "Added python info client"Ade Lee2017-04-042-11/+138
|\|
| * Added python info clientAde Lee2017-04-032-11/+138
| | | | | | | | | | | | | | | | | | | | | | | | Add python client code to read from the InfoResource class and get the server version. As the PKIConnection in the python client currently requires a subsystem, it is difficult to add an infoclient to an existing KRAClient (or any other client). To get around this, I modified the PKIConnection to allow using the rootURI. Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
* | Added PKIRESTProvider.Endi S. Dewata2017-04-043-3/+121
|/ | | | | | | A new PKIRESTProvider has been added to send and receive StreamingOutput object through REST API. Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
* Refactored AuditCLI.Endi S. Dewata2017-03-311-2/+0
| | | | | | | The AuditCLI has been modified to create the AuditClient with lazy initialization. Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
* Misc pylint, flake8 and tox fixesChristian Heimes2017-03-314-3/+6
|
* Fixed pylint error in pki.authority.Endi S. Dewata2017-03-311-1/+1
| | | | | | https://pagure.io/dogtagpki/issue/2627 Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
* Fix retrieval for symmetric keysAde Lee2017-03-286-6/+197
| | | | | | | | | | | | | Up to now, we have only ever used the same algorithm (DES3_CBC) for key wrapping and encryption. With the change to use AES Keywrap and AES CBC, we need to know which mechanism was used to encrypt/wrap the secrets when returned to the client. This means passing back more information to the client with the key data, and also modifying the client to use this information to decode the data correctly. Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
* Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch ↵Christina Fu2017-03-281-0/+3
| | | | adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
* Added audit logs for SSL/TLS events.Endi S. Dewata2017-03-281-0/+3
| | | | | | | | | | | | | | | The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Modify storage unit to generate a new IVAde Lee2017-03-241-4/+7
| | | | | | | | | | | | | | | | | Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES. The getWrappingParams() method is modified to check the config as follows (in order): -- if the iv is defined, use that iv -- if the length is defined, generate a byte array of that length -- return null To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit. Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Change CRMFPopClient to use AES-KeyWrap with paddingAde Lee2017-03-241-0/+16
| | | | | | | | | | | | | | | | | | Also made a couple of small changes to WrappingParams. * Set the wrapIV to null when AES KeyWrap is used. Trying to unpack the PKIArchiveOptions package with this IV set to null fails. * removed superfluous this modifiers. Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf. If this parameter is set to 0, we will use the old DES3 algorithms. This can be set by clients talking to old servers. CRMFPopClient has the ability to automatically submit requests to a CA. In this case, we shouldcontact the server and determine the version using InfoClient, and choose the algorithm accordingly. We will implement this in a separate patch. Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
generated by cgit (git 2.34.1) at 2025-09-27 13:19:11 +0000