| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.
|
|
|
|
|
| |
The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.
|
|
|
|
|
|
|
|
|
|
| |
Wrapping params can now be specified in CS.cfg as per design.
The default will be AES. If the parameters are not set, then the
old mechanism (DES) will be used instead.
A migration script will be created in a separate commit.
Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many parts of Dogtag expect an IAuthToken, which represents the
authenticated user. The sole implementation, AuthToken, uses some
concepts that do not carry across to externally authenticated
principals, e.g. an external principal does not have an associated
IAuthManager that was used to authenticate the principal. Therefore
something different is needed.
Implement ExternalAuthToken which wraps a GenericPrincipal and
provides access to the data therein.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
| |
Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
| |
The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.
The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.
|
|
|
|
|
| |
A new constructor has been added into EInvalidCredentials to
support exception chaining.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
|
|
|
| |
Change-Id: I6024ca5a32769b460d578dfad46598432381784c
|
|
|
|
|
|
| |
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
|
|
|
|
|
|
|
|
|
|
|
| |
On the security data recovery service, the client can now specify the
encryption and wrapping algorithms to be used when wrapping the key,
rather than assuming DES. The server will use the specified wrapping
algorithm (and key).
If the algorithms are not specified, then the old mechanism is assumed.
Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
|
|
|
|
|
|
|
|
| |
The PKIArchiveOptions object contains an OID for the encryption algorithm.
Use this to create the correct WrappingParam for the tranport unit instead
of defaulting to DES3.
Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
|
|
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
| |
Exceptions should be bubbled up and not swallowed at the EncryptionUnit
level. This will help in diagnosing issues.
|
|
|
|
| |
The crypto functions to unwrap the session key have been parameterized.
|
|
|
|
|
| |
Theis patch parametrizes some of the encryption functions, for key
wrapping and storage.
|
|
|
|
|
|
|
| |
EncryptionUnit is a bit of a mess right now. Refactored so that
crypto specific code is in a few functions. These can now be
parameterized to allow selection of parameters for wrapping method,
algorithm etc.
|
| |
|
|
|
|
|
|
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
|
|
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
| |
Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
|
|
|
|
|
|
| |
A sample program has been added to show how to use CertClient.
https://fedorahosted.org/pki/ticket/2584
|
|
|
|
|
|
| |
A sample program has been added to show how to use CAClient.
https://fedorahosted.org/pki/ticket/2584
|
|
|
|
|
| |
The SubsystemClient.login() method has been modified to return
the AccountInfo obtained from AccountClient.login().
|
|
|
|
|
|
|
|
| |
The serverURI field in ClientConfig has been replaced with
serverURL since it actually stores the location of the server.
New methods have been added to access the serverURL field.
Existing methods for serverURI are retained for backward
compatibility.
|
|
|
|
|
| |
KEY_USAGE was accidentally added and verify usage was left off.
This results in BZ#1238684
|
|
|
|
|
|
| |
Currently, PKIConnection does not allow to have client certificate
and private key stored in different files. However, python-requests
library allows this separation so it should be made possible.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
|
|
|
|
|
|
|
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The ConfigurationRequest.TOKEN_DEFAULT has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN_NAME has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
| |
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
|
|
|
|
|
|
|
| |
An upgrade script has been added to replace IPv4- and IPv6-specific
AJP loopback address with a more generic "localhost" in existing
instances.
https://fedorahosted.org/pki/ticket/2570
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new tcp.keepAlive parameter has been added for CS.cfg to
configure the TCP Keep-Alive option for all LDAP connections
created by PKI server. By default the option is enabled.
The LdapJssSSLSocketFactory has been modified to support both
plain and secure sockets. For clarity, the socket factory has been
renamed to PKISocketFactory.
All codes that create LDAP connections have been modified to use
PKISocketFactory such that the TCP Keep-Alive option can be applied
globally.
https://fedorahosted.org/pki/ticket/2564
|
|
|
|
|
| |
This is the dogtag upstream side of the TPS portion of this ticket.
This fix also involves an applet fix, handled in another bug.
|
|
|
|
|
|
| |
The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.
|
|
|
|
|
|
|
| |
The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
|
|
|
|
|
| |
The getAuthzManagerByRealm public method is defined in
AuthzSubsystem but to support external principals we want to make
this part of the IAuthzSubsystem interface, so other classes (e.g.
ACLInterceptor) can use it.
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
|
|
|
| |
Commit db58e6071f6bb57de006e6499c0a0c6a8c8e67bf has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2531
|
|
|
|
|
|
|
| |
Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2535
|
|
|
|
|
|
|
|
|
|
| |
Previously the pki user-cert-add fails to check whether the server
has a CA subsystem when it's invoked over SSL. That is because the
CLI tries to establish a new but improperly set up SSL connection.
Now the CLI has been modified to use the existing server
connection.
https://fedorahosted.org/pki/ticket/1517
|
|
|
|
|
|
|
|
|
| |
The PKIConnection has been modified to provide two get() methods:
one returning a generic Response object wnd the other returning an
object with the specified type. The ConfigurationUtils has been
modified accordingly.
https://fedorahosted.org/pki/ticket/1517
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TPS throws "err=6" when attempting to format and enroll G&D Cards.
https://bugzilla.redhat.com/show_bug.cgi?id=1320283
This fix addresses this bug , but also:
Fixes this issue:
Applet upgrade during rekey operation results in formatted token.
Also, it takes care of a related issue where the new apdu needed for the
lifecycle state causes the testing tool "tpslcient" to seg fault.
The fix here is a minimal fix to have tpsclient return an error when it gets
this apdu it can't handle, instead of crashing.
|
|
|
|
|
|
|
|
| |
The AccountInfo has been changed to extend the ResourceMessage
such that it can be used to pass the list of accessible
components as an attribute.
https://fedorahosted.org/pki/ticket/2523
|