| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
The python-cryptography provider is added. It will use AES
mechanisms by default. The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.
Added some methods to determine which crypto keyset levels are
supported by the crypto provider.
Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
|
| |
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
This is needed to set the same environment as the pki CLI
and pick up any client specific changes.
Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
|
| |\| |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add python client code to read from the InfoResource class and get
the server version. As the PKIConnection in the python client
currently requires a subsystem, it is difficult to add an infoclient
to an existing KRAClient (or any other client).
To get around this, I modified the PKIConnection to allow using the
rootURI.
Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
|
| |/
|
|
|
|
|
| |
A new PKIRESTProvider has been added to send and receive
StreamingOutput object through REST API.
Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
|
| |
|
|
|
|
|
| |
The AuditCLI has been modified to create the AuditClient with lazy
initialization.
Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
|
| | |
|
| |
|
|
|
|
| |
https://pagure.io/dogtagpki/issue/2627
Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Up to now, we have only ever used the same algorithm (DES3_CBC)
for key wrapping and encryption. With the change to use AES Keywrap
and AES CBC, we need to know which mechanism was used to encrypt/wrap
the secrets when returned to the client.
This means passing back more information to the client with the key
data, and also modifying the client to use this information to decode
the data correctly.
Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
|
| |
|
|
| |
adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the storage unit reuses the same IV each time a record
is stored. This works (probably) for DES3, but not for AES.
The getWrappingParams() method is modified to check the config as follows
(in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- return null
To ensure that the same IV used to encrypt the secret is stored in the
DB, the wrapping param is defined once in the archival process, and
passed in to the wrapping functions in storageUnit.
Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used. Trying to unpack
the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.
Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms. This
can be set by clients talking to old servers.
CRMFPopClient has the ability to automatically submit requests to
a CA. In this case, we shouldcontact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.
Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
|
| |
|
|
| |
Change-Id: I862c86994e6268860380404113a9bea0d237d60e
|
| |
|
|
|
|
| |
Also used the infoClient in the KeyClient
Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Changed the client to use AES-128-CBC-PAD rather than DES-3.
Because AES-256-CBC-PAD has no OID defined, we use the following
hack:
* Pass in the AES-256-CBC OID as the encrypt algorithm OID
* Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size
of 128) when recieving the OID for AES.
* Changed the client to send, and the server to pass through
the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately
sized IV on retrieval.
This code has been tested to successfully create and retrieve
secrets using AES. Ideally, we'd be using GCM rather than CBC,
which then requires no padding - and no hack needed. Hopefully,
we can get that working in a subsequent commit.
Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
|
| |
|
|
|
| |
The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.
|
| |
|
|
|
| |
The CryptoUtil.setSSLCipher() has been modified to support ciphers
specified using hex ID.
|
| |
|
|
|
| |
The pki.nssdb module has been modified to support operations
without NSS database password.
|
| |
|
|
|
| |
A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.
|
| |
|
|
|
| |
A new parameter has been added to pki.conf to configure the SSL
ciphers used by PKI CLI in addition to the default ciphers.
|
| |
|
|
|
| |
The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.
|
| |
|
|
|
|
| |
This patch provides methods that can be shared between the CA and the ISharedToken plugins:
1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms.
2. The establishment of Issuance Protection Certificate
|
| |
|
|
|
|
|
| |
To prevent conflicts, the code that configures the default SSL
version ranges and ciphers for all SSL sockets created afterwards
has been moved out of PKIConnection into the main program (i.e.
PKI CLI).
|
| |
|
|
|
| |
The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.
|
| |
|
|
|
| |
The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.
|
| |
|
|
|
|
|
|
|
|
| |
Wrapping params can now be specified in CS.cfg as per design.
The default will be AES. If the parameters are not set, then the
old mechanism (DES) will be used instead.
A migration script will be created in a separate commit.
Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many parts of Dogtag expect an IAuthToken, which represents the
authenticated user. The sole implementation, AuthToken, uses some
concepts that do not carry across to externally authenticated
principals, e.g. an external principal does not have an associated
IAuthManager that was used to authenticate the principal. Therefore
something different is needed.
Implement ExternalAuthToken which wraps a GenericPrincipal and
provides access to the data therein.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
| |
Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
| |
The PKI CLI has been modified to support cascading configuration
files: default, system-wide, and user-specific configuration.
The existing Python-based PKI CLI was moved into pki.cli.main
module. A new shell script was added as a replacement which will
read the configuration files and invoke the Python module.
|
| |
|
|
|
| |
A new constructor has been added into EInvalidCredentials to
support exception chaining.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
| |
|
|
| |
Change-Id: I6024ca5a32769b460d578dfad46598432381784c
|
| |
|
|
|
|
| |
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
|
| |
|
|
|
|
|
|
|
|
|
| |
On the security data recovery service, the client can now specify the
encryption and wrapping algorithms to be used when wrapping the key,
rather than assuming DES. The server will use the specified wrapping
algorithm (and key).
If the algorithms are not specified, then the old mechanism is assumed.
Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
|
| |
|
|
|
|
|
|
| |
The PKIArchiveOptions object contains an OID for the encryption algorithm.
Use this to create the correct WrappingParam for the tranport unit instead
of defaulting to DES3.
Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
|
| |
|
|
| |
Fixes: https://fedorahosted.org/pki/ticket/2601
|
| |
|
|
|
| |
Exceptions should be bubbled up and not swallowed at the EncryptionUnit
level. This will help in diagnosing issues.
|
| |
|
|
| |
The crypto functions to unwrap the session key have been parameterized.
|
| |
|
|
|
| |
Theis patch parametrizes some of the encryption functions, for key
wrapping and storage.
|
| |
|
|
|
|
|
| |
EncryptionUnit is a bit of a mess right now. Refactored so that
crypto specific code is in a few functions. These can now be
parameterized to allow selection of parameters for wrapping method,
algorithm etc.
|
| | |
|
| |
|
|
|
|
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
|
| |
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
|
| |
Remove an unused constructor from CertRetrievalRequest, and add a
constructor that receives the CertId, simplifying usage.
Part of: https://fedorahosted.org/pki/ticket/2601
|
