| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using an HSM, AES KeyWrapping is not available and so
some different code paths were exercised. Fixing bugs in those
paths uncovered a case where we were calling unwrapSymmetric()
with bits and not bytes for the key length.
This does not matter for 3DES, where JSS expects a length of 0,
but very much matters for AES. Fixing this - and the KeyClient
to actually use the returned wrapping algorithm to unwrap, allows
us now to return generated symmetric keys correctly.
Bugzilla BZ#1448521
Pagure: 2690
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In HSMs, we were not able to retrieve asym keys that were
generated from the AsymKeyGenService, because the right
flags were not set (ie. set like in the server side
keygen case).
To do this, I extracted the key generation function from
NetKeygenService to KeyRecoveryAuthority, so that it could
be used by both services.
Bugzilla BZ# 1386303
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
|
| |
|
|
|
|
|
|
| |
pki.authority was mistakenly sending headers as POST body instead of
sending an empty POST body with right headers.
Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
|
| |
|
|
|
|
|
|
| |
This is tested using Barbican as a client. We are simply
reverting to the same behavior we had before for the
NSS Crypto provider case.
Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
|
| |
|
|
|
|
|
|
|
| |
Incorrect key size lead to errors when the client side
was set to use 3DES. Also deprecate not providing an
encryption algorithm OID explcitly in
archive_encrypted_data()
Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
|
| |
|
|
|
|
|
| |
When no algorithm OID is provided, we used to default to 3DES.
We need to continue to do this to not break IPA.
Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The SourceConfigStore load() method does not clear the config store,
but this might be necessary to avoid stale data if wanting to
perform a complete replacement of the data (e.g. reload from file).
We should not change the behaviour of load() in case some code is
relying on the current behaviour, so add the clear() method to the
interface.
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest
object.
The auditInfoValue() method in CAProcessor has been moved into
CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl
object.
Copies of auditInfoCertValue() method in various classes have been
combined and moved into CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
|
| |
|
|
|
|
|
|
|
| |
A new SignedAuditConfigRoleEvent class of has been added to
encapsulate the CONFIG_SIGNED_AUDIT events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
|
| |
|
|
|
|
|
|
|
| |
A new CertRequestProcessedEvent class of has been added to
encapsulate the CERT_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
|
| |
|
|
|
|
|
|
|
| |
A new ConfigRoleEvent class of has been added to encapsulate the
CONFIG_ROLE events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
|
| |
|
|
|
|
|
|
|
| |
A new RoleAssumeEvent class of has been added to encapsulate the
ROLE_ASSUME events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
|
| |
|
|
|
|
|
|
|
| |
A new AuthzFailEvent class of has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
|
| |
|
|
|
|
|
|
|
| |
A new AuthzSuccessEvent class of has been added to encapsulate the
AUTHZ_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
|
| |
|
|
|
|
|
|
|
| |
A new AuthFailEvent class of has been added to encapsulate the
AUTH_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
|
| |
|
|
|
|
|
|
|
| |
A new AuthSuccessEvent class of has been added to encapsulate the
AUTH_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
|
| |
|
|
|
|
|
| |
The IAuditor has been modified to define a log() method for
AuditEvent object.
Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9
|
| |
|
|
|
|
| |
A new method has been added to set AuditEvent's parameters.
Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714
|
| |
|
|
|
|
|
|
| |
When an exception is thrown, the connection is currently
not closed, leading to Invalid State exceptions when the
next connection is attempted. This resolves this issue.
Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CRMFPopClient and the pki cert client both can send a CRMF request
to a CA directly. Logic is added to check the CA for the required
KRA wrapping params and use those in place of any that have been
provided by the environment or command line.
Also, additional data for the supported KRA keyset has been added to
the CAInfoService. This will need to be managed by the admin. The
default is "1" which corresponds to AES.
Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If a certificate request comes with additional data in the
'cert-request' query param, add that to the request. Profile
components can then use this data.
This is needed to convey the subject principal name to the
ExternalProcessConstraint, when validating FreeIPA certificate
requests after we switch to GSS-API authentication.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous commit added a field in the KeyRecord to
specify whether or not a key was encrypted or key wrapped
when archived. This patch modifies the recovery servlets
to use this field to determine how to decrypt/unwrap the
key for transport.
Absence of this field in the key record implies that is
an old record - and we use the value of the CS.cfg parameter
as the default.
Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Whether a secret was encrypted or wrapped in the storage unit
depends on a parameter in CS.cfg. If that parameter is changed,
the Storage unit may use the wrong mechanism to try to decrypt
the stored key. Thats ok for encrypt/wrap using DES or AES-CBC,
but not for AES KeyWrap.
In this patch, we add a field in the Key record to specify whether
the secret was encrypted with stored (or keywrapped if false).
A subsequent patch will change the logic when decrypting to use
this field.
Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
recieved, the server assumes its talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
|
| |
|
|
|
|
|
| |
subprocess returns bytes in Python 3. Make sure to
decode first when returning env variables.
Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
|
| |
|
|
|
|
|
| |
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.
Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the server cannot do key wrapping using the AES KeyWrap,
probably because the backend HSM cannot do key wrapping, then
there is a setting to allow it to use encrypt/decrypt instead.
If the key wrap algorithm is something simple like 3DES or AES-CBC,
then the client can just use key wrapping to wrap the key on its
token, and the server can use an encryption algorithm to decrypt.
The client does not need to know that the server cannot handle a
key wrap, because keywrapping and encryption are pretty much the
same mechanism - just either in server memory or not.
When we do key wrapping using AES KeyWrap though, there is no
corresponding encryption algorithm used to decrypt. So the server
cannot simply decrypt a message wrapped with AES Keywrap (or at least
not in any obvious way). So in this case, the client needs to know
if the server can handle keywrap.
The patch therefore does the following:
1. For CRMFPopClient, adds a command line option to specify if key
wrapping or encryption is required.
2. Reads an environment variable if no option is provided.
3. If encryption is specified, uses key wrapping using AES-CBC
which can be decrypted on the server side.
4. For cert-client, contacts the server to determine from the
CAInfoResource if keywrapping is supported.
Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
|
| |
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
| |
|
|
| |
Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
|
| |
|
|
| |
Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
|
| |
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
| |
|
|
| |
Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
|
| |
|
|
| |
Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
|
| |
|
|
| |
Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
|
| |
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
| |
|
|
| |
Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /kra/rest/info)
will initially return the mechanism for archival or retrieval.
This is needed by clients to know how to package secrets when
archiving.
Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
|
| |
|
|
|
|
|
|
|
|
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
|
| |
|
|
|
|
|
|
|
|
| |
To help troubleshooting the PKIConnection has been modified to
register an SSL socket listener which will display SSL alerts
that it has received or sent.
https://pagure.io/dogtagpki/issue/2625
Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added code to:
* Add an InfoClient to the KRAClient
* Check the server, client and crypto provider keyset levels and
select the highest possible level accordingly.
* Added new fields as returned by the server for retrieval.
* Added new fields to KeyRecoveryRequest as added in AES changes.
Changes to decode keywrapped symmetirc and asymmetric keys will
be added in subsequent patches. Right now, encrypt/decrypt works.
Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
|
| |
|
|
|
|
|
|
|
|
|
| |
The python-cryptography provider is added. It will use AES
mechanisms by default. The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.
Added some methods to determine which crypto keyset levels are
supported by the crypto provider.
Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
|
| |
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
This is needed to set the same environment as the pki CLI
and pick up any client specific changes.
Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
|
| |\| |
|
