pki.git - Unnamed repository; edit this file 'description' to name the repository.

	Commit message (Collapse)	Author	Age	Files	Lines
*	PKCS12Util: use AES to encrypt private keys	Fraser Tweedale	2017-04-29	2	-3/+2
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Update PKCS12Util to use AES-256-CBC to encrypt private keys. Use JSS CryptoStore methods to ensure that all key wrapping and unwrapping is done on the token. Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the previous process where a symmetric key was generated, the private key wrapped to the symmetric key, then decryted into Dogtag's memory, then re-encrypted under the supplied passphrase. Now the key gets wrapped directly to the supplied passphrase. Similarly, for import, the EncryptedPrivateKeyInfo was decrypted using the supplied passphrase, then encrypted to a freshly generated symmetric key, which was then used to unwrap the key into the token. Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is used to unwrap the EncryptedPrivateKeyInfo directly into the token, using the supplied passphrase. As a result, the PKCS12KeyInfo class, which previously stored unencrypted key material (a PrivateKeyInfo object), it now only deals with PrivateKey (an opaque handle to an PKCS #11 object) on export and encoded (byte[]) EncryptedPrivateKeyInfo data on import. This split suggests that PKCS12KeyInfo should be decomposed into two classes - one containing a PrivateKey and the other containing a byte[] encryptedPrivateKeyInfo - but this refactoring is left for another day. Part of: https://pagure.io/dogtagpki/issue/2610 Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70 (cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
*	Cleaned up error handling in client and PKCS12 CLIs.	Endi S. Dewata	2017-02-02	9	-183/+47
\| \| \| \| \| \|	The client and PKCS12 CLIs have been modified to use Exceptions instead of System.exit() such that errors can be handled consistently.
*	Fixed KRA cloning issue.	Endi S. Dewata	2016-06-29	1	-2/+4
\| \| \| \| \| \| \| \| \| \| \| \| \|	The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This will avoid changing the trust flags of the CA signing certificate during KRA cloning. The some other classes have been modified to provide better debugging information. https://fedorahosted.org/pki/ticket/2374
*	Added pki pkcs12-cert-mod command.	Endi S. Dewata	2016-06-16	2	-0/+175
\| \| \| \| \|	A new CLI has been added to update the certificate trust flags in PKCS #12 file which will be useful to import OpenSSL certificates.
*	Fixed PKCS #12 export options.	Endi S. Dewata	2016-04-20	1	-1/+1
\| \| \| \| \| \| \| \|	The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
*	Updated pki pkcs12-export CLI.	Endi S. Dewata	2016-04-15	1	-7/+7
\| \| \| \| \| \| \| \| \| \| \| \|	For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
*	Fixed missing trust flags in certificate backup.	Endi S. Dewata	2016-04-04	2	-5/+14
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The ConfigurationUtils.backupKeys() has been modified to use PKCS12Util to export the certificates and their trust flags into a PKCS #12 file such that the file can be used for cloning. The code to generate PFX object has been refactored from the PKCS12Util.storeIntoFile() into a separate generatePFX() method. The PKCS12Util.loadCertFromNSS() has been modified to provide options to load a certificate from NSS database without the key or the certificate chain. The CLIs have been modified to provide the same options. The PKCS12Util.getCertInfo() has modified to ignore missing certificate attributes in the PKCS #12 file and generate a new local ID. https://fedorahosted.org/pki/ticket/2255
*	Added support for cloning 3rd-party CA certificates.	Endi S. Dewata	2016-03-18	3	-20/+59
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
*	Additional clean-ups for PKCS #12 utilities.	Endi S. Dewata	2016-03-18	2	-3/+14
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742
*	Renamed PKCS #12 options for consistency.	Endi S. Dewata	2016-03-18	8	-16/+16
\| \| \| \| \| \| \|	The pki CLI's --pkcs12 options has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742
*	Added workaround for JSS limitation in pki pkcs12-import.	Endi S. Dewata	2016-02-26	3	-3/+189
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Currently JSS is unable to import CA certificates while preserving their nicknames. As a workaround, the pki pkcs12-import has been modified such that it exports individual CA certificates from PKCS The remaining user certificates will continue to be imported using JSS. A new pki pkcs12-cert-export command has been added to export individual certificates from PKCS #12 file into PEM files. The pki pkcs12-import has been modified to take a list of nicknames of the certificates to be imported into NSS database. https://fedorahosted.org/pki/ticket/1742
*	Updated PKCS12Util.	Endi S. Dewata	2016-02-24	2	-17/+21
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	The PKCSUtil has been updated to match the functionality provided by JSS. In order to import a certificate properly, the certificate needs to be exported with its private key and certificate chain, so the option to export without key or without the certificate chain has been removed. The option to export only the certificate chain has also been removed since it can be done by exporting the complete certificate chain, then remove the leaf certificate while keeping the chain. The pki pkcs12-cert-add has been modified to provide an option to create a new PKCS #12 file to store the certificate. The pki pkcs12-export has been modified to always overwrite existing file to match the behavior of PKCS12Export. It also has been modified to accept a list of nicknames of certificates to export. https://fedorahosted.org/pki/ticket/1742
*	Added CLI to manage keys in PKCS #12 file.	Endi S. Dewata	2016-02-19	2	-0/+151
\| \| \| \| \| \| \|	A new CLI has been added to remove a key from a PKCS #12 file based on the key ID. https://fedorahosted.org/pki/ticket/1742
*	Added CLI to manage certs in PKCS #12 file.	Endi S. Dewata	2016-02-19	4	-1/+329
\| \| \| \| \| \| \|	New CLIs have been added to add a certificate from NSS database and to remove a certificate from the PKCS #12 file. https://fedorahosted.org/pki/ticket/1742
*	Refactored PKCS12Util to use PKCS12 object.	Endi S. Dewata	2016-02-19	6	-19/+72
\| \| \| \| \| \| \| \| \| \| \| \|	The PKCS12Util has been modified such that it stores the certs and keys in PKCS12 object instead of PFX object. The PKCS12 object can be loaded either from NSS database or PKCS #12 file. The PKCS12 object can later be stored into NSS database or PKCS #12 file. The pki pkcs12-cert-find and pkcs12-key-find commands were modified to require PKCS #12 password. https://fedorahosted.org/pki/ticket/1742
*	Refactored PKCS12CertInfo and PKCS12KeyInfo classes.	Endi S. Dewata	2016-02-19	4	-13/+13
\| \| \| \| \| \| \| \| \| \|	The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out of PKCS12Util into separate classes. The createLocalKeyID() has been modified to return BigInteger instead of byte array. https://fedorahosted.org/pki/ticket/1742
*	Added PKCS #12 attribute to store certificate trust flags.	Endi S. Dewata	2016-02-17	4	-3/+19
\| \| \| \| \| \| \| \| \|	A new PKCS #12 attribute has been defined to store NSS certificate trust flags in PKCS #12 file. The PKCS12Util has been modified to store the trust flags during export and reset the trust flags in NSS database during import. https://fedorahosted.org/pki/ticket/1742
*	Added CLIs to import and export PKCS #12.	Endi S. Dewata	2016-02-17	3	-0/+266
\| \| \| \| \| \| \| \|	The pki pkcs12-import and pki pkcs12-export commands have been added to import and export PKCS #12 file into and from NSS database. https://fedorahosted.org/pki/ticket/1742
*	Added CLIs to inspect PKCS #12 file.	Endi S. Dewata	2016-02-12	5	-0/+412
	The pki pkcs12-cert-find and pki pkcs12-key-find commands have been added to list the certificates and keys in a PKCS #12 file. https://fedorahosted.org/pki/ticket/1742