summaryrefslogtreecommitdiffstats
path: root/base/java-tools/src/com
Commit message (Collapse)AuthorAgeFilesLines
* Modify cert clients to check server for wrapping paramsAde Lee2017-04-192-19/+84
| | | | | | | | | | | | | CRMFPopClient and the pki cert client both can send a CRMF request to a CA directly. Logic is added to check the CA for the required KRA wrapping params and use those in place of any that have been provided by the environment or command line. Also, additional data for the supported KRA keyset has been added to the CAInfoService. This will need to be managed by the admin. The default is "1" which corresponds to AES. Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
* Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation This patch ↵Christina Fu2017-04-133-44/+446
| | | | provides the feature for CMC on handling id-cmc-popLinkWitnessV2
* Modified CRMFPopClient to use correct wrapping for encrypt caseAde Lee2017-04-122-8/+63
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the server cannot do key wrapping using the AES KeyWrap, probably because the backend HSM cannot do key wrapping, then there is a setting to allow it to use encrypt/decrypt instead. If the key wrap algorithm is something simple like 3DES or AES-CBC, then the client can just use key wrapping to wrap the key on its token, and the server can use an encryption algorithm to decrypt. The client does not need to know that the server cannot handle a key wrap, because keywrapping and encryption are pretty much the same mechanism - just either in server memory or not. When we do key wrapping using AES KeyWrap though, there is no corresponding encryption algorithm used to decrypt. So the server cannot simply decrypt a message wrapped with AES Keywrap (or at least not in any obvious way). So in this case, the client needs to know if the server can handle keywrap. The patch therefore does the following: 1. For CRMFPopClient, adds a command line option to specify if key wrapping or encryption is required. 2. Reads an environment variable if no option is provided. 3. If encryption is specified, uses key wrapping using AES-CBC which can be decrypted on the server side. 4. For cert-client, contacts the server to determine from the CAInfoResource if keywrapping is supported. Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
* Deprecated -t option for pki CLI.Endi S. Dewata2017-04-101-4/+6
| | | | | | | The MainCLI has been modified to generate a deprecation warning for the -t option. Change-Id: I28ac45954a900f6944528ef52913982d72896c92
* Fixed pki user and group commands.Endi S. Dewata2017-04-102-2/+4
| | | | | | | | | The UserCLI and GroupCLI have been fixed to use the subsystem name in the client configuration object if available. https://pagure.io/dogtagpki/issue/2626 Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f
* Added CLIs to access audit log files.Endi S. Dewata2017-04-043-0/+188
| | | | | | | New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems.Endi S. Dewata2017-04-044-0/+8
| | | | | | | Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems. Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Fix generation of CRMF request for ECC keysAde Lee2017-04-031-15/+1
| | | | | | | | | | | Old CRMFPopClients add the OID for ECC public keys in the encryption algorithm OID for no obvious reason (considering the OID was never read on the server side to begin with). Now that we do read and use that field, we need to set it properly, and also special case on the server side to handle old clients. Change-Id: I0d753e572206e9062746c879ce683978e5e657bd
* Refactored AuditCLI.Endi S. Dewata2017-03-311-3/+7
| | | | | | | The AuditCLI has been modified to create the AuditClient with lazy initialization. Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
* Fixed default subsystems for top-level CLI commands.Endi S. Dewata2017-03-315-10/+39
| | | | | | | | | | The top-level CLI commands have been modified to get the subsystem name from the parent subsystem CLI if available, otherwise they will use a hard-coded default value. https://pagure.io/dogtagpki/issue/2626 Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0
* Fix retrieval for symmetric keysAde Lee2017-03-281-1/+1
| | | | | | | | | | | | | Up to now, we have only ever used the same algorithm (DES3_CBC) for key wrapping and encryption. With the change to use AES Keywrap and AES CBC, we need to know which mechanism was used to encrypt/wrap the secrets when returned to the client. This means passing back more information to the client with the key data, and also modifying the client to use this information to decode the data correctly. Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
* Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert ↵Christina Fu2017-03-283-242/+683
| | | | requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
* Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch ↵Christina Fu2017-03-281-5/+179
| | | | adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
* Refactored TPS ConnectorCLI.Endi S. Dewata2017-03-286-9/+22
| | | | | The TPS ConnectorCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS TokenCLI.Endi S. Dewata2017-03-286-9/+23
| | | | | The TPS TokenCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ProfileCLI.Endi S. Dewata2017-03-286-9/+22
| | | | | The TPS ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ConfigCLI.Endi S. Dewata2017-03-283-5/+12
| | | | | The TPS ConfigCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPSCertCLI.Endi S. Dewata2017-03-283-5/+12
| | | | | The TPSCertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthenticatorCLI.Endi S. Dewata2017-03-286-9/+22
| | | | | The AuthenticatorCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuditCLI.Endi S. Dewata2017-03-283-6/+13
| | | | | The AuditCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored ActivityCLI.Endi S. Dewata2017-03-283-5/+12
| | | | | The ActivityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPSConnectorCLI for TKS.Endi S. Dewata2017-03-276-8/+21
| | | | | The TPSConnectorCLI for TKS and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored SelfTestCLI.Endi S. Dewata2017-03-274-7/+16
| | | | | The SelfTestCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileMappingCLI.Endi S. Dewata2017-03-276-9/+22
| | | | | The CA ProfileMappingCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileCLI.Endi S. Dewata2017-03-279-18/+41
| | | | | The CA ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored KRAConnectorCLI for CA.Endi S. Dewata2017-03-274-9/+19
| | | | | The KRAConnectorCLI for CA and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored FeatureCLI.Endi S. Dewata2017-03-273-5/+14
| | | | | The FeatureCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthorityCLI.Endi S. Dewata2017-03-277-9/+26
| | | | | The AuthorityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Change CRMFPopClient to use AES-KeyWrap with paddingAde Lee2017-03-241-16/+40
| | | | | | | | | | | | | | | | | | Also made a couple of small changes to WrappingParams. * Set the wrapIV to null when AES KeyWrap is used. Trying to unpack the PKIArchiveOptions package with this IV set to null fails. * removed superfluous this modifiers. Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf. If this parameter is set to 0, we will use the old DES3 algorithms. This can be set by clients talking to old servers. CRMFPopClient has the ability to automatically submit requests to a CA. In this case, we shouldcontact the server and determine the version using InfoClient, and choose the algorithm accordingly. We will implement this in a separate patch. Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
* Merge github.com:dogtagpki/pkiAde Lee2017-03-2466-229/+306
|\
| * Refactored UserCLI.Endi S. Dewata2017-03-2415-38/+57
| | | | | | | | | | The UserCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SecurityDomainCLI.Endi S. Dewata2017-03-242-4/+9
| | | | | | | | | | The SecurityDomainCLI and its submodule have been modified to use lazy initialization to get the PKIClient object.
| * Refactored KRA KeyCLI.Endi S. Dewata2017-03-2411-31/+56
| | | | | | | | | | The KRA KeyCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored GroupCLI.Endi S. Dewata2017-03-2411-28/+43
| | | | | | | | | | The CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CA CertCLI.Endi S. Dewata2017-03-2412-39/+61
| | | | | | | | | | The CA CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SubsystemCLI.Endi S. Dewata2017-03-246-70/+52
| | | | | | | | | | | | The SubsystemCLI and its subclasses have been modified to use lazy initialization to get the PKIClient object. They also have been simplified by moving common methods to the base class.
| * Refactored ProxyCLI.Endi S. Dewata2017-03-241-2/+2
| | | | | | | | | | The ProxyCLI has been modified to use lazy initialization to get the PKIClient object.
| * Refactored ClientCLI.Endi S. Dewata2017-03-246-14/+12
| | | | | | | | | | The ClientCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CLI.getClient().Endi S. Dewata2017-03-242-3/+4
| | | | | | | | | | The CLI.getClient() has been modified to return the parent CLI's PKIClient object if available.
| * Added CLI.getConfig().Endi S. Dewata2017-03-242-0/+10
| | | | | | | | | | A new CLI.getConfig() has been added to return the parent CLI's configuration if available.
* | Refactor code that creates PKIArchiveOptions objectsAde Lee2017-03-233-75/+56
|/ | | | | | | | | | | | | | * Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
* Allowing client cert auth without NSS database password.Endi S. Dewata2017-03-211-11/+0
| | | | | The PKI CLI has been modified to support client cert authentication without NSS database password.
* Allowing pki client-init without NSS database password.Endi S. Dewata2017-03-211-10/+20
| | | | | The pki client-init has been modified to support creating NSS database without password.
* Fixed default value for SSL datagram.Endi S. Dewata2017-03-201-1/+1
| | | | | The minimum SSL version for datagram should have been TLS 1.1 to match the default in pki.conf.
* Added hard-coded default values for SSL parameters in PKI CLI.Endi S. Dewata2017-03-201-5/+5
| | | | | The PKI CLI has been modified to use hard-coded default values in case the pki.conf is not available (e.g. in Eclipse).
* Added pki.conf parameter for default SSL ciphers.Endi S. Dewata2017-03-191-1/+6
| | | | | A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
* Added pki.conf parameter for SSL ciphers.Endi S. Dewata2017-03-191-0/+3
| | | | | A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
* Renamed CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-192-2/+2
| | | | | The setClientCiphers() in CryptoUtil has been renamed to setDefaultSSLCiphers() for clarity.
* Added configuration parameters for SSL version ranges.Endi S. Dewata2017-03-191-2/+18
| | | | | The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
* Fixed PKIClient initialization in PKI CLI.Endi S. Dewata2017-03-193-2/+13
| | | | | | | | The PKI CLI has been modified such that it initializes the PKIClient (and retrieves the access banner) only if the CLI needs to access the PKI server. https://pagure.io/dogtagpki/issue/2612
generated by cgit (git 2.34.1) at 2026-02-17 17:15:13 +0000