| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
On the security data recovery service, the client can now specify the
encryption and wrapping algorithms to be used when wrapping the key,
rather than assuming DES. The server will use the specified wrapping
algorithm (and key).
If the algorithms are not specified, then the old mechanism is assumed.
Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
|
| | |
| |
| |
| |
| |
| |
| |
| | |
The PKIArchiveOptions object contains an OID for the encryption algorithm.
Use this to create the correct WrappingParam for the tranport unit instead
of defaulting to DES3.
Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
|
| | |
| |
| |
| |
| |
| | |
This allows generating and storing symmetirc keys using AES.
Change-Id: I62c03aeffd127afac626759b0d826c284e01af12
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
|
| | |
| |
| |
| |
| | |
Refactor key recovery to put al crypto specific operations
in a few fucntions, which are parameterized for algorithm types.
|
| | |
| |
| |
| |
| | |
Exceptions should be bubbled up and not swallowed at the EncryptionUnit
level. This will help in diagnosing issues.
|
| | |
| |
| |
| |
| |
| | |
The current exception handling really does nothing other than clutter
up the file. Really, we should be passing up the exceptions, rather
than catching them at this level. Subsequent patches will fix this.
|
| | |
| |
| |
| | |
The crypto functions to unwrap the session key have been parameterized.
|
| | |
| |
| |
| | |
Most of the methods to unwrap the payload are parameterized.
|
| | |
| |
| |
| |
| | |
Theis patch parametrizes some of the encryption functions, for key
wrapping and storage.
|
| | |
| |
| |
| |
| |
| |
| | |
EncryptionUnit is a bit of a mess right now. Refactored so that
crypto specific code is in a few functions. These can now be
parameterized to allow selection of parameters for wrapping method,
algorithm etc.
|
| | | |
|
| | |
| |
| |
| |
| | |
Refactor key recovery to put al crypto specific operations
in a few fucntions, which are parameterized for algorithm types.
|
| | |
| |
| |
| |
| | |
Exceptions should be bubbled up and not swallowed at the EncryptionUnit
level. This will help in diagnosing issues.
|
| | |
| |
| |
| |
| |
| | |
The current exception handling really does nothing other than clutter
up the file. Really, we should be passing up the exceptions, rather
than catching them at this level. Subsequent patches will fix this.
|
| | |
| |
| |
| | |
The crypto functions to unwrap the session key have been parameterized.
|
| | |
| |
| |
| | |
Most of the methods to unwrap the payload are parameterized.
|
| | |
| |
| |
| |
| | |
Theis patch parametrizes some of the encryption functions, for key
wrapping and storage.
|
| | |
| |
| |
| |
| |
| |
| | |
EncryptionUnit is a bit of a mess right now. Refactored so that
crypto specific code is in a few functions. These can now be
parameterized to allow selection of parameters for wrapping method,
algorithm etc.
|
| |/ |
|
| |
|
|
|
|
|
| |
All pages in KRA UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
| |
The CMake create_symlink commands do not work on RHEL if the
source does not exist yet, so they have been replaced with regular
ln commands.
|
| |
|
|
|
|
|
| |
The index.html files in KRA UI have been renamed to index.jsp such
that they can be protected by access banner.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
| |
|
|
|
|
| |
To improve consistency across platforms the code in RPM spec that
creates the links to subsystem library files has been converted
into CMake scripts.
|
| |
|
|
|
|
|
|
|
| |
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
|
| |
The codes that detect internal token name have been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The internal token short name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The KeyRecoveryAuthority.PR_INTERNAL_TOKEN_NAME has been replaced
with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to remove redundant
invocations of find_file() to find Tomcat libraries.
https://fedorahosted.org/pki/ticket/2560
|
| |
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1359
|
| |
|
|
|
|
|
| |
Commit f9ddb2e875355e882b14529979f6c9ae03cf720e has been reverted
due to build issue on RHEL/CentOS.
https://fedorahosted.org/pki/ticket/2535
|
| |
|
|
|
|
|
| |
When request was approved and retrieved through the rest
interface, the corresponding volatile requests object was not
created due to the new flow. This makes sure the volatile request
is created.
|
| |
|
|
|
|
|
| |
The logging.properties files in CA and KRA folders are never
deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897
|
| |
|
|
|
|
|
| |
To discourage the use of policy framework, the framework classes
have been moved into org.dogtagpki.legacy.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
|
|
|
|
| |
The list of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
|
| |
|
|
|
|
|
|
|
| |
To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy
framework may be removed since it has already been replaced with
the profile framework.
https://fedorahosted.org/pki/ticket/6
|
| | |
|
| |
|
|
|
|
|
| |
A bug in the approval code for asynchronous requests
results in the number of agents needed being calculated incorrectly
for SECURITY DATA (REST based) requests. This one liner
fixes this problem.
|
| |
|
|
|
| |
If a retrieval is non-sychronous, we create a non-ephemeral recovery
request and return this Request ID to the client.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When clients call retrieveKey(), three possible alternatives
now obtain:
1. client passes in an approved request. Request is processed
and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
a) request can be processed immediately and synchronously
and request is created, and secret is returned.
b) request cannot be processed immediately. Recovery request
is created and request_id returned to the client
Depending on server configuration, the requests in case (2a)
will be stored in ldap or will be ephemeral (in memory only).
More complicated realm based logic to determine if requests
can be processed synchronously or ephemerally will be added in
a later patch.
|
| |
|
|
|
|
|
| |
Put logic in a Processor, so that it can be reused for synchronous
requests. The only differerence between synchronous and asynchronous
requests will be that forsynchronous requests, the request will be
triggered from and updated on the request queue.
|
| |
|
|
|
|
| |
The deprecated ProxyParser has been replaced with DefaultParser.
https://fedorahosted.org/pki/ticket/2535
|
| |
|
|
|
|
|
|
|
| |
Based on investigation and solution provided by cfu and jmagne,
the SecurityDataRecoveryService.serviceRequest() has been modified
to use EncryptionUnit.unwrap_temp() for key recovery via CLI in
FIPS mode.
https://fedorahosted.org/pki/ticket/2500
|
| |
|
|
|
|
|
| |
The code in SecurityDataRecoveryService.serviceRequest() has been
reformatted for clarity.
https://fedorahosted.org/pki/ticket/2500
|
| |
|
|
|
|
|
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR files to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
|
| |
|
|
|
|
|
|
| |
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
|
| | |
|
| |
|
|
|
|
|
|
| |
Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method.
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/2363
|
