summaryrefslogtreecommitdiffstats
path: root/base/server/cms/src
Commit message (Collapse)AuthorAgeFilesLines
...
* Fixed ClientIP field in SSL session audit log.Endi S. Dewata2017-04-131-8/+3
| | | | | | | | | The PKIServerSocketListener has been fixed to obtain the correct client IP address from SSL socket. https://pagure.io/dogtagpki/issue/2602 Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
* SCP03 support for g&d sc 7 card.Jack Magne2017-04-124-113/+149
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This allows the use of the g&d 7 card. This will require the following: 1. An out of band method is needed to generate an AES based master key. We do not as of yet have support with tkstool for this: Ex: /usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16 2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards: Ex: tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one. tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys. tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key. tks.defKeySet._010=## tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings tks.defKeySet._013=## Smart Cafe 6 settings: tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3 tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3 tks.defKeySet._018=##Smart Cafe 7 settings: tks.defKeySet._019=## tks.defKeySet.prot3.divers=none tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES tks.defKeySet._023=## tks.defKeySet._024=##
* Added methods to log AuditEvent object.Endi S. Dewata2017-04-1311-8/+120
| | | | | | | New audit(AuditEvent) methods have been added alongside the existing audit(String) methods. Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
* Reorganized audit event constants for configuration.Endi S. Dewata2017-04-1223-442/+396
| | | | Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
* Reorganized additional audit event constants for KRA.Endi S. Dewata2017-04-126-42/+25
| | | | Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
* Reorganized audit event constants for CA.Endi S. Dewata2017-04-1213-146/+117
| | | | Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
* Reorganized audit event constants for authentication.Endi S. Dewata2017-04-1210-122/+85
| | | | Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
* Reorganized audit event constants for OCSP.Endi S. Dewata2017-04-124-55/+39
| | | | Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
* Reorganized audit event constants for TKS.Endi S. Dewata2017-04-121-54/+19
| | | | Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
* Reorganized audit event constants for KRA.Endi S. Dewata2017-04-123-14/+10
| | | | Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
* Added audit event constants for TPS.Endi S. Dewata2017-04-121-1/+2
| | | | Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
* Added audit event constants for SSL session.Endi S. Dewata2017-04-122-7/+6
| | | | Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
* Add CAInfo resourceAde Lee2017-04-111-0/+64
| | | | | | | | | | This resource (which will be accessed at /ca/rest/info) will initially return the mechanism for archival. This is needed by clients to know how to package secrets when archiving. We may add the transport cert later. Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
* Add KRAInfo resourceAde Lee2017-04-111-0/+67
| | | | | | | | | | This resource (which will be accessed at /kra/rest/info) will initially return the mechanism for archival or retrieval. This is needed by clients to know how to package secrets when archiving. Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
* Fixed PKIServerSocketListener.Endi S. Dewata2017-04-051-1/+38
| | | | | | | | | | | | The PKIServerSocketListener.alertReceived() has been fixed to generate audit log when the SSL socket is closed by the client. The log message has been modified to include the reason for the termination. https://pagure.io/dogtagpki/issue/2602 Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
* Added CLIs to access audit log files.Endi S. Dewata2017-04-042-0/+108
| | | | | | | New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added PKIRESTProvider.Endi S. Dewata2017-04-041-7/+0
| | | | | | | A new PKIRESTProvider has been added to send and receive StreamingOutput object through REST API. Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
* Removed redundant Context attributes.Endi S. Dewata2017-03-316-102/+0
| | | | | | | All subclasses of PKIService have been modified to remove the Context attribute since they have been declared in the base class. Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
* Removed duplicate PROP_EXPIRATION_TIME constant.Endi S. Dewata2017-03-302-7/+6
| | | | Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3
* Removed duplicate PROP_MAX_FILE_SIZE constant.Endi S. Dewata2017-03-301-5/+4
| | | | Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6
* Removed duplicate PROP_ROLLOVER_INTERVAL constant.Endi S. Dewata2017-03-302-10/+10
| | | | Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
* Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more ↵Christina Fu2017-03-282-43/+222
| | | | error checking and debugging
* Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert ↵Christina Fu2017-03-283-83/+547
| | | | requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
* Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch ↵Christina Fu2017-03-282-33/+206
| | | | adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
* Added audit logs for SSL/TLS events.Endi S. Dewata2017-03-283-1/+143
| | | | | | | | | | | | | | | The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Modify storage unit to generate a new IVAde Lee2017-03-241-0/+2
| | | | | | | | | | | | | | | | | Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES. The getWrappingParams() method is modified to check the config as follows (in order): -- if the iv is defined, use that iv -- if the length is defined, generate a byte array of that length -- return null To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit. Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Refactor code that creates PKIArchiveOptions objectsAde Lee2017-03-231-2/+1
| | | | | | | | | | | | | | * Refactor code in CryptoUtil to parametrize the algorithms used. * Moved WrappingParams to utils jar to allow correct compilation. * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch. * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil. * Removed DRMTest this code is no longer maintained or used. Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
* Fix Java client to use AESAde Lee2017-03-211-0/+9
| | | | | | | | | | | | | | | | | | | | | | * Changed the client to use AES-128-CBC-PAD rather than DES-3. Because AES-256-CBC-PAD has no OID defined, we use the following hack: * Pass in the AES-256-CBC OID as the encrypt algorithm OID * Use PKCS#1.5 Padding. * Changed the client to use AES for the wrapping key on retrieval. * Changed the server to implicitly assume PKCS#1.5 (and a key size of 128) when recieving the OID for AES. * Changed the client to send, and the server to pass through the encryption algorithm expected when retrieving the key. * Fixed the generate_iv() function to generate an appropriately sized IV on retrieval. This code has been tested to successfully create and retrieve secrets using AES. Ideally, we'd be using GCM rather than CBC, which then requires no padding - and no hack needed. Hopefully, we can get that working in a subsequent commit. Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
* Update ACLInterceptor to support external principalsFraser Tweedale2017-03-161-12/+29
| | | | | | | | | | | For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm"). Part of: https://pagure.io/dogtagpki/issue/1359
* Update SessionContextInterceptor to handle external principalsFraser Tweedale2017-03-161-9/+10
| | | | Part of: https://pagure.io/dogtagpki/issue/1359
* Update AuthMethodInterceptor to handle external principalsFraser Tweedale2017-03-161-11/+16
| | | | | | | Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted. Part of: https://pagure.io/dogtagpki/issue/1359
* CertProcessor: extract method setAuthTokenIntoRequestFraser Tweedale2017-03-161-34/+34
| | | | | | | | | | | | The "set auth token into request" logic is extensive and warrants extraction. It also has a separate concern mixed in with it: the self-assignment of the request if the authenticated user is a "Registration Manager Agent". Separate these concerns and extract the setAuthTokenIntoRequest method. Part of: https://pagure.io/dogtagpki/issue/1359
* Define AgentCertAuthentication token keys in IAuthTokenFraser Tweedale2017-03-161-12/+5
| | | | | | | | | Small refactor to define the auth token keys set by AgentCertAuthentication in IAuthToken, so that consumers do not need to import AgentCertAuthentication directly, or redefine the constants. Part of: https://pagure.io/dogtagpki/issue/1359
* Added exception chaining for EInvalidCredentials.Endi S. Dewata2017-03-152-8/+8
| | | | | A new constructor has been added into EInvalidCredentials to support exception chaining.
* First cut of scp03 support. Supports the g&d smartcafe out of the box.Jack Magne2017-03-148-94/+2131
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Developer keyset token operations and key change over supported. Caveats. -The diversification step going from master key to card key uses DES3 as required for the token. -After that point, everything is scp03 to the spec with minor excpetions so far. Supports 128 bit AES for now. Will resolve this. Minor config tweaks: TPS Symmetric Key Changeover Use this applet for scp03: RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc TKS: Symmetric Key Changeover tks.mk_mappings.#02#03=internal:new_master tks.defKeySet.mk_mappings.#02#03=internal:new_master Use the uncommented one because scp03 returns a different key set data string. ToDo: -Support the rest of the AES sizes other than 128. -Support optional RMAC apdu. -Test and adjust the config capability for other tokens. -Support AES master key. Right now the standard key ends up creating AES card and session keys.
* Continue to move more crypto into CryptoUtilAde Lee2017-03-141-15/+4
| | | | Change-Id: I6024ca5a32769b460d578dfad46598432381784c
* Change transport unit to create wrapping parameters based on incoming dataAde Lee2017-03-141-0/+1
| | | | | | | | The PKIArchiveOptions object contains an OID for the encryption algorithm. Use this to create the correct WrappingParam for the tranport unit instead of defaulting to DES3. Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
* Change internal wrapping to AESAde Lee2017-03-141-0/+12
| | | | | | | | | | | | | | | | | There are several changes in this patch: 1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the TransportUnit into those classes. This helps to determine which methods are called by which class (because in general they require different arguments). It may be possible to later simplify and reduce code repetition by pulling core functionality back into the EncryptionUnit. 2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values as part of the KeyRecord when the key is stored. On retrieval, this data is read and used to extract the data. If the data is not present, then use the old DES3 parameters. 3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then the old wrapping will be used instead. Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
* Added InfoService and LoginService.Endi S. Dewata2017-02-245-2/+129
| | | | | | | | | | | New REST services classes have been added to PKIApplication. The InfoService provides general information about the server including version number and access banner. The LoginService provides a way to notify the server that the banner has been displayed on the client, which in that case the InfoService will no longer return the banner again in the same session. https://fedorahosted.org/pki/ticket/2582
* Added PKIApplication.Endi S. Dewata2017-02-231-0/+50
| | | | | | | A new PKIApplication class has been added into /pki web application to define common PKI REST services such as access banner. https://fedorahosted.org/pki/ticket/2582
* Added log message in CMCAuth.Endi S. Dewata2017-02-171-0/+2
| | | | | To help troubleshooting the CMCAuth has been modified to log a message when the CMC is missing.
* Refactored PKIService class.Endi S. Dewata2017-02-155-92/+111
| | | | | | | | | The subsystem-based methods and fields in PKIService class have been moved into a new SubsystemService class to allow creating more generic non-subsystem-based services. The classes that use these methods and fields have been updated accordingly.
* Allow DirAclAuthz to be configured to read alternative entryFraser Tweedale2017-02-101-3/+23
| | | | | | | | | | Add the `searchBase' parameter for DirAclAuthz instances. If specified, it prepends the searchBase to the baseDN. This allows reusing an existing LDAP connection config (e.g. "internaldb") whilst changing where the instances loads the ACLs from. Part of: https://fedorahosted.org/pki/ticket/1359 Fixes: https://fedorahosted.org/pki/ticket/2525
* Add profile component that copies CN to SAN dNSNameFraser Tweedale2017-02-091-0/+215
| | | | | | | | | | | | | Add the 'CommonNameToSANDefault' profile default class. When used on a profile, this will examine the (most-specific) Common Name in the Subject DN, and if it looks like a DNS name, will add it to the Subject Alternative Name extension, creating the extension if it does not already exist. Also add upgrade scriptlet to add the component to registry.cfg in existing installations. Fixes: https://fedorahosted.org/pki/ticket/1710
* Troubleshooting improvements for CAEnrollProfile.Endi S. Dewata2017-02-021-13/+18
| | | | | To help troubleshooting the CAEnrollProfile class has been modified to chain the original exceptions.
* Replaced CryptoManager.getTokenByName().Endi S. Dewata2017-01-2710-62/+22
| | | | | | | | | Direct invocations of CryptoManager.getTokenByName() have been replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken() to ensure that internal token names are handled consistently both in normal mode and FIPS mode. https://fedorahosted.org/pki/ticket/2556
* Fixed problem searching the latest certificate request.Endi S. Dewata2017-01-271-0/+6
| | | | | | | | | | | Previously if a certificate request page only has one entry the entry itself will be removed from the page, resulting in a blank page. The QueryReq.trim() has been modified not to remove the marker entry if it's the only entry in the page. https://fedorahosted.org/pki/ticket/2450
* Fixed inconsistent internal token detection.Endi S. Dewata2017-01-2613-57/+50
| | | | | | | | The codes that detect internal token name have been modified to use CryptoUtil.isInternalToken() such that the comparison can be done consistently both in normal mode and FIPS mode. https://fedorahosted.org/pki/ticket/2556
* Updated CryptoUtil.Endi S. Dewata2017-01-261-1/+1
| | | | | | | | | | | | | | | | | | | The CryptoUtil has been modified to provide two separate methods to obtain a token given the token name: - getCryptoToken() returns crypto token - getKeyStorageToken() returns key storage token The getKeyStorageToken() was renamed from the existing getTokenByName(). All codes using the old method have been updated accordingly. If the provided token name matches internal token name the methods will return the corresponding internal crypto/key storage token. The isInternalToken() was modified to check for empty string in addition to the short and full name of the internal token. https://fedorahosted.org/pki/ticket/2556
* Replaced internal token short name literals.Endi S. Dewata2017-01-2411-51/+56
| | | | | | | The internal token short name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_NAME. https://fedorahosted.org/pki/ticket/2556
generated by cgit (git 2.34.1) at 2026-02-06 09:44:15 +0000