path: root/base/server/cms/src
Commit message [author, age, files, lines]
...
* Moved TokenServlet into pki-tks package. [Endi S. Dewata, 2017-05-23, 2 files, -3236/+14]
  The TokenServlet has been moved into pki-tks package in order to use the JssSubsystem in pki-cmscore package. Some constants in SecureChannelProtocol have been made public so they can be accessed by the TokenServlet.
  https://pagure.io/dogtagpki/issue/2695
  Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c
* Encapsulate recovery request approval audit logs [Ade Lee, 2017-05-23, 1 file, -54/+11]
  The audit logs where an agent grants an asynchronous recovery request and the case where recovery request is approved from the REST API are consolidated and encapsulated in a class.
  Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701
* Encapsulate key retrieval audit events [Ade Lee, 2017-05-23, 2 files, -27/+24]
  Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch).
  Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Encapsulate the archival audit log [Ade Lee, 2017-05-23, 2 files, -30/+20]
  This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is already logged. So this is now dropped.
  Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Ticket#2618 feature: pre-signed CMC renewal request [Christina Fu, 2017-05-22, 2 files, -37/+112]
  This patch provides the feature implementation to allow CA to process pre-signed CMC renewal requests. In the world of CMC, renewal requests are full CMC requests that are signed by previously issued signing certificate. The implementation approach is to use the caFullCMCUserSignedCert with the enhanced profile constraint: UniqueKeyConstraint. UniqueKeyConstraint has been updated to disallow renewal of same key shared by a revoked certificate. It also saves the origNotAfter of the newest certificate sharing the same key in the request to be used by the RenewGracePeriodConstraint. To not interfere with the existing "renewal by serial" flow, if an existing origNotAfter is found, it is not overwritten. The profile caFullCMCUserSignedCert.cfg has been updated to have both UniqueKeyConstraint and RenewGracePeriodConstraint. They must be placed in the correct order. By default in the UniqueKeyConstraint the constraint parameter allowSameKeyRenewal=true.
* Added debug logs for UpdateCRL servlet. [Endi S. Dewata, 2017-05-19, 1 file, -3/+43]
  Some debug logs have been added into UpdateCRL servlet to improve code clarity.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I4dc92d574b8ce93f2964663d36ca28851e400839
* Added CertStatusChangeRequestProcessedEvent. [Endi S. Dewata, 2017-05-17, 4 files, -67/+46]
  A new CertStatusChangeRequestProcessedEvent class has been added to encapsulate the CERT_STATUS_CHANGE_REQUEST_PROCESSED events.
  https://pagure.io/dogtagpki/issue/2636
  Change-Id: I41cf0ce94b176a2036b9f1f433212bf3c414fb0b
* Fixed CERT_REQUEST_PROCESSED events in ConnectorServlet. [Endi S. Dewata, 2017-05-17, 1 file, -14/+5]
  The code that generates CERT_REQUEST_PROCESSED events in ConnectorServlet.processRequest() has been moved into a finally-clause that wraps around IRequestQueue.processRequest() to ensure that the events are generated properly. If a cert was issued for the request that has just been processed the event outcome is a Success, otherwise it's a Failure. Any exception thrown by the IRequestQueue.processRequest() will be passed to the ConnectorServlet.processRequest()'s callers.
  https://pagure.io/dogtagpki/issue/2690
  Change-Id: I07454afb75328fbee3e50e5852adb5085be0613e
* Ticket2673- CMC: allow enrollment key signed (self-signed) CMC with identity proof [Christina Fu, 2017-05-17, 7 files, -298/+629]
  This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when there was no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user. The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg The new option introduced to both CRMFPopClient and PKCS10Client is "-y" which will add the required SubjectKeyIdentifier to the underlying request. When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified, however, the cert subject DN is recorded in log as soon as it was available for additional information. Auditing is adjusted. More will come in the next couple CMC patches.
* Reformatted UpdateCRL.process(). [Endi S. Dewata, 2017-05-17, 1 file, -174/+174]
  The UpdateCRL.process() has been reformatted to adjust the indentations after refactoring.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ic67376678d442b9e2a79f9375aef61eab99d1b5c
* Refactored UpdateCRL.process() (part 3). [Endi S. Dewata, 2017-05-17, 1 file, -2/+4]
  The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: Ie3aa5f9154eec78e994cf89cc33616d2c5cbaf47
* Refactored UpdateCRL.process() (part 2). [Endi S. Dewata, 2017-05-17, 1 file, -16/+16]
  The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I5591bf08e617614ca7def5ce5fff61e0925e4fc5
* Refactored UpdateCRL.process() (part 1). [Endi S. Dewata, 2017-05-17, 1 file, -3/+5]
  The UpdateCRL.process() has been refactored to reduce deeply nested if-statements with early return.
  https://pagure.io/dogtagpki/issue/2651
  Change-Id: I507bf72e28c3ba0ab98f24466bac2a40f1e6b198
* Fixed audit event outcome for agent-canceled cert request. [Endi S. Dewata, 2017-05-17, 1 file, -1/+1]
  The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is canceled by an agent.
  https://pagure.io/dogtagpki/issue/2694
  Change-Id: Iad25a135851188cc97106d81800e3b8443a2970a
* Fixed audit event outcome for agent-rejected cert request. [Endi S. Dewata, 2017-05-17, 1 file, -1/+1]
  The outcome of CERT_REQUEST_PROCESSED event has been changed to Failure when the certificate request is rejected by an agent.
  https://pagure.io/dogtagpki/issue/2693
  Change-Id: I530de4fe08ba97a8676d56a6aaf6c11ab7c36e40
* Added ConfigTrustedPublicKeyEvent. [Endi S. Dewata, 2017-05-16, 1 file, -146/+72]
  A new ConfigTrustedPublicKeyEvent class has been added to encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908
* Simplified conditions to log CERT_REQUEST_PROCESSED. [Endi S. Dewata, 2017-05-16, 3 files, -68/+47]
  The conditions to log CERT_REQUEST_PROCESSED have been simplified since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE if the certificate object is not available in the request object.
  https://pagure.io/dogtagpki/issue/2636
  Change-Id: I946481c17729d2c349c949def113fc5563ec90ad
* Added log messages for server shutdown. [Endi S. Dewata, 2017-05-16, 2 files, -0/+4]
  Some log messages have been added to help troubleshoot the cause of server shutdown.
  Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
* Delete unused methods [Fraser Tweedale, 2017-05-05, 1 file, -103/+0]
  Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203
* Fix PKCS #12 import during clone installation [Fraser Tweedale, 2017-05-05, 1 file, -22/+10]
  PKCS #12 export was updated to use AES / PBES2 encryption for the key bags, but an import code path used when spawning a clone was missed, and now fails (because it doesn't grok PBES2). Update it to use CryptoStore.importEncryptedPrivateKeyInfo() instead, fixing the problem.
  Fixes: https://pagure.io/dogtagpki/issue/2677
  Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9
* CAInfoService: retrieve info from KRA [Fraser Tweedale, 2017-05-05, 1 file, -17/+126]
  The CAInfoService returns CA configuration info, including KRA-related values the CA clients may need to know (e.g. for generating a CRMF cert request that will cause keys to be archived in KRA). Currently that information is statically configured and does not respect the actual configuration of the KRA. Update the service to retrieve info from the KRA, which is queried according to the KRA Connector configuration. After the KRA has been successfully contacted, the recorded KRA-related settings are regarded as authoritative. The KRA is contacted ONLY if the current info is NOT authoritative, otherwise the currently recorded values are used. This means that any change to relevant KRA configuration (which should occur seldom if ever) necessitates restart of the CA subsystem. If this is unsuccessful (e.g. if the KRA is down or the connector is misconfigured) we use the default values, which may be incorrect.
  Fixes: https://pagure.io/dogtagpki/issue/2665
  Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
* Bug 1447145 - CMC: cmc.popLinkWitnessRequired=false would cause error [Christina Fu, 2017-05-02, 1 file, -5/+3]
  This patch would fix the issue. It also adds the CMCUserSignedAuth authentication instance that was missed in the CS.cfg
* Ticket #2717 CMC user-signed enrollment request [Christina Fu, 2017-04-28, 9 files, -152/+1832]
  This patch provides implementation that allows user-signed CMC requests to be processed; The resulting certificate will bear the same subjectDN as that of the signing cert; The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull where the new profile is to be used: caFullCMCUserSignedCert.cfg which utilizes the new authentication plugin: CMCUserSignedAuth and new profile default plugin: CMCUserSignedSubjectNameDefault and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
* CA in the certificate profiles the startTime parameter is not working as expected. [Jack Magne, 2017-04-28, 4 files, -14/+14]
  This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
* Added CertRequestProcessedEvent constructor for IRequest. [Endi S. Dewata, 2017-04-25, 2 files, -44/+2]
  A new CertRequestProcessedEvent constructor has been added to encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest object. The auditInfoValue() method in CAProcessor has been moved into CertRequestProcessedEvent.
  https://pagure.io/dogtagpki/issue/2636
  Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
* Added CertRequestProcessedEvent constructor for X509CertImpl. [Endi S. Dewata, 2017-04-25, 7 files, -287/+20]
  A new CertRequestProcessedEvent constructor has been added to encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl object. Copies of auditInfoCertValue() method in various classes have been combined and moved into CertRequestProcessedEvent.
  https://pagure.io/dogtagpki/issue/2636
  Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
* Added ConfigSignedAuditEvent. [Endi S. Dewata, 2017-04-25, 2 files, -244/+146]
  A new SignedAuditConfigRoleEvent class has been added to encapsulate the CONFIG_SIGNED_AUDIT events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
* Updated debug logs in SystemConfigService. [Endi S. Dewata, 2017-04-25, 1 file, -2/+9]
  Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
* Added CertRequestProcessedEvent. [Endi S. Dewata, 2017-04-24, 6 files, -205/+95]
  A new CertRequestProcessedEvent class has been added to encapsulate the CERT_REQUEST_PROCESSED events.
  https://pagure.io/dogtagpki/issue/2636
  Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
* Added ConfigRoleEvent. [Endi S. Dewata, 2017-04-24, 8 files, -447/+225]
  A new ConfigRoleEvent class has been added to encapsulate the CONFIG_ROLE events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
* Added RoleAssumeEvent. [Endi S. Dewata, 2017-04-24, 4 files, -105/+49]
  A new RoleAssumeEvent class has been added to encapsulate the ROLE_ASSUME events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
* Added AuthzFailEvent. [Endi S. Dewata, 2017-04-24, 4 files, -98/+59]
  A new AuthzFailEvent class has been added to encapsulate the AUTHZ_FAIL events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
* Added AuthzSuccessEvent. [Endi S. Dewata, 2017-04-24, 4 files, -42/+30]
  A new AuthzSuccessEvent class has been added to encapsulate the AUTHZ_SUCCESS events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
* Added AuthFailEvent. [Endi S. Dewata, 2017-04-24, 4 files, -95/+61]
  A new AuthFailEvent class has been added to encapsulate the AUTH_FAIL events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
* Added AuthSuccessEvent. [Endi S. Dewata, 2017-04-24, 4 files, -41/+22]
  A new AuthSuccessEvent class has been added to encapsulate the AUTH_SUCCESS events.
  https://pagure.io/dogtagpki/issue/2641
  Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
* Refactored ProfileSubmitCMCServlet.auditInfoCertValue(). [Endi S. Dewata, 2017-04-20, 1 file, -10/+6]
  The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified to accept X509CertImpl like CAProcessor.auditInfoCertValue().
  Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b
* Refactored ConnectorServlet.auditInfoCertValue(). [Endi S. Dewata, 2017-04-20, 1 file, -12/+8]
  The ConnectorServlet.auditInfoCertValue() has been refactored to accept X509CertImpl like CAProcessor.auditInfoCertValue().
  Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33
* Refactored CAProcessor.auditInfoCertValue(). [Endi S. Dewata, 2017-04-20, 2 files, -60/+5]
  The auditInfoCertValue(IRequest) in CAProcessor has been merged into auditInfoCertValue(X509CertImpl) since they are identical.
  Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca
* Added AdminServlet.audit(AuditEvent). [Endi S. Dewata, 2017-04-20, 1 file, -0/+10]
  A new audit() methods have been added to log AuditEvents in AdminServlet.
  Change-Id: I92a259363bdda553621491e46122365c7097946a
* Refactored additional line concatenation. [Endi S. Dewata, 2017-04-20, 4 files, -44/+16]
  The code that concatenates lines has been simplified using String.replace().
  Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74
* Refactored line concatenation. [Endi S. Dewata, 2017-04-20, 4 files, -43/+13]
  The code that concatenates lines has been simplified using String.replace().
  Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea
* Modify cert clients to check server for wrapping params [Ade Lee, 2017-04-19, 1 file, -0/+10]
  CRMFPopClient and the pki cert client both can send a CRMF request to a CA directly. Logic is added to check the CA for the required KRA wrapping params and use those in place of any that have been provided by the environment or command line. Also, additional data for the supported KRA keyset has been added to the CAInfoService. This will need to be managed by the admin. The default is "1" which corresponds to AES.
  Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
* Add authn manager that reuses auth token from session [Fraser Tweedale, 2017-04-19, 1 file, -0/+167]
  To process a cert request immediately (rather than having it queued as pending), the user must be authenticated *by the profile*; auth tokens from the main authentication system are not used. For external authentication support it is possible that the external authentication is sufficient to authenticate use of a problem; especially when the profile uses components like ExternalProcessConstraint to perform validation of the cert request against external sources of information. To support this use case, add the SessionAuthentication profile authenticator, which merely reuses the IAuthToken from the session context, if present.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Add ExternalProcessConstraint for request validation [Fraser Tweedale, 2017-04-19, 1 file, -0/+178]
  Add the ExternalProcessConstraint profile policy constraint class. It can be configured to execute an arbitrary program that performs additional request validation, rejecting the request if it terminates with a nonzero exit status. Information about the request is conveyed in the subprocess' environment.
  Part of: https://pagure.io/dogtagpki/issue/1359
* CertProcessor: set external principal attributes into request [Fraser Tweedale, 2017-04-19, 1 file, -0/+21]
  When processing a certificate request, if the authenticated principal is an ExternalPrincipal, add its whole attribute map to the IRequest. This provides a way for AJP request attributes to be propagated through the profile system to profile components like ExternalProcessConstraint. One such attribute that is needed for GSS-API support is "KRB5CCNAME".
  Part of: https://pagure.io/dogtagpki/issue/1359
* Allow arbitrary user data in cert request [Fraser Tweedale, 2017-04-19, 2 files, -0/+8]
  If a certificate request comes with additional data in the 'cert-request' query param, add that to the request. Profile components can then use this data. This is needed to convey the subject principal name to the ExternalProcessConstraint, when validating FreeIPA certificate requests after we switch to GSS-API authentication.
  Part of: https://pagure.io/dogtagpki/issue/1359
* Fixed missing IP addresses and subject ID in audit log. [Endi S. Dewata, 2017-04-18, 1 file, -38/+66]
  The PKIServerSocketListener has been modified to use WeakHashMap to store socket info that might not be available after the socket has been closed.
  https://pagure.io/dogtagpki/issue/2642
  Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
* Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature implementation [Christina Fu, 2017-04-13, 2 files, -111/+322]
  This patch provides the feature for CMC on handling id-cmc-popLinkWitnessV2
* Add field to indicate if key was encrypted or wrapped [Ade Lee, 2017-04-13, 1 file, -0/+1]
  Whether a secret was encrypted or wrapped in the storage unit depends on a parameter in CS.cfg. If that parameter is changed, the Storage unit may use the wrong mechanism to try to decrypt the stored key. That's ok for encrypt/wrap using DES or AES-CBC, but not for AES KeyWrap. In this patch, we add a field in the Key record to specify whether the secret was encrypted with stored (or keywrapped if false). A subsequent patch will change the logic when decrypting to use this field.
  Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
* Fix symkey retrieval in python client [Ade Lee, 2017-04-13, 1 file, -0/+9]
  Keys (like symmetric keys and asymmetric keys) are returned from the KRA either encrypted or key wrapped. Because the AES keywrapping algorithm cannot be decrypted using AES CBC, we need special logic to unwrap the keys.
  The flow here is as follows:
  1. When a key retrieval request is sent to the server, the client sends the encryption and key wrapping algorithms it requires the key to be wrapped along with the wrapping key.
  2. If no encryption algorithm or key wrap algorithm is received, the server assumes it's talking to an old client and uses DES3.
  3. The key is retrieved and (on server's choice) is wrapped or encrypted. The return package will have either encryption or key wrap algorithm set (depending on how the key was encrypted/wrapped.)
  4. client uses that to determine how to unwrap key.
  This patch:
  1. Makes sure the key wrap algorithm requested by client is passed through and used to wrap the retrieved key.
  2. Adds logic in the python client to unwrap/decrypt.
  3. As python-cryptography does not yet support AES KeyWrap with padding, the python client is configured to request AES-CBC by default.
  Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1