| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
The CertUtil.updateLocalRequest() has been modified to return
silently if the certificate does not have a corresponding request
record.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I0d225a6db84d2d719091dbd84ee76b73bfb4408c
|
|
|
|
|
|
|
|
|
| |
The code in SystemConfigService.processCert() that handles external
cert has been reorganized for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ia1800cc6560dce1757959bea9e352a2e6d30307e
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code in SystemConfigService.processCert() that loads or
generates key pair has been moved into processKeyPair().
The code that sets key pair properties in createECCKeyPair() and
createRSAKeyPair() has been replaced with storeKeyPair().
The processCert() has been modified to return a Cert object.
Some debug messages have been added for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ica16c7ce4f33fb23df2813a8b65d66fc2d4ea198
|
|
|
|
|
|
|
|
|
|
| |
The exception handler in SystemConfigService.processCerts() has
been removed since it's redundant and generates misleading error
message.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I3aa4f0414519a7cd2c53481663f4880c5c1dafd0
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils.updateCloneConfig() invocation has been
modified such that it will only be executed once.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I1d42acb8cf7c7ffedcd109fcd5252a03fb9622e7
|
|
|
|
|
|
|
|
|
|
| |
The code that updates serverCertNick.conf has been moved into
ConfigurationUtils.updateServerCertNickConf() and will only be
executed once.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Iaae4429724ece683939aea8defe6fceeca237c4b
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch supports CMC-based system certificate requests.
This patch contains the following:
* The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert
* The cmc-based system enrollment profiles:
caCMCauditSigningCert.cfg
caCMCcaCert.cfg
caCMCkraStorageCert.cfg
caCMCkraTransportCert.cfg
caCMCocspCert.cfg
caCMCserverCert.cfg
caCMCsubsystemCert.cfg
* new URI's in web.xml as new access points
Usage example can be found here:
http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29
|
|
|
|
|
|
|
| |
The CertUtil.updateLocalRequest() has been modified to no longer
ignore exceptions.
Change-Id: I57907a54f51f65369a062dfc396741d87874660c
|
|
|
|
|
|
|
|
|
|
|
| |
The code that sets the certificate request extra data has been
moved into CertUtil.createLocalRequest().
The incorrect profile ID in subsystemCert.profile has been fixed.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ic76ac3dfcbf0c4ab95abea0680697d87f00f292b
|
|
|
|
|
|
|
|
|
| |
The code for creating and importing local cert into NSS database
has been moved into ConfigurationUtils.handleLocalCert().
https://pagure.io/dogtagpki/issue/2280
Change-Id: Idac7bc3e08e95f94fe50c417898ef12b2288d17c
|
|
|
|
|
|
|
|
|
| |
The code for importing external cert into NSS database has been
moved into CertUtil.importExternalCert().
https://pagure.io/dogtagpki/issue/2280
Change-Id: Icb347943fc432ad97105229c14768822b070d99f
|
|
|
|
|
|
|
|
|
| |
The code for importing certificate into NSS database has been
moved into CertUtil.importCert().
https://pagure.io/dogtagpki/issue/2280
Change-Id: I6a7a01b9170a5c0e9973ab1d5a7484349765dc5e
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following methods have been moved into CertUtil for clarity:
* ConfigurationUtils.findCertificate()
* ConfigurationUtils.findBootstrapServerCert()
* ConfigurationUtils.deleteCert()
* ConfigurationUtils.deleteBootstrapServerCert()
https://pagure.io/dogtagpki/issue/2280
Change-Id: I860cacd3dd34144ce92c674e9ff08cb46ee2194b
|
|
|
|
|
|
|
|
|
| |
Unused methods and variables related to CertUtil.createLocalCert()
have been removed for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: If71e909f05b7e51288c444d67cbbba7fce2cfd81
|
|
|
|
|
|
|
|
|
| |
The code in CertUtil.createLocalCert() has been reformatted
for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I9fd18fac7313a0c41cf6e061ae7608722cf76894
|
|
|
|
|
|
|
|
|
|
| |
The error handling in CertUtil.createLocalCert() has been modified
such that errors are no longer ignored. The changes also guarantee
that some variable cannot be null, so the code can be simplified.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I9f1961d538cdbba99c8e3474ba3c601eb8416baf
|
|
|
|
|
|
| |
Ticket #2764.
This relatively simple fix involves making sure the correct crypto token is being used to search for the master key int the case of symmetric key changover where the master key resides on an HSM.
|
|
|
|
|
|
|
|
|
| |
Some code in ConfigurationUtils.configCert() has been moved into
a new configRemoteCert() for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Ie0b04f8c2445ee088782ed10391a250f45a6bebf
|
|
|
|
|
|
|
|
|
| |
Some code in ConfigurationUtils.configCert() has been moved into
a new configLocalCert() for clarity.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I3473aa5f1a1d64b3714257d3fc285660ac1d955a
|
|
|
|
|
|
|
|
|
| |
To help troubleshooting the error message on invalid log type has
been modified to include the invalid value.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Ie245bd9e3a3925979af4708fa911697a9746e54b
|
|
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
|
|
|
|
|
|
|
|
| |
The Logger class has been modified to provide a way to specify
the default log level.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Iaab5d95b7dfa1bfa814c7270259e01e019a33678
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch contains the following update:
* Structurely, CMCStatusInfo to CMCStatusInfoV2 update; no extendedFailInfo has been added at this point
* In case of EncryptedPOP, instead of returning with CMCStatus pending where
PendInfo contains the requestID, it now returns CMCStatus failed whith
responseInfo control contains the requestID. On the client side, CMCRequest
now processes the responseInfo and returns the DecryptedPOP with requestID in
the regInfo control. CMCResponse has been updated to handle the new controls
as well.
* A number of fail info codes are now being supported by the server to add
clarity to CMC failed status, including:
badMessageCheck, badRequest, unsuportedExt, badIdentity, popRequired, and popFailed.
|
|
|
|
|
|
|
|
|
| |
Some Logger classes have been moved into com.netscape.cms.logging
due to dependency requirements in subsequent changes.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I1e8ec247764d344647a519618a7523c51799f3de
|
|
|
|
|
|
|
|
|
| |
To help troubleshoot build issues the CMake script for pki-cms.jar
has been modified to run after building the client tools.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Icf1aea2a14d9502a6ab791331fcfe49d7ecdab21
|
|
|
|
|
|
|
|
|
| |
A LogSource enumeration has been added to replace the integer
log source in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I6f69219fbbfa00d83f26a32174c75ff2782eb6af
|
|
|
|
|
|
|
|
|
| |
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
|
| |
|
|
|
|
|
|
|
|
|
| |
Some OCSP-related classes have been modified to detect errors and
handle exceptions properly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9
|
|
|
|
|
|
|
|
|
| |
Some log messages have been added into OCSP-related classes for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: I7eda806a3103ac235a5d3e073db8c60a9b3d482d
|
|
|
|
|
| |
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
Some auditing adjustments are also done.
|
|
|
|
|
|
|
|
|
|
| |
The LogFile has been modified to set up log signing during its
initialization to ensure the signing works properly during log
rotation.
https://pagure.io/dogtagpki/issue/2561
Change-Id: I69d54a359ebe74557ca9b12ea7582f712fb31949
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code that reads the access banner from file has been modified
to explicitly use UTF-8 encoding.
The Info class and the PKI UI have been modified not to encode the
access banner in Base64 since it is not necessary.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
|
|
|
|
|
|
|
|
|
|
| |
The PKIService has been modified to trim whitespaces in access
banner before returning the value to the client. The clients
have been modified to no longer trim the banner.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First of all, the original CMC revocation only supports agent-signed CMC revocation requests from the UI where CMCRevReqServlet handles it with CMCAuth. It is in violation with https://tools.ietf.org/html/rfc5273 CMC Transport Protocols, as for HTTP/HTTPS, the body of the message is the binary value of the BER encoding of the PKI Request or Response,so HTML is not an approved method.The other way is through profileSubmitCMCFullServlet (or maybe not, as it was completely broken).
One thing that's much less crucial, but goes along with rfc update is the name of the revocation request ASN1 structure. In the new rfc5272, it is now called RevokeRequest insead of RevRequest.
This patch revamped the CMC revocation provision and fixing what's broken and adding what's missing.
On the client side:
CMCRequest
- Commented out the code where it made an assumption to use OtherMsg for the signer information. This makes no sense as the outer layer SignedData would have the same information when signing happens.
- removed the revRequest.nickname parameter from the configuration. From the code it seems like it expects the certificate to be revoked to exist in the user database, and it uses the same certificate to sign the revocation request. The RFC does allow for self-signed revocation, but it also allows for signing with another certificate provided that it has same subject. By removing the revRequest.nickname parameter, I am using the "nickname" parameter as the signer cert, which may or may not be the same certificate specified in revRequest.serial. It is less confusing. The change also eliminate the need for the cert to be revoked to be present in the db. In addition, revRequest.issuer only needs to be specified if revRequest.sharedSecret is used. The code will extract the issuer info from the signing cert.
- added support for unsigned data in support of shared secret in both CMCRequest and server; The original code assumed that a cmc revocation request that relies on shared secret still requires agent signing.
CMCRevoke
- The original code assumed that the nss db password is the same as Shared Secret (!!). This patch added a "-t" to accept shred secret, and keep the -p for the nss db password.
- The original code printed out b64 encoded request to the screen output as well as the file CMCRevoke.out. Both are unusable directly. This patch fixes it so that the output to the screen can be directly copied and pasted into the CMC revocate ui at ee (processed by CMCRevReqServlet); Again, this is not RFC conforming, but I fixed it anyways;
- The output to the file CMCRevoke.out has been fixed so that it is the BER encoding of the request, which can be fed directly into the updated server that now conforms to the RFC (see below)
- This code still requires the signer certificate nickname to run, making the shared secret method moot. Since CMCRequest has been updated to work properly, we can leave this for now.
On the server side.
CMCUserSignedAuth has been updated to handle unsigned DATA; Recall that the original CMC revocation only handled SIGNED_DATA (making assumption that agent always signs the requests). This addition is important to support shared secrets properly.
Another thing that's important change on the server side is that it now checks the revoking cert's subject against the signer's subject, if authenticated by CMCUserSignedAuth. The original code did not do that, I think it is because it always checks if it's an agent or not.
Something that could be improved on is to have its own servlet. However, due to the time restriction, I only updated existing EnrollProfile, ProfileSubmitCMCServlet, and CMCOutputTemplate to handle the rfc conforming cmc revocation requests.
The shared secret handling is left in the CMCOutputTemplate for now. Logically it would make sense to go into CMCUserSignedAuth. This could be left as a possible later ticket for improvement. Shared Token plugin implementation will be added in later ticket as well.
Previously missed signing cert validation is also added for more complete check.
Some SHA1 are turned into SHA2
Finally, some auditing are added, but it is not finalized. It will be done in the next ticket(s).
|
|
|
|
|
|
| |
Bugzilla #BZ 1458055
Change-Id: I229d7f18c46f0b55ec83f051614de1b59e125b82
|
|
|
|
|
|
|
| |
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is simpler to simply tell the client which
algorithm to use for key wrapping and encryption, rather
than use key sets. Therefore:
* KRAInfo and CAInfo are refactored to provide the
algorithms required for key wrapping and encryption.
* Client is modified to use these parameters to determine
which algorithms to use.
* We specify the OIDs that will be used in the PKIARchiveOptions
more correctly. The options are basically:
AES-128-CBC, DES3-CBC, AES KeyWrap/Pad
Change-Id: Ic3fca902bbc45f7f72bcd4676c994f8a89c3a409
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When the Authority Key Identifier extension cannot be instantiated,
we currently fail with a generic "extension not found" error
message. Throw a better exception for this case in particular, and
improve the exception message for the general case of attempting to
add a null exception.
Fixes: https://pagure.io/dogtagpki/issue/2705
Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd
|
|
|
|
|
|
|
|
|
| |
The pki CLI has been modified to use CT,C,C as the default trust
flags for CA certificate import operations.
https://pagure.io/dogtagpki/issue/2726
Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Switched out CrytoUtil calls that use DES and replaced them
with AES equivalents. Removed these now unneeded methods.
* Added 16 byte constant IV for AES operations. This must be
replaced by a randomly generated IV. Added TODOs where IVs
should be replaced.
* Corrected misspellings of "enreypted" in both request fields
and variable names
* Removed some code from null checks where the result could
never be null. These cases were flagged in eclipse as dead
code.
Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
|
|
|
|
|
|
|
|
|
| |
A new SCHEDULE_CRL_GENERATION audit event has been added which
will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
|
|
|
|
| |
Fixes: https://pagure.io/dogtagpki/issue/2711
|
|
|
|
|
|
|
|
|
| |
Some log messages in OCSP-related code have been updated for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
|
|
|
|
|
|
|
|
|
| |
Some nested if-statements in DefStore.processRequest() has been
merged for clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d
|
|
|
|
|
|
|
|
|
|
| |
An if-statement in DefStore.processRequest() has been modified
to return early for clarity. The code indentation has been adjusted
accordingly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3
|
|
|
|
|
|
|
|
|
|
| |
An if-statement in DefStore.processRequest() has been modified
to return early for clarity. The code indentation has been adjusted
accordingly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There was some confusion in the previous commit for archival
logging. The archivalID is the id provided by the CA for the archival
and is its requestID. This allows the cert request operation
to be tracked through the archival.
Made sure therefore, that we have two fields - one for the archivalID
and one for the requestId (which is the KRA archival request ID)
In addition, some of the archival events occur in the CA component
just before the request id sent to the KRA. These events will not
be displayed unless the audit event is added to the CA CS.cfg.
Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08
|