| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
| |
|
|
|
|
|
| |
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.
Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
|
| |
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
| |
|
|
| |
Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
|
| |
|
|
| |
Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
|
| |
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
| |
|
|
| |
Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
|
| |
|
|
| |
Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
|
| |
|
|
| |
Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
|
| |
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
| |
|
|
| |
Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /kra/rest/info)
will initially return the mechanism for archival or retrieval.
This is needed by clients to know how to package secrets when
archiving.
Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
|
| |
|
|
|
|
|
| |
A new pki-server <subsystem>-audit-file-verify CLI has been added
to verify audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
|
| |
|
|
|
|
|
| |
A new pki-server <subsystem>-audit-file-find CLI has been added
to list audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
|
| |
|
|
|
|
|
|
|
|
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener.alertReceived() has been fixed to
generate audit log when the SSL socket is closed by the client.
The log message has been modified to include the reason for the
termination.
https://pagure.io/dogtagpki/issue/2602
Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
|
| |
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
| |
|
|
|
|
|
| |
A new PKIRESTProvider has been added to send and receive
StreamingOutput object through REST API.
Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
|
| |
|
|
|
|
|
| |
All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.
Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
|
| |
|
|
|
| |
Added 'pylint: disable=no-member' whenever module 're'
attempts to reference its 'MULTILINE' member.
|
| | |
|
| |
|
|
|
|
| |
https://pagure.io/dogtagpki/issue/2627
Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd
|
| |
|
|
| |
Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3
|
| |
|
|
| |
Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6
|
| |
|
|
| |
Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
|
| |
|
|
| |
error checking and debugging
|
| |
|
|
| |
requests CMC encryptedPOP and decrypedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
|
| |
|
|
| |
adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the storage unit reuses the same IV each time a record
is stored. This works (probably) for DES3, but not for AES.
The getWrappingParams() method is modified to check the config as follows
(in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- return null
To ensure that the same IV used to encrypt the secret is stored in the
DB, the wrapping param is defined once in the archival process, and
passed in to the wrapping functions in storageUnit.
Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Changed the client to use AES-128-CBC-PAD rather than DES-3.
Because AES-256-CBC-PAD has no OID defined, we use the following
hack:
* Pass in the AES-256-CBC OID as the encrypt algorithm OID
* Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size
of 128) when recieving the OID for AES.
* Changed the client to send, and the server to pass through
the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately
sized IV on retrieval.
This code has been tested to successfully create and retrieve
secrets using AES. Ideally, we'd be using GCM rather than CBC,
which then requires no padding - and no hack needed. Hopefully,
we can get that working in a subsequent commit.
Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
|
| |
|
|
|
|
|
|
|
|
|
| |
For external principal support, ACLInterceptor must handle
GenericPrincipal instances in addition to PKIPrincipal.
Specifically, if the principal is a GenericPrincipal, the auth token
is set to an ExternalAuthToken, and the authz manager is looked up
by the realm of the principal (it is assumed that the principal name
has the form "id@realm").
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
| |
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
| |
Update AuthMethodInterceptor to handle externally authenticated
principals. For now, access is unconditionally granted.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add the ExternalAuthenticationValve valve, which, if an externally
authenticated principal is available, reads the REMOTE_USER_GROUP
information from the Coyote request and adds the groups ("roles" in
Tomcat terminology) to the principal.
It also saves a complete copy of the request attribute map in the
princpial. The new class ExternalPrincipal is used to achieve this.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The "set auth token into request" logic is extensive and warrants
extraction. It also has a separate concern mixed in with it: the
self-assignment of the request if the authenticated user is a
"Registration Manager Agent".
Separate these concerns and extract the setAuthTokenIntoRequest
method.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
| |
Small refactor to define the auth token keys set by
AgentCertAuthentication in IAuthToken, so that consumers do not need
to import AgentCertAuthentication directly, or redefine the
constants.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
| |
A new constructor has been added into EInvalidCredentials to
support exception chaining.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developer keyset token operations and key change over supported.
Caveats.
-The diversification step going from master key to card key uses DES3 as required for the token.
-After that point, everything is scp03 to the spec with minor excpetions so far.
Supports 128 bit AES for now. Will resolve this.
Minor config tweaks:
TPS
Symmetric Key Changeover
Use this applet for scp03:
RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc
TKS:
Symmetric Key Changeover
tks.mk_mappings.#02#03=internal:new_master
tks.defKeySet.mk_mappings.#02#03=internal:new_master
Use the uncommented one because scp03 returns a different key set data string.
ToDo:
-Support the rest of the AES sizes other than 128.
-Support optional RMAC apdu.
-Test and adjust the config capability for other tokens.
-Support AES master key. Right now the standard key ends up creating AES card and session keys.
|
| |
|
|
| |
Change-Id: I6024ca5a32769b460d578dfad46598432381784c
|
| |
|
|
|
|
|
|
| |
The PKIArchiveOptions object contains an OID for the encryption algorithm.
Use this to create the correct WrappingParam for the tranport unit instead
of defaulting to DES3.
Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several changes in this patch:
1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the
TransportUnit into those classes. This helps to determine which methods are called by
which class (because in general they require different arguments). It may be possible
to later simplify and reduce code repetition by pulling core functionality back into
the EncryptionUnit.
2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values
as part of the KeyRecord when the key is stored. On retrieval, this data is read and
used to extract the data. If the data is not present, then use the old DES3 parameters.
3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap
for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then
the old wrapping will be used instead.
Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
|
| | |
|
| | |
|
| |
|
|
|
|
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The PKI UI main page has been modified to retrieve access banner
and display it in a dialog box. After displaying the banner it
will notify the server such that the banner is not returned again
in the same server session.
To prevent displaying multiple dialog boxes in pages with frames
the critical code is locked such that only one frame can actually
display the banner.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
|
| |
A new PKIApplication class has been added into /pki web application
to define common PKI REST services such as access banner.
https://fedorahosted.org/pki/ticket/2582
|
