| Commit message (Collapse) | Author | Age | Files | Lines |
| |
A previous commit mistakenly conflated the wrapping parameters for
DES and DES3 cases, resulting in incorrect data being stored if the
storage was successful at all. This broke ipa vault and probably
also token key archival and recovery.
This patch sets the right parameters for the 3DES case again.
Part of BZ# 1458043
Change-Id: Iae884715a0f510a4d492d64fac3d82cb8100deb4
| |
Commit 633c7c6519c925af7e3700adff29961d72435c7f changed the PKCS #12
file handling to never deal with raw private key material.
PKCS12Util.addKeyBag() was changed to export the PrivateKey handle,
or fail. This change missed this case where a PKCS #12 file is
loaded from file, possibly modified, then written back to a file,
without involving an NSSDB. One example is pkcs12-cert-del which
deletes a certificate and associated key from a PKCS #12 file.
Fix the PKCS12Util.addKeyBag() method to use the stored
EncryptedPrivateKeyInfo if available, otherwise export the
PrivateKey handle.
Fixes: https://pagure.io/dogtagpki/issue/2741
Change-Id: Ib8098126bc5a79b5dae19103e25b270e2f10ab5a
| |
The server is modified to read the new OIDs in the PKIArchiveOptions
and handle them correctly.
Change-Id: I328df4d6588b3c2c26a387ab2e9ed742d36824d4
| |
proof
This patch implements the self-signed CMC requests, where the request is signed by the public key of the underlying request (PKCS#10 or CRMF). The scenario for when this method is used is when no existing signing cert for the user has been issued before, and once it is issued, it can be used to sign subsequent cert requests by the same user.
The new enrollment profile introduced is: caFullCMCSelfSignedCert.cfg
The new option introduced to both CRMFPopClient and PKCS10Client is "-y", which will add the required SubjectKeyIdentifier to the underlying request.
When a CMC request is self-signed, no auditSubjectID is available until Identification Proof (v2) is verified; however, the cert subject DN is recorded in the log as soon as it was available for additional information. Auditing is adjusted.
More will come in the next couple of CMC patches.
| |
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6
(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8)
| |
Update PKCS12Util to use AES-256-CBC to encrypt private keys.
Use JSS CryptoStore methods to ensure that all key wrapping and
unwrapping is done on the token.
Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
previous process where a symmetric key was generated, the private
key wrapped to the symmetric key, then decrypted into Dogtag's
memory, then re-encrypted under the supplied passphrase. Now the
key gets wrapped directly to the supplied passphrase.
Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
using the supplied passphrase, then encrypted to a freshly generated
symmetric key, which was then used to unwrap the key into the token.
Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
used to unwrap the EncryptedPrivateKeyInfo directly into the token,
using the supplied passphrase.
As a result, the PKCS12KeyInfo class, which previously stored
unencrypted key material (a PrivateKeyInfo object), now only
deals with PrivateKey (an opaque handle to a PKCS #11 object)
on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
import. This split suggests that PKCS12KeyInfo should be decomposed
into two classes - one containing a PrivateKey and the other
containing a byte[] encryptedPrivateKeyInfo - but this refactoring
is left for another day.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
| |
Old CRMFPopClients add the OID for ECC public keys in the encryption
algorithm OID for no obvious reason (considering the OID was never
read on the server side to begin with).
Now that we do read and use that field, we need to set it properly,
and also special case on the server side to handle old clients.
Change-Id: I0d753e572206e9062746c879ce683978e5e657bd
| |
Up to now, we have only ever used the same algorithm (DES3_CBC)
for key wrapping and encryption. With the change to use AES Keywrap
and AES CBC, we need to know which mechanism was used to encrypt/wrap
the secrets when returned to the client.
This means passing back more information to the client with the key
data, and also modifying the client to use this information to decode
the data correctly.
Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
| |
Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used. Trying to unpack
the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.
Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms. This
can be set by clients talking to old servers.
CRMFPopClient has the ability to automatically submit requests to
a CA. In this case, we should contact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.
Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
| |
* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest; this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
| |
Move some of the crypto functions in EncryptionUnit to CryptoUtil.
Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
| |
To implement a profile default that copies the CN to a SAN dNSName,
we need to examine the CN values present in the Subject DN.
Specifically, we want to look at the "most specific" CN value. The
'getCommonName' method returns the "least specific" value in the
name, thus is not suitable.
Add the 'getAttributesForOid(ObjectIdentifier)' method, which
returns an ordered list of values of the given name attribute type,
from least specific to most specific.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
To implement a profile default that copies CN to SAN dNSName, we
need to read and set the 'GeneralNames' of the extension. This can
be done via the 'get' and 'set' methods but this interface is
awkward and requires the caller to deal with exceptions that aren't
fundamental to the get/set actions.
Add the 'setGeneralNames' and 'getGeneralNames' methods.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
The 'GeneralNameInterface' interface represents a single X.509
General Name value. Various types are supported. The 'GeneralName'
class (which also implements 'GeneralNameInterface') is a singleton
container for another 'GeneralNameInterface' value.
To implement a profile component that copies CN to a SAN dNSName, we
need to examine existing General Names in the SAN extension (if
present), to avoid duplicate values. We can iterate 'GeneralNames',
but if the value is of type 'GeneralName' we need a way to "unwrap"
the value, down to the innermost value which will be of a specific
General Name type.
Add the 'unwrap' method to 'GeneralName'.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
To implement a profile default that copies CN to SAN dNSName, we
need to examine existing dNSName values. To support this, add the
'getValue()' method to 'DNSName'.
Part of: https://fedorahosted.org/pki/ticket/1710
| |
Per RFC 5758, when the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or ecdsa-with-SHA512 algorithm identifier appears in the algorithm field as an AlgorithmIdentifier, the encoding MUST omit the parameters field.
Note: Since we do not support DSA, this patch does not attempt to address them.
Also, while we do not claim to support sha224, the patch adds enough code to process the OID just for completeness. However, it does not attempt to offer it as part of the signing algorithms.
| |
The PKCS12Util class has been modified to use SLF4J logging
framework. The CMake scripts have been modified to include SLF4J
libraries in the classpath. The spec file has been modified to
add SLF4J dependencies.
https://fedorahosted.org/pki/ticket/195
| |
The InhibitAnyPolicyExtension has been modified to always close
the DerOutputStream instance.
The InhibitAnyPolicyExtDefault has been modified to wrap the
original exception.
https://fedorahosted.org/pki/ticket/2530
| |
The ExtendedKeyUsageExtension has been modified to always close
the DerOutputStream instance.
The ExtendedKeyUsageExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
| |
The OCSPNoCheckExtension has been modified to always close the
DerOutputStream instance.
The OCSPNoCheckExt has been modified to wrap the original
exception.
https://fedorahosted.org/pki/ticket/2530
| |
The GenericASN1Extension has been modified to always close the
DerOutputStream instance.
https://fedorahosted.org/pki/ticket/2530
| |
The OtherName has been modified to always close the
DerOutputStream instances.
https://fedorahosted.org/pki/ticket/2530
| |
For clarity the PKCS12Util.loadFromByteArray() has been modified
to generate a more accurate exception message on PKCS #12
verification failure.
https://fedorahosted.org/pki/ticket/2476
| |
The pki pkcs12-import CLI has been modified not to import
certificates that already exist in the NSS database unless
specifically requested with the --overwrite parameter. This
will avoid changing the trust flags of the CA signing
certificate during KRA cloning.
Some other classes have been modified to provide better
debugging information.
https://fedorahosted.org/pki/ticket/2374
| |
This patch adds support for SHA384withRSA signing algorithm.
| |
Add the framework for key retrieval when a lightweight CA is missing
its signing key. This includes all the bits for loading a
KeyRetriever implementation, initiating retrieval in a thread and
updating the record of which clones possess the key if retrieval was
successful.
It does not include a KeyRetriever implementation. A subsequent
commit will provide this.
Part of: https://fedorahosted.org/pki/ticket/1625
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
| |
The CertificateExtensions.parseExtension() and some extension
classes have been modified to chain the original exception.
https://fedorahosted.org/pki/ticket/1654
| |
The methods in X509CertInfo have been modified to chain the
original exception.
https://fedorahosted.org/pki/ticket/1654
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
| |
The ConfigurationUtils.backupKeys() has been modified to use
PKCS12Util to export the certificates and their trust flags into
a PKCS #12 file such that the file can be used for cloning.
The code to generate PFX object has been refactored from the
PKCS12Util.storeIntoFile() into a separate generatePFX() method.
The PKCS12Util.loadCertFromNSS() has been modified to provide
options to load a certificate from NSS database without the key
or the certificate chain. The CLIs have been modified to provide
the same options.
The PKCS12Util.getCertInfo() has been modified to ignore missing
certificate attributes in the PKCS #12 file and generate a new
local ID.
https://fedorahosted.org/pki/ticket/2255
| |
It is possible to encounter a case where the
CRLDistributionPointsExtension static initialiser, which adds the
class to the OIDMap, has not been invoked. This can cause a
ClassCastException, e.g. in CRLDistributionPointsExtDefault.
Update OIDMap to add CRLDistributionPointsExtension in its own
static initialiser.
Fixes: https://fedorahosted.org/pki/ticket/2237
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
| |
The utility for exporting certs and keys to a PKCS12 file
did not handle the signing certificate correctly. This is
because the signing certificate was imported multiple times
during the export process - either with its key (and key id set)
or as part of the cert chain for the other system certs (with
no key set).
Each import would override the previous import - so whether
or not the key_id was set would depend on the order in which
the certificates were imported.
This becomes an issue for import into a clone certdb, because in
the new mechanism, we rely on the cert attributes (ie. key_id) to
determine if a key is to be imported or not.
We fix this by specifying whether the entry in the export should
be overwritten or not.
| |
Currently JSS is unable to import CA certificates while preserving
their nicknames. As a workaround, the pki pkcs12-import has been
modified such that it exports individual CA certificates from PKCS
The remaining user certificates will continue to be imported using
JSS.
A new pki pkcs12-cert-export command has been added to export
individual certificates from PKCS #12 file into PEM files.
The pki pkcs12-import has been modified to take a list of nicknames
of the certificates to be imported into NSS database.
https://fedorahosted.org/pki/ticket/1742
| |
The PKCSUtil has been updated to match the functionality provided
by JSS.
In order to import a certificate properly, the certificate needs
to be exported with its private key and certificate chain, so the
option to export without key or without the certificate chain has
been removed. The option to export only the certificate chain has
also been removed since it can be done by exporting the complete
certificate chain, then removing the leaf certificate while keeping
the chain.
The pki pkcs12-cert-add has been modified to provide an option
to create a new PKCS #12 file to store the certificate.
The pki pkcs12-export has been modified to always overwrite
existing file to match the behavior of PKCS12Export. It also has
been modified to accept a list of nicknames of certificates to
export.
https://fedorahosted.org/pki/ticket/1742
| |
New CLIs have been added to add a certificate from NSS database and
to remove a certificate from the PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
| |
The PKCS12Util has been modified such that it stores the certs and
keys in PKCS12 object instead of PFX object. The PKCS12 object can
be loaded either from NSS database or PKCS #12 file. The PKCS12
object can later be stored into NSS database or PKCS #12 file.
The pki pkcs12-cert-find and pkcs12-key-find commands were modified
to require PKCS #12 password.
https://fedorahosted.org/pki/ticket/1742
| |
The PKCS12CertInfo and PKCS12KeyInfo classes have been moved out
of PKCS12Util into separate classes.
The createLocalKeyID() has been modified to return BigInteger
instead of byte array.
https://fedorahosted.org/pki/ticket/1742
| |
A new PKCS #12 attribute has been defined to store NSS certificate
trust flags in PKCS #12 file. The PKCS12Util has been modified to
store the trust flags during export and reset the trust flags in
NSS database during import.
https://fedorahosted.org/pki/ticket/1742
| |
The pki pkcs12-import and pki pkcs12-export commands have been
added to import and export PKCS #12 file into and from NSS
database.
https://fedorahosted.org/pki/ticket/1742
| |
The pki pkcs12-cert-find and pki pkcs12-key-find commands have
been added to list the certificates and keys in a PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
| |
The code to export NSS database into PKCS #12 file in PKCS12Export
tool has been refactored into PKCS12Util class to simplify further
enhancements.
The PKCS12Export tool has also been modified to use Java Logging
API. A default logging configuration file has been added. The
command-line wrapper has been modified to get the path to the
logging configuration file from pki.conf.
https://fedorahosted.org/pki/ticket/1742
| |
- patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
| |
The PKCS #9 challengePassword attribute has DirectoryString syntax.
Dogtag currently attempts only to decode it as a PrintableString,
causing failures when the attribute is encoded as a UTF8String.
Add method DerValue.getDirectoryString() to decode any of the valid
DirectoryString encodings and update ChallengePassword to use it.
https://fedorahosted.org/pki/ticket/1221
| |
- Removed dependency on removed internal junit class
- moved cmake reference to junit4.jar to junit.jar
- Disambiguate a couple of references
|