The FeatureCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The AuthorityCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

Currently, the storage unit reuses the same IV each time a record
is stored. This works (probably) for DES3, but not for AES.
The getWrappingParams() method is modified to check the config as follows
(in order):
-- if the iv is defined, use that iv
-- if the length is defined, generate a byte array of that length
-- return null
To ensure that the same IV used to encrypt the secret is stored in the
DB, the wrapping param is defined once in the archival process, and
passed in to the wrapping functions in storageUnit.
Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854

Also made a couple of small changes to WrappingParams.
* Set the wrapIV to null when AES KeyWrap is used. Trying to unpack
the PKIArchiveOptions package with this IV set to null fails.
* removed superfluous this modifiers.
Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf.
If this parameter is set to 0, we will use the old DES3 algorithms. This
can be set by clients talking to old servers.
CRMFPopClient has the ability to automatically submit requests to
a CA. In this case, we should contact the server and determine the
version using InfoClient, and choose the algorithm accordingly.
We will implement this in a separate patch.
Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e

The UserCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The SecurityDomainCLI and its submodule have been modified to use
lazy initialization to get the PKIClient object.

The KRA KeyCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The CertCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The CA CertCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The SubsystemCLI and its subclasses have been modified to use
lazy initialization to get the PKIClient object. They also have
been simplified by moving common methods to the base class.

The ProxyCLI has been modified to use lazy initialization to get
the PKIClient object.

The ClientCLI and its submodules have been modified to use lazy
initialization to get the PKIClient object.

The CLI.getClient() has been modified to return the parent CLI's
PKIClient object if available.

A new CLI.getConfig() has been added to return the parent CLI's
configuration if available.

* Refactor code in CryptoUtil to parametrize the algorithms used.
* Moved WrappingParams to utils jar to allow correct compilation.
* Removed code that created a PKIArchiveOptions structure from
CRMFPopClient and replaced with calls to CryptoUtil methods.
Note that the algorithms have been left as DES3. They will be
changed to AES in the next patch.
* Converted code in AuthorityKeyExportCLI to use the new methods
in CryptoUtil.
* Removed DRMTest; this code is no longer maintained or used.
Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a

Change-Id: I862c86994e6268860380404113a9bea0d237d60e

Also used the infoClient in the KeyClient
Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630

* Changed the client to use AES-128-CBC-PAD rather than DES-3.
Because AES-256-CBC-PAD has no OID defined, we use the following
hack:
* Pass in the AES-256-CBC OID as the encrypt algorithm OID
* Use PKCS#1.5 Padding.
* Changed the client to use AES for the wrapping key on retrieval.
* Changed the server to implicitly assume PKCS#1.5 (and a key size
of 128) when receiving the OID for AES.
* Changed the client to send, and the server to pass through
the encryption algorithm expected when retrieving the key.
* Fixed the generate_iv() function to generate an appropriately
sized IV on retrieval.
This code has been tested to successfully create and retrieve
secrets using AES. Ideally, we'd be using GCM rather than CBC,
which then requires no padding - and no hack needed. Hopefully,
we can get that working in a subsequent commit.
Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0

The CryptoUtil.setSSLCiphers() has been modified to support a "-"
sign in front of the cipher name or ID to disable the cipher.

The CryptoUtil.setSSLCipher() has been modified to support ciphers
specified using hex ID.

The PKI CLI has been modified to support client cert authentication
without NSS database password.

The pki.nssdb module has been modified to support operations
without NSS database password.

The pki client-init has been modified to support creating NSS
database without password.

The minimum SSL version for datagram should have been TLS 1.1 to
match the default in pki.conf.

The PKI CLI has been modified to use hard-coded default values
in case the pki.conf is not available (e.g. in Eclipse).

A new parameter has been added to pki.conf to enable/disable the
default SSL ciphers for PKI CLI.

A new parameter has been added to pki.conf to configure the SSL
ciphers used by PKI CLI in addition to the default ciphers.

The code that converts cipher name into cipher ID and enables
the cipher in CryptoUtil.setClientCiphers() has been moved into
a separate method.

The CryptoUtil.setClientCiphers() has been modified to throw
an exception on unsupported cipher.

The CryptoUtil.unsetSSLCiphers() has been modified not to ignore
exceptions.

The setClientCiphers() in CryptoUtil has been renamed to
setDefaultSSLCiphers() for clarity.

The hard-coded SSL version ranges in PKI CLI have been converted
into configurable parameters in the pki.conf.

The PKI CLI has been modified such that it initializes the
PKIClient (and retrieves the access banner) only if the CLI
needs to access the PKI server.
https://pagure.io/dogtagpki/issue/2612

The CryptoUtil.setClientCiphers(String) has been reformatted to
simplify future refactoring.

rfc5272 (part 1)

This patch provides methods that can be shared between the CA and the ISharedToken plugins:
1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms.
2. The establishment of Issuance Protection Certificate

To prevent conflicts, the code that configures the default SSL
version ranges and ciphers for all SSL sockets created afterwards
has been moved out of PKIConnection into the main program (i.e.
PKI CLI).

The PKI CLI has been modified to create a default NSS database
without a password if there is no existing database at the
expected location.

The CryptoUtil.setClientCiphers() has been reformatted to simplify
future refactoring.

The duplicate code for configuring default SSL version ranges has
been merged into reusable methods in CryptoUtil.

Added -t and --token information in pki man page.

The default pki.conf has been modified to export the environment
variables such that they can be used by PKI client.

Wrapping params can now be specified in CS.cfg as per design.
The default will be AES. If the parameters are not set, then the
old mechanism (DES) will be used instead.
A migration script will be created in a separate commit.
Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d

For external principal support, ACLInterceptor must handle
GenericPrincipal instances in addition to PKIPrincipal.
Specifically, if the principal is a GenericPrincipal, the auth token
is set to an ExternalAuthToken, and the authz manager is looked up
by the realm of the principal (it is assumed that the principal name
has the form "id@realm").
Part of: https://pagure.io/dogtagpki/issue/1359

Part of: https://pagure.io/dogtagpki/issue/1359

Update AuthMethodInterceptor to handle externally authenticated
principals. For now, access is unconditionally granted.
Part of: https://pagure.io/dogtagpki/issue/1359

Many parts of Dogtag expect an IAuthToken, which represents the
authenticated user. The sole implementation, AuthToken, uses some
concepts that do not carry across to externally authenticated
principals, e.g. an external principal does not have an associated
IAuthManager that was used to authenticate the principal. Therefore
something different is needed.
Implement ExternalAuthToken which wraps a GenericPrincipal and
provides access to the data therein.
Part of: https://pagure.io/dogtagpki/issue/1359

Add the ExternalAuthenticationValve valve, which, if an externally
authenticated principal is available, reads the REMOTE_USER_GROUP
information from the Coyote request and adds the groups ("roles" in
Tomcat terminology) to the principal.
It also saves a complete copy of the request attribute map in the
principal. The new class ExternalPrincipal is used to achieve this.
Part of: https://pagure.io/dogtagpki/issue/1359