Commit message

Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
The CertRequestProcessedEvent constructor that takes a certificate
object was modified to log the certificate serial number instead of
the base64-encoded certificate data.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I67f33a7d435d0e5accdb646bdd20bae99d123472
The CertRequestProcessedEvent constructors have been modified to
log the info attributes using the new AuditEvent attributes.
The logging property for CERT_REQUEST_PROCESSED event has been
modified to accept a list of attributes as a single string instead
of individual info attributes.
The CERT_REQUEST_PROCESSED constant in AuditEvent has been replaced
with a constant in CertRequestProcessedEvent class which points to
the new logging property.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I981212af7fca58916c73ccdeba9919a4d051af3c
A new ConfigTrustedPublicKeyEvent class has been added to
encapsulate the CONFIG_TRUSTED_PUBLIC_KEY events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2fb4b46dfd63daf3c0c08dc08b3dbac9108ec908
The AuditEvent class has been modified to support a variable number
of event attributes which can be used to generate more flexible
audit log entries.
https://pagure.io/dogtagpki/issue/2655
Change-Id: I565062bd7d635c0cbff0e6a7e71477648c9d3212
The conditions to log CERT_REQUEST_PROCESSED have been simplified
since the auditInfoCertValue() will return SIGNED_AUDIT_EMPTY_VALUE
if the certificate object is not available in the request object.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I946481c17729d2c349c949def113fc5563ec90ad
Some log messages have been added to help troubleshoot the cause
of server shutdown.
Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
The finalization scriptlet now waits after service has been restarted.
Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de
Bugzilla: BZ#1446364
Pagure: 2644
Signed-off-by: Christian Heimes <cheimes@redhat.com>
When using an HSM, AES KeyWrapping is not available and so
some different code paths were exercised. Fixing bugs in those
paths uncovered a case where we were calling unwrapSymmetric()
with bits and not bytes for the key length.
This does not matter for 3DES, where JSS expects a length of 0,
but very much matters for AES. Fixing this - and the KeyClient
to actually use the returned wrapping algorithm to unwrap, allows
us now to return generated symmetric keys correctly.
Bugzilla BZ#1448521
Pagure: 2690
Change-Id: I2c5c87e28f6f36798b16de238bbaa21da90e7890
When AES-KW or AES-KWP is not available, we need to be sure to use
a key wrap algorithm that is available for keywrap. This would
be AES-CBC. Removes some TODOs.
Refactor so that getWrappingParams is only defined on the StorageUnit,
which is where it makes sense in any case.
Part of Bugzilla BZ# 1386303
Change-Id: I28711f7fe0a00e9d12d26c6e170fb125418d6d51
In HSMs, we were not able to retrieve asym keys that were
generated from the AsymKeyGenService, because the right
flags were not set (i.e. set like in the server side
keygen case).
To do this, I extracted the key generation function from
NetKeygenService to KeyRecoveryAuthority, so that it could
be used by both services.
Bugzilla BZ# 1386303
Change-Id: I13b5f4b602217a685acada94091e91df75e25eff
Ticket 1663 Add SCP03 support: https://pagure.io/dogtagpki/issue/1663
We discovered a minor issue when trying to log values that don't exist when performing the non server side keygen case. For instance, we don't need to generate a kek session key in this case, and we were trying to print info about it to the logs. This fix allows this case to work without issue.
Change-Id: I81d3aa98a05208b2f5b1be3700c2e0759b387203
PKCS #12 export was updated to use AES / PBES2 encryption for the
key bags, but an import code path used when spawning a clone was
missed, and now fails (because it doesn't grok PBES2).
Update it to use CryptoStore.importEncryptedPrivateKeyInfo()
instead, fixing the problem.
Fixes: https://pagure.io/dogtagpki/issue/2677
Change-Id: I11f26ae8a4811f27690541f2c70b3a2adb6264e9
pki.authority was mistakenly sending headers as POST body instead of
sending an empty POST body with right headers.
Change-Id: I6a5089e55233cf72f4d8e79832150e7c45f0fdae
Signed-off-by: Christian Heimes <cheimes@redhat.com>
The CAInfoService returns CA configuration info, including
KRA-related values the CA clients may need to know (e.g. for
generating a CRMF cert request that will cause keys to be archived
in KRA). Currently that information is statically configured and
does not respect the actual configuration of the KRA.
Update the service to retrieve info from the KRA, which is queried
according to the KRA Connector configuration. After the KRA has
been successfully contacted, the recorded KRA-related settings are
regarded as authoritative.
The KRA is contacted ONLY if the current info is NOT authoritative,
otherwise the currently recorded values are used. This means that
any change to relevant KRA configuration (which should occur seldom
if ever) necessitates restart of the CA subsystem.
If this is unsuccessful (e.g. if the KRA is down or the connector is
misconfigured) we use the default values, which may be incorrect.
Fixes: https://pagure.io/dogtagpki/issue/2665
Change-Id: I30a37c42ef9327471e8cce8a171f79f388fec746
This patch would fix the issue. It also adds the CMCUserSignedAuth
authentication instance that was missed in the CS.cfg
The KRA has two private key recovery code paths: one dealing with
keys wrapped to the storage key, and one dealing with symmetrically
encrypted keys. Each has a separate function for constructing a
PKCS #12 file for the recovered key.
This commit updates the PKCS #12 generation for wrapped keys to use
AES encryption. The JSS PBE facility is not expressive enough to
handle PBES2 encryption, which is necessary for many algorithms
including AES, so we now use CryptoStore.getEncryptedPrivateKeyInfo.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Iba67f15642338316e4a6d09f78504327e8853b85
(cherry picked from commit 8e663b6270d9a9409a04bfcb445318a6d5622b52)
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Ic35a81c4c4dd49622bfdeb677d588641594b7ec6
(cherry picked from commit 507908d1aac8f9db6c380f5cae634521608043e8)
Update PKCS12Util to use AES-256-CBC to encrypt private keys.
Use JSS CryptoStore methods to ensure that all key wrapping and
unwrapping is done on the token.
Specifically, CryptoStore.getEncryptedPrivateKeyInfo replaces the
previous process where a symmetric key was generated, the private
key wrapped to the symmetric key, then decrypted into Dogtag's
memory, then re-encrypted under the supplied passphrase. Now the
key gets wrapped directly to the supplied passphrase.
Similarly, for import, the EncryptedPrivateKeyInfo was decrypted
using the supplied passphrase, then encrypted to a freshly generated
symmetric key, which was then used to unwrap the key into the token.
Now, the new JSS method CryptoStore.importEncryptedPrivateKeyInfo is
used to unwrap the EncryptedPrivateKeyInfo directly into the token,
using the supplied passphrase.
As a result, the PKCS12KeyInfo class, which previously stored
unencrypted key material (a PrivateKeyInfo object), now only
deals with PrivateKey (an opaque handle to a PKCS #11 object)
on export and encoded (byte[]) EncryptedPrivateKeyInfo data on
import. This split suggests that PKCS12KeyInfo should be decomposed
into two classes - one containing a PrivateKey and the other
containing a byte[] encryptedPrivateKeyInfo - but this refactoring
is left for another day.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: I75d48de4d7040c9fb3a9a6d1e920c191aa757b70
(cherry picked from commit 2e198ddbe9ec5000ee7e14df0aa364b600d3aa92)
This patch provides implementation that allows user-signed CMC requests
to be processed; The resulting certificate will bear the same subjectDN
as that of the signing cert;
The new uri to access is /ca/ee/ca/profileSubmitUserSignedCMCFull
where the new profile is to be used: caFullCMCUserSignedCert.cfg
which utilizes the new authentication plugin: CMCUserSignedAuth
and new profile default plugin: CMCUserSignedSubjectNameDefault
and new profile constraint plugin: CMCUserSignedSubjectNameConstraint
This is tested using Barbican as a client. We are simply
reverting to the same behavior we had before for the
NSS Crypto provider case.
Change-Id: I11300b3bea5670c783e1b4736d98f35f30ecf2ce
expected.
This simple fix addresses an overflow in the "startTime" parameter in 4 places in the code. I felt that honing in only on the startTime value was the best way to go. In some of the files other than ValidityDefault.java, there were possibly some values that could be changed from int to long. Due to the complexity of some of the calculations involved in some of those cases, it is best to fix the exact issue at hand instead of introducing some other possible side effects.
Incorrect key size led to errors when the client side
was set to use 3DES. Also deprecate not providing an
encryption algorithm OID explicitly in
archive_encrypted_data().
Change-Id: I51e8ee2aed1d0cddd9d37d91a93c920be901fdb9
Part of: https://pagure.io/dogtagpki/issue/1408
Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1
When no algorithm OID is provided, we used to default to 3DES.
We need to continue to do this to not break IPA.
Change-Id: I620c3d7cec71be1a529056acc6bf3940e25f2f9d
When using token-based unwrapping of archived keys, the key is being
stored in the token. We do not want to accumulate the keys here;
make them temporary.
Part of: https://pagure.io/dogtagpki/issue/2610
Change-Id: Ic12a4db7238512b4fec5d6fdb023b20195c2d438
When modifying a profile, attributes are not cleared. Attributes
that were removed in the updated profile configuration are not
actually removed.
When updating a profile via PUT /ca/rest/profiles/{id}/raw, clear
the config store before loading the new configuration.
Fixes: https://fedorahosted.org/pki/ticket/2588
Change-Id: I4988315c57bb5d5a44deb04d41603adb39780f19
The SourceConfigStore load() method does not clear the config store,
but this might be necessary to avoid stale data if wanting to
perform a complete replacement of the data (e.g. reload from file).
We should not change the behaviour of load() in case some code is
relying on the current behaviour, so add the clear() method to the
interface.
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: Ia139a49f1a23c4f9410d7b94c9a4c8f14f29fe93
Part of: https://fedorahosted.org/pki/ticket/2588
Change-Id: I1ac9a3d89c93832ef6b6b48b89138495ef4892fb
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that takes an IRequest
object.
The auditInfoValue() method in CAProcessor has been moved into
CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: I892f1476835b45910fdc3e64bd9f6fc9e2f016fb
A new CertRequestProcessedEvent constructor has been added to
encapsulate CERT_REQUEST_PROCESSED events that take an X509CertImpl
object.
Copies of auditInfoCertValue() method in various classes have been
combined and moved into CertRequestProcessedEvent.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ie234bdb9f1b52399dad4bd1e20f57dcb99d86091
A new SignedAuditConfigRoleEvent class has been added to
encapsulate the CONFIG_SIGNED_AUDIT events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I95b897fa0bb73007a7cec009c43ade4cc860f0cd
Change-Id: Id73bd6d3c0874c327bc27260318a2c671f0f0177
A new CertRequestProcessedEvent class has been added to
encapsulate the CERT_REQUEST_PROCESSED events.
https://pagure.io/dogtagpki/issue/2636
Change-Id: Ia79e6ae13d09a3ec6509c60435fc24d5a2fee38f
A new ConfigRoleEvent class has been added to encapsulate the
CONFIG_ROLE events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie0932131d75897f58afdd8217454c6cf6970d738
A new RoleAssumeEvent class has been added to encapsulate the
ROLE_ASSUME events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
A new AuthzFailEvent class has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
A new AuthzSuccessEvent class has been added to encapsulate the
AUTHZ_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
A new AuthFailEvent class has been added to encapsulate the
AUTH_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
A new AuthSuccessEvent class has been added to encapsulate the
AUTH_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
Fix Python 3 support for pkispawn: Config values are text values. Therefore
the config file has to be written as text file.
Test Python 3 support in Travis CI. The little script py3rewrite copies
pki.server Python files and rewrites pkispawn and pkidestroy to use
Python 3.
Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf
Signed-off-by: Christian Heimes <cheimes@redhat.com>
The IAuditor has been modified to define a log() method for
AuditEvent object.
Change-Id: Ie1ad720bd6d3bcd71a4567eed477f0e34a8274c9
The ProfileSubmitCMCServlet.auditInfoCertValue() has been modified
to accept X509CertImpl like CAProcessor.auditInfoCertValue().
Change-Id: Ib3b4c4c19250df73a769590488cb5716a50a065b
The ConnectorServlet.auditInfoCertValue() has been refactored to
accept X509CertImpl like CAProcessor.auditInfoCertValue().
Change-Id: I42f4a17a20f43a8c9dd2b329b07de3a23da7ca33
The auditInfoCertValue(IRequest) in CAProcessor has been merged
into auditInfoCertValue(X509CertImpl) since they are identical.
Change-Id: Iccdad7a3c1ff3bc05f1f0ac1830eada21337dfca
New audit() methods have been added to log AuditEvents in
AdminServlet.
Change-Id: I92a259363bdda553621491e46122365c7097946a
The code that concatenates lines has been simplified using
String.replace().
Change-Id: Id376f089cb9b8a78cfd9b3fb922e9cd9055c0e74