| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
The code that concatenates lines has been simplified using
String.replace().
Change-Id: Ib8532b12594604e3b013b5ac0ef30ce45f1351ea
|
| |
|
|
|
|
|
|
|
| |
The connectionTimeout parameter has been restored to 80 seconds.
The keepAliveTimeout parameter has been set to 5 minutes.
https://pagure.io/dogtagpki/issue/2643
Change-Id: I05bca0284ad946d833ed144e2f93a4ef4b9b6f0f
|
| |
|
|
|
|
|
|
|
| |
The default SSL connection timeout has been changed to 5 minutes
to improve PKI console usability.
https://pagure.io/dogtagpki/issue/2643
Change-Id: I905ca855285ddd655d965488b175c2d11fe407fd
|
| |
|
|
|
|
|
|
|
|
| |
The PKI console has been modified to display an error message and
exit to the system if the SSL connection has been closed (e.g.
due to timeout).
https://pagure.io/dogtagpki/issue/2643
Change-Id: I4507b42cc4e2e706762159321e6991ae5ec68602
|
| |
|
|
|
|
| |
A new method has been added to set AuditEvent's parameters.
Change-Id: I1b1e23030a819160b035ed67e908b6fbadedd714
|
| |
|
|
| |
Change-Id: I83c1adae3ec900d9c9806def518f6277ce6dedca
|
| |
|
|
|
|
|
|
| |
When an exception is thrown, the connection is currently
not closed, leading to Invalid State exceptions when the
next connection is attempted. This resolves this issue.
Change-Id: I531881434a73affb1c6536dfbb05bce151c854fb
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
CRMFPopClient and the pki cert client both can send a CRMF request
to a CA directly. Logic is added to check the CA for the required
KRA wrapping params and use those in place of any that have been
provided by the environment or command line.
Also, additional data for the supported KRA keyset has been added to
the CAInfoService. This will need to be managed by the admin. The
default is "1" which corresponds to AES.
Change-Id: I186f9c610005ec300bccf1b07470493ce7cdfeb4
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To process a cert request immediately (rather than having it queued
as pending), the user must be authenticated *by the profile*; auth
tokens from the main authentication system are not used.
For external authentication support it is possible that the external
authentication is sufficient to authenticate use of a problem;
especially when the profile uses componenets like
ExternalProcessConstraint to perform validation of the cert request
against external sources of information.
To support this use case, add the SessionAuthentication profile
authenticator, which merely reuses the IAuthToken from the session
context, if present.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
| |
Add the ExternalProcessConstraint profile policy constraint class.
It can be configured to execute an arbitrary program that performs
additional request validation, rejecting the request if it
terminates with a nonzero exit status. Information about the
request is conveyed in the subprocess' environment.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
| |
When processing a certificate request, if the authenticated
principal is an ExternalPrincipal, add its whole attribute map to
the IRequest. This provides a way for AJP request attributes to be
propagated through the profile system to profile components like
ExternalProcessConstraint. One such attribute that is needed for
GSS-API support is "KRB5CCNAME".
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If a certificate request comes with additional data in the
'cert-request' query param, add that to the request. Profile
components can then use this data.
This is needed to convey the subject principal name to the
ExternalProcessConstraint, when validating FreeIPA certificate
requests after we switch to GSS-API authentication.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CMS.getLogMessage performs message formatting via MessageFormat,
then the message gets logged via a Logger. The Logger also performs
message formatting via MessageFormat. If the formatted log message
contains '{' or '}' (e.g. if it contains JSON) the MessageFormat
implementation interprets these as FormatElement delimiters and
parsing fails.
Update CMS.getLogMessage() to scan arguments for unsafe characters
and if found, escape the whole message so that subsequent logging
will succeed.
Part of: https://pagure.io/dogtagpki/issue/1359
|
| |
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener has been modified to use WeakHashMap
to store socket info that might not be available after the socket
has been closed.
https://pagure.io/dogtagpki/issue/2642
Change-Id: I7e86a9bbc46e7bba4cec36664780c52bf0e88416
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The previous commit added a field in the KeyRecord to
specify whether or not a key was encrypted or key wrapped
when archived. This patch modifies the recovery servlets
to use this field to determine how to decrypt/unwrap the
key for transport.
Absence of this field in the key record implies that is
an old record - and we use the value of the CS.cfg parameter
as the default.
Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
|
| |
|
|
| |
provides the feature for CMC on handling id-cmc-popLinkWitnessV2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Whether a secret was encrypted or wrapped in the storage unit
depends on a parameter in CS.cfg. If that parameter is changed,
the Storage unit may use the wrong mechanism to try to decrypt
the stored key. Thats ok for encrypt/wrap using DES or AES-CBC,
but not for AES KeyWrap.
In this patch, we add a field in the Key record to specify whether
the secret was encrypted with stored (or keywrapped if false).
A subsequent patch will change the logic when decrypting to use
this field.
Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped. Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.
The flow here is as follows:
1. When a key retrieval request is sent to the server,
the client sends the encryption and key wrapping
algorithms it requires the key to be wrapped along
with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
recieved, the server assumes its talking to an old
client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
or encrypted. The return package will have either
encryption or key wrap algorithm set (depending on how
the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.
This patch:
1. Makes sure the key wrap algorithm requested by client
is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
AES KeyWrap with padding, the python client is configured
to request AES-CBC by default.
Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
|
| |
|
|
|
|
|
|
|
| |
The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.
https://pagure.io/dogtagpki/issue/2602
Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
|
| |
|
|
|
|
|
| |
subprocess returns bytes in Python 3. Make sure to
decode first when returning env variables.
Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows the use of the g&d 7 card.
This will require the following:
1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstool for this:
Ex:
/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16
2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:
Ex:
tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=##Smart Cafe 7 settings:
tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
|
| |
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
| |
|
|
|
|
|
| |
The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.
Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the server cannot do key wrapping using the AES KeyWrap,
probably because the backend HSM cannot do key wrapping, then
there is a setting to allow it to use encrypt/decrypt instead.
If the key wrap algorithm is something simple like 3DES or AES-CBC,
then the client can just use key wrapping to wrap the key on its
token, and the server can use an encryption algorithm to decrypt.
The client does not need to know that the server cannot handle a
key wrap, because keywrapping and encryption are pretty much the
same mechanism - just either in server memory or not.
When we do key wrapping using AES KeyWrap though, there is no
corresponding encryption algorithm used to decrypt. So the server
cannot simply decrypt a message wrapped with AES Keywrap (or at least
not in any obvious way). So in this case, the client needs to know
if the server can handle keywrap.
The patch therefore does the following:
1. For CRMFPopClient, adds a command line option to specify if key
wrapping or encryption is required.
2. Reads an environment variable if no option is provided.
3. If encryption is specified, uses key wrapping using AES-CBC
which can be decrypted on the server side.
4. For cert-client, contacts the server to determine from the
CAInfoResource if keywrapping is supported.
Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
|
| |
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
| |
|
|
| |
Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
|
| |
|
|
| |
Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
|
| |
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
| |
|
|
| |
Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
|
| |
|
|
| |
Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
|
| |
|
|
| |
Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
|
| |
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
| |
|
|
| |
Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.
This is needed by clients to know how to package secrets when
archiving. We may add the transport cert later.
Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
|
| |
|
|
|
|
|
|
|
|
| |
This resource (which will be accessed at /kra/rest/info)
will initially return the mechanism for archival or retrieval.
This is needed by clients to know how to package secrets when
archiving.
Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
|
| |
|
|
|
|
|
| |
A new pki-server <subsystem>-audit-file-verify CLI has been added
to verify audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
|
| |
|
|
|
|
|
| |
A new pki-server <subsystem>-audit-file-find CLI has been added
to list audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
|
| |
|
|
|
|
|
|
|
|
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
|
| |
|
|
|
|
|
| |
The MainCLI has been modified to generate a deprecation warning
for the -t option.
Change-Id: I28ac45954a900f6944528ef52913982d72896c92
|
| |
|
|
|
|
|
|
|
| |
The UserCLI and GroupCLI have been fixed to use the subsystem name
in the client configuration object if available.
https://pagure.io/dogtagpki/issue/2626
Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f
|
| |
|
|
|
|
|
|
|
|
| |
To help troubleshooting the PKIConnection has been modified to
register an SSL socket listener which will display SSL alerts
that it has received or sent.
https://pagure.io/dogtagpki/issue/2625
Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83
|
| |
|
|
|
|
|
| |
The pki_console_wrapper script has been fixed to load cascading
pki.conf properly and to set the logging configuration property.
Change-Id: Ie7b83f3c87bea133ee61d018457d7d4daf0fb757
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added code to:
* Add an InfoClient to the KRAClient
* Check the server, client and crypto provider keyset levels and
select the highest possible level accordingly.
* Added new fields as returned by the server for retrieval.
* Added new fields to KeyRecoveryRequest as added in AES changes.
Changes to decode keywrapped symmetirc and asymmetric keys will
be added in subsequent patches. Right now, encrypt/decrypt works.
Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
|
| |
|
|
|
|
|
|
|
|
|
| |
The python-cryptography provider is added. It will use AES
mechanisms by default. The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.
Added some methods to determine which crypto keyset levels are
supported by the crypto provider.
Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The PKIServerSocketListener.alertReceived() has been fixed to
generate audit log when the SSL socket is closed by the client.
The log message has been modified to include the reason for the
termination.
https://pagure.io/dogtagpki/issue/2602
Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
|
| |
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
| | |
|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| | |
This is needed to set the same environment as the pki CLI
and pick up any client specific changes.
Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
|
| |\| |
|
