path: root/base
Commit message [Author, Age, Files, Lines]
...
| * Added python info client [Ade Lee, 2017-04-03, 2 files, -11/+138]
| |     Add python client code to read from the InfoResource class and get the server version. As the PKIConnection in the python client currently requires a subsystem, it is difficult to add an infoclient to an existing KRAClient (or any other client). To get around this, I modified the PKIConnection to allow using the rootURI.
| |     Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
* | Added PKIRESTProvider. [Endi S. Dewata, 2017-04-04, 7 files, -24/+128]
| |     A new PKIRESTProvider has been added to send and receive StreamingOutput object through REST API.
| |     Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
* | Added audit service and CLI to all subsystems. [Endi S. Dewata, 2017-04-04, 21 files, -2/+105]
|/
|     Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.
|     Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Change default key size for KRA storage unit to 128 [Ade Lee, 2017-04-03, 1 file, -1/+1]
|     Most of the research out there seems to indicate that AES-128 is more than sufficient for security. Use this as default.
|     Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e
* Fix generation of CRMF request for ECC keys [Ade Lee, 2017-04-03, 2 files, -16/+11]
|     Old CRMFPopClients add the OID for ECC public keys in the encryption algorithm OID for no obvious reason (considering the OID was never read on the server side to begin with). Now that we do read and use that field, we need to set it properly, and also special case on the server side to handle old clients.
|     Change-Id: I0d753e572206e9062746c879ce683978e5e657bd
* Refactored AuditCLI. [Endi S. Dewata, 2017-03-31, 2 files, -5/+7]
|     The AuditCLI has been modified to create the AuditClient with lazy initialization.
|     Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
* Removed redundant Context attributes. [Endi S. Dewata, 2017-03-31, 22 files, -365/+0]
|     All subclasses of PKIService have been modified to remove the Context attribute since they have been declared in the base class.
|     Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
* Fix for pylint when using Python 3.6 [Christian Heimes, 2017-03-31, 2 files, -2/+10]
|     Added 'pylint: disable=no-member' whenever module 're' attempts to reference its 'MULTILINE' member.
* Misc pylint, flake8 and tox fixes [Christian Heimes, 2017-03-31, 10 files, -10/+14]
|
* Fixed pylint error in pki.authority. [Endi S. Dewata, 2017-03-31, 1 file, -1/+1]
|     https://pagure.io/dogtagpki/issue/2627
|     Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
* Fixed pylint errors in pki.server.cli.subsystem. [Endi S. Dewata, 2017-03-31, 1 file, -3/+2]
|     https://pagure.io/dogtagpki/issue/2627
|     Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd
* Fixed default subsystems for top-level CLI commands. [Endi S. Dewata, 2017-03-31, 5 files, -10/+39]
|     The top-level CLI commands have been modified to get the subsystem name from the parent subsystem CLI if available, otherwise they will use a hard-coded default value.
|     https://pagure.io/dogtagpki/issue/2626
|     Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0
* Removed duplicate PROP_EXPIRATION_TIME constant. [Endi S. Dewata, 2017-03-30, 2 files, -7/+6]
|     Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3
* Removed duplicate PROP_MAX_FILE_SIZE constant. [Endi S. Dewata, 2017-03-30, 1 file, -5/+4]
|     Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6
* Removed duplicate PROP_ROLLOVER_INTERVAL constant. [Endi S. Dewata, 2017-03-30, 2 files, -10/+10]
|     Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
* Fix retrieval for symmetric keys [Ade Lee, 2017-03-28, 10 files, -29/+258]
|     Up to now, we have only ever used the same algorithm (DES3_CBC) for key wrapping and encryption. With the change to use AES Keywrap and AES CBC, we need to know which mechanism was used to encrypt/wrap the secrets when returned to the client. This means passing back more information to the client with the key data, and also modifying the client to use this information to decode the data correctly.
|     Change-Id: I7232085c1eedf38c63abad81db08acc912fa1da1
* Bug #2615 CMC: cleanup code for Encrypted Decrypted POP This patch adds more ↵ [Christina Fu, 2017-03-28, 3 files, -43/+240]
|     error checking and debugging
* Bug 1419742: CMC RFE: provide Proof of Possession for encryption cert ↵ [Christina Fu, 2017-03-28, 8 files, -327/+1300]
|     requests CMC encryptedPOP and decryptedPOP (Phase 1) also disable lraPOPwitness This patch implements the Proof of Possession for encryption only keys. This is a preliminary implementation with limitations. It does not support more than one request. ECC keys are untested. This version only uses default algorithms at some internal places. Not all limitations are listed here.
* Bug 1419734 CMC: id-cmc-identityProofV2 feature implementation This patch ↵ [Christina Fu, 2017-03-28, 4 files, -38/+388]
|     adds both client and server support for two cmc controls: id-cmc-identityProofV2 - for supporting RFC5272, and id-cmc-identification - for assisting in shared secret search; Note: for client, only CMCRequest is updated in this patch
* Refactored TPS ConnectorCLI. [Endi S. Dewata, 2017-03-28, 6 files, -9/+22]
|     The TPS ConnectorCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS TokenCLI. [Endi S. Dewata, 2017-03-28, 6 files, -9/+23]
|     The TPS TokenCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ProfileCLI. [Endi S. Dewata, 2017-03-28, 6 files, -9/+22]
|     The TPS ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPS ConfigCLI. [Endi S. Dewata, 2017-03-28, 3 files, -5/+12]
|     The TPS ConfigCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored TPSCertCLI. [Endi S. Dewata, 2017-03-28, 3 files, -5/+12]
|     The TPSCertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthenticatorCLI. [Endi S. Dewata, 2017-03-28, 6 files, -9/+22]
|     The AuthenticatorCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuditCLI. [Endi S. Dewata, 2017-03-28, 3 files, -6/+13]
|     The AuditCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored ActivityCLI. [Endi S. Dewata, 2017-03-28, 3 files, -5/+12]
|     The ActivityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Added audit logs for SSL/TLS events. [Endi S. Dewata, 2017-03-28, 11 files, -11/+190]
|     The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.
|     The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.
|     https://pagure.io/dogtagpki/issue/2602
|     Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Refactored TPSConnectorCLI for TKS. [Endi S. Dewata, 2017-03-27, 6 files, -8/+21]
|     The TPSConnectorCLI for TKS and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored SelfTestCLI. [Endi S. Dewata, 2017-03-27, 4 files, -7/+16]
|     The SelfTestCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileMappingCLI. [Endi S. Dewata, 2017-03-27, 6 files, -9/+22]
|     The CA ProfileMappingCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored CA ProfileCLI. [Endi S. Dewata, 2017-03-27, 9 files, -18/+41]
|     The CA ProfileCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored KRAConnectorCLI for CA. [Endi S. Dewata, 2017-03-27, 4 files, -9/+19]
|     The KRAConnectorCLI for CA and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored FeatureCLI. [Endi S. Dewata, 2017-03-27, 3 files, -5/+14]
|     The FeatureCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Refactored AuthorityCLI. [Endi S. Dewata, 2017-03-27, 7 files, -9/+26]
|     The AuthorityCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
* Modify storage unit to generate a new IV [Ade Lee, 2017-03-24, 9 files, -34/+68]
|     Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES.
|     The getWrappingParams() method is modified to check the config as follows (in order):
|     -- if the iv is defined, use that iv
|     -- if the length is defined, generate a byte array of that length
|     -- return null
|     To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit.
|     Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Change CRMFPopClient to use AES-KeyWrap with padding [Ade Lee, 2017-03-24, 3 files, -37/+86]
|     Also made a couple of small changes to WrappingParams.
|     * Set the wrapIV to null when AES KeyWrap is used. Trying to unpack the PKIArchiveOptions package with this IV set to null fails.
|     * removed superfluous this modifiers.
|     Added a parameter KEY_WRAP_PARAMETER_SET which is set in /etc/pki/pki.conf. If this parameter is set to 0, we will use the old DES3 algorithms. This can be set by clients talking to old servers.
|     CRMFPopClient has the ability to automatically submit requests to a CA. In this case, we should contact the server and determine the version using InfoClient, and choose the algorithm accordingly. We will implement this in a separate patch.
|     Change-Id: Ib4a99545cb59b62a96c272311595e96dda10979e
* Merge github.com:dogtagpki/pki [Ade Lee, 2017-03-24, 66 files, -229/+306]
|\
| * Refactored UserCLI. [Endi S. Dewata, 2017-03-24, 15 files, -38/+57]
| |     The UserCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SecurityDomainCLI. [Endi S. Dewata, 2017-03-24, 2 files, -4/+9]
| |     The SecurityDomainCLI and its submodule have been modified to use lazy initialization to get the PKIClient object.
| * Refactored KRA KeyCLI. [Endi S. Dewata, 2017-03-24, 11 files, -31/+56]
| |     The KRA KeyCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored GroupCLI. [Endi S. Dewata, 2017-03-24, 11 files, -28/+43]
| |     The CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CA CertCLI. [Endi S. Dewata, 2017-03-24, 12 files, -39/+61]
| |     The CA CertCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored SubsystemCLI. [Endi S. Dewata, 2017-03-24, 6 files, -70/+52]
| |     The SubsystemCLI and its subclasses have been modified to use lazy initialization to get the PKIClient object. They also have been simplified by moving common methods to the base class.
| * Refactored ProxyCLI. [Endi S. Dewata, 2017-03-24, 1 file, -2/+2]
| |     The ProxyCLI has been modified to use lazy initialization to get the PKIClient object.
| * Refactored ClientCLI. [Endi S. Dewata, 2017-03-24, 6 files, -14/+12]
| |     The ClientCLI and its submodules have been modified to use lazy initialization to get the PKIClient object.
| * Refactored CLI.getClient(). [Endi S. Dewata, 2017-03-24, 2 files, -3/+4]
| |     The CLI.getClient() has been modified to return the parent CLI's PKIClient object if available.
| * Added CLI.getConfig(). [Endi S. Dewata, 2017-03-24, 2 files, -0/+10]
| |     A new CLI.getConfig() has been added to return the parent CLI's configuration if available.
* | Refactor code that creates PKIArchiveOptions objects [Ade Lee, 2017-03-23, 21 files, -929/+235]
|/
|     * Refactor code in CryptoUtil to parametrize the algorithms used.
|     * Moved WrappingParams to utils jar to allow correct compilation.
|     * Removed code that created a PKIArchiveOptions structure from CRMFPopClient and replaced with calls to CryptoUtil methods. Note that the algorithms have been left as DES3. They will be changed to AES in the next patch.
|     * Converted code in AuthorityKeyExportCLI to use the new methods in CryptoUtil.
|     * Removed DRMTest this code is no longer maintained or used.
|     Change-Id: I8f625f0310877dca68f6a01285b6ff4e27e7f34a
* Added comparator function to version [Ade Lee, 2017-03-22, 2 files, -20/+54]
|     Change-Id: I862c86994e6268860380404113a9bea0d237d60e