summaryrefslogtreecommitdiffstats
path: root/base
Commit message (Collapse)AuthorAgeFilesLines
...
* Added infoClient to PKIClient to get server infoAde Lee2017-03-212-11/+8
| | | | | | Also used the infoClient in the KeyClient Change-Id: Ie81ee731903cf8d2068783a9a09cdcbaaffc0630
* Fix Java client to use AESAde Lee2017-03-218-50/+267
| | | | | | | | | | | | | | | | | | | | | | * Changed the client to use AES-128-CBC-PAD rather than DES-3. Because AES-256-CBC-PAD has no OID defined, we use the following hack: * Pass in the AES-256-CBC OID as the encrypt algorithm OID * Use PKCS#1.5 Padding. * Changed the client to use AES for the wrapping key on retrieval. * Changed the server to implicitly assume PKCS#1.5 (and a key size of 128) when recieving the OID for AES. * Changed the client to send, and the server to pass through the encryption algorithm expected when retrieving the key. * Fixed the generate_iv() function to generate an appropriately sized IV on retrieval. This code has been tested to successfully create and retrieve secrets using AES. Ideally, we'd be using GCM rather than CBC, which then requires no padding - and no hack needed. Hopefully, we can get that working in a subsequent commit. Change-Id: Ic9e8d50169be0fe357a48a5a1b1c452c7a3dfad0
* Added support for disabling SSL ciphers in pki.conf.Endi S. Dewata2017-03-212-2/+10
| | | | | The CryptoUtil.setSSLCiphers() has been modified to support a "-" sign in front of the cipher name or ID to disable the cipher.
* Added support for hex cipher IDs in pki.conf.Endi S. Dewata2017-03-212-4/+10
| | | | | The CryptoUtil.setSSLCipher() has been modified to support ciphers specified using hex ID.
* Allowing client cert auth without NSS database password.Endi S. Dewata2017-03-211-11/+0
| | | | | The PKI CLI has been modified to support client cert authentication without NSS database password.
* Allowing pki pkcs12-import without NSS database password.Endi S. Dewata2017-03-211-1/+1
| | | | | The pki.nssdb module has been modified to support operations without NSS database password.
* Allowing pki client-init without NSS database password.Endi S. Dewata2017-03-211-10/+20
| | | | | The pki client-init has been modified to support creating NSS database without password.
* Fixed default value for SSL datagram.Endi S. Dewata2017-03-201-1/+1
| | | | | The minimum SSL version for datagram should have been TLS 1.1 to match the default in pki.conf.
* Added hard-coded default values for SSL parameters in PKI CLI.Endi S. Dewata2017-03-201-5/+5
| | | | | The PKI CLI has been modified to use hard-coded default values in case the pki.conf is not available (e.g. in Eclipse).
* Added pki.conf parameter for default SSL ciphers.Endi S. Dewata2017-03-192-1/+11
| | | | | A new parameter has been added to pki.conf to enable/disable the default SSL ciphers for PKI CLI.
* Added pki.conf parameter for SSL ciphers.Endi S. Dewata2017-03-193-0/+22
| | | | | A new parameter has been added to pki.conf to configure the SSL ciphers used by PKI CLI in addition to the default ciphers.
* Refactored CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-191-6/+11
| | | | | | The code that converts cipher name into cipher ID and enables the cipher in CryptoUtil.setClientCiphers() has been moved into a separate method.
* Fixed error handling in CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-191-1/+3
| | | | | The CryptoUtil.setClientCiphers() has been modified to throw an exception on unsupported cipher.
* Fixed error handling in CryptoUtil.unsetSSLCiphers().Endi S. Dewata2017-03-191-7/+7
| | | | | The CryptoUtil.unsetSSLCiphers() has been modified not to ignore exceptions.
* Renamed CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-194-5/+5
| | | | | The setClientCiphers() in CryptoUtil has been renamed to setDefaultSSLCiphers() for clarity.
* Added configuration parameters for SSL version ranges.Endi S. Dewata2017-03-192-2/+32
| | | | | The hard-coded SSL version ranges in PKI CLI have been converted into configurable parameters in the pki.conf.
* Fixed PKIClient initialization in PKI CLI.Endi S. Dewata2017-03-193-2/+13
| | | | | | | | The PKI CLI has been modified such that it initializes the PKIClient (and retrieves the access banner) only if the CLI needs to access the PKI server. https://pagure.io/dogtagpki/issue/2612
* Cleaned up CryptoUtil.setClientCiphers(String).Endi S. Dewata2017-03-181-24/+17
| | | | | The CryptoUtil.setClientCiphers(String) has been reformatted to simplify future refactoring.
* pagure#2605 (add one missing method) CMC feature: id-cmc-identityProofV2 per ↵Christina Fu2017-03-171-0/+5
| | | | rfc5272 (part 1)
* pagure#2605 CMC feature: id-cmc-identityProofV2 per rfc5272 (part 1)Christina Fu2017-03-173-1/+220
| | | | | | This patch provides methods that can be shared between the CA and the ISharedToken plugins: 1. the convenience routines for quick encryption, decryption, hashing methods that take default algorithms. 2. The establishment of Issuance Protection Certificate
* Moved default SSL configuration out of PKIConnection.Endi S. Dewata2017-03-172-6/+5
| | | | | | | To prevent conflicts, the code that configures the default SSL version ranges and ciphers for all SSL sockets created afterwards has been moved out of PKIConnection into the main program (i.e. PKI CLI).
* Default NSS database for PKI CLI.Endi S. Dewata2017-03-171-4/+24
| | | | | | The PKI CLI has been modified to create a default NSS database without a password if there is no existing database at the expected location.
* Cleaned up CryptoUtil.setClientCiphers().Endi S. Dewata2017-03-171-19/+23
| | | | | The CryptoUtil.setClientCiphers() has been reformatted to simplify future refactoring.
* Removed duplicate code to configure SSL version ranges.Endi S. Dewata2017-03-174-75/+75
| | | | | The duplicate code for configuring default SSL version ranges has been merged into reusable methods in CryptoUtil.
* Merge pull request #1 from amolkahat/pki_manEndi S. Dewata2017-03-161-1/+7
|\ | | | | Added -t and --token information in pki man page.
| * Added -t and --token information in pki man page.Amol Kahat2017-03-081-1/+7
| |
* | Exporting environment variables for PKI client.Endi S. Dewata2017-03-162-21/+13
| | | | | | | | | | The default pki.conf has been modified to export the environment variables such that they can be used by PKI client.
* | Add config options to allow storage wrappings to be setAde Lee2017-03-164-11/+70
| | | | | | | | | | | | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
* | Update ACLInterceptor to support external principalsFraser Tweedale2017-03-161-12/+29
| | | | | | | | | | | | | | | | | | | | | | For external principal support, ACLInterceptor must handle GenericPrincipal instances in addition to PKIPrincipal. Specifically, if the principal is a GenericPrincipal, the auth token is set to an ExternalAuthToken, and the authz manager is looked up by the realm of the principal (it is assumed that the principal name has the form "id@realm"). Part of: https://pagure.io/dogtagpki/issue/1359
* | Update SessionContextInterceptor to handle external principalsFraser Tweedale2017-03-161-9/+10
| | | | | | | | Part of: https://pagure.io/dogtagpki/issue/1359
* | Update AuthMethodInterceptor to handle external principalsFraser Tweedale2017-03-161-11/+16
| | | | | | | | | | | | | | Update AuthMethodInterceptor to handle externally authenticated principals. For now, access is unconditionally granted. Part of: https://pagure.io/dogtagpki/issue/1359
* | Add IAuthToken implementation for external principalsFraser Tweedale2017-03-161-0/+154
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Many parts of Dogtag expect an IAuthToken, which represents the authenticated user. The sole implementation, AuthToken, uses some concepts that do not carry across to externally authenticated principals, e.g. an external principal does not have an associated IAuthManager that was used to authenticate the principal. Therefore something different is needed. Implement ExternalAuthToken which wraps a GenericPrincipal and provides access to the data therein. Part of: https://pagure.io/dogtagpki/issue/1359
* | Add groups and request attributes to external principalsFraser Tweedale2017-03-164-0/+133
| | | | | | | | | | | | | | | | | | | | | | | | Add the ExternalAuthenticationValve valve, which, if an externally authenticated principal is available, reads the REMOTE_USER_GROUP information from the Coyote request and adds the groups ("roles" in Tomcat terminology) to the principal. It also saves a complete copy of the request attribute map in the princpial. The new class ExternalPrincipal is used to achieve this. Part of: https://pagure.io/dogtagpki/issue/1359
* | CertProcessor: extract method setAuthTokenIntoRequestFraser Tweedale2017-03-161-34/+34
| | | | | | | | | | | | | | | | | | | | | | | | The "set auth token into request" logic is extensive and warrants extraction. It also has a separate concern mixed in with it: the self-assignment of the request if the authenticated user is a "Registration Manager Agent". Separate these concerns and extract the setAuthTokenIntoRequest method. Part of: https://pagure.io/dogtagpki/issue/1359
* | Define AgentCertAuthentication token keys in IAuthTokenFraser Tweedale2017-03-162-12/+8
| | | | | | | | | | | | | | | | | | Small refactor to define the auth token keys set by AgentCertAuthentication in IAuthToken, so that consumers do not need to import AgentCertAuthentication directly, or redefine the constants. Part of: https://pagure.io/dogtagpki/issue/1359
* | Merge branch 'master' of github.com:dogtagpki/pkiAde Lee2017-03-1557-1472/+4836
|\ \
| * | Added cascading configuration for PKI CLI.Endi S. Dewata2017-03-152-215/+254
| | | | | | | | | | | | | | | | | | | | | | | | | | | The PKI CLI has been modified to support cascading configuration files: default, system-wide, and user-specific configuration. The existing Python-based PKI CLI was moved into pki.cli.main module. A new shell script was added as a replacement which will read the configuration files and invoke the Python module.
| * | Troubleshooting improvement for ClientCertValidateCLI.Endi S. Dewata2017-03-151-3/+6
| | | | | | | | | | | | | | | The ClientCertValidateCLI has been modified to display the NSS error code and error message for invalid certificates.
| * | Added exception chaining for EInvalidCredentials.Endi S. Dewata2017-03-153-8/+12
| | | | | | | | | | | | | | | A new constructor has been added into EInvalidCredentials to support exception chaining.
| * | First cut of scp03 support. Supports the g&d smartcafe out of the box.Jack Magne2017-03-1419-163/+3347
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Developer keyset token operations and key change over supported. Caveats. -The diversification step going from master key to card key uses DES3 as required for the token. -After that point, everything is scp03 to the spec with minor excpetions so far. Supports 128 bit AES for now. Will resolve this. Minor config tweaks: TPS Symmetric Key Changeover Use this applet for scp03: RSA/KeyRecovery/GP211/SCP02/SCP03 applet : 1.5.558cdcff.ijc TKS: Symmetric Key Changeover tks.mk_mappings.#02#03=internal:new_master tks.defKeySet.mk_mappings.#02#03=internal:new_master Use the uncommented one because scp03 returns a different key set data string. ToDo: -Support the rest of the AES sizes other than 128. -Support optional RMAC apdu. -Test and adjust the config capability for other tokens. -Support AES master key. Right now the standard key ends up creating AES card and session keys.
| * | Continue to move more crypto into CryptoUtilAde Lee2017-03-149-123/+112
| | | | | | | | | | | | Change-Id: I6024ca5a32769b460d578dfad46598432381784c
| * | Refactor crypto codeAde Lee2017-03-1413-376/+244
| | | | | | | | | | | | | | | | | | Move some of the crypto functions in EncryptionUnit to CryptoUtil. Change-Id: Iee391392fb88a87f6af3b450b69508fd52729a62
| * | Fix wrapping params on the security data recovery serviceAde Lee2017-03-147-47/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On the security data recovery service, the client can now specify the encryption and wrapping algorithms to be used when wrapping the key, rather than assuming DES. The server will use the specified wrapping algorithm (and key). If the algorithms are not specified, then the old mechanism is assumed. Change-Id: I793c120e99d819403fdf7ca925e26f0f7d50fcc7
| * | Change transport unit to create wrapping parameters based on incoming dataAde Lee2017-03-144-30/+69
| | | | | | | | | | | | | | | | | | | | | | | | The PKIArchiveOptions object contains an OID for the encryption algorithm. Use this to create the correct WrappingParam for the tranport unit instead of defaulting to DES3. Change-Id: Id591fff8b7fc5e4506afbe619621904e4937c44f
| * | Fix incorrect function in generating symmetric keys.Ade Lee2017-03-141-1/+1
| | | | | | | | | | | | | | | | | | This allows generating and storing symmetirc keys using AES. Change-Id: I62c03aeffd127afac626759b0d826c284e01af12
| * | Change internal wrapping to AESAde Lee2017-03-1417-598/+716
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There are several changes in this patch: 1. Simplify EncryptionUnit by moving the methods called by either the StorageUnit or the TransportUnit into those classes. This helps to determine which methods are called by which class (because in general they require different arguments). It may be possible to later simplify and reduce code repetition by pulling core functionality back into the EncryptionUnit. 2. Add methods to WrappingParameters and KeyRecord to store the Wrapping Parameter values as part of the KeyRecord when the key is stored. On retrieval, this data is read and used to extract the data. If the data is not present, then use the old DES3 parameters. 3. Change the internal (storageUnit) wrapping to use AES-CBC for encryption and AES-KeyWrap for storage by default. If a parameter kra.storageUnit.useOldWrapping=true, then the old wrapping will be used instead. Change-Id: I098b0b3bd3b0ad917483e4e07925adfedacc3562
| * | pki_default.cfg.5: fix ca_signing tag nameFraser Tweedale2017-03-141-1/+1
| | |
| * | pkispawn.8: fix setup-ds.pl command nameFraser Tweedale2017-03-141-1/+1
| | |
| * | Include revocation reason in REST cert dataFraser Tweedale2017-03-142-0/+28
| | | | | | | | | | | | Fixes: https://fedorahosted.org/pki/ticket/2601
| * | Refactor key recovery to centralize crypt functionsAde Lee2017-03-071-43/+49
| | | | | | | | | | | | | | | Refactor key recovery to put al crypto specific operations in a few fucntions, which are parameterized for algorithm types.
generated by cgit (git 2.34.1) at 2025-09-26 22:39:33 +0000