From 65b1242cd139e6306fb3e039193a3a6b223ea9b1 Mon Sep 17 00:00:00 2001 From: Christina Fu Date: Mon, 26 Jun 2017 18:09:55 -0700 Subject: Ticket #2757 CMC enrollment profiles for system certificates This patch supports CMC-based system certificate requests. This patch contains the following: * The code in CMCAuth (agent-based) to check ssl client auth cert against the CMC signing cert * The cmc-based system enrollment profiles: caCMCauditSigningCert.cfg caCMCcaCert.cfg caCMCkraStorageCert.cfg caCMCkraTransportCert.cfg caCMCocspCert.cfg caCMCserverCert.cfg caCMCsubsystemCert.cfg * new URI's in web.xml as new access points Usage example can be found here: http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Examples_.28System_Certificates.29 --- base/ca/shared/conf/CS.cfg | 20 ++- .../shared/profiles/ca/caCMCauditSigningCert.cfg | 80 +++++++++ base/ca/shared/profiles/ca/caCMCcaCert.cfg | 96 ++++++++++ base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 86 +++++++++ .../shared/profiles/ca/caCMCkraTransportCert.cfg | 86 +++++++++ base/ca/shared/profiles/ca/caCMCocspCert.cfg | 71 ++++++++ base/ca/shared/profiles/ca/caCMCserverCert.cfg | 90 ++++++++++ base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 86 +++++++++ base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 4 +- .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- base/ca/shared/webapps/ca/WEB-INF/web.xml | 196 +++++++++++++++++++++ .../src/com/netscape/cmstools/CMCRequest.java | 2 +- .../com/netscape/cms/authentication/CMCAuth.java | 48 ++++- .../cms/authentication/CMCUserSignedAuth.java | 2 + .../netscape/cms/profile/common/EnrollProfile.java | 12 ++ .../servlet/profile/ProfileSubmitCMCServlet.java | 2 +- 16 files changed, 872 insertions(+), 11 deletions(-) create mode 100644 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCcaCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCocspCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCserverCert.cfg create mode 100644 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg (limited to 'base') diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 5a244d7bb..89765753e 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg @@ -969,7 +969,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11 os.userid=nobody -profile.list=caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment +profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment profile.caUUIDdeviceCert.class_id=caEnrollImpl profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg profile.caManualRenewal.class_id=caEnrollImpl @@ -988,12 +988,26 @@ profile.caAgentServerCert.class_id=caEnrollImpl profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg profile.caRAserverCert.class_id=caEnrollImpl profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg +profile.caCMCUserCert.class_id=caEnrollImpl +profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg +profile.caCMCauditSigningCert.class_id=caEnrollImpl +profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg +profile.caCMCcaCert.class_id=caEnrollImpl +profile.caCMCcaCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCcaCert.cfg +profile.caCMCkraStorageCert.class_id=caEnrollImpl +profile.caCMCkraStorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraStorageCert.cfg +profile.caCMCkraTransportCert.class_id=caEnrollImpl +profile.caCMCkraTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCkraTransportCert.cfg +profile.caCMCocspCert.class_id=caEnrollImpl +profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg +profile.caCMCserverCert.class_id=caEnrollImpl +profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg +profile.caCMCsubsystemCert.class_id=caEnrollImpl +profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg profile.caCACert.class_id=caEnrollImpl profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg profile.caInstallCACert.class_id=caEnrollImpl profile.caInstallCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInstallCACert.cfg -profile.caCMCUserCert.class_id=caEnrollImpl -profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg profile.caCrossSignedCACert.class_id=caEnrollImpl profile.caCrossSignedCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCrossSignedCACert.cfg profile.caDirBasedDualCert.class_id=caEnrollImpl diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg new file mode 100644 index 000000000..ed5a1b2a2 --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg @@ -0,0 +1,80 @@ +desc=This certificate profile is for enrolling audit signing certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Audit Signing Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=auditSigningCertSet +policyset.auditSigningCertSet.list=1,2,3,4,5,6,9 +policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint +policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.* +policyset.auditSigningCertSet.1.constraint.params.accept=true +policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.auditSigningCertSet.1.default.name=Subject Name Default +policyset.auditSigningCertSet.1.default.params.name= +policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl +policyset.auditSigningCertSet.2.constraint.name=Validity Constraint +policyset.auditSigningCertSet.2.constraint.params.range=720 +policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false +policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false +policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl +policyset.auditSigningCertSet.2.default.name=Validity Default +policyset.auditSigningCertSet.2.default.params.range=720 +policyset.auditSigningCertSet.2.default.params.startTime=0 +policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl +policyset.auditSigningCertSet.3.constraint.name=Key Constraint +policyset.auditSigningCertSet.3.constraint.params.keyType=RSA +policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl +policyset.auditSigningCertSet.3.default.name=Key Default +policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl +policyset.auditSigningCertSet.4.constraint.name=No Constraint +policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default +policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl +policyset.auditSigningCertSet.5.constraint.name=No Constraint +policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.auditSigningCertSet.5.default.name=AIA Extension Default +policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false +policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true +policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.auditSigningCertSet.6.default.name=Key Usage Default +policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true +policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false +policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false +policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false +policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.auditSigningCertSet.9.constraint.name=No Constraint +policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.auditSigningCertSet.9.default.name=Signing Alg +policyset.auditSigningCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg new file mode 100644 index 000000000..f6df36fbb --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg @@ -0,0 +1,96 @@ +desc=This certificate profile is for enrolling Certificate Authority certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Certificate Manager Signing Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=caCertSet +policyset.caCertSet.list=1,2,3,4,5,6,8,9,10 +policyset.caCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.caCertSet.1.constraint.name=Subject Name Constraint +policyset.caCertSet.1.constraint.params.pattern=CN=.* +policyset.caCertSet.1.constraint.params.accept=true +policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.caCertSet.1.default.name=Subject Name Default +policyset.caCertSet.1.default.params.name= +policyset.caCertSet.2.constraint.class_id=validityConstraintImpl +policyset.caCertSet.2.constraint.name=Validity Constraint +policyset.caCertSet.2.constraint.params.range=7305 +policyset.caCertSet.2.constraint.params.notBeforeCheck=false +policyset.caCertSet.2.constraint.params.notAfterCheck=false +policyset.caCertSet.2.default.class_id=caValidityDefaultImpl +policyset.caCertSet.2.default.name=CA Certificate Validity Default +policyset.caCertSet.2.default.params.range=7305 +policyset.caCertSet.2.default.params.startTime=0 +policyset.caCertSet.3.constraint.class_id=keyConstraintImpl +policyset.caCertSet.3.constraint.name=Key Constraint +policyset.caCertSet.3.constraint.params.keyType=- +policyset.caCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.caCertSet.3.default.class_id=userKeyDefaultImpl +policyset.caCertSet.3.default.name=Key Default +policyset.caCertSet.4.constraint.class_id=noConstraintImpl +policyset.caCertSet.4.constraint.name=No Constraint +policyset.caCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.caCertSet.4.default.name=Authority Key Identifier Default +policyset.caCertSet.5.constraint.class_id=basicConstraintsExtConstraintImpl +policyset.caCertSet.5.constraint.name=Basic Constraint Extension Constraint +policyset.caCertSet.5.constraint.params.basicConstraintsCritical=true +policyset.caCertSet.5.constraint.params.basicConstraintsIsCA=true +policyset.caCertSet.5.constraint.params.basicConstraintsMinPathLen=-1 +policyset.caCertSet.5.constraint.params.basicConstraintsMaxPathLen=-1 +policyset.caCertSet.5.default.class_id=basicConstraintsExtDefaultImpl +policyset.caCertSet.5.default.name=Basic Constraints Extension Default +policyset.caCertSet.5.default.params.basicConstraintsCritical=true +policyset.caCertSet.5.default.params.basicConstraintsIsCA=true +policyset.caCertSet.5.default.params.basicConstraintsPathLen=-1 +policyset.caCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.caCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.caCertSet.6.constraint.params.keyUsageCritical=true +policyset.caCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.caCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.caCertSet.6.constraint.params.keyUsageDataEncipherment=false +policyset.caCertSet.6.constraint.params.keyUsageKeyEncipherment=false +policyset.caCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.caCertSet.6.constraint.params.keyUsageKeyCertSign=true +policyset.caCertSet.6.constraint.params.keyUsageCrlSign=true +policyset.caCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.caCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.caCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.caCertSet.6.default.name=Key Usage Default +policyset.caCertSet.6.default.params.keyUsageCritical=true +policyset.caCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.caCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.caCertSet.6.default.params.keyUsageDataEncipherment=false +policyset.caCertSet.6.default.params.keyUsageKeyEncipherment=false +policyset.caCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.caCertSet.6.default.params.keyUsageKeyCertSign=true +policyset.caCertSet.6.default.params.keyUsageCrlSign=true +policyset.caCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.caCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.caCertSet.8.constraint.class_id=noConstraintImpl +policyset.caCertSet.8.constraint.name=No Constraint +policyset.caCertSet.8.default.class_id=subjectKeyIdentifierExtDefaultImpl +policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default +policyset.caCertSet.8.default.params.critical=false +policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.caCertSet.9.constraint.name=No Constraint +policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.caCertSet.9.default.name=Signing Alg +policyset.caCertSet.9.default.params.signingAlg=- +policyset.caCertSet.10.constraint.class_id=noConstraintImpl +policyset.caCertSet.10.constraint.name=No Constraint +policyset.caCertSet.10.default.class_id=authInfoAccessExtDefaultImpl +policyset.caCertSet.10.default.name=AIA Extension Default +policyset.caCertSet.10.default.params.authInfoAccessADEnable_0=true +policyset.caCertSet.10.default.params.authInfoAccessADLocationType_0=URIName +policyset.caCertSet.10.default.params.authInfoAccessADLocation_0= +policyset.caCertSet.10.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.caCertSet.10.default.params.authInfoAccessCritical=false +policyset.caCertSet.10.default.params.authInfoAccessNumADs=1 diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg new file mode 100644 index 000000000..259430bfe --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg @@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling KRA storage certificates using CMC +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=KRA storage Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=drmStorageCertSet +policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9 +policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint +policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.* +policyset.drmStorageCertSet.1.constraint.params.accept=true +policyset.drmStorageCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.drmStorageCertSet.1.default.name=Subject Name Default +policyset.drmStorageCertSet.1.default.params.name= +policyset.drmStorageCertSet.2.constraint.class_id=validityConstraintImpl +policyset.drmStorageCertSet.2.constraint.name=Validity Constraint +policyset.drmStorageCertSet.2.constraint.params.range=720 +policyset.drmStorageCertSet.2.constraint.params.notBeforeCheck=false +policyset.drmStorageCertSet.2.constraint.params.notAfterCheck=false +policyset.drmStorageCertSet.2.default.class_id=validityDefaultImpl +policyset.drmStorageCertSet.2.default.name=Validity Default +policyset.drmStorageCertSet.2.default.params.range=720 +policyset.drmStorageCertSet.2.default.params.startTime=0 +policyset.drmStorageCertSet.3.constraint.class_id=keyConstraintImpl +policyset.drmStorageCertSet.3.constraint.name=Key Constraint +policyset.drmStorageCertSet.3.constraint.params.keyType=RSA +policyset.drmStorageCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.drmStorageCertSet.3.default.class_id=userKeyDefaultImpl +policyset.drmStorageCertSet.3.default.name=Key Default +policyset.drmStorageCertSet.4.constraint.class_id=noConstraintImpl +policyset.drmStorageCertSet.4.constraint.name=No Constraint +policyset.drmStorageCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.drmStorageCertSet.4.default.name=Authority Key Identifier Default +policyset.drmStorageCertSet.5.constraint.class_id=noConstraintImpl +policyset.drmStorageCertSet.5.constraint.name=No Constraint +policyset.drmStorageCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.drmStorageCertSet.5.default.name=AIA Extension Default +policyset.drmStorageCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.drmStorageCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.drmStorageCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.drmStorageCertSet.5.default.params.authInfoAccessCritical=false +policyset.drmStorageCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.drmStorageCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.drmStorageCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.drmStorageCertSet.6.constraint.params.keyUsageCritical=true +policyset.drmStorageCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.drmStorageCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.drmStorageCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.drmStorageCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.drmStorageCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.drmStorageCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.drmStorageCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.drmStorageCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.drmStorageCertSet.6.default.name=Key Usage Default +policyset.drmStorageCertSet.6.default.params.keyUsageCritical=true +policyset.drmStorageCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.drmStorageCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.drmStorageCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.drmStorageCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.drmStorageCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false +policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl +policyset.drmStorageCertSet.7.constraint.name=No Constraint +policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default +policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false +policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.drmStorageCertSet.9.constraint.name=No Constraint +policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.drmStorageCertSet.9.default.name=Signing Alg +policyset.drmStorageCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg new file mode 100644 index 000000000..ec54f9cf8 --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg @@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling Key Archival Authority transport certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Key Archival Authority Transport Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=transportCertSet +policyset.transportCertSet.list=1,2,3,4,5,6,7,8 +policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.transportCertSet.1.constraint.name=Subject Name Constraint +policyset.transportCertSet.1.constraint.params.pattern=CN=.* +policyset.transportCertSet.1.constraint.params.accept=true +policyset.transportCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.transportCertSet.1.default.name=Subject Name Default +policyset.transportCertSet.1.default.params.name= +policyset.transportCertSet.2.constraint.class_id=validityConstraintImpl +policyset.transportCertSet.2.constraint.name=Validity Constraint +policyset.transportCertSet.2.constraint.params.range=720 +policyset.transportCertSet.2.constraint.params.notBeforeCheck=false +policyset.transportCertSet.2.constraint.params.notAfterCheck=false +policyset.transportCertSet.2.default.class_id=validityDefaultImpl +policyset.transportCertSet.2.default.name=Validity Default +policyset.transportCertSet.2.default.params.range=720 +policyset.transportCertSet.2.default.params.startTime=0 +policyset.transportCertSet.3.constraint.class_id=keyConstraintImpl +policyset.transportCertSet.3.constraint.name=Key Constraint +policyset.transportCertSet.3.constraint.params.keyType=RSA +policyset.transportCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 +policyset.transportCertSet.3.default.class_id=userKeyDefaultImpl +policyset.transportCertSet.3.default.name=Key Default +policyset.transportCertSet.4.constraint.class_id=noConstraintImpl +policyset.transportCertSet.4.constraint.name=No Constraint +policyset.transportCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.transportCertSet.4.default.name=Authority Key Identifier Default +policyset.transportCertSet.5.constraint.class_id=noConstraintImpl +policyset.transportCertSet.5.constraint.name=No Constraint +policyset.transportCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.transportCertSet.5.default.name=AIA Extension Default +policyset.transportCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.transportCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.transportCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.transportCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.transportCertSet.5.default.params.authInfoAccessCritical=false +policyset.transportCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.transportCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.transportCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.transportCertSet.6.constraint.params.keyUsageCritical=true +policyset.transportCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.transportCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.transportCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.transportCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.transportCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.transportCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.transportCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.transportCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.transportCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.transportCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.transportCertSet.6.default.name=Key Usage Default +policyset.transportCertSet.6.default.params.keyUsageCritical=true +policyset.transportCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.transportCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.transportCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.transportCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.transportCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.transportCertSet.6.default.params.keyUsageCrlSign=false +policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.transportCertSet.7.constraint.class_id=noConstraintImpl +policyset.transportCertSet.7.constraint.name=No Constraint +policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default +policyset.transportCertSet.7.default.params.exKeyUsageCritical=false +policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.transportCertSet.8.constraint.name=No Constraint +policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.transportCertSet.8.default.name=Signing Alg +policyset.transportCertSet.8.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg new file mode 100644 index 000000000..8afbd464d --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg @@ -0,0 +1,71 @@ +desc=This certificate profile is for enrolling OCSP Responder signing certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=OCSP Responder Signing Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=ocspCertSet +policyset.ocspCertSet.list=1,2,3,4,5,6,8,9 +policyset.ocspCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.ocspCertSet.1.constraint.name=Subject Name Constraint +policyset.ocspCertSet.1.constraint.params.pattern=CN=.* +policyset.ocspCertSet.1.constraint.params.accept=true +policyset.ocspCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.ocspCertSet.1.default.name=Subject Name Default +policyset.ocspCertSet.1.default.params.name= +policyset.ocspCertSet.2.constraint.class_id=validityConstraintImpl +policyset.ocspCertSet.2.constraint.name=Validity Constraint +policyset.ocspCertSet.2.constraint.params.range=720 +policyset.ocspCertSet.2.constraint.params.notBeforeCheck=false +policyset.ocspCertSet.2.constraint.params.notAfterCheck=false +policyset.ocspCertSet.2.default.class_id=validityDefaultImpl +policyset.ocspCertSet.2.default.name=Validity Default +policyset.ocspCertSet.2.default.params.range=720 +policyset.ocspCertSet.2.default.params.startTime=0 +policyset.ocspCertSet.3.constraint.class_id=keyConstraintImpl +policyset.ocspCertSet.3.constraint.name=Key Constraint +policyset.ocspCertSet.3.constraint.params.keyType=- +policyset.ocspCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.ocspCertSet.3.default.class_id=userKeyDefaultImpl +policyset.ocspCertSet.3.default.name=Key Default +policyset.ocspCertSet.4.constraint.class_id=noConstraintImpl +policyset.ocspCertSet.4.constraint.name=No Constraint +policyset.ocspCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.ocspCertSet.4.default.name=Authority Key Identifier Default +policyset.ocspCertSet.5.constraint.class_id=noConstraintImpl +policyset.ocspCertSet.5.constraint.name=No Constraint +policyset.ocspCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.ocspCertSet.5.default.name=AIA Extension Default +policyset.ocspCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.ocspCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.ocspCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.ocspCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.ocspCertSet.5.default.params.authInfoAccessCritical=false +policyset.ocspCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.ocspCertSet.6.constraint.class_id=extendedKeyUsageExtConstraintImpl +policyset.ocspCertSet.6.constraint.name=Extended Key Usage Extension +policyset.ocspCertSet.6.constraint.params.exKeyUsageCritical=false +policyset.ocspCertSet.6.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9 +policyset.ocspCertSet.6.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.ocspCertSet.6.default.name=Extended Key Usage Default +policyset.ocspCertSet.6.default.params.exKeyUsageCritical=false +policyset.ocspCertSet.6.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.9 +policyset.ocspCertSet.8.constraint.class_id=extensionConstraintImpl +policyset.ocspCertSet.8.constraint.name=No Constraint +policyset.ocspCertSet.8.constraint.params.extCritical=false +policyset.ocspCertSet.8.constraint.params.extOID=1.3.6.1.5.5.7.48.1.5 +policyset.ocspCertSet.8.default.class_id=ocspNoCheckExtDefaultImpl +policyset.ocspCertSet.8.default.name=OCSP No Check Extension +policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false +policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl +policyset.ocspCertSet.9.constraint.name=No Constraint +policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl +policyset.ocspCertSet.9.default.name=Signing Alg +policyset.ocspCertSet.9.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg new file mode 100644 index 000000000..8215d6502 --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg @@ -0,0 +1,90 @@ +desc=This certificate profile is for enrolling server certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Server Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name= +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=720 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=720 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=- +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- +policyset.serverCertSet.9.constraint.class_id=noConstraintImpl +policyset.serverCertSet.9.constraint.name=No Constraint +policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl +policyset.serverCertSet.9.default.name=copy CN to SAN Default diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg new file mode 100644 index 000000000..f473f984e --- /dev/null +++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg @@ -0,0 +1,86 @@ +desc=This certificate profile is for enrolling subsystem certificates using CMC. +visible=false +enable=true +enableBy=admin +auth.instance_id=CMCAuth +authz.acl=group="Certificate Manager Agents" +name=Subsystem Certificate Enrollment using CMC +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=.* +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name= +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=720 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=720 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=- +policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default +policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.default.name=AIA Extension Default +policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true +policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName +policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= +policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +policyset.serverCertSet.5.default.params.authInfoAccessCritical=false +policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 +policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl +policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint +policyset.serverCertSet.6.constraint.params.keyUsageCritical=true +policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false +policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false +policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl +policyset.serverCertSet.6.default.name=Key Usage Default +policyset.serverCertSet.6.default.params.keyUsageCritical=true +policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true +policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true +policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true +policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false +policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false +policyset.serverCertSet.6.default.params.keyUsageCrlSign=false +policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false +policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false +policyset.serverCertSet.7.constraint.class_id=noConstraintImpl +policyset.serverCertSet.7.constraint.name=No Constraint +policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default +policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl +policyset.serverCertSet.8.constraint.name=No Constraint +policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl +policyset.serverCertSet.8.default.name=Signing Alg +policyset.serverCertSet.8.default.params.signingAlg=- diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg index 29baeed26..90cb4243e 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg @@ -1,7 +1,7 @@ -desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. +desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication. enable=true enableBy=admin -name=Signed CMC-Authenticated User Certificate Enrollment +name=Agent-Signed CMC-Authenticated User Certificate Enrollment visible=false auth.instance_id=CMCAuth input.list=i1,i2 diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg index 63a4bcaf2..7bfad9c2d 100644 --- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg @@ -1,4 +1,4 @@ -desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with user CMC Signature authentication. +desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. enable=true enableBy=admin name=User-Signed CMC-Authenticated User Certificate Enrollment diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index a55014215..266604985 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -1552,6 +1552,167 @@ ee + + caProfileSubmitCMCFullCACert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCcaCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullServerCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCserverCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullOCSPCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCocspCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullSubsystemCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCsubsystemCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullAuditSigningCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCauditSigningCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullKRATransportCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCkraTransportCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + + + caProfileSubmitCMCFullKRAstorageCert + com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet + GetClientCert + false + cert_request_type + cmc + profileId + caCMCkraStorageCert + AuthzMgr + BasicAclAuthz + authorityId + ca + ID + caProfileSubmitCMCFull + templatePath + /ee/ca/ProfileSubmit.template + resourceID + certServer.ee.profile + interface + ee + + caProfileSubmitUserSignedCMCFull com.netscape.cms.servlet.profile.ProfileSubmitCMCServlet @@ -2302,6 +2463,41 @@ /ee/ca/profileSubmitCMCFull + + caProfileSubmitCMCFullCACert + /ee/ca/profileSubmitCMCFullCACert + + + + caProfileSubmitCMCFullServerCert + /ee/ca/profileSubmitCMCFullServerCert + + + + caProfileSubmitCMCFullOCSPCert + /ee/ca/profileSubmitCMCFullOCSPCert + + + + caProfileSubmitCMCFullSubsystemCert + /ee/ca/profileSubmitCMCFullSubsystemCert + + + + caProfileSubmitCMCFullAuditSigningCert + /ee/ca/profileSubmitCMCFullAuditSigningCert + + + + caProfileSubmitCMCFullKRATransportCert + /ee/ca/profileSubmitCMCFullKRAtransportCert + + + + caProfileSubmitCMCFullKRAstorageCert + /ee/ca/profileSubmitCMCFullKRAstorageCert + + caProfileSubmitUserSignedCMCFull /ee/ca/profileSubmitUserSignedCMCFull diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java index fd59aa174..9fcb8dbd7 100644 --- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java @@ -2393,7 +2393,7 @@ public class CMCRequest { System.out.println(""); System.out.println(""); System.out.println("The CMC enrollment request in binary format is stored in " + - ofilename + "."); + ofilename); } catch (IOException e) { System.out.println("CMCRequest: unable to open file " + ofilename + " for writing:\n" + e); diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java index 66a356965..97d51715d 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java @@ -29,6 +29,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.math.BigInteger; +import java.security.cert.X509Certificate; import java.security.MessageDigest; import java.security.PublicKey; import java.util.Enumeration; @@ -247,6 +248,10 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String auditCertSubject = ILogger.UNIDENTIFIED; String auditSignerInfo = ILogger.UNIDENTIFIED; + SessionContext auditContext = SessionContext.getExistingContext(); + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures try { @@ -362,7 +367,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, String userid = "defUser"; String uid = "defUser"; if (checkSignerInfo) { - IAuthToken agentToken = verifySignerInfo(authToken, cmcFullReq); + IAuthToken agentToken = verifySignerInfo(auditContext, authToken, cmcFullReq); if (agentToken == null) { CMS.debug(method + "agentToken null"); throw new EBaseException("CMCAuth: agent verifySignerInfo failure"); @@ -813,8 +818,12 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, level, "CMC Authentication: " + msg); } - protected IAuthToken verifySignerInfo(AuthToken authToken, SignedData cmcFullReq) throws EBaseException { - + protected IAuthToken verifySignerInfo( + SessionContext auditContext, + AuthToken authToken, + SignedData cmcFullReq) throws EBaseException { + String method = "CMCAuth: verifySignerInfo: "; + String msg = ""; EncapsulatedContentInfo ci = cmcFullReq.getContentInfo(); OBJECT_IDENTIFIER id = ci.getContentType(); OCTET_STRING content = ci.getContent(); @@ -823,6 +832,11 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, CryptoToken signToken = null; CryptoToken savedToken = null; CryptoManager cm = null; + + if (auditContext == null) { + CMS.debug(method + " auditConext can't be null"); + return null; + } try { cm = CryptoManager.getInstance(); ByteArrayInputStream s = new ByteArrayInputStream(content.toByteArray()); @@ -910,6 +924,34 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, si.verify(digest, id); } else { CMS.debug("CMCAuth: found signing cert... verifying"); + + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + if (clientCert == null) { + // createAuditSubjectFromCert(auditContext, x509Certs[0]); + msg = "missing SSL client authentication certificate;"; + CMS.debug(method + msg); + s.close(); + throw new EMissingCredential( + CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); + } + netscape.security.x509.X500Name clientPrincipal = + (X500Name) clientCert.getSubjectDN(); + + netscape.security.x509.X500Name cmcPrincipal = + (X500Name) x509Certs[0].getSubjectDN(); + + // check ssl client cert against cmc signer + if (!clientPrincipal.equals(cmcPrincipal)) { + msg = "SSL client authentication certificate and CMC signer do not match"; + CMS.debug(method + msg); + s.close(); + throw new EInvalidCredentials( + CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "ssl client cert principal and cmc signer principal match"); + } + PublicKey signKey = cert.getPublicKey(); PrivateKey.Type keyType = null; String alg = signKey.getAlgorithm(); diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java index ab9a94ab8..ff82ade9c 100644 --- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java @@ -1078,6 +1078,8 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, s.close(); throw new EInvalidCredentials( CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); + } else { + CMS.debug(method + "ssl client cert principal and cmc signer principal match"); } PublicKey signKey = cert.getPublicKey(); diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index 7dfaddac4..93d0a74ae 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -198,6 +198,7 @@ public abstract class EnrollProfile extends BasicProfile if (signingUserSerial != null) { donePOI = true; } + // catch for invalid request cmc_msgs = parseCMC(locale, cert_request, donePOI); if (cmc_msgs == null) { @@ -723,6 +724,17 @@ public abstract class EnrollProfile extends BasicProfile byte randomSeed[] = null; UTF8String ident_s = null; SessionContext context = SessionContext.getContext(); + String authManagerId = (String) context.get(SessionContext.AUTH_MANAGER_ID); + if (authManagerId == null) { + CMS.debug(method + "authManagerId null.????"); + //unlikely, but... + authManagerId = "none"; + } else { + CMS.debug(method + "authManagerId =" + authManagerId); + } + if(authManagerId.equals("CMCAuth")) { + donePOI = true; + } boolean id_cmc_revokeRequest = false; if (!context.containsKey("numOfControls")) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index ded237b8d..63c9b82d2 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java @@ -494,7 +494,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { /////////////////////////////////////////////// String tmpCertSerialS = ctx.get(IAuthManager.CRED_CMC_SIGNING_CERT); if (tmpCertSerialS != null) { - // unlikely to happenm, but do this just in case + // unlikely to happen, but do this just in case CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth:" + tmpCertSerialS); CMS.debug("ProfileSubmitCMCServlet: null it out"); ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); -- cgit