Blame SOURCES/pki-core-10.5.9-alpha.patch

efb1ef
From 2d40c57887f7801f2ab0a8065b3b471bb7eafe80 Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Tue, 19 Jun 2018 15:21:54 -0700
efb1ef
Subject: [PATCH 1/7] Ticket 3037 CMC SharedToken SubjectDN default
efb1ef
efb1ef
This patch adds proper subjectDN to CMC requests authenticated via SharedToken.
efb1ef
Specifically, the AuthTokenSubjectNameDefault profile default is added to
efb1ef
the default CMC profiles that authenticates via SharedToken.
efb1ef
Code were added to ensure that the proper subjectDN retrieved from the
efb1ef
mapped user entry is added to the AuthToken for such utilization.
efb1ef
efb1ef
Fixes https://pagure.io/dogtagpki/issue/3037
efb1ef
efb1ef
Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc
efb1ef
---
efb1ef
 .../ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg |  4 ++--
efb1ef
 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg  |  4 ++--
efb1ef
 .../netscape/certsrv/authentication/ISharedToken.java   |  2 +-
efb1ef
 .../com/netscape/cms/authentication/SharedSecret.java   | 17 ++++++++++++++---
efb1ef
 .../com/netscape/cms/profile/common/EnrollProfile.java  | 12 ++++++++++--
efb1ef
 .../cms/servlet/profile/ProfileSubmitCMCServlet.java    |  1 +
efb1ef
 6 files changed, 30 insertions(+), 10 deletions(-)
efb1ef
efb1ef
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
efb1ef
index d0a3c25..144c05c 100644
efb1ef
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
efb1ef
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
efb1ef
@@ -13,8 +13,8 @@ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
efb1ef
 policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
efb1ef
 policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
efb1ef
 policyset.cmcUserCertSet.1.constraint.params.accept=true
efb1ef
-policyset.cmcUserCertSet.1.constraint.params.pattern=.*
efb1ef
-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
efb1ef
+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
efb1ef
+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
efb1ef
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
efb1ef
 policyset.cmcUserCertSet.1.default.params.name=
efb1ef
 policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
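Review bot: The new value `policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*` constrains only the attribute type of the first RDN; the trailing `.*` accepts anything after it, and whether the match is anchored at the start of the DN depends on subjectNameConstraintImpl, which is not shown here. Since the subject now comes from authTokenSubjectNameDefaultImpl (the mapped directory entry) rather than from the request, a pattern tied to the deployment's user subtree, for example `(UID|CN)=[^,]+,USER_BASE_DN_PLACEHOLDER`, would make the constraint an independent check instead of a near pass-through. The same applies to the caFullCMCSelfSignedCert.cfg hunk, where the pattern line was also moved above `params.accept`, unlike in this file.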
efb1ef
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
efb1ef
index 6b2da33..bdcdc24 100644
efb1ef
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
efb1ef
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
efb1ef
@@ -12,9 +12,9 @@ policyset.list=cmcUserCertSet
efb1ef
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
efb1ef
 policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
efb1ef
 policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
efb1ef
+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
efb1ef
 policyset.cmcUserCertSet.1.constraint.params.accept=true
efb1ef
-policyset.cmcUserCertSet.1.constraint.params.pattern=.*
efb1ef
-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
efb1ef
+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
efb1ef
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
efb1ef
 policyset.cmcUserCertSet.1.default.params.name=
efb1ef
 policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
efb1ef
diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
efb1ef
index 761c344..13f2286 100644
efb1ef
--- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
efb1ef
+++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
efb1ef
@@ -28,7 +28,7 @@ import com.netscape.certsrv.base.EBaseException;
efb1ef
 public interface ISharedToken {
efb1ef
 
efb1ef
     // support for id_cmc_identification
efb1ef
-    public char[] getSharedToken(String identification)
efb1ef
+    public char[] getSharedToken(String identification, IAuthToken authToken)
efb1ef
             throws EBaseException;
efb1ef
 
efb1ef
     public char[] getSharedToken(PKIData cmcData)
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
index 1a3d877..e304b74 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
@@ -33,6 +33,7 @@ import com.netscape.certsrv.apps.CMS;
efb1ef
 import com.netscape.certsrv.authentication.AuthToken;
efb1ef
 import com.netscape.certsrv.authentication.EInvalidCredentials;
efb1ef
 import com.netscape.certsrv.authentication.IAuthCredentials;
efb1ef
+import com.netscape.certsrv.authentication.IAuthToken;
efb1ef
 import com.netscape.certsrv.authentication.ISharedToken;
efb1ef
 import com.netscape.certsrv.base.EBaseException;
efb1ef
 import com.netscape.certsrv.base.IConfigStore;
efb1ef
@@ -233,18 +234,25 @@ public class SharedSecret extends DirBasedAuthentication
efb1ef
     }
efb1ef
 
efb1ef
     /**
efb1ef
-     * getSharedToken(String identification) provides
efb1ef
+     * getSharedToken(String identification, IAuthToken authToken) provides
efb1ef
      *  support for id_cmc_identification shared secret based enrollment
efb1ef
      *
efb1ef
+     * @param identification maps to the uid in user's ldap record
efb1ef
+     * @param authToken the IAuthToken that will be filled with the DN
efb1ef
+     *        in user's ldap record
efb1ef
+     *
efb1ef
      * Note: caller should clear the memory for the returned token
efb1ef
      *       after each use
efb1ef
      */
efb1ef
-    public char[] getSharedToken(String identification)
efb1ef
+    public char[] getSharedToken(String identification, IAuthToken authToken)
efb1ef
             throws EBaseException {
efb1ef
-        String method = "SharedSecret.getSharedToken(String identification): ";
efb1ef
+        String method = "SharedSecret.getSharedToken(String identification, IAuthToken authToken): ";
efb1ef
         String msg = "";
efb1ef
         CMS.debug(method + "begins.");
efb1ef
 
efb1ef
+        if ((identification == null) || (authToken == null)) {
efb1ef
+            throw new EBaseException(method + "paramsters identification or authToken cannot be null");
efb1ef
+        }
efb1ef
         LDAPConnection shrTokLdapConnection = null;
efb1ef
         LDAPSearchResults res = null;
efb1ef
         LDAPEntry entry = null;
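Review bot: The exception text added in the null check misspells "parameters" (`"paramsters identification or authToken cannot be null"`), and PATCH 2/7 repeats the slip as `paramster` in getSharedToken(BigInteger serial); these strings land in logs that operators search, so they are worth correcting. The Javadoc should also say that authToken is modified by the call and is not only an input, e.g. `@param authToken receives TOKEN_CERT_SUBJECT set to the DN of the matched LDAP entry`. The method body continues outside this hunk.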
efb1ef
@@ -287,6 +295,9 @@ public class SharedSecret extends DirBasedAuthentication
efb1ef
                 throw new EBaseException(msg);
efb1ef
             }
efb1ef
 
efb1ef
+            CMS.debug(method + "found user ldap entry: userdn = " + userdn);
efb1ef
+            authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
efb1ef
+
efb1ef
             res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
efb1ef
                     "(objectclass=*)", new String[] { mShrTokAttr }, false);
efb1ef
             if (res != null && res.hasMoreElements()) {
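Review bot: `authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn)` runs as soon as the directory entry is found, before the shared-token attribute has been read, so the token carries a subject DN derived only from the client-supplied identification even when the lookup that follows fails. If the token can still be used after this method throws (the callers and the rest of the body are outside this hunk), moving the `set` call to just before the successful return would keep the subject tied to an entry that really holds a shared token. The added `CMS.debug` line also writes the user DN to the debug log on every attempt, which should be checked against the deployment's logging policy.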
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
efb1ef
index caa466c..929e629 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
efb1ef
@@ -1412,10 +1412,14 @@ public abstract class EnrollProfile extends BasicProfile
efb1ef
                     CMS.debug(method + " Failed to retrieve shared secret authentication plugin class");
efb1ef
                     sharedSecretFound = false;
efb1ef
                 }
efb1ef
+
efb1ef
+                IAuthToken authToken = (IAuthToken)
efb1ef
+                    context.get(SessionContext.AUTH_TOKEN);
efb1ef
+
efb1ef
                 ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
efb1ef
 
efb1ef
                 if (ident_string != null) {
efb1ef
-                    sharedSecret = tokenClass.getSharedToken(ident_string);
efb1ef
+                    sharedSecret = tokenClass.getSharedToken(ident_string, authToken);
efb1ef
                 } else {
efb1ef
                     sharedSecret = tokenClass.getSharedToken(mCMCData);
efb1ef
                 }
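Review bot: `authToken` read from `context.get(SessionContext.AUTH_TOKEN)` can be null, and getSharedToken(String, IAuthToken) now throws EBaseException for a null token, so an identification-based request that arrives here without a stored token fails with a message about parameters rather than about authentication. Logging the cause before the call, e.g. `if (authToken == null) CMS.debug(method + " no AUTH_TOKEN in session context");`, would make that case diagnosable; how the exception is handled lies outside the hunk. As far as this patch shows, the `else` branch `getSharedToken(mCMCData)` receives no token and therefore sets no TOKEN_CERT_SUBJECT for authTokenSubjectNameDefaultImpl to read. The second hunk in this file (the `sessionContext.get` call) has the same two gaps.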
efb1ef
@@ -1709,12 +1713,16 @@ public abstract class EnrollProfile extends BasicProfile
efb1ef
                 signedAuditLogger.log(auditMessage);
efb1ef
                 return false;
efb1ef
             }
efb1ef
+
efb1ef
+            IAuthToken authToken = (IAuthToken)
efb1ef
+                sessionContext.get(SessionContext.AUTH_TOKEN);
efb1ef
+
efb1ef
             ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
efb1ef
 
efb1ef
             char[] token = null;
efb1ef
             if (ident_string != null) {
efb1ef
                 auditAttemptedCred = ident_string;
efb1ef
-                token = tokenClass.getSharedToken(ident_string);
efb1ef
+                token = tokenClass.getSharedToken(ident_string, authToken);
efb1ef
             } else
efb1ef
                 token = tokenClass.getSharedToken(mCMCData);
efb1ef
 
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
index 7d75e31..f469a66 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
@@ -446,6 +446,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
                 // authentication success
efb1ef
                 if (authToken != null) {
efb1ef
                     auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
efb1ef
+                    context.put(SessionContext.AUTH_TOKEN, authToken);
efb1ef
                 }
efb1ef
             } catch (EBaseException e) {
efb1ef
                 CMCOutputTemplate template = new CMCOutputTemplate();
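Review bot: `context.put(SessionContext.AUTH_TOKEN, authToken)` runs only when authentication produced a token, and nothing in the hunk removes a value left by an earlier request. If SessionContext instances outlive a single request (for example when bound to a pooled thread, which is not visible here), EnrollProfile could read a stale token belonging to a different requester. Clearing the key in the other case, `else { context.remove(SessionContext.AUTH_TOKEN); }` (assuming SessionContext offers the usual map `remove`), or confirming that the context is reset per request, closes that gap.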
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From 2a228b4a8e1af920e577d007be87291831c635d5 Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Wed, 20 Jun 2018 18:59:28 -0700
efb1ef
Subject: [PATCH 2/7] Ticket 2920 Part2 of SharedToken Audit
efb1ef
efb1ef
This patch addresses the issue that the original audit message for failure
efb1ef
got overwritten for SharedToken.
efb1ef
efb1ef
fixes https://pagure.io/dogtagpki/issue/2920
efb1ef
efb1ef
Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4
efb1ef
---
efb1ef
 .../netscape/cms/authentication/SharedSecret.java  |  5 ++
efb1ef
 .../def/CMCUserSignedSubjectNameDefault.java       |  7 ++-
efb1ef
 .../cms/servlet/common/CMCOutputTemplate.java      |  9 ++--
efb1ef
 .../servlet/profile/ProfileSubmitCMCServlet.java   | 63 ++++++++++++++--------
efb1ef
 4 files changed, 57 insertions(+), 27 deletions(-)
efb1ef
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
index e304b74..5ebc213 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
efb1ef
@@ -406,6 +406,11 @@ public class SharedSecret extends DirBasedAuthentication
efb1ef
         String method = "SharedSecret.getSharedToken(BigInteger serial): ";
efb1ef
         String msg = "";
efb1ef
 
efb1ef
+        if (serial == null) {
efb1ef
+            throw new EBaseException(method + "paramster serial cannot be null");
efb1ef
+        }
efb1ef
+        CMS.debug(method + serial.toString());
efb1ef
+
efb1ef
         ICertRecord record = null;
efb1ef
         try {
efb1ef
             record = certRepository.readCertificateRecord(serial);
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
efb1ef
index a0816ea..f1810b0 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
efb1ef
@@ -137,12 +137,17 @@ public class CMCUserSignedSubjectNameDefault extends EnrollDefault {
efb1ef
         String msg = "";
efb1ef
         CMS.debug(method + "begins");
efb1ef
 
efb1ef
-        String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
efb1ef
         if (info == null) {
efb1ef
             msg = method + "info null";
efb1ef
             CMS.debug(msg);
efb1ef
             throw new EProfileException(msg);
efb1ef
         }
efb1ef
+        String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
efb1ef
+        if (signingUserSerial == null) {
efb1ef
+            msg = method + "signing user serial not found; request was unsigned?";
efb1ef
+            CMS.debug(msg);
efb1ef
+            throw new EProfileException(msg);
efb1ef
+        }
efb1ef
 
efb1ef
         CertificateSubjectName certSN = null;
efb1ef
         try {
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
efb1ef
index a0a946d..154cd33 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
efb1ef
@@ -1103,14 +1103,15 @@ public class CMCOutputTemplate {
efb1ef
 
efb1ef
                     char[] sharedSecret = null;
efb1ef
                     try {
efb1ef
-                       sharedSecret = tokenClass.getSharedToken(revokeSerial);
efb1ef
+                        sharedSecret = tokenClass.getSharedToken(revokeSerial);
efb1ef
                     } catch (Exception eShrTok) {
efb1ef
-                        CMS.debug("CMCOutputTemplate: " + eShrTok.toString());
efb1ef
+                        msg = "CMCOutputTemplate: " + eShrTok.toString();
efb1ef
                     }
efb1ef
 
efb1ef
                     if (sharedSecret == null) {
efb1ef
-                        msg = " shared secret not found";
efb1ef
-                        CMS.debug(method + msg);
efb1ef
+                        if (msg.equals("")) // don't overwrite the msg
efb1ef
+                            msg = " shared secret not found";
efb1ef
+                        CMS.debug(msg);
efb1ef
                         audit(new CertStatusChangeRequestProcessedEvent(
efb1ef
                                 auditSubjectID,
efb1ef
                                 ILogger.FAILURE,
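Review bot: `msg = "CMCOutputTemplate: " + eShrTok.toString();` now carries raw exception text into `msg`, which appears to be what the failure audit event below reports (its argument list runs past the hunk). Exception strings from the directory or certificate repository can contain line breaks or internal detail, and PATCH 4/7 in this series fixes AuditVerify failures caused by exactly such line breaks, so the text should be normalized before it reaches the signed audit log, e.g. `msg = "CMCOutputTemplate: " + Utils.normalizeString(eShrTok.toString(), true);` once that overload exists. The `msg.equals("")` test also relies on `msg` still being empty when this block is reached, which cannot be confirmed from the hunk, and the debug line no longer carries the `method` prefix.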
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
index f469a66..12fd294 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
efb1ef
@@ -533,10 +533,16 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth");
efb1ef
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
efb1ef
         }
efb1ef
+
efb1ef
+        String errorCode = null;
efb1ef
+        String errorReason = null;
efb1ef
+        String auditRequesterID = ILogger.UNIDENTIFIED;
efb1ef
+
efb1ef
         try {
efb1ef
             reqs = profile.createRequests(ctx, locale);
efb1ef
         } catch (ECMCBadMessageCheckException e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -547,9 +553,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.BAD_MESSAGE_CHECK, s);
efb1ef
-            return;
efb1ef
         } catch (ECMCBadIdentityException e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -560,9 +566,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.BAD_IDENTITY, s);
efb1ef
-            return;
efb1ef
         } catch (ECMCPopFailedException e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -573,9 +579,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.POP_FAILED, s);
efb1ef
-            return;
efb1ef
         } catch (ECMCBadRequestException e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -586,9 +592,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.BAD_REQUEST, s);
efb1ef
-            return;
efb1ef
         } catch (EProfileException e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -599,9 +605,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.INTERNAL_CA_ERROR, s);
efb1ef
-            return;
efb1ef
         } catch (Throwable e) {
efb1ef
-            CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString());
efb1ef
+            errorReason = e.toString();
efb1ef
+            CMS.debug("ProfileSubmitCMCServlet: createRequests - " + errorReason);
efb1ef
             CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
             SEQUENCE seq = new SEQUENCE();
efb1ef
             seq.addElement(new INTEGER(0));
efb1ef
@@ -612,7 +618,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
             template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                     OtherInfo.INTERNAL_CA_ERROR, s);
efb1ef
-            return;
efb1ef
+        }
efb1ef
+
efb1ef
+        if (errorReason != null) {
efb1ef
+            audit(CertRequestProcessedEvent.createFailureEvent(
efb1ef
+                        auditSubjectID,
efb1ef
+                        auditRequesterID,
efb1ef
+                        ILogger.SIGNED_AUDIT_REJECTION,
efb1ef
+                        errorReason));
efb1ef
+                return;
efb1ef
         }
efb1ef
 
efb1ef
         TaggedAttribute attr =
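Review bot: The failure audit added after the try/catch is reached only if the catch handler itself completes; each handler still builds and writes the CMC response through `createFullResponseWithFailedStatus` first, so if that call can throw (its declaration is not shown) the `CertRequestProcessedEvent` rejection record is lost. Emitting the audit event before the response is written, or from a `finally` block, makes the record independent of the client connection. `errorReason` is raw `e.toString()`, so the line-break problem PATCH 4/7 addresses for CONFIG_ROLE can occur in this audit field too, and the `return;` closing the new block is indented one level too deep. The populate-loop hunk further down (`@@ -808,12 +821,18 @@`) follows the same pattern.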
efb1ef
@@ -684,13 +698,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
             }
efb1ef
         }
efb1ef
 
efb1ef
-        String errorCode = null;
efb1ef
-        String errorReason = null;
efb1ef
-
efb1ef
         ///////////////////////////////////////////////
efb1ef
         // populate request
efb1ef
         ///////////////////////////////////////////////
efb1ef
         for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) {
efb1ef
+            auditRequesterID = auditRequesterID(reqs[k]);
efb1ef
             // adding parameters to request
efb1ef
             setInputsIntoRequest(request, profile, reqs[k]);
efb1ef
 
efb1ef
@@ -769,7 +781,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
                 profile.populateInput(ctx, reqs[k]);
efb1ef
                 profile.populate(reqs[k]);
efb1ef
             } catch (ECMCPopFailedException e) {
efb1ef
-                CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
efb1ef
+                errorReason = e.toString();
efb1ef
+                CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
efb1ef
                 CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
                 SEQUENCE seq = new SEQUENCE();
efb1ef
                 seq.addElement(new INTEGER(0));
efb1ef
@@ -780,9 +793,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
                 }
efb1ef
                 template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                         OtherInfo.POP_FAILED, s);
efb1ef
-                return;
efb1ef
             } catch (EProfileException e) {
efb1ef
-                CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
efb1ef
+                errorReason = e.toString();
efb1ef
+                CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
efb1ef
                 CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
                 SEQUENCE seq = new SEQUENCE();
efb1ef
                 seq.addElement(new INTEGER(0));
efb1ef
@@ -793,9 +806,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
                 }
efb1ef
                 template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                         OtherInfo.BAD_REQUEST, s);
efb1ef
-                return;
efb1ef
             } catch (Throwable e) {
efb1ef
-                CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
efb1ef
+                errorReason = e.toString();
efb1ef
+                CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
efb1ef
                 //  throw new IOException("Profile " + profileId +
efb1ef
                 //          " cannot populate");
efb1ef
                 CMCOutputTemplate template = new CMCOutputTemplate();
efb1ef
@@ -808,12 +821,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
efb1ef
                 }
efb1ef
                 template.createFullResponseWithFailedStatus(response, seq,
efb1ef
                         OtherInfo.INTERNAL_CA_ERROR, s);
efb1ef
+            }
efb1ef
+
efb1ef
+            if (errorReason != null) {
efb1ef
+                audit(CertRequestProcessedEvent.createFailureEvent(
efb1ef
+                        auditSubjectID,
efb1ef
+                        auditRequesterID,
efb1ef
+                        ILogger.SIGNED_AUDIT_REJECTION,
efb1ef
+                        errorReason));
efb1ef
                 return;
efb1ef
             }
efb1ef
         } //for
efb1ef
 
efb1ef
-        String auditRequesterID = ILogger.UNIDENTIFIED;
efb1ef
-
efb1ef
         try {
efb1ef
             ///////////////////////////////////////////////
efb1ef
             // submit request
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From a85486cfc7644b6a1caac6f5a2b34c4516ea1288 Mon Sep 17 00:00:00 2001
efb1ef
From: Fraser Tweedale <ftweedal@redhat.com>
efb1ef
Date: Fri, 15 Jun 2018 00:28:43 +1000
efb1ef
Subject: [PATCH 3/7] IPAddressName: fix construction from String
efb1ef
efb1ef
The IPAddressName(String) constructor (the non-netmask case) was
efb1ef
broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6.  Fix it,
efb1ef
and rename one of the helper methods to clarify its behaviour.
efb1ef
efb1ef
Fixes: https://pagure.io/dogtagpki/issue/2922
efb1ef
Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea
efb1ef
---
efb1ef
 base/util/src/netscape/security/x509/IPAddressName.java | 8 ++++----
efb1ef
 1 file changed, 4 insertions(+), 4 deletions(-)
efb1ef
efb1ef
diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
efb1ef
index a343a5f..b227af0 100644
efb1ef
--- a/base/util/src/netscape/security/x509/IPAddressName.java
efb1ef
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
efb1ef
@@ -76,7 +76,7 @@ public class IPAddressName implements GeneralNameInterface {
efb1ef
      * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
efb1ef
      */
efb1ef
     public IPAddressName(String s, String netmask) {
efb1ef
-        address = initAddress(true, s);
efb1ef
+        address = parseAddress(true, s);
efb1ef
         if (address.length == IPv4_LEN * 2)
efb1ef
             fillIPv4Address(netmask, address, address.length / 2);
efb1ef
         else
efb1ef
@@ -90,7 +90,7 @@ public class IPAddressName implements GeneralNameInterface {
efb1ef
      * @param mask a CIDR netmask
efb1ef
      */
efb1ef
     public IPAddressName(String s, CIDRNetmask mask) {
efb1ef
-        address = initAddress(true, s);
efb1ef
+        address = parseAddress(true, s);
efb1ef
         mask.write(ByteBuffer.wrap(
efb1ef
                     address, address.length / 2, address.length / 2));
efb1ef
     }
efb1ef
@@ -102,7 +102,7 @@ public class IPAddressName implements GeneralNameInterface {
efb1ef
      * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
efb1ef
      */
efb1ef
     public IPAddressName(String s) {
efb1ef
-        initAddress(false, s);
efb1ef
+        address = parseAddress(false, s);
efb1ef
     }
efb1ef
 
efb1ef
     /**
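Review bot: The defect fixed in `IPAddressName(String s)`, a constructor that called the helper but discarded its result and left `address` unassigned, is one the compiler can catch. If the `address` field (declared outside this hunk) is not already `final`, declaring it `private final byte[] address;` would turn any future constructor that forgets the assignment into a compile error, provided no other code reassigns it. A short regression test that constructs IPAddressName from one IPv4 and one IPv6 literal would also have exposed the original breakage.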
efb1ef
@@ -113,7 +113,7 @@ public class IPAddressName implements GeneralNameInterface {
efb1ef
      * @return byte[] of length 4 or 16 if withNetmask == false,
efb1ef
      *         or length 8 or 32 if withNetmask == true.
efb1ef
      */
efb1ef
-    private static byte[] initAddress(boolean withNetmask, String s) {
efb1ef
+    private static byte[] parseAddress(boolean withNetmask, String s) {
efb1ef
         if (s.indexOf(':') != -1) {
efb1ef
             byte[] address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
efb1ef
             fillIPv6Address(s, address, 0);
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From 1f5e857759cb822093cdc20125fa4d0990432356 Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Mon, 25 Jun 2018 16:46:36 -0700
efb1ef
Subject: [PATCH 4/7] Ticket 3003 AuditVerify failure due to line breaks
efb1ef
efb1ef
This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
efb1ef
in audit entry from running pki ca-user-cert-add which would cause AuditVerify
efb1ef
to fail. (note: adding user cert via the java console does not have such issue)
efb1ef
efb1ef
fixes https://pagure.io/dogtagpki/issue/3003
efb1ef
efb1ef
Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9
efb1ef
---
efb1ef
 .../com/netscape/certsrv/logging/event/ConfigRoleEvent.java  |  3 ++-
efb1ef
 base/util/src/com/netscape/cmsutil/util/Utils.java           | 12 +++++++++++-
efb1ef
 2 files changed, 13 insertions(+), 2 deletions(-)
efb1ef
efb1ef
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
efb1ef
index cc5f0b7..0ac71a8 100644
efb1ef
--- a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
efb1ef
+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
efb1ef
@@ -18,6 +18,7 @@
efb1ef
 package com.netscape.certsrv.logging.event;
efb1ef
 
efb1ef
 import com.netscape.certsrv.logging.SignedAuditEvent;
efb1ef
+import com.netscape.cmsutil.util.Utils;
efb1ef
 
efb1ef
 public class ConfigRoleEvent extends SignedAuditEvent {
efb1ef
 
efb1ef
@@ -35,6 +36,6 @@ public class ConfigRoleEvent extends SignedAuditEvent {
efb1ef
 
efb1ef
         setAttribute("SubjectID", subjectID);
efb1ef
         setAttribute("Outcome", outcome);
efb1ef
-        setAttribute("ParamNameValPairs", params);
efb1ef
+        setAttribute("ParamNameValPairs", Utils.normalizeString(params, true /*keep space*/));
efb1ef
     }
efb1ef
 }
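Review bot: Normalizing `params` in this constructor protects only CONFIG_ROLE; any other SignedAuditEvent whose attributes carry caller-supplied text (a PEM certificate, a description field) can still put a line break into a signed audit record and break AuditVerify. If `setAttribute` in SignedAuditEvent (not shown) is the common path for all events, removing `\r` and `\n` there would cover every event type in one place. For a null `params` this call relies on `Utils.normalizeString` returning null unchanged, which the Utils hunk in this patch shows it does.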
efb1ef
diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java
efb1ef
index 5ff78ad..9d0f9eb 100644
efb1ef
--- a/base/util/src/com/netscape/cmsutil/util/Utils.java
efb1ef
+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java
efb1ef
@@ -336,15 +336,24 @@ public class Utils {
efb1ef
      * Normalize B64 input String
efb1ef
      *
efb1ef
      * @pram string base-64 string
efb1ef
+     * @param keepspace a boolean variable to control whether to keep spaces or not
efb1ef
      * @return normalized string
efb1ef
      */
efb1ef
     public static String normalizeString(String string) {
efb1ef
+        return normalizeString(string, false /*keepSpace*/);
efb1ef
+    }
efb1ef
+
efb1ef
+    public static String normalizeString(String string, Boolean keepSpace) {
efb1ef
         if (string == null) {
efb1ef
             return string;
efb1ef
         }
efb1ef
 
efb1ef
         StringBuffer sb = new StringBuffer();
efb1ef
-        StringTokenizer st = new StringTokenizer(string, "\r\n ");
efb1ef
+        StringTokenizer st = null;
efb1ef
+        if (keepSpace)
efb1ef
+            st = new StringTokenizer(string, "\r\n");
efb1ef
+        else
efb1ef
+            st = new StringTokenizer(string, "\r\n ");
efb1ef
 
efb1ef
         while (st.hasMoreTokens()) {
efb1ef
             String nextLine = st.nextToken();
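Review bot: The new overload declares `Boolean keepSpace`, so `if (keepSpace)` unboxes and throws NullPointerException for a null argument; the primitive is what is meant: `public static String normalizeString(String string, boolean keepSpace) {`. The added `@param keepspace` line sits in the Javadoc of the one-argument method and differs in case from the parameter name, while the two-argument overload has no Javadoc; it needs its own comment stating that CR and LF are always removed and spaces only when keepSpace is false. Because tokens appear to be concatenated without a separator (the append is outside the hunk), a value split across lines is joined directly, so for audit parameters it is worth checking that this cannot merge two name/value pairs into one. StringBuilder can replace StringBuffer for this local.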
efb1ef
@@ -353,4 +362,5 @@ public class Utils {
efb1ef
         }
efb1ef
         return sb.toString();
efb1ef
     }
efb1ef
+
efb1ef
 }
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From cf1b83ed6e7be07636c3deac770d586433d80f9e Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Tue, 26 Jun 2018 15:16:53 -0700
efb1ef
Subject: [PATCH 5/7] Ticket 2992 CMC Simple request profiles and CMCResponse
efb1ef
 to support simple response
efb1ef
efb1ef
This patch fixes the broken profiles that resulted from https://pagure.io/dogtagpki/issue/3018.
efb1ef
efb1ef
In addition, CMCResponse has been improved to handle CMC simple response.
efb1ef
efb1ef
fixes https://pagure.io/dogtagpki/issue/2992
efb1ef
efb1ef
Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a
efb1ef
---
efb1ef
 .../shared/profiles/ca/caECSimpleCMCUserCert.cfg   |  6 +--
efb1ef
 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg |  6 +--
efb1ef
 .../src/com/netscape/cmstools/CMCResponse.java     | 46 +++++++++++++---------
efb1ef
 3 files changed, 34 insertions(+), 24 deletions(-)
efb1ef
efb1ef
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
efb1ef
index 64a6ad9..8df3576 100644
efb1ef
--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
efb1ef
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
efb1ef
@@ -1,11 +1,11 @@
efb1ef
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
efb1ef
+desc=This certificate profile is for enrolling user certificates by using the CMC simple certificate request with agent authentication.
efb1ef
 enable=true
efb1ef
 enableBy=admin
efb1ef
 name=Simple CMC Enrollment Request for User Certificate
efb1ef
 visible=false
efb1ef
-auth.instance_id=
efb1ef
+auth.instance_id=AgentCertAuth
efb1ef
 input.list=i1
efb1ef
-input.i1.class_id=cmcCertReqInputImpl
efb1ef
+input.i1.class_id=certReqInputImpl
efb1ef
 output.list=o1
efb1ef
 output.o1.class_id=certOutputImpl
efb1ef
 policyset.list=cmcUserCertSet
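Review bot: The new `desc=` lines do not say which key type each profile serves, and the unchanged `name=Simple CMC Enrollment Request for User Certificate` is identical in this file and in caSimpleCMCUserCert.cfg, so the two profiles cannot be told apart wherever only name and description are shown. The descriptions also differ in casing (`CMC simple` here, `CMC Simple` in the other file). Using one wording and ending this one with the key type, e.g. `... with agent authentication (ECC keys).`, would fix both, assuming the `EC` in the file name means ECC keys. Separately, `auth.instance_id=AgentCertAuth` is set only in the shared template; instances that already hold a copy with the empty `auth.instance_id=` would presumably keep it, so an upgrade step or release note is worth adding.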
efb1ef
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
efb1ef
index 0628a36..a55873f 100644
efb1ef
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
efb1ef
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
efb1ef
@@ -1,11 +1,11 @@
efb1ef
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
efb1ef
+desc=This certificate profile is for enrolling user certificates by using the CMC Simple certificate request with agent authentication.
efb1ef
 enable=true
efb1ef
 enableBy=admin
efb1ef
 name=Simple CMC Enrollment Request for User Certificate
efb1ef
 visible=false
efb1ef
-auth.instance_id=
efb1ef
+auth.instance_id=AgentCertAuth
efb1ef
 input.list=i1
efb1ef
-input.i1.class_id=cmcCertReqInputImpl
efb1ef
+input.i1.class_id=certReqInputImpl
efb1ef
 output.list=o1
efb1ef
 output.o1.class_id=certOutputImpl
efb1ef
 policyset.list=cmcUserCertSet
efb1ef
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
efb1ef
index 945f09f..5d4f6c6 100644
efb1ef
--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
efb1ef
+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
efb1ef
@@ -82,14 +82,20 @@ public class CMCResponse {
efb1ef
 
efb1ef
     public Collection<CMCStatusInfoV2> getStatusInfos() throws IOException, InvalidBERException {
efb1ef
 
efb1ef
-        Collection<CMCStatusInfoV2> list = new ArrayList<>();
efb1ef
-
efb1ef
-        // assume full CMC response
efb1ef
-
efb1ef
         SignedData signedData = (SignedData) contentInfo.getInterpretedContent();
efb1ef
         EncapsulatedContentInfo eci = signedData.getContentInfo();
efb1ef
 
efb1ef
+        Collection<CMCStatusInfoV2> list = new ArrayList<>();
efb1ef
+
efb1ef
         OCTET_STRING content = eci.getContent();
efb1ef
+        if (content == null) {
efb1ef
+            System.out.println("CMC Simple Response.");
efb1ef
+            // No EncapsulatedContentInfo content; Assume simple response;
efb1ef
+            return null;
efb1ef
+        }
efb1ef
+        // assume full CMC response
efb1ef
+        System.out.println("CMC Full Response.");
efb1ef
+
efb1ef
         ByteArrayInputStream is = new ByteArrayInputStream(content.toByteArray());
efb1ef
         ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(is);
efb1ef
 
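Review bot: The `return null;` added to `getStatusInfos()` for a simple response is undocumented, so a caller cannot tell "no status present" from "all statuses SUCCESS" without reading the body; only the caller in the last hunk of this file gains a null check. A Javadoc line such as `@return the status infos of a full response, or null if the SignedData has no encapsulated content (simple response)` would state the contract. Since a missing eContent is the only signal used to classify the response, callers should not treat the null as a success indicator. The two `System.out.println` calls also make this getter write to stdout; printing the response type from `main` would keep the accessor free of side effects. The method body continues past the end of this hunk.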
efb1ef
@@ -166,8 +172,10 @@ public class CMCResponse {
efb1ef
                 System.out.println("Invalid CMC Response Format");
efb1ef
             }
efb1ef
 
efb1ef
-            if (!ci.hasContent())
efb1ef
+            if (!ci.hasContent()) {
efb1ef
+                // No EncapsulatedContentInfo content; Assume simple response
efb1ef
                 return;
efb1ef
+            }
efb1ef
 
efb1ef
             OCTET_STRING content1 = ci.getContent();
efb1ef
             ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray());
efb1ef
@@ -371,23 +379,25 @@ public class CMCResponse {
efb1ef
 
efb1ef
         // terminate if any of the statuses is not a SUCCESS
efb1ef
         Collection<CMCStatusInfoV2> statusInfos = response.getStatusInfos();
efb1ef
-        for (CMCStatusInfoV2 statusInfo : statusInfos) {
efb1ef
+        if (statusInfos != null) { // full response
efb1ef
+            for (CMCStatusInfoV2 statusInfo : statusInfos) {
efb1ef
 
efb1ef
-            int status = statusInfo.getStatus();
efb1ef
-            if (status == CMCStatusInfoV2.SUCCESS) {
efb1ef
-                continue;
efb1ef
-            }
efb1ef
+                int status = statusInfo.getStatus();
efb1ef
+                if (status == CMCStatusInfoV2.SUCCESS) {
efb1ef
+                    continue;
efb1ef
+                }
efb1ef
 
efb1ef
-            SEQUENCE bodyList = statusInfo.getBodyList();
efb1ef
+                SEQUENCE bodyList = statusInfo.getBodyList();
efb1ef
 
efb1ef
-            Collection<INTEGER> list = new ArrayList<>();
efb1ef
-            for (int i = 0; i < bodyList.size(); i++) {
efb1ef
-                INTEGER n = (INTEGER) bodyList.elementAt(i);
efb1ef
-                list.add(n);
efb1ef
-            }
efb1ef
+                Collection<INTEGER> list = new ArrayList<>();
efb1ef
+                for (int i = 0; i < bodyList.size(); i++) {
efb1ef
+                    INTEGER n = (INTEGER) bodyList.elementAt(i);
efb1ef
+                    list.add(n);
efb1ef
+                }
efb1ef
 
efb1ef
-            System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
efb1ef
-            System.exit(1);
efb1ef
+                System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
efb1ef
+                System.exit(1);
efb1ef
+            }
efb1ef
         }
efb1ef
 
efb1ef
         // export PKCS #7 if requested
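Review bot: In the re-indented error path, `CMCStatusInfoV2.STATUS[status]` is indexed with a value taken from the decoded response, so a status outside the table would presumably end the tool with an `ArrayIndexOutOfBoundsException` instead of the intended error message (the size of `STATUS` is not visible here). A guarded lookup keeps the diagnostic intact: `String text = (status >= 0 && status < CMCStatusInfoV2.STATUS.length) ? CMCStatusInfoV2.STATUS[status] : "unknown status " + status;`. When `statusInfos` is null the loop is skipped and execution goes straight on to the export step, so a short comment such as `// simple response: no CMCStatusInfoV2 to check` on the new `if` would make that intent explicit. The enclosing method starts and ends outside this hunk.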
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From 3ad054342a08719cd80c618c2aa260210b418113 Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Wed, 27 Jun 2018 15:04:57 -0700
efb1ef
Subject: [PATCH 6/7] Ticket #2959 Address pkispawn ECC profile overrides
efb1ef
efb1ef
This patch enables proper ECC profiles to be automatically applied during
efb1ef
pkispawn.
efb1ef
efb1ef
This patch would eliminate the need for the workaround documented here:
efb1ef
http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround
efb1ef
efb1ef
The idea is to use the % replacement strings as part of the profile names
efb1ef
in the default.cfg file for pkispawn,
efb1ef
and change the profile names to match the format. So for example:
efb1ef
efb1ef
%(pki_admin_key_type)AdminCert.profile
efb1ef
efb1ef
would either be translated to rsaAdminCert.profile or eccAdminCert.profile
efb1ef
depending  on the value in pki_admin_key_type
efb1ef
efb1ef
All 6 relevant profiles have been renamed per new convention.
efb1ef
efb1ef
fixes https://pagure.io/dogtagpki/issue/2959
efb1ef
efb1ef
Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95
efb1ef
---
efb1ef
 base/ca/shared/conf/ECadminCert.profile      | 39 --------------------------
efb1ef
 base/ca/shared/conf/ECserverCert.profile     | 39 --------------------------
efb1ef
 base/ca/shared/conf/ECsubsystemCert.profile  | 39 --------------------------
efb1ef
 base/ca/shared/conf/adminCert.profile        | 39 --------------------------
efb1ef
 base/ca/shared/conf/eccAdminCert.profile     | 39 ++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/eccServerCert.profile    | 39 ++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/eccSubsystemCert.profile | 39 ++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/rsaAdminCert.profile     | 39 ++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/rsaServerCert.profile    | 41 ++++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/rsaSubsystemCert.profile | 39 ++++++++++++++++++++++++++
efb1ef
 base/ca/shared/conf/serverCert.profile       | 41 ----------------------------
efb1ef
 base/ca/shared/conf/subsystemCert.profile    | 39 --------------------------
efb1ef
 base/server/etc/default.cfg                  |  6 ++--
efb1ef
 13 files changed, 239 insertions(+), 239 deletions(-)
efb1ef
 delete mode 100644 base/ca/shared/conf/ECadminCert.profile
efb1ef
 delete mode 100644 base/ca/shared/conf/ECserverCert.profile
efb1ef
 delete mode 100644 base/ca/shared/conf/ECsubsystemCert.profile
efb1ef
 delete mode 100644 base/ca/shared/conf/adminCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/eccAdminCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/eccServerCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/eccSubsystemCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/rsaAdminCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/rsaServerCert.profile
efb1ef
 create mode 100644 base/ca/shared/conf/rsaSubsystemCert.profile
efb1ef
 delete mode 100644 base/ca/shared/conf/serverCert.profile
efb1ef
 delete mode 100644 base/ca/shared/conf/subsystemCert.profile
efb1ef
efb1ef
diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile
efb1ef
deleted file mode 100644
efb1ef
index 46d157a..0000000
efb1ef
--- a/base/ca/shared/conf/ECadminCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,39 +0,0 @@
efb1ef
-#
efb1ef
-# Admin Certificate
efb1ef
-#
efb1ef
-id=adminCert.profile
efb1ef
-name=All Purpose admin cert with ECC keys Profile
efb1ef
-description=This profile creates an administrator's certificate with ECC keys
efb1ef
-profileIDMapping=caAdminCert
efb1ef
-profileSetIDMapping=adminCertSet
efb1ef
-list=2,4,5,6,7
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=true
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=false
efb1ef
-6.default.params.keyUsageKeyAgreement=true
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
efb1ef
diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
efb1ef
deleted file mode 100644
efb1ef
index 8c679f7..0000000
efb1ef
--- a/base/ca/shared/conf/ECserverCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,39 +0,0 @@
efb1ef
-#
efb1ef
-# ECC Server Certificate
efb1ef
-#
efb1ef
-id=serverCert.profile
efb1ef
-name=All Purpose SSL server cert with ECC keys Profile
efb1ef
-description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
efb1ef
-profileIDMapping=caECServerCert
efb1ef
-profileSetIDMapping=serverCertSet
efb1ef
-list=2,4,5,6,7
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=false
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=false
efb1ef
-6.default.params.keyUsageKeyAgreement=true
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
efb1ef
diff --git a/base/ca/shared/conf/ECsubsystemCert.profile b/base/ca/shared/conf/ECsubsystemCert.profile
efb1ef
deleted file mode 100644
efb1ef
index d11dabb..0000000
efb1ef
--- a/base/ca/shared/conf/ECsubsystemCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,39 +0,0 @@
efb1ef
-#
efb1ef
-# ECC Subsystem Certificate
efb1ef
-#
efb1ef
-id=subsystemCert.profile
efb1ef
-name=Subsystem cert with ECC keys Profile
efb1ef
-description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
efb1ef
-profileIDMapping=caECSubsystemCert
efb1ef
-profileSetIDMapping=serverCertSet
efb1ef
-list=2,4,5,6,7
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=false
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=false
efb1ef
-6.default.params.keyUsageKeyAgreement=true
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
efb1ef
diff --git a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile
efb1ef
deleted file mode 100644
efb1ef
index 5e84d74..0000000
efb1ef
--- a/base/ca/shared/conf/adminCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,39 +0,0 @@
efb1ef
-#
efb1ef
-# Server Certificate
efb1ef
-#
efb1ef
-id=adminCert.profile
efb1ef
-name=All Purpose admin server cert Profile
efb1ef
-description=This profile creates an administrator's certificate
efb1ef
-profileIDMapping=caAdminCert
efb1ef
-profileSetIDMapping=adminCertSet
efb1ef
-list=2,4,5,6,7
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=true
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=true
efb1ef
-6.default.params.keyUsageKeyAgreement=false
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
efb1ef
diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..46d157a
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/eccAdminCert.profile
efb1ef
@@ -0,0 +1,39 @@
efb1ef
+#
efb1ef
+# Admin Certificate
efb1ef
+#
efb1ef
+id=adminCert.profile
efb1ef
+name=All Purpose admin cert with ECC keys Profile
efb1ef
+description=This profile creates an administrator's certificate with ECC keys
efb1ef
+profileIDMapping=caAdminCert
efb1ef
+profileSetIDMapping=adminCertSet
efb1ef
+list=2,4,5,6,7
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=true
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=false
efb1ef
+6.default.params.keyUsageKeyAgreement=true
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
efb1ef
diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..8c679f7
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/eccServerCert.profile
efb1ef
@@ -0,0 +1,39 @@
efb1ef
+#
efb1ef
+# ECC Server Certificate
efb1ef
+#
efb1ef
+id=serverCert.profile
efb1ef
+name=All Purpose SSL server cert with ECC keys Profile
efb1ef
+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
efb1ef
+profileIDMapping=caECServerCert
efb1ef
+profileSetIDMapping=serverCertSet
efb1ef
+list=2,4,5,6,7
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=false
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=false
efb1ef
+6.default.params.keyUsageKeyAgreement=true
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
efb1ef
diff --git a/base/ca/shared/conf/eccSubsystemCert.profile b/base/ca/shared/conf/eccSubsystemCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..d11dabb
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/eccSubsystemCert.profile
efb1ef
@@ -0,0 +1,39 @@
efb1ef
+#
efb1ef
+# ECC Subsystem Certificate
efb1ef
+#
efb1ef
+id=subsystemCert.profile
efb1ef
+name=Subsystem cert with ECC keys Profile
efb1ef
+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
efb1ef
+profileIDMapping=caECSubsystemCert
efb1ef
+profileSetIDMapping=serverCertSet
efb1ef
+list=2,4,5,6,7
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=false
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=false
efb1ef
+6.default.params.keyUsageKeyAgreement=true
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
efb1ef
diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..5e84d74
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/rsaAdminCert.profile
efb1ef
@@ -0,0 +1,39 @@
efb1ef
+#
efb1ef
+# Server Certificate
efb1ef
+#
efb1ef
+id=adminCert.profile
efb1ef
+name=All Purpose admin server cert Profile
efb1ef
+description=This profile creates an administrator's certificate
efb1ef
+profileIDMapping=caAdminCert
efb1ef
+profileSetIDMapping=adminCertSet
efb1ef
+list=2,4,5,6,7
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=true
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=true
efb1ef
+6.default.params.keyUsageKeyAgreement=false
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
efb1ef
diff --git a/base/ca/shared/conf/rsaServerCert.profile b/base/ca/shared/conf/rsaServerCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..e740760
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/rsaServerCert.profile
efb1ef
@@ -0,0 +1,41 @@
efb1ef
+#
efb1ef
+# Server Certificate
efb1ef
+#
efb1ef
+id=serverCert.profile
efb1ef
+name=All Purpose SSL server cert Profile
efb1ef
+description=This profile creates an SSL server certificate that is valid for SSL servers
efb1ef
+profileIDMapping=caServerCert
efb1ef
+profileSetIDMapping=serverCertSet
efb1ef
+list=2,4,5,6,7,8
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=false
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=true
efb1ef
+6.default.params.keyUsageKeyAgreement=false
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
efb1ef
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
efb1ef
+8.default.name=Copy Common Name to Subjec Alternative Name Extension
efb1ef
diff --git a/base/ca/shared/conf/rsaSubsystemCert.profile b/base/ca/shared/conf/rsaSubsystemCert.profile
efb1ef
new file mode 100644
efb1ef
index 0000000..fa8f84e
efb1ef
--- /dev/null
efb1ef
+++ b/base/ca/shared/conf/rsaSubsystemCert.profile
efb1ef
@@ -0,0 +1,39 @@
efb1ef
+#
efb1ef
+# Subsystem Certificate
efb1ef
+#
efb1ef
+id=subsystemCert.profile
efb1ef
+name=All Purpose SSL server cert Profile
efb1ef
+description=This profile creates a subsystem certificate that is valid for SSL client
efb1ef
+profileIDMapping=caSubsystemCert
efb1ef
+profileSetIDMapping=serverCertSet
efb1ef
+list=2,4,5,6,7
efb1ef
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
+2.default.name=Validity Default
efb1ef
+2.default.params.range=720
efb1ef
+2.default.params.startTime=0
efb1ef
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
+4.default.name=Authority Key Identifier Default
efb1ef
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
+5.default.name=AIA Extension Default
efb1ef
+5.default.params.authInfoAccessADEnable_0=true
efb1ef
+5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
+5.default.params.authInfoAccessADLocation_0=
efb1ef
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
+5.default.params.authInfoAccessCritical=false
efb1ef
+5.default.params.authInfoAccessNumADs=1
efb1ef
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
+6.default.name=Key Usage Default
efb1ef
+6.default.params.keyUsageCritical=true
efb1ef
+6.default.params.keyUsageDigitalSignature=true
efb1ef
+6.default.params.keyUsageNonRepudiation=true
efb1ef
+6.default.params.keyUsageDataEncipherment=true
efb1ef
+6.default.params.keyUsageKeyEncipherment=true
efb1ef
+6.default.params.keyUsageKeyAgreement=false
efb1ef
+6.default.params.keyUsageKeyCertSign=false
efb1ef
+6.default.params.keyUsageCrlSign=false
efb1ef
+6.default.params.keyUsageEncipherOnly=false
efb1ef
+6.default.params.keyUsageDecipherOnly=false
efb1ef
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
+7.default.name=Extended Key Usage Extension Default
efb1ef
+7.default.params.exKeyUsageCritical=false
efb1ef
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
efb1ef
diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
efb1ef
deleted file mode 100644
efb1ef
index e740760..0000000
efb1ef
--- a/base/ca/shared/conf/serverCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,41 +0,0 @@
efb1ef
-#
efb1ef
-# Server Certificate
efb1ef
-#
efb1ef
-id=serverCert.profile
efb1ef
-name=All Purpose SSL server cert Profile
efb1ef
-description=This profile creates an SSL server certificate that is valid for SSL servers
efb1ef
-profileIDMapping=caServerCert
efb1ef
-profileSetIDMapping=serverCertSet
efb1ef
-list=2,4,5,6,7,8
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=false
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=true
efb1ef
-6.default.params.keyUsageKeyAgreement=false
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
efb1ef
-8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
efb1ef
-8.default.name=Copy Common Name to Subjec Alternative Name Extension
efb1ef
diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
efb1ef
deleted file mode 100644
efb1ef
index fa8f84e..0000000
efb1ef
--- a/base/ca/shared/conf/subsystemCert.profile
efb1ef
+++ /dev/null
efb1ef
@@ -1,39 +0,0 @@
efb1ef
-#
efb1ef
-# Subsystem Certificate
efb1ef
-#
efb1ef
-id=subsystemCert.profile
efb1ef
-name=All Purpose SSL server cert Profile
efb1ef
-description=This profile creates a subsystem certificate that is valid for SSL client
efb1ef
-profileIDMapping=caSubsystemCert
efb1ef
-profileSetIDMapping=serverCertSet
efb1ef
-list=2,4,5,6,7
efb1ef
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
efb1ef
-2.default.name=Validity Default
efb1ef
-2.default.params.range=720
efb1ef
-2.default.params.startTime=0
efb1ef
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
efb1ef
-4.default.name=Authority Key Identifier Default
efb1ef
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
efb1ef
-5.default.name=AIA Extension Default
efb1ef
-5.default.params.authInfoAccessADEnable_0=true
efb1ef
-5.default.params.authInfoAccessADLocationType_0=URIName
efb1ef
-5.default.params.authInfoAccessADLocation_0=
efb1ef
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
efb1ef
-5.default.params.authInfoAccessCritical=false
efb1ef
-5.default.params.authInfoAccessNumADs=1
efb1ef
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
efb1ef
-6.default.name=Key Usage Default
efb1ef
-6.default.params.keyUsageCritical=true
efb1ef
-6.default.params.keyUsageDigitalSignature=true
efb1ef
-6.default.params.keyUsageNonRepudiation=true
efb1ef
-6.default.params.keyUsageDataEncipherment=true
efb1ef
-6.default.params.keyUsageKeyEncipherment=true
efb1ef
-6.default.params.keyUsageKeyAgreement=false
efb1ef
-6.default.params.keyUsageKeyCertSign=false
efb1ef
-6.default.params.keyUsageCrlSign=false
efb1ef
-6.default.params.keyUsageEncipherOnly=false
efb1ef
-6.default.params.keyUsageDecipherOnly=false
efb1ef
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
efb1ef
-7.default.name=Extended Key Usage Extension Default
efb1ef
-7.default.params.exKeyUsageCritical=false
efb1ef
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
efb1ef
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
efb1ef
index e727648..c575e68 100644
efb1ef
--- a/base/server/etc/default.cfg
efb1ef
+++ b/base/server/etc/default.cfg
efb1ef
@@ -400,12 +400,12 @@ pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
efb1ef
 pki_source_profiles=/usr/share/pki/ca/profiles
efb1ef
 pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
efb1ef
 pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
efb1ef
-pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
efb1ef
+pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
efb1ef
 pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
efb1ef
 pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
efb1ef
 pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
efb1ef
-pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
efb1ef
-pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
efb1ef
+pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
efb1ef
+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
efb1ef
 pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
efb1ef
 pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
efb1ef
 
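Review bot: The three profile paths are now built from `%(pki_admin_key_type)s`, `%(pki_sslserver_key_type)s` and `%(pki_subsystem_key_type)s`, so a key-type value with no matching `<type>AdminCert.profile`, `<type>ServerCert.profile` or `<type>SubsystemCert.profile` under `pki_source_conf_path` (a difference in letter case included) resolves to a file that does not exist. Nothing in this hunk shows where those values are validated. Because the chosen profile fixes the key usage and extended key usage of the system certificates, the installer should reject an unsupported key type up front rather than fail later on a missing file or fall back silently. A comment above the three lines would document the coupling, for example `# file name prefix comes from pki_*_key_type; a profile with that prefix must exist in pki_source_conf_path`.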
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef
efb1ef
efb1ef
From 2a9c2022d39e293269c49d806fa142992bef8abd Mon Sep 17 00:00:00 2001
efb1ef
From: Christina Fu <cfu@redhat.com>
efb1ef
Date: Tue, 12 Jun 2018 11:47:57 -0700
efb1ef
Subject: [PATCH 7/7] Ticket 2865 X500Name.directoryStringEncodingOrder
efb1ef
 overridden by CSR encoding
efb1ef
efb1ef
This patch allows profile to have control over whether to override the subjectDN
efb1ef
encoding in the CSR with the encoding set by the system.
efb1ef
efb1ef
New parameter in profile:
efb1ef
policyset.<policy set>.<#>.default.params.useSysEncoding=true
efb1ef
efb1ef
where "true" means to override the subjectdn with the system default order or
efb1ef
the order set by X500Name.directoryStringEncodingOrder in CS.cfg
efb1ef
efb1ef
By default, when useSysEncoding is absent from the profile, it is treated as false.
efb1ef
efb1ef
fixes https://pagure.io/dogtagpki/issue/2865
efb1ef
efb1ef
Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1
efb1ef
---
efb1ef
 .../cms/profile/def/UserSubjectNameDefault.java    | 83 +++++++++++++++++-----
efb1ef
 base/server/cmsbundle/src/UserMessages.properties  |  1 +
efb1ef
 .../netscape/cmscore/cert/X500NameSubsystem.java   |  7 +-
efb1ef
 3 files changed, 72 insertions(+), 19 deletions(-)
efb1ef
efb1ef
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
efb1ef
index 9064bc1..636b045 100644
efb1ef
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
efb1ef
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
efb1ef
@@ -44,9 +44,11 @@ import com.netscape.certsrv.request.IRequest;
efb1ef
 public class UserSubjectNameDefault extends EnrollDefault {
efb1ef
 
efb1ef
     public static final String VAL_NAME = "name";
efb1ef
+    public static final String CONFIG_USE_SYS_ENCODING = "useSysEncoding";
efb1ef
 
efb1ef
     public UserSubjectNameDefault() {
efb1ef
         super();
efb1ef
+        addConfigName(CONFIG_USE_SYS_ENCODING);
efb1ef
         addValueName(VAL_NAME);
efb1ef
     }
efb1ef
 
efb1ef
@@ -55,6 +57,16 @@ public class UserSubjectNameDefault extends EnrollDefault {
efb1ef
         super.init(profile, config);
efb1ef
     }
efb1ef
 
efb1ef
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
efb1ef
+        if (name.equals(CONFIG_USE_SYS_ENCODING)) {
efb1ef
+            return new Descriptor(IDescriptor.BOOLEAN, null,
efb1ef
+                    "false",
efb1ef
+                    CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_USE_SYS_ENCODING"));
efb1ef
+        } else {
efb1ef
+            return null;
efb1ef
+        }
efb1ef
+    }
efb1ef
+
efb1ef
     public IDescriptor getValueDescriptor(Locale locale, String name) {
efb1ef
         if (name.equals(VAL_NAME)) {
efb1ef
             return new Descriptor(IDescriptor.STRING, null, null,
efb1ef
@@ -64,52 +76,79 @@ public class UserSubjectNameDefault extends EnrollDefault {
efb1ef
         }
efb1ef
     }
efb1ef
 
efb1ef
-    public void setValue(String name, Locale locale,
efb1ef
-            X509CertInfo info, String value)
efb1ef
-            throws EPropertyException {
efb1ef
-        if (name == null) {
efb1ef
-            throw new EPropertyException(CMS.getUserMessage(
efb1ef
-                        locale, "CMS_INVALID_PROPERTY", name));
efb1ef
-        }
efb1ef
-        if (name.equals(VAL_NAME)) {
efb1ef
+    private X500Name getX500Name(X509CertInfo info, String value) {
efb1ef
+            String method = "UserSubjectNameDefault: getX500Name: ";
efb1ef
             X500Name x500name = null;
efb1ef
+            /*
efb1ef
+             * useSysEencoding default is false
efb1ef
+             * To change that, add the following in the affected profile:
efb1ef
+             * policyset.<policy set>.<#>.default.params.useSysEncoding=true
efb1ef
+             */
efb1ef
+            boolean useSysEncoding = getConfigBoolean(CONFIG_USE_SYS_ENCODING);
efb1ef
+            CMS.debug(method +
efb1ef
+                    "use system encoding: " + useSysEncoding);
efb1ef
 
efb1ef
             try {
efb1ef
-                x500name = new X500Name(value);
efb1ef
+                if (value != null)
efb1ef
+                    x500name = new X500Name(value);
efb1ef
 
efb1ef
+                // oldName is what comes with the CSR
efb1ef
                 CertificateSubjectName oldName = info.getSubjectObj();
efb1ef
                 if (oldName != null) {
efb1ef
+                    CMS.debug(method + "subjectDN exists in CSR. ");
efb1ef
+                } else {
efb1ef
+                    CMS.debug(method + "subjectDN does not exist in CSR. ");
efb1ef
+                }
efb1ef
+                if ((useSysEncoding == false) && (oldName != null)) {
efb1ef
                     /* If the canonical string representations of
efb1ef
                      * existing Subject DN and new DN are equal,
efb1ef
                      * keep the old name so that the attribute
efb1ef
                      * encodings are preserved. */
efb1ef
                     X500Name oldX500name = oldName.getX500Name();
efb1ef
                     if (x500name.toString().equals(oldX500name.toString())) {
efb1ef
-                        CMS.debug(
efb1ef
-                            "UserSubjectNameDefault: setValue: "
efb1ef
+                        CMS.debug( method
efb1ef
                             + "new Subject DN has same string representation "
efb1ef
                             + "as current value; retaining current value."
efb1ef
                         );
efb1ef
                         x500name = oldX500name;
efb1ef
                     } else {
efb1ef
-                        CMS.debug(
efb1ef
-                            "UserSubjectNameDefault: setValue: "
efb1ef
+                        CMS.debug(method
efb1ef
                             + "replacing current value `" + oldX500name.toString() + "` "
efb1ef
                             + "with new value `" + x500name.toString() + "`"
efb1ef
                         );
efb1ef
                     }
efb1ef
                 }
efb1ef
             } catch (IOException e) {
efb1ef
-                CMS.debug(e.toString());
efb1ef
+                CMS.debug(method + e.toString());
efb1ef
                 // failed to build x500 name
efb1ef
             }
efb1ef
-            CMS.debug("UserSubjectNameDefault: setValue name=" + x500name);
efb1ef
+            return x500name;
efb1ef
+    }
efb1ef
+
efb1ef
+    public void setValue(String name, Locale locale,
efb1ef
+            X509CertInfo info, String value)
efb1ef
+            throws EPropertyException {
efb1ef
+        String method = "UserSubjectNameDefault: setValue: ";
efb1ef
+        if (name == null) {
efb1ef
+            CMS.debug(name + "name null");
efb1ef
+            throw new EPropertyException(CMS.getUserMessage(
efb1ef
+                        locale, "CMS_INVALID_PROPERTY", name));
efb1ef
+        }
efb1ef
+        CMS.debug(method + "name = " + name);
efb1ef
+        if (value != null)
efb1ef
+            CMS.debug(method + "value = " + value);
efb1ef
+        else
efb1ef
+            CMS.debug(method + "value = null");
efb1ef
+
efb1ef
+        if (name.equals(VAL_NAME)) {
efb1ef
+            X500Name x500name = getX500Name(info, value);
efb1ef
+            CMS.debug(method + "setting name=" + x500name);
efb1ef
             try {
efb1ef
                 info.set(X509CertInfo.SUBJECT,
efb1ef
                         new CertificateSubjectName(x500name));
efb1ef
             } catch (Exception e) {
efb1ef
                 // failed to insert subject name
efb1ef
-                CMS.debug("UserSubjectNameDefault: setValue " + e.toString());
efb1ef
+                CMS.debug(method + e.toString());
efb1ef
                 throw new EPropertyException(CMS.getUserMessage(
efb1ef
                             locale, "CMS_INVALID_PROPERTY", name));
efb1ef
             }
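Review bot: In `getX500Name`, `x500name` stays null when `value` is null, yet the branch guarded by `(useSysEncoding == false) && (oldName != null)` calls `x500name.toString()` unconditionally. The resulting NullPointerException is not caught by `catch (IOException e)`, and because `setValue` calls `getX500Name` outside its `try`, it escapes `setValue` instead of becoming an `EPropertyException`. Adding the null test to the guard, `if (!useSysEncoding && oldName != null && x500name != null) {`, makes the method return null in that case rather than throw. In `setValue`, `CMS.debug(name + "name null");` concatenates the null `name` where `method` was evidently meant and should read `CMS.debug(method + "name null");`. The comment in `getX500Name` also misspells the parameter as `useSysEencoding`, and `setValue` continues past the end of this hunk.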
efb1ef
@@ -155,9 +194,17 @@ public class UserSubjectNameDefault extends EnrollDefault {
efb1ef
             throws EProfileException {
efb1ef
         // authenticate the subject name and populate it
efb1ef
         // to the certinfo
efb1ef
+        CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(
efb1ef
+                    IEnrollProfile.REQUEST_SUBJECT_NAME);
efb1ef
         try {
efb1ef
-            info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName(
efb1ef
-                    IEnrollProfile.REQUEST_SUBJECT_NAME));
efb1ef
+            info.set(X509CertInfo.SUBJECT, req_sbj);
efb1ef
+
efb1ef
+            // see if the encoding needs changing
efb1ef
+            X500Name x500name = getX500Name(info, req_sbj.toString());
efb1ef
+            if (x500name != null) {
efb1ef
+                info.set(X509CertInfo.SUBJECT,
efb1ef
+                        new CertificateSubjectName(x500name));
efb1ef
+            }
efb1ef
         } catch (Exception e) {
efb1ef
             // failed to insert subject name
efb1ef
             CMS.debug("UserSubjectNameDefault: populate " + e.toString());
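Review bot: `req_sbj` is dereferenced at `req_sbj.toString()` without a null check, so a request with no `REQUEST_SUBJECT_NAME` ext data now raises a NullPointerException that surfaces only through the broad `catch (Exception e)`, after `info.set(X509CertInfo.SUBJECT, req_sbj)` has already run. With `useSysEncoding` false the extra call appears to be a round trip: `info` already holds `req_sbj`, so `getX500Name` presumably compares the name's string form with itself and keeps the existing value. Gating the re-encode states the intent and removes the null dereference, e.g. `if (req_sbj != null && getConfigBoolean(CONFIG_USE_SYS_ENCODING)) {` around the `getX500Name` call. The re-encoded name is rebuilt from the DN's string form, so it is worth confirming that multi-valued RDNs and escaped characters survive that conversion unchanged. The body of `populate` starts before and ends after this hunk.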
efb1ef
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
efb1ef
index 9c324f5..208632d 100644
efb1ef
--- a/base/server/cmsbundle/src/UserMessages.properties
efb1ef
+++ b/base/server/cmsbundle/src/UserMessages.properties
efb1ef
@@ -754,6 +754,7 @@ CMS_PROFILE_ENCODING_ERROR=Error in BER encoding
efb1ef
 CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key
efb1ef
 CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys
efb1ef
 CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests
efb1ef
+CMS_PROFILE_CONFIG_USE_SYS_ENCODING=Use subject DN encoding from system-defined order
efb1ef
 CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0}
efb1ef
 CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation.
efb1ef
 CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0}
efb1ef
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
efb1ef
index 7accf2b..f1b3eb6 100644
efb1ef
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
efb1ef
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
efb1ef
@@ -185,10 +185,15 @@ public class X500NameSubsystem implements ISubsystem {
efb1ef
      */
efb1ef
     private void setDirStrEncodingOrder()
efb1ef
             throws EBaseException {
efb1ef
+        String method = "X500NameSubsystem: setDirStrEncodingOrder: ";
efb1ef
         String order = mConfig.getString(PROP_DIR_STR_ENCODING_ORDER, null);
efb1ef
 
efb1ef
-        if (order == null || order.length() == 0) // nothing.
efb1ef
+        if (order == null || order.length() == 0) { // nothing.
efb1ef
+            CMS.debug(method + "X500Name.directoryStringEncodingOrder not specified in config; Using default order in DirStrConverter.");
efb1ef
             return;
efb1ef
+        }
efb1ef
+        CMS.debug(method + "X500Name.directoryStringEncodingOrder specified in config: " + order);
efb1ef
+
efb1ef
         StringTokenizer toker = new StringTokenizer(order, ", \t");
efb1ef
         int numTokens = toker.countTokens();
efb1ef
 
efb1ef
-- 
efb1ef
1.8.3.1
efb1ef