|
|
efb1ef |
From 2d40c57887f7801f2ab0a8065b3b471bb7eafe80 Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Tue, 19 Jun 2018 15:21:54 -0700
|
|
|
efb1ef |
Subject: [PATCH 1/7] Ticket 3037 CMC SharedToken SubjectDN default
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch adds proper subjectDN to CMC requests authenticated via SharedToken.
|
|
|
efb1ef |
Specifically, the AuthTokenSubjectNameDefault profile default is added to
|
|
|
efb1ef |
the default CMC profiles that authenticates via SharedToken.
|
|
|
efb1ef |
Code were added to ensure that the proper subjectDN retrieved from the
|
|
|
efb1ef |
mapped user entry is added to the AuthToken for such utilization.
|
|
|
efb1ef |
|
|
|
efb1ef |
Fixes https://pagure.io/dogtagpki/issue/3037
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc
|
|
|
efb1ef |
---
|
|
|
efb1ef |
.../ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++--
|
|
|
efb1ef |
base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 4 ++--
|
|
|
efb1ef |
.../netscape/certsrv/authentication/ISharedToken.java | 2 +-
|
|
|
efb1ef |
.../com/netscape/cms/authentication/SharedSecret.java | 17 ++++++++++++++---
|
|
|
efb1ef |
.../com/netscape/cms/profile/common/EnrollProfile.java | 12 ++++++++++--
|
|
|
efb1ef |
.../cms/servlet/profile/ProfileSubmitCMCServlet.java | 1 +
|
|
|
efb1ef |
6 files changed, 30 insertions(+), 10 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
index d0a3c25..144c05c 100644
|
|
|
efb1ef |
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
@@ -13,8 +13,8 @@ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.params.accept=true
|
|
|
efb1ef |
-policyset.cmcUserCertSet.1.constraint.params.pattern=.*
|
|
|
efb1ef |
-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
|
|
|
efb1ef |
+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
|
|
|
efb1ef |
+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.default.name=Subject Name Default
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.default.params.name=
|
|
|
efb1ef |
policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
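Review bot: The new `constraint.params.pattern=(UID|CN)=.*` only pins the leading attribute type of the subject; everything after it, including the directory suffix, is still unconstrained. Whether `subjectNameConstraintImpl` anchors the match or compares case-sensitively is not visible in this hunk, so a DN that the directory returns as `uid=...` is worth confirming against it. Since the default now takes the subject from the auth token, a deployment can narrow the pattern to its own tree, e.g. `(UID|CN)=[^,]+,<base DN of the user subtree>` (placeholder). The same pair of lines is changed in caFullCMCSelfSignedCert.cfg in the next hunk.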
|
|
|
efb1ef |
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
index 6b2da33..bdcdc24 100644
|
|
|
efb1ef |
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
efb1ef |
@@ -12,9 +12,9 @@ policyset.list=cmcUserCertSet
|
|
|
efb1ef |
policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
|
|
|
efb1ef |
+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.constraint.params.accept=true
|
|
|
efb1ef |
-policyset.cmcUserCertSet.1.constraint.params.pattern=.*
|
|
|
efb1ef |
-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
|
|
|
efb1ef |
+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.default.name=Subject Name Default
|
|
|
efb1ef |
policyset.cmcUserCertSet.1.default.params.name=
|
|
|
efb1ef |
policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
|
|
|
efb1ef |
diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
|
|
|
efb1ef |
index 761c344..13f2286 100644
|
|
|
efb1ef |
--- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
|
|
|
efb1ef |
+++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java
|
|
|
efb1ef |
@@ -28,7 +28,7 @@ import com.netscape.certsrv.base.EBaseException;
|
|
|
efb1ef |
public interface ISharedToken {
|
|
|
efb1ef |
|
|
|
efb1ef |
// support for id_cmc_identification
|
|
|
efb1ef |
- public char[] getSharedToken(String identification)
|
|
|
efb1ef |
+ public char[] getSharedToken(String identification, IAuthToken authToken)
|
|
|
efb1ef |
throws EBaseException;
|
|
|
efb1ef |
|
|
|
efb1ef |
public char[] getSharedToken(PKIData cmcData)
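Review bot: The interface method `getSharedToken(String identification, IAuthToken authToken)` now takes an out-parameter but is still documented only by `// support for id_cmc_identification`. A Javadoc on the interface should state that `authToken` must be non-null and is filled with the subject DN of the mapped user entry, and that the caller clears the returned `char[]` after use, as the SharedSecret implementation in this patch already says. Any other ISharedToken implementer outside this patch has to pick up the new signature as well; none is visible here.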
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
index 1a3d877..e304b74 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
@@ -33,6 +33,7 @@ import com.netscape.certsrv.apps.CMS;
|
|
|
efb1ef |
import com.netscape.certsrv.authentication.AuthToken;
|
|
|
efb1ef |
import com.netscape.certsrv.authentication.EInvalidCredentials;
|
|
|
efb1ef |
import com.netscape.certsrv.authentication.IAuthCredentials;
|
|
|
efb1ef |
+import com.netscape.certsrv.authentication.IAuthToken;
|
|
|
efb1ef |
import com.netscape.certsrv.authentication.ISharedToken;
|
|
|
efb1ef |
import com.netscape.certsrv.base.EBaseException;
|
|
|
efb1ef |
import com.netscape.certsrv.base.IConfigStore;
|
|
|
efb1ef |
@@ -233,18 +234,25 @@ public class SharedSecret extends DirBasedAuthentication
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
/**
|
|
|
efb1ef |
- * getSharedToken(String identification) provides
|
|
|
efb1ef |
+ * getSharedToken(String identification, IAuthToken authToken) provides
|
|
|
efb1ef |
* support for id_cmc_identification shared secret based enrollment
|
|
|
efb1ef |
*
|
|
|
efb1ef |
+ * @param identification maps to the uid in user's ldap record
|
|
|
efb1ef |
+ * @param authToken the IAuthToken that will be filled with the DN
|
|
|
efb1ef |
+ * in user's ldap record
|
|
|
efb1ef |
+ *
|
|
|
efb1ef |
* Note: caller should clear the memory for the returned token
|
|
|
efb1ef |
* after each use
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
- public char[] getSharedToken(String identification)
|
|
|
efb1ef |
+ public char[] getSharedToken(String identification, IAuthToken authToken)
|
|
|
efb1ef |
throws EBaseException {
|
|
|
efb1ef |
- String method = "SharedSecret.getSharedToken(String identification): ";
|
|
|
efb1ef |
+ String method = "SharedSecret.getSharedToken(String identification, IAuthToken authToken): ";
|
|
|
efb1ef |
String msg = "";
|
|
|
efb1ef |
CMS.debug(method + "begins.");
|
|
|
efb1ef |
|
|
|
efb1ef |
+ if ((identification == null) || (authToken == null)) {
|
|
|
efb1ef |
+ throw new EBaseException(method + "paramsters identification or authToken cannot be null");
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
LDAPConnection shrTokLdapConnection = null;
|
|
|
efb1ef |
LDAPSearchResults res = null;
|
|
|
efb1ef |
LDAPEntry entry = null;
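Review bot: The message in the new null check is misspelled and does not say which argument was null: `"paramsters identification or authToken cannot be null"`. Suggest `"parameters identification and authToken cannot be null"`, or two separate checks so the log names the missing one. PATCH 2/7 adds the same misspelling as `"paramster serial cannot be null"` in `getSharedToken(BigInteger serial)`. The method body continues outside this hunk.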
|
|
|
efb1ef |
@@ -287,6 +295,9 @@ public class SharedSecret extends DirBasedAuthentication
|
|
|
efb1ef |
throw new EBaseException(msg);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
+ CMS.debug(method + "found user ldap entry: userdn = " + userdn);
|
|
|
efb1ef |
+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
|
|
|
efb1ef |
+
|
|
|
efb1ef |
res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
|
|
|
efb1ef |
"(objectclass=*)", new String[] { mShrTokAttr }, false);
|
|
|
efb1ef |
if (res != null && res.hasMoreElements()) {
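Review bot: `authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn)` runs as soon as the LDAP entry for the supplied identification is found, before the shared token attribute is read and before the caller has verified anything against it. If the later lookup or the verification in EnrollProfile fails, the token kept in the SessionContext still carries the subject DN of the claimed user; whether anything reads it after a failure is not visible in this hunk. Setting the subject only once the shared secret has been verified, or removing it on every failure path, keeps the token from naming a user who has not authenticated. The method starts and ends outside this hunk.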
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
efb1ef |
index caa466c..929e629 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
efb1ef |
@@ -1412,10 +1412,14 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
efb1ef |
CMS.debug(method + " Failed to retrieve shared secret authentication plugin class");
|
|
|
efb1ef |
sharedSecretFound = false;
|
|
|
efb1ef |
}
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ IAuthToken authToken = (IAuthToken)
|
|
|
efb1ef |
+ context.get(SessionContext.AUTH_TOKEN);
|
|
|
efb1ef |
+
|
|
|
efb1ef |
ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
|
|
|
efb1ef |
|
|
|
efb1ef |
if (ident_string != null) {
|
|
|
efb1ef |
- sharedSecret = tokenClass.getSharedToken(ident_string);
|
|
|
efb1ef |
+ sharedSecret = tokenClass.getSharedToken(ident_string, authToken);
|
|
|
efb1ef |
} else {
|
|
|
efb1ef |
sharedSecret = tokenClass.getSharedToken(mCMCData);
|
|
|
efb1ef |
}
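Review bot: `(IAuthToken) context.get(SessionContext.AUTH_TOKEN)` can yield null, because ProfileSubmitCMCServlet in this patch stores the token only when `authToken != null`, and `getSharedToken(ident_string, authToken)` now throws an EBaseException for a null token. That turns a missing token into a generic shared-token failure; a check right after the lookup, e.g. `if (authToken == null) { CMS.debug(method + " no auth token in session context"); }` followed by the method's existing failure handling, makes the cause visible. The `getSharedToken(mCMCData)` branch does not receive the token, so presumably no subject DN is set on that path. The same lookup is added in the second hunk of this file (around line 1713), and both enclosing methods extend beyond their hunks.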
|
|
|
efb1ef |
@@ -1709,12 +1713,16 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
efb1ef |
signedAuditLogger.log(auditMessage);
|
|
|
efb1ef |
return false;
|
|
|
efb1ef |
}
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ IAuthToken authToken = (IAuthToken)
|
|
|
efb1ef |
+ sessionContext.get(SessionContext.AUTH_TOKEN);
|
|
|
efb1ef |
+
|
|
|
efb1ef |
ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
|
|
|
efb1ef |
|
|
|
efb1ef |
char[] token = null;
|
|
|
efb1ef |
if (ident_string != null) {
|
|
|
efb1ef |
auditAttemptedCred = ident_string;
|
|
|
efb1ef |
- token = tokenClass.getSharedToken(ident_string);
|
|
|
efb1ef |
+ token = tokenClass.getSharedToken(ident_string, authToken);
|
|
|
efb1ef |
} else
|
|
|
efb1ef |
token = tokenClass.getSharedToken(mCMCData);
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
index 7d75e31..f469a66 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
@@ -446,6 +446,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
// authentication success
|
|
|
efb1ef |
if (authToken != null) {
|
|
|
efb1ef |
auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
|
|
|
efb1ef |
+ context.put(SessionContext.AUTH_TOKEN, authToken);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
} catch (EBaseException e) {
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
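Review bot: `context.put(SessionContext.AUTH_TOKEN, authToken)` is executed only when authentication returned a token, and nothing in this hunk removes the key again. If the SessionContext is tied to a reused worker thread and is not reset per request (not visible here), a later request with a null token would find the previous requester's token under `AUTH_TOKEN`, and EnrollProfile would then write a subject DN into it. Worth confirming that the context is released at the end of the request, or clearing the key when `authToken == null`.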
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From 2a228b4a8e1af920e577d007be87291831c635d5 Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Wed, 20 Jun 2018 18:59:28 -0700
|
|
|
efb1ef |
Subject: [PATCH 2/7] Ticket 2920 Part2 of SharedToken Audit
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch addresses the issue that the original audit message for failure
|
|
|
efb1ef |
got overwritten for SharedToken.
|
|
|
efb1ef |
|
|
|
efb1ef |
fixes https://pagure.io/dogtagpki/issue/2920
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4
|
|
|
efb1ef |
---
|
|
|
efb1ef |
.../netscape/cms/authentication/SharedSecret.java | 5 ++
|
|
|
efb1ef |
.../def/CMCUserSignedSubjectNameDefault.java | 7 ++-
|
|
|
efb1ef |
.../cms/servlet/common/CMCOutputTemplate.java | 9 ++--
|
|
|
efb1ef |
.../servlet/profile/ProfileSubmitCMCServlet.java | 63 ++++++++++++++--------
|
|
|
efb1ef |
4 files changed, 57 insertions(+), 27 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
index e304b74..5ebc213 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
efb1ef |
@@ -406,6 +406,11 @@ public class SharedSecret extends DirBasedAuthentication
|
|
|
efb1ef |
String method = "SharedSecret.getSharedToken(BigInteger serial): ";
|
|
|
efb1ef |
String msg = "";
|
|
|
efb1ef |
|
|
|
efb1ef |
+ if (serial == null) {
|
|
|
efb1ef |
+ throw new EBaseException(method + "paramster serial cannot be null");
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ CMS.debug(method + serial.toString());
|
|
|
efb1ef |
+
|
|
|
efb1ef |
ICertRecord record = null;
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
record = certRepository.readCertificateRecord(serial);
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
|
|
|
efb1ef |
index a0816ea..f1810b0 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java
|
|
|
efb1ef |
@@ -137,12 +137,17 @@ public class CMCUserSignedSubjectNameDefault extends EnrollDefault {
|
|
|
efb1ef |
String msg = "";
|
|
|
efb1ef |
CMS.debug(method + "begins");
|
|
|
efb1ef |
|
|
|
efb1ef |
- String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
|
|
|
efb1ef |
if (info == null) {
|
|
|
efb1ef |
msg = method + "info null";
|
|
|
efb1ef |
CMS.debug(msg);
|
|
|
efb1ef |
throw new EProfileException(msg);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
+ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
|
|
|
efb1ef |
+ if (signingUserSerial == null) {
|
|
|
efb1ef |
+ msg = method + "signing user serial not found; request was unsigned?";
|
|
|
efb1ef |
+ CMS.debug(msg);
|
|
|
efb1ef |
+ throw new EProfileException(msg);
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
|
|
|
efb1ef |
CertificateSubjectName certSN = null;
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
efb1ef |
index a0a946d..154cd33 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
efb1ef |
@@ -1103,14 +1103,15 @@ public class CMCOutputTemplate {
|
|
|
efb1ef |
|
|
|
efb1ef |
char[] sharedSecret = null;
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
- sharedSecret = tokenClass.getSharedToken(revokeSerial);
|
|
|
efb1ef |
+ sharedSecret = tokenClass.getSharedToken(revokeSerial);
|
|
|
efb1ef |
} catch (Exception eShrTok) {
|
|
|
efb1ef |
- CMS.debug("CMCOutputTemplate: " + eShrTok.toString());
|
|
|
efb1ef |
+ msg = "CMCOutputTemplate: " + eShrTok.toString();
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
if (sharedSecret == null) {
|
|
|
efb1ef |
- msg = " shared secret not found";
|
|
|
efb1ef |
- CMS.debug(method + msg);
|
|
|
efb1ef |
+ if (msg.equals("")) // don't overwrite the msg
|
|
|
efb1ef |
+ msg = " shared secret not found";
|
|
|
efb1ef |
+ CMS.debug(msg);
|
|
|
efb1ef |
audit(new CertStatusChangeRequestProcessedEvent(
|
|
|
efb1ef |
auditSubjectID,
|
|
|
efb1ef |
ILogger.FAILURE,
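Review bot: The `if (msg.equals(""))` guard only works if `msg` is still the empty string when this block is reached; `msg` is declared outside the hunk, so a value left over from an earlier step would be reported as the reason for the missing shared secret, and a null would throw. A local variable for the lookup error avoids both. The new `CMS.debug(msg)` also drops the `method` prefix the removed line had, and the unbraced `if` is easy to misread next to it. `eShrTok.toString()` now flows into `msg`; if `msg` is what the audit event below records, confirm that the text cannot carry line breaks, which PATCH 4/7 shows break AuditVerify.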
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
index f469a66..12fd294 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
efb1ef |
@@ -533,10 +533,16 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth");
|
|
|
efb1ef |
ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ String errorCode = null;
|
|
|
efb1ef |
+ String errorReason = null;
|
|
|
efb1ef |
+ String auditRequesterID = ILogger.UNIDENTIFIED;
|
|
|
efb1ef |
+
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
reqs = profile.createRequests(ctx, locale);
|
|
|
efb1ef |
} catch (ECMCBadMessageCheckException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -547,9 +553,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.BAD_MESSAGE_CHECK, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (ECMCBadIdentityException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -560,9 +566,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.BAD_IDENTITY, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (ECMCPopFailedException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -573,9 +579,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.POP_FAILED, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (ECMCBadRequestException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -586,9 +592,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.BAD_REQUEST, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (EProfileException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -599,9 +605,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.INTERNAL_CA_ERROR, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (Throwable e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -612,7 +618,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.INTERNAL_CA_ERROR, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ if (errorReason != null) {
|
|
|
efb1ef |
+ audit(CertRequestProcessedEvent.createFailureEvent(
|
|
|
efb1ef |
+ auditSubjectID,
|
|
|
efb1ef |
+ auditRequesterID,
|
|
|
efb1ef |
+ ILogger.SIGNED_AUDIT_REJECTION,
|
|
|
efb1ef |
+ errorReason));
|
|
|
efb1ef |
+ return;
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
TaggedAttribute attr =
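Review bot: The new `if (errorReason != null)` block audits the rejection only after the catch body has finished building the CMC failure response, so an exception thrown by `createFullResponseWithFailedStatus` inside a catch block would still leave the failure unaudited; whether that call can throw is not visible here. Emitting the audit event before the response is written, or from a `finally`, closes that gap. `errorReason` is the raw `e.toString()`; if CertRequestProcessedEvent does not normalise its values, exception text containing line breaks would hit the AuditVerify problem that PATCH 4/7 fixes for ConfigRoleEvent. The same block is added inside the populate loop in the last hunk of this file.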
|
|
|
efb1ef |
@@ -684,13 +698,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
- String errorCode = null;
|
|
|
efb1ef |
- String errorReason = null;
|
|
|
efb1ef |
-
|
|
|
efb1ef |
///////////////////////////////////////////////
|
|
|
efb1ef |
// populate request
|
|
|
efb1ef |
///////////////////////////////////////////////
|
|
|
efb1ef |
for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) {
|
|
|
efb1ef |
+ auditRequesterID = auditRequesterID(reqs[k]);
|
|
|
efb1ef |
// adding parameters to request
|
|
|
efb1ef |
setInputsIntoRequest(request, profile, reqs[k]);
|
|
|
efb1ef |
|
|
|
efb1ef |
@@ -769,7 +781,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
profile.populateInput(ctx, reqs[k]);
|
|
|
efb1ef |
profile.populate(reqs[k]);
|
|
|
efb1ef |
} catch (ECMCPopFailedException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -780,9 +793,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.POP_FAILED, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (EProfileException e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
SEQUENCE seq = new SEQUENCE();
|
|
|
efb1ef |
seq.addElement(new INTEGER(0));
|
|
|
efb1ef |
@@ -793,9 +806,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.BAD_REQUEST, s);
|
|
|
efb1ef |
- return;
|
|
|
efb1ef |
} catch (Throwable e) {
|
|
|
efb1ef |
- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString());
|
|
|
efb1ef |
+ errorReason = e.toString();
|
|
|
efb1ef |
+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason);
|
|
|
efb1ef |
// throw new IOException("Profile " + profileId +
|
|
|
efb1ef |
// " cannot populate");
|
|
|
efb1ef |
CMCOutputTemplate template = new CMCOutputTemplate();
|
|
|
efb1ef |
@@ -808,12 +821,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
template.createFullResponseWithFailedStatus(response, seq,
|
|
|
efb1ef |
OtherInfo.INTERNAL_CA_ERROR, s);
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ if (errorReason != null) {
|
|
|
efb1ef |
+ audit(CertRequestProcessedEvent.createFailureEvent(
|
|
|
efb1ef |
+ auditSubjectID,
|
|
|
efb1ef |
+ auditRequesterID,
|
|
|
efb1ef |
+ ILogger.SIGNED_AUDIT_REJECTION,
|
|
|
efb1ef |
+ errorReason));
|
|
|
efb1ef |
return;
|
|
|
efb1ef |
}
|
|
|
efb1ef |
} //for
|
|
|
efb1ef |
|
|
|
efb1ef |
- String auditRequesterID = ILogger.UNIDENTIFIED;
|
|
|
efb1ef |
-
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
///////////////////////////////////////////////
|
|
|
efb1ef |
// submit request
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From a85486cfc7644b6a1caac6f5a2b34c4516ea1288 Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
efb1ef |
Date: Fri, 15 Jun 2018 00:28:43 +1000
|
|
|
efb1ef |
Subject: [PATCH 3/7] IPAddressName: fix construction from String
|
|
|
efb1ef |
|
|
|
efb1ef |
The IPAddressName(String) constructor (the non-netmask case) was
|
|
|
efb1ef |
broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6. Fix it,
|
|
|
efb1ef |
and rename one of the helper methods to clarify its behaviour.
|
|
|
efb1ef |
|
|
|
efb1ef |
Fixes: https://pagure.io/dogtagpki/issue/2922
|
|
|
efb1ef |
Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea
|
|
|
efb1ef |
---
|
|
|
efb1ef |
base/util/src/netscape/security/x509/IPAddressName.java | 8 ++++----
|
|
|
efb1ef |
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
|
|
|
efb1ef |
index a343a5f..b227af0 100644
|
|
|
efb1ef |
--- a/base/util/src/netscape/security/x509/IPAddressName.java
|
|
|
efb1ef |
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
|
|
|
efb1ef |
@@ -76,7 +76,7 @@ public class IPAddressName implements GeneralNameInterface {
|
|
|
efb1ef |
* @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
public IPAddressName(String s, String netmask) {
|
|
|
efb1ef |
- address = initAddress(true, s);
|
|
|
efb1ef |
+ address = parseAddress(true, s);
|
|
|
efb1ef |
if (address.length == IPv4_LEN * 2)
|
|
|
efb1ef |
fillIPv4Address(netmask, address, address.length / 2);
|
|
|
efb1ef |
else
|
|
|
efb1ef |
@@ -90,7 +90,7 @@ public class IPAddressName implements GeneralNameInterface {
|
|
|
efb1ef |
* @param mask a CIDR netmask
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
public IPAddressName(String s, CIDRNetmask mask) {
|
|
|
efb1ef |
- address = initAddress(true, s);
|
|
|
efb1ef |
+ address = parseAddress(true, s);
|
|
|
efb1ef |
mask.write(ByteBuffer.wrap(
|
|
|
efb1ef |
address, address.length / 2, address.length / 2));
|
|
|
efb1ef |
}
|
|
|
efb1ef |
@@ -102,7 +102,7 @@ public class IPAddressName implements GeneralNameInterface {
|
|
|
efb1ef |
* @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
public IPAddressName(String s) {
|
|
|
efb1ef |
- initAddress(false, s);
|
|
|
efb1ef |
+ address = parseAddress(false, s);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
/**
|
|
|
efb1ef |
@@ -113,7 +113,7 @@ public class IPAddressName implements GeneralNameInterface {
|
|
|
efb1ef |
* @return byte[] of length 4 or 16 if withNetmask == false,
|
|
|
efb1ef |
* or length 8 or 32 if withNetmask == true.
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
- private static byte[] initAddress(boolean withNetmask, String s) {
|
|
|
efb1ef |
+ private static byte[] parseAddress(boolean withNetmask, String s) {
|
|
|
efb1ef |
if (s.indexOf(':') != -1) {
|
|
|
efb1ef |
byte[] address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
|
|
|
efb1ef |
fillIPv6Address(s, address, 0);
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From 1f5e857759cb822093cdc20125fa4d0990432356 Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Mon, 25 Jun 2018 16:46:36 -0700
|
|
|
efb1ef |
Subject: [PATCH 4/7] Ticket 3003 AuditVerify failure due to line breaks
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks
|
|
|
efb1ef |
in audit entry from running pki ca-user-cert-add which would cause AuditVerify
|
|
|
efb1ef |
to fail. (note: adding user cert via the java console does not have such issue)
|
|
|
efb1ef |
|
|
|
efb1ef |
fixes https://pagure.io/dogtagpki/issue/3003
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9
|
|
|
efb1ef |
---
|
|
|
efb1ef |
.../com/netscape/certsrv/logging/event/ConfigRoleEvent.java | 3 ++-
|
|
|
efb1ef |
base/util/src/com/netscape/cmsutil/util/Utils.java | 12 +++++++++++-
|
|
|
efb1ef |
2 files changed, 13 insertions(+), 2 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
|
|
|
efb1ef |
index cc5f0b7..0ac71a8 100644
|
|
|
efb1ef |
--- a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
|
|
|
efb1ef |
+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java
|
|
|
efb1ef |
@@ -18,6 +18,7 @@
|
|
|
efb1ef |
package com.netscape.certsrv.logging.event;
|
|
|
efb1ef |
|
|
|
efb1ef |
import com.netscape.certsrv.logging.SignedAuditEvent;
|
|
|
efb1ef |
+import com.netscape.cmsutil.util.Utils;
|
|
|
efb1ef |
|
|
|
efb1ef |
public class ConfigRoleEvent extends SignedAuditEvent {
|
|
|
efb1ef |
|
|
|
efb1ef |
@@ -35,6 +36,6 @@ public class ConfigRoleEvent extends SignedAuditEvent {
|
|
|
efb1ef |
|
|
|
efb1ef |
setAttribute("SubjectID", subjectID);
|
|
|
efb1ef |
setAttribute("Outcome", outcome);
|
|
|
efb1ef |
- setAttribute("ParamNameValPairs", params);
|
|
|
efb1ef |
+ setAttribute("ParamNameValPairs", Utils.normalizeString(params, true /*keep space*/));
|
|
|
efb1ef |
}
|
|
|
efb1ef |
}
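Review bot: Only `ParamNameValPairs` is passed through `Utils.normalizeString`; `SubjectID` and `Outcome` are still stored as given. If either can carry requester-influenced text, a line break there would split the signed audit entry the same way. Normalising in the shared `setAttribute` path of SignedAuditEvent (not visible here) would cover every event rather than this one class.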
|
|
|
efb1ef |
diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
efb1ef |
index 5ff78ad..9d0f9eb 100644
|
|
|
efb1ef |
--- a/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
efb1ef |
+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
efb1ef |
@@ -336,15 +336,24 @@ public class Utils {
|
|
|
efb1ef |
* Normalize B64 input String
|
|
|
efb1ef |
*
|
|
|
efb1ef |
* @pram string base-64 string
|
|
|
efb1ef |
+ * @param keepspace a boolean variable to control whether to keep spaces or not
|
|
|
efb1ef |
* @return normalized string
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
public static String normalizeString(String string) {
|
|
|
efb1ef |
+ return normalizeString(string, false /*keepSpace*/);
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ public static String normalizeString(String string, Boolean keepSpace) {
|
|
|
efb1ef |
if (string == null) {
|
|
|
efb1ef |
return string;
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
StringBuffer sb = new StringBuffer();
|
|
|
efb1ef |
- StringTokenizer st = new StringTokenizer(string, "\r\n ");
|
|
|
efb1ef |
+ StringTokenizer st = null;
|
|
|
efb1ef |
+ if (keepSpace)
|
|
|
efb1ef |
+ st = new StringTokenizer(string, "\r\n");
|
|
|
efb1ef |
+ else
|
|
|
efb1ef |
+ st = new StringTokenizer(string, "\r\n ");
|
|
|
efb1ef |
|
|
|
efb1ef |
while (st.hasMoreTokens()) {
|
|
|
efb1ef |
String nextLine = st.nextToken();
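Review bot: `normalizeString(String string, Boolean keepSpace)` takes a boxed `Boolean`, so `if (keepSpace)` throws a NullPointerException when a caller passes null; the parameter should be the primitive, `public static String normalizeString(String string, boolean keepSpace)`. The added `@param keepspace` line sits in the Javadoc of the one-argument overload, which has no such parameter, while the new two-argument method has no Javadoc and spells the name `keepSpace`. The comment also still describes base-64 input, although the method is now used to strip line breaks from audit parameters. The loop body continues outside this hunk, so how the tokens are rejoined is not visible.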
|
|
|
efb1ef |
@@ -353,4 +362,5 @@ public class Utils {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
return sb.toString();
|
|
|
efb1ef |
}
|
|
|
efb1ef |
+
|
|
|
efb1ef |
}
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From cf1b83ed6e7be07636c3deac770d586433d80f9e Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Tue, 26 Jun 2018 15:16:53 -0700
|
|
|
efb1ef |
Subject: [PATCH 5/7] Ticket 2992 CMC Simple request profiles and CMCResponse
|
|
|
efb1ef |
to support simple response
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch fixes the broken profiles resulting from https://pagure.io/dogtagpki/issue/3018.
|
|
|
efb1ef |
|
|
|
efb1ef |
In addition, CMCResponse has been improved to handle CMC simple response.
|
|
|
efb1ef |
|
|
|
efb1ef |
fixes https://pagure.io/dogtagpki/issue/2992
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a
|
|
|
efb1ef |
---
|
|
|
efb1ef |
.../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 6 +--
|
|
|
efb1ef |
base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 6 +--
|
|
|
efb1ef |
.../src/com/netscape/cmstools/CMCResponse.java | 46 +++++++++++++---------
|
|
|
efb1ef |
3 files changed, 34 insertions(+), 24 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
|
|
|
efb1ef |
index 64a6ad9..8df3576 100644
|
|
|
efb1ef |
--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
|
|
|
efb1ef |
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
|
|
|
efb1ef |
@@ -1,11 +1,11 @@
|
|
|
efb1ef |
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
|
|
|
efb1ef |
+desc=This certificate profile is for enrolling user certificates by using the CMC simple certificate request with agent authentication.
|
|
|
efb1ef |
enable=true
|
|
|
efb1ef |
enableBy=admin
|
|
|
efb1ef |
name=Simple CMC Enrollment Request for User Certificate
|
|
|
efb1ef |
visible=false
|
|
|
efb1ef |
-auth.instance_id=
|
|
|
efb1ef |
+auth.instance_id=AgentCertAuth
|
|
|
efb1ef |
input.list=i1
|
|
|
efb1ef |
-input.i1.class_id=cmcCertReqInputImpl
|
|
|
efb1ef |
+input.i1.class_id=certReqInputImpl
|
|
|
efb1ef |
output.list=o1
|
|
|
efb1ef |
output.o1.class_id=certOutputImpl
|
|
|
efb1ef |
policyset.list=cmcUserCertSet
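Review bot: `auth.instance_id` changes from empty to `AgentCertAuth` here and in caSimpleCMCUserCert.cfg, but the diffstat lists only these two profile files and CMCResponse.java. If the shared profile files are only copied when an instance is created (not visible here), instances deployed earlier would keep the empty value until they are migrated separately; that is worth confirming and stating in the commit message. The two `desc` lines also differ in case (`CMC simple` here, `CMC Simple` in the other file) and should read the same.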
|
|
|
efb1ef |
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
|
|
|
efb1ef |
index 0628a36..a55873f 100644
|
|
|
efb1ef |
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
|
|
|
efb1ef |
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
|
|
|
efb1ef |
@@ -1,11 +1,11 @@
|
|
|
efb1ef |
-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
|
|
|
efb1ef |
+desc=This certificate profile is for enrolling user certificates by using the CMC Simple certificate request with agent authentication.
|
|
|
efb1ef |
enable=true
|
|
|
efb1ef |
enableBy=admin
|
|
|
efb1ef |
name=Simple CMC Enrollment Request for User Certificate
|
|
|
efb1ef |
visible=false
|
|
|
efb1ef |
-auth.instance_id=
|
|
|
efb1ef |
+auth.instance_id=AgentCertAuth
|
|
|
efb1ef |
input.list=i1
|
|
|
efb1ef |
-input.i1.class_id=cmcCertReqInputImpl
|
|
|
efb1ef |
+input.i1.class_id=certReqInputImpl
|
|
|
efb1ef |
output.list=o1
|
|
|
efb1ef |
output.o1.class_id=certOutputImpl
|
|
|
efb1ef |
policyset.list=cmcUserCertSet
|
|
|
efb1ef |
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
|
|
|
efb1ef |
index 945f09f..5d4f6c6 100644
|
|
|
efb1ef |
--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
|
|
|
efb1ef |
+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
|
|
|
efb1ef |
@@ -82,14 +82,20 @@ public class CMCResponse {
|
|
|
efb1ef |
|
|
|
efb1ef |
public Collection<CMCStatusInfoV2> getStatusInfos() throws IOException, InvalidBERException {
|
|
|
efb1ef |
|
|
|
efb1ef |
- Collection<CMCStatusInfoV2> list = new ArrayList<>();
|
|
|
efb1ef |
-
|
|
|
efb1ef |
- // assume full CMC response
|
|
|
efb1ef |
-
|
|
|
efb1ef |
SignedData signedData = (SignedData) contentInfo.getInterpretedContent();
|
|
|
efb1ef |
EncapsulatedContentInfo eci = signedData.getContentInfo();
|
|
|
efb1ef |
|
|
|
efb1ef |
+ Collection<CMCStatusInfoV2> list = new ArrayList<>();
|
|
|
efb1ef |
+
|
|
|
efb1ef |
OCTET_STRING content = eci.getContent();
|
|
|
efb1ef |
+ if (content == null) {
|
|
|
efb1ef |
+ System.out.println("CMC Simple Response.");
|
|
|
efb1ef |
+ // No EncapsulatedContentInfo content; Assume simple response;
|
|
|
efb1ef |
+ return null;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ // assume full CMC response
|
|
|
efb1ef |
+ System.out.println("CMC Full Response.");
|
|
|
efb1ef |
+
|
|
|
efb1ef |
ByteArrayInputStream is = new ByteArrayInputStream(content.toByteArray());
|
|
|
efb1ef |
ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(is);
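Review bot: `getStatusInfos()` now returns `null` when the encapsulated content is absent, so every caller of a Collection-returning method has to null-check. Returning the empty `list` (`return list;`) would let the status loop in the last hunk run unchanged without its `if (statusInfos != null)` wrapper. As written, a response is classified as a simple response on the missing content alone, and the caller then skips the status check entirely, so it would be safer to confirm elsewhere that the SignedData carries the expected certificates before reporting success. The `(SignedData)` cast at the top is unchecked, and the two `System.out.println` calls would sit better in the caller than in a getter. The method body continues past the hunk.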
|
|
|
efb1ef |
|
|
|
efb1ef |
@@ -166,8 +172,10 @@ public class CMCResponse {
|
|
|
efb1ef |
System.out.println("Invalid CMC Response Format");
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
- if (!ci.hasContent())
|
|
|
efb1ef |
+ if (!ci.hasContent()) {
|
|
|
efb1ef |
+ // No EncapsulatedContentInfo content; Assume simple response
|
|
|
efb1ef |
return;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
|
|
|
efb1ef |
OCTET_STRING content1 = ci.getContent();
|
|
|
efb1ef |
ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray());
|
|
|
efb1ef |
@@ -371,23 +379,25 @@ public class CMCResponse {
|
|
|
efb1ef |
|
|
|
efb1ef |
// terminate if any of the statuses is not a SUCCESS
|
|
|
efb1ef |
Collection<CMCStatusInfoV2> statusInfos = response.getStatusInfos();
|
|
|
efb1ef |
- for (CMCStatusInfoV2 statusInfo : statusInfos) {
|
|
|
efb1ef |
+ if (statusInfos != null) { // full response
|
|
|
efb1ef |
+ for (CMCStatusInfoV2 statusInfo : statusInfos) {
|
|
|
efb1ef |
|
|
|
efb1ef |
- int status = statusInfo.getStatus();
|
|
|
efb1ef |
- if (status == CMCStatusInfoV2.SUCCESS) {
|
|
|
efb1ef |
- continue;
|
|
|
efb1ef |
- }
|
|
|
efb1ef |
+ int status = statusInfo.getStatus();
|
|
|
efb1ef |
+ if (status == CMCStatusInfoV2.SUCCESS) {
|
|
|
efb1ef |
+ continue;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
|
|
|
efb1ef |
- SEQUENCE bodyList = statusInfo.getBodyList();
|
|
|
efb1ef |
+ SEQUENCE bodyList = statusInfo.getBodyList();
|
|
|
efb1ef |
|
|
|
efb1ef |
- Collection<INTEGER> list = new ArrayList<>();
|
|
|
efb1ef |
- for (int i = 0; i < bodyList.size(); i++) {
|
|
|
efb1ef |
- INTEGER n = (INTEGER) bodyList.elementAt(i);
|
|
|
efb1ef |
- list.add(n);
|
|
|
efb1ef |
- }
|
|
|
efb1ef |
+ Collection<INTEGER> list = new ArrayList<>();
|
|
|
efb1ef |
+ for (int i = 0; i < bodyList.size(); i++) {
|
|
|
efb1ef |
+ INTEGER n = (INTEGER) bodyList.elementAt(i);
|
|
|
efb1ef |
+ list.add(n);
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
|
|
|
efb1ef |
- System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
|
|
|
efb1ef |
- System.exit(1);
|
|
|
efb1ef |
+ System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
|
|
|
efb1ef |
+ System.exit(1);
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
// export PKCS #7 if requested
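Review bot: `CMCStatusInfoV2.STATUS[status]` indexes an array with a status value taken from the parsed response, so a value outside the array's range would end the tool with ArrayIndexOutOfBoundsException rather than the intended error line. The array's length is not visible here. A bounds check before the lookup keeps the failure path readable: `String name = (status >= 0 && status < CMCStatusInfoV2.STATUS.length) ? CMCStatusInfoV2.STATUS[status] : "unknown (" + status + ")";`. The `(INTEGER) bodyList.elementAt(i)` cast is likewise unchecked. The enclosing method starts and ends outside the hunk.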
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From 3ad054342a08719cd80c618c2aa260210b418113 Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Wed, 27 Jun 2018 15:04:57 -0700
|
|
|
efb1ef |
Subject: [PATCH 6/7] Ticket #2959 Address pkispawn ECC profile overrides
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch enables proper ECC profiles to be automatically applied during
|
|
|
efb1ef |
pkispawn.
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch would eliminate the need for the workaround documented here:
|
|
|
efb1ef |
http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround
|
|
|
efb1ef |
|
|
|
efb1ef |
The idea is to use the % replacement strings as part of the profile names
|
|
|
efb1ef |
in the default.cfg file for pkispawn,
|
|
|
efb1ef |
and change the profile names to match the format. So for example:
|
|
|
efb1ef |
|
|
|
efb1ef |
%(pki_admin_key_type)AdminCert.profile
|
|
|
efb1ef |
|
|
|
efb1ef |
would either be translated to rsaAdminCert.profile or eccAdminCert.profile
|
|
|
efb1ef |
depending on the value in pki_admin_key_type
|
|
|
efb1ef |
|
|
|
efb1ef |
All 6 relevant profiles have been renamed per new convention.
|
|
|
efb1ef |
|
|
|
efb1ef |
fixes https://pagure.io/dogtagpki/issue/2959
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95
|
|
|
efb1ef |
---
|
|
|
efb1ef |
base/ca/shared/conf/ECadminCert.profile | 39 --------------------------
|
|
|
efb1ef |
base/ca/shared/conf/ECserverCert.profile | 39 --------------------------
|
|
|
efb1ef |
base/ca/shared/conf/ECsubsystemCert.profile | 39 --------------------------
|
|
|
efb1ef |
base/ca/shared/conf/adminCert.profile | 39 --------------------------
|
|
|
efb1ef |
base/ca/shared/conf/eccAdminCert.profile | 39 ++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/eccServerCert.profile | 39 ++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/eccSubsystemCert.profile | 39 ++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/rsaAdminCert.profile | 39 ++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/rsaServerCert.profile | 41 ++++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/rsaSubsystemCert.profile | 39 ++++++++++++++++++++++++++
|
|
|
efb1ef |
base/ca/shared/conf/serverCert.profile | 41 ----------------------------
|
|
|
efb1ef |
base/ca/shared/conf/subsystemCert.profile | 39 --------------------------
|
|
|
efb1ef |
base/server/etc/default.cfg | 6 ++--
|
|
|
efb1ef |
13 files changed, 239 insertions(+), 239 deletions(-)
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/ECadminCert.profile
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/ECserverCert.profile
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/ECsubsystemCert.profile
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/adminCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/eccAdminCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/eccServerCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/eccSubsystemCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/rsaAdminCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/rsaServerCert.profile
|
|
|
efb1ef |
create mode 100644 base/ca/shared/conf/rsaSubsystemCert.profile
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/serverCert.profile
|
|
|
efb1ef |
delete mode 100644 base/ca/shared/conf/subsystemCert.profile
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index 46d157a..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/ECadminCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,39 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# Admin Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=adminCert.profile
|
|
|
efb1ef |
-name=All Purpose admin cert with ECC keys Profile
|
|
|
efb1ef |
-description=This profile creates an administrator's certificate with ECC keys
|
|
|
efb1ef |
-profileIDMapping=caAdminCert
|
|
|
efb1ef |
-profileSetIDMapping=adminCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index 8c679f7..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/ECserverCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,39 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# ECC Server Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=serverCert.profile
|
|
|
efb1ef |
-name=All Purpose SSL server cert with ECC keys Profile
|
|
|
efb1ef |
-description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
|
|
|
efb1ef |
-profileIDMapping=caECServerCert
|
|
|
efb1ef |
-profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/ECsubsystemCert.profile b/base/ca/shared/conf/ECsubsystemCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index d11dabb..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/ECsubsystemCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,39 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# ECC Subsystem Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=subsystemCert.profile
|
|
|
efb1ef |
-name=Subsystem cert with ECC keys Profile
|
|
|
efb1ef |
-description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
|
|
|
efb1ef |
-profileIDMapping=caECSubsystemCert
|
|
|
efb1ef |
-profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index 5e84d74..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/adminCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,39 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# Server Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=adminCert.profile
|
|
|
efb1ef |
-name=All Purpose admin server cert Profile
|
|
|
efb1ef |
-description=This profile creates an administrator's certificate
|
|
|
efb1ef |
-profileIDMapping=caAdminCert
|
|
|
efb1ef |
-profileSetIDMapping=adminCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..46d157a
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/eccAdminCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,39 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# Admin Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=adminCert.profile
|
|
|
efb1ef |
+name=All Purpose admin cert with ECC keys Profile
|
|
|
efb1ef |
+description=This profile creates an administrator's certificate with ECC keys
|
|
|
efb1ef |
+profileIDMapping=caAdminCert
|
|
|
efb1ef |
+profileSetIDMapping=adminCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..8c679f7
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/eccServerCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,39 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# ECC Server Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=serverCert.profile
|
|
|
efb1ef |
+name=All Purpose SSL server cert with ECC keys Profile
|
|
|
efb1ef |
+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
|
|
|
efb1ef |
+profileIDMapping=caECServerCert
|
|
|
efb1ef |
+profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/eccSubsystemCert.profile b/base/ca/shared/conf/eccSubsystemCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..d11dabb
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/eccSubsystemCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,39 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# ECC Subsystem Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=subsystemCert.profile
|
|
|
efb1ef |
+name=Subsystem cert with ECC keys Profile
|
|
|
efb1ef |
+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
|
|
|
efb1ef |
+profileIDMapping=caECSubsystemCert
|
|
|
efb1ef |
+profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..5e84d74
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/rsaAdminCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,39 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# Server Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=adminCert.profile
|
|
|
efb1ef |
+name=All Purpose admin server cert Profile
|
|
|
efb1ef |
+description=This profile creates an administrator's certificate
|
|
|
efb1ef |
+profileIDMapping=caAdminCert
|
|
|
efb1ef |
+profileSetIDMapping=adminCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/rsaServerCert.profile b/base/ca/shared/conf/rsaServerCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..e740760
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/rsaServerCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,41 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# Server Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=serverCert.profile
|
|
|
efb1ef |
+name=All Purpose SSL server cert Profile
|
|
|
efb1ef |
+description=This profile creates an SSL server certificate that is valid for SSL servers
|
|
|
efb1ef |
+profileIDMapping=caServerCert
|
|
|
efb1ef |
+profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7,8
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
|
|
|
efb1ef |
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
|
|
|
efb1ef |
+8.default.name=Copy Common Name to Subjec Alternative Name Extension
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/rsaSubsystemCert.profile b/base/ca/shared/conf/rsaSubsystemCert.profile
|
|
|
efb1ef |
new file mode 100644
|
|
|
efb1ef |
index 0000000..fa8f84e
|
|
|
efb1ef |
--- /dev/null
|
|
|
efb1ef |
+++ b/base/ca/shared/conf/rsaSubsystemCert.profile
|
|
|
efb1ef |
@@ -0,0 +1,39 @@
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+# Subsystem Certificate
|
|
|
efb1ef |
+#
|
|
|
efb1ef |
+id=subsystemCert.profile
|
|
|
efb1ef |
+name=All Purpose SSL server cert Profile
|
|
|
efb1ef |
+description=This profile creates a subsystem certificate that is valid for SSL client
|
|
|
efb1ef |
+profileIDMapping=caSubsystemCert
|
|
|
efb1ef |
+profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
+list=2,4,5,6,7
|
|
|
efb1ef |
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
+2.default.name=Validity Default
|
|
|
efb1ef |
+2.default.params.range=720
|
|
|
efb1ef |
+2.default.params.startTime=0
|
|
|
efb1ef |
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
+4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
+5.default.name=AIA Extension Default
|
|
|
efb1ef |
+5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
+5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
+5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
+5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
+6.default.name=Key Usage Default
|
|
|
efb1ef |
+6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
+6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
+6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
+6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
+6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
+6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
+6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
+6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
+7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
+7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index e740760..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/serverCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,41 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# Server Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=serverCert.profile
|
|
|
efb1ef |
-name=All Purpose SSL server cert Profile
|
|
|
efb1ef |
-description=This profile creates an SSL server certificate that is valid for SSL servers
|
|
|
efb1ef |
-profileIDMapping=caServerCert
|
|
|
efb1ef |
-profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7,8
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=false
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
|
|
|
efb1ef |
-8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
|
|
|
efb1ef |
-8.default.name=Copy Common Name to Subjec Alternative Name Extension
|
|
|
efb1ef |
diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
|
|
|
efb1ef |
deleted file mode 100644
|
|
|
efb1ef |
index fa8f84e..0000000
|
|
|
efb1ef |
--- a/base/ca/shared/conf/subsystemCert.profile
|
|
|
efb1ef |
+++ /dev/null
|
|
|
efb1ef |
@@ -1,39 +0,0 @@
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-# Subsystem Certificate
|
|
|
efb1ef |
-#
|
|
|
efb1ef |
-id=subsystemCert.profile
|
|
|
efb1ef |
-name=All Purpose SSL server cert Profile
|
|
|
efb1ef |
-description=This profile creates a subsystem certificate that is valid for SSL client
|
|
|
efb1ef |
-profileIDMapping=caSubsystemCert
|
|
|
efb1ef |
-profileSetIDMapping=serverCertSet
|
|
|
efb1ef |
-list=2,4,5,6,7
|
|
|
efb1ef |
-2.default.class=com.netscape.cms.profile.def.ValidityDefault
|
|
|
efb1ef |
-2.default.name=Validity Default
|
|
|
efb1ef |
-2.default.params.range=720
|
|
|
efb1ef |
-2.default.params.startTime=0
|
|
|
efb1ef |
-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
|
|
|
efb1ef |
-4.default.name=Authority Key Identifier Default
|
|
|
efb1ef |
-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
|
|
|
efb1ef |
-5.default.name=AIA Extension Default
|
|
|
efb1ef |
-5.default.params.authInfoAccessADEnable_0=true
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocationType_0=URIName
|
|
|
efb1ef |
-5.default.params.authInfoAccessADLocation_0=
|
|
|
efb1ef |
-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
|
|
|
efb1ef |
-5.default.params.authInfoAccessCritical=false
|
|
|
efb1ef |
-5.default.params.authInfoAccessNumADs=1
|
|
|
efb1ef |
-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
|
|
|
efb1ef |
-6.default.name=Key Usage Default
|
|
|
efb1ef |
-6.default.params.keyUsageCritical=true
|
|
|
efb1ef |
-6.default.params.keyUsageDigitalSignature=true
|
|
|
efb1ef |
-6.default.params.keyUsageNonRepudiation=true
|
|
|
efb1ef |
-6.default.params.keyUsageDataEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyEncipherment=true
|
|
|
efb1ef |
-6.default.params.keyUsageKeyAgreement=false
|
|
|
efb1ef |
-6.default.params.keyUsageKeyCertSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageCrlSign=false
|
|
|
efb1ef |
-6.default.params.keyUsageEncipherOnly=false
|
|
|
efb1ef |
-6.default.params.keyUsageDecipherOnly=false
|
|
|
efb1ef |
-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
|
|
|
efb1ef |
-7.default.name=Extended Key Usage Extension Default
|
|
|
efb1ef |
-7.default.params.exKeyUsageCritical=false
|
|
|
efb1ef |
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
efb1ef |
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
|
|
|
efb1ef |
index e727648..c575e68 100644
|
|
|
efb1ef |
--- a/base/server/etc/default.cfg
|
|
|
efb1ef |
+++ b/base/server/etc/default.cfg
|
|
|
efb1ef |
@@ -400,12 +400,12 @@ pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
|
|
|
efb1ef |
pki_source_profiles=/usr/share/pki/ca/profiles
|
|
|
efb1ef |
pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
|
|
|
efb1ef |
pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
|
|
|
efb1ef |
-pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
|
|
|
efb1ef |
+pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
|
|
|
efb1ef |
pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
|
|
|
efb1ef |
pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
|
|
|
efb1ef |
pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
|
|
|
efb1ef |
-pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
|
|
|
efb1ef |
-pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
|
|
|
efb1ef |
+pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
|
|
|
efb1ef |
+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
|
|
|
efb1ef |
pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
|
|
|
efb1ef |
pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
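Review bot: The three `+` lines now build the profile paths from `pki_admin_key_type`, `pki_sslserver_key_type` and `pki_subsystem_key_type`, but nothing in this hunk restricts those values to the prefixes of profile files that actually ship (this patch adds `rsaServerCert.profile` and `rsaSubsystemCert.profile`). A key type spelled differently, for example in another case, or one with no matching file would resolve to a path that does not exist. That would presumably surface only when the profile is read during deployment. I would add a comment above these lines such as `# key type must match the prefix of a shipped <type>*Cert.profile (case-sensitive)` and, unless it is already done elsewhere, validate the key type before the path is used.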
|
|
|
efb1ef |
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|
|
|
efb1ef |
|
|
|
efb1ef |
From 2a9c2022d39e293269c49d806fa142992bef8abd Mon Sep 17 00:00:00 2001
|
|
|
efb1ef |
From: Christina Fu <cfu@redhat.com>
|
|
|
efb1ef |
Date: Tue, 12 Jun 2018 11:47:57 -0700
|
|
|
efb1ef |
Subject: [PATCH 7/7] Ticket 2865 X500Name.directoryStringEncodingOrder
|
|
|
efb1ef |
overridden by CSR encoding
|
|
|
efb1ef |
|
|
|
efb1ef |
This patch allows profile to have control over whether to override the subjectDN
|
|
|
efb1ef |
encoding in the CSR with the encoding set by the system.
|
|
|
efb1ef |
|
|
|
efb1ef |
New parameter in profile:
|
|
|
efb1ef |
policyset.<policy set>.<#>.default.params.useSysEncoding=true
|
|
|
efb1ef |
|
|
|
efb1ef |
where "true" means to override the subjectdn with the system default order or
|
|
|
efb1ef |
the order set by X500Name.directoryStringEncodingOrder in CS.cfg
|
|
|
efb1ef |
|
|
|
efb1ef |
By default, when useSysEncoding is absent from the profile, it is treated as false.
|
|
|
efb1ef |
|
|
|
efb1ef |
fixes https://pagure.io/dogtagpki/issue/2865
|
|
|
efb1ef |
|
|
|
efb1ef |
Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1
|
|
|
efb1ef |
---
|
|
|
efb1ef |
.../cms/profile/def/UserSubjectNameDefault.java | 83 +++++++++++++++++-----
|
|
|
efb1ef |
base/server/cmsbundle/src/UserMessages.properties | 1 +
|
|
|
efb1ef |
.../netscape/cmscore/cert/X500NameSubsystem.java | 7 +-
|
|
|
efb1ef |
3 files changed, 72 insertions(+), 19 deletions(-)
|
|
|
efb1ef |
|
|
|
efb1ef |
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
|
|
|
efb1ef |
index 9064bc1..636b045 100644
|
|
|
efb1ef |
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
|
|
|
efb1ef |
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
|
|
|
efb1ef |
@@ -44,9 +44,11 @@ import com.netscape.certsrv.request.IRequest;
|
|
|
efb1ef |
public class UserSubjectNameDefault extends EnrollDefault {
|
|
|
efb1ef |
|
|
|
efb1ef |
public static final String VAL_NAME = "name";
|
|
|
efb1ef |
+ public static final String CONFIG_USE_SYS_ENCODING = "useSysEncoding";
|
|
|
efb1ef |
|
|
|
efb1ef |
public UserSubjectNameDefault() {
|
|
|
efb1ef |
super();
|
|
|
efb1ef |
+ addConfigName(CONFIG_USE_SYS_ENCODING);
|
|
|
efb1ef |
addValueName(VAL_NAME);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
@@ -55,6 +57,16 @@ public class UserSubjectNameDefault extends EnrollDefault {
|
|
|
efb1ef |
super.init(profile, config);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
|
|
|
efb1ef |
+ if (name.equals(CONFIG_USE_SYS_ENCODING)) {
|
|
|
efb1ef |
+ return new Descriptor(IDescriptor.BOOLEAN, null,
|
|
|
efb1ef |
+ "false",
|
|
|
efb1ef |
+ CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_USE_SYS_ENCODING"));
|
|
|
efb1ef |
+ } else {
|
|
|
efb1ef |
+ return null;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+
|
|
|
efb1ef |
public IDescriptor getValueDescriptor(Locale locale, String name) {
|
|
|
efb1ef |
if (name.equals(VAL_NAME)) {
|
|
|
efb1ef |
return new Descriptor(IDescriptor.STRING, null, null,
|
|
|
efb1ef |
@@ -64,52 +76,79 @@ public class UserSubjectNameDefault extends EnrollDefault {
|
|
|
efb1ef |
}
|
|
|
efb1ef |
}
|
|
|
efb1ef |
|
|
|
efb1ef |
- public void setValue(String name, Locale locale,
|
|
|
efb1ef |
- X509CertInfo info, String value)
|
|
|
efb1ef |
- throws EPropertyException {
|
|
|
efb1ef |
- if (name == null) {
|
|
|
efb1ef |
- throw new EPropertyException(CMS.getUserMessage(
|
|
|
efb1ef |
- locale, "CMS_INVALID_PROPERTY", name));
|
|
|
efb1ef |
- }
|
|
|
efb1ef |
- if (name.equals(VAL_NAME)) {
|
|
|
efb1ef |
+ private X500Name getX500Name(X509CertInfo info, String value) {
|
|
|
efb1ef |
+ String method = "UserSubjectNameDefault: getX500Name: ";
|
|
|
efb1ef |
X500Name x500name = null;
|
|
|
efb1ef |
+ /*
|
|
|
efb1ef |
+ * useSysEencoding default is false
|
|
|
efb1ef |
+ * To change that, add the following in the affected profile:
|
|
|
efb1ef |
+ * policyset.<policy set>.<#>.default.params.useSysEncoding=true
|
|
|
efb1ef |
+ */
|
|
|
efb1ef |
+ boolean useSysEncoding = getConfigBoolean(CONFIG_USE_SYS_ENCODING);
|
|
|
efb1ef |
+ CMS.debug(method +
|
|
|
efb1ef |
+ "use system encoding: " + useSysEncoding);
|
|
|
efb1ef |
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
- x500name = new X500Name(value);
|
|
|
efb1ef |
+ if (value != null)
|
|
|
efb1ef |
+ x500name = new X500Name(value);
|
|
|
efb1ef |
|
|
|
efb1ef |
+ // oldName is what comes with the CSR
|
|
|
efb1ef |
CertificateSubjectName oldName = info.getSubjectObj();
|
|
|
efb1ef |
if (oldName != null) {
|
|
|
efb1ef |
+ CMS.debug(method + "subjectDN exists in CSR. ");
|
|
|
efb1ef |
+ } else {
|
|
|
efb1ef |
+ CMS.debug(method + "subjectDN does not exist in CSR. ");
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ if ((useSysEncoding == false) && (oldName != null)) {
|
|
|
efb1ef |
/* If the canonical string representations of
|
|
|
efb1ef |
* existing Subject DN and new DN are equal,
|
|
|
efb1ef |
* keep the old name so that the attribute
|
|
|
efb1ef |
* encodings are preserved. */
|
|
|
efb1ef |
X500Name oldX500name = oldName.getX500Name();
|
|
|
efb1ef |
if (x500name.toString().equals(oldX500name.toString())) {
|
|
|
efb1ef |
- CMS.debug(
|
|
|
efb1ef |
- "UserSubjectNameDefault: setValue: "
|
|
|
efb1ef |
+ CMS.debug( method
|
|
|
efb1ef |
+ "new Subject DN has same string representation "
|
|
|
efb1ef |
+ "as current value; retaining current value."
|
|
|
efb1ef |
);
|
|
|
efb1ef |
x500name = oldX500name;
|
|
|
efb1ef |
} else {
|
|
|
efb1ef |
- CMS.debug(
|
|
|
efb1ef |
- "UserSubjectNameDefault: setValue: "
|
|
|
efb1ef |
+ CMS.debug(method
|
|
|
efb1ef |
+ "replacing current value `" + oldX500name.toString() + "` "
|
|
|
efb1ef |
+ "with new value `" + x500name.toString() + "`"
|
|
|
efb1ef |
);
|
|
|
efb1ef |
}
|
|
|
efb1ef |
}
|
|
|
efb1ef |
} catch (IOException e) {
|
|
|
efb1ef |
- CMS.debug(e.toString());
|
|
|
efb1ef |
+ CMS.debug(method + e.toString());
|
|
|
efb1ef |
// failed to build x500 name
|
|
|
efb1ef |
}
|
|
|
efb1ef |
- CMS.debug("UserSubjectNameDefault: setValue name=" + x500name);
|
|
|
efb1ef |
+ return x500name;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ public void setValue(String name, Locale locale,
|
|
|
efb1ef |
+ X509CertInfo info, String value)
|
|
|
efb1ef |
+ throws EPropertyException {
|
|
|
efb1ef |
+ String method = "UserSubjectNameDefault: setValue: ";
|
|
|
efb1ef |
+ if (name == null) {
|
|
|
efb1ef |
+ CMS.debug(name + "name null");
|
|
|
efb1ef |
+ throw new EPropertyException(CMS.getUserMessage(
|
|
|
efb1ef |
+ locale, "CMS_INVALID_PROPERTY", name));
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ CMS.debug(method + "name = " + name);
|
|
|
efb1ef |
+ if (value != null)
|
|
|
efb1ef |
+ CMS.debug(method + "value = " + value);
|
|
|
efb1ef |
+ else
|
|
|
efb1ef |
+ CMS.debug(method + "value = null");
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ if (name.equals(VAL_NAME)) {
|
|
|
efb1ef |
+ X500Name x500name = getX500Name(info, value);
|
|
|
efb1ef |
+ CMS.debug(method + "setting name=" + x500name);
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
info.set(X509CertInfo.SUBJECT,
|
|
|
efb1ef |
new CertificateSubjectName(x500name));
|
|
|
efb1ef |
} catch (Exception e) {
|
|
|
efb1ef |
// failed to insert subject name
|
|
|
efb1ef |
- CMS.debug("UserSubjectNameDefault: setValue " + e.toString());
|
|
|
efb1ef |
+ CMS.debug(method + e.toString());
|
|
|
efb1ef |
throw new EPropertyException(CMS.getUserMessage(
|
|
|
efb1ef |
locale, "CMS_INVALID_PROPERTY", name));
|
|
|
efb1ef |
}
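Review bot: `getX500Name` can dereference a null `x500name`: the new `if (value != null)` guard leaves it null, yet `x500name.toString().equals(oldX500name.toString())` still runs whenever the CSR carries a subject and `useSysEncoding` is false. `setValue` explicitly anticipates a null `value` (it logs `value = null`) and calls `getX500Name` outside its `try`, so the NullPointerException would escape instead of becoming an `EPropertyException`. Extending the condition to `if ((useSysEncoding == false) && (oldName != null) && (x500name != null)) {` avoids that. Separately, `CMS.debug(name + "name null");` concatenates the null `name` and should read `CMS.debug(method + "name null");`, and the block comment misspells the parameter as `useSysEencoding`. `setValue` continues past the end of this hunk.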
|
|
|
efb1ef |
@@ -155,9 +194,17 @@ public class UserSubjectNameDefault extends EnrollDefault {
|
|
|
efb1ef |
throws EProfileException {
|
|
|
efb1ef |
// authenticate the subject name and populate it
|
|
|
efb1ef |
// to the certinfo
|
|
|
efb1ef |
+ CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(
|
|
|
efb1ef |
+ IEnrollProfile.REQUEST_SUBJECT_NAME);
|
|
|
efb1ef |
try {
|
|
|
efb1ef |
- info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName(
|
|
|
efb1ef |
- IEnrollProfile.REQUEST_SUBJECT_NAME));
|
|
|
efb1ef |
+ info.set(X509CertInfo.SUBJECT, req_sbj);
|
|
|
efb1ef |
+
|
|
|
efb1ef |
+ // see if the encoding needs changing
|
|
|
efb1ef |
+ X500Name x500name = getX500Name(info, req_sbj.toString());
|
|
|
efb1ef |
+ if (x500name != null) {
|
|
|
efb1ef |
+ info.set(X509CertInfo.SUBJECT,
|
|
|
efb1ef |
+ new CertificateSubjectName(x500name));
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
} catch (Exception e) {
|
|
|
efb1ef |
// failed to insert subject name
|
|
|
efb1ef |
CMS.debug("UserSubjectNameDefault: populate " + e.toString());
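Review bot: When `getX500Name` returns null, the `if (x500name != null)` branch is skipped and the certificate silently keeps the CSR's encoding, even for a profile that sets `useSysEncoding=true`. That null return happens when `new X500Name(value)` throws an `IOException`, which the helper only logs. I would add an `else` branch that records the fallback, e.g. `CMS.debug("UserSubjectNameDefault: populate: subject DN not re-encoded; keeping CSR encoding");`, and decide whether a profile that requires system encoding should reject the request instead. As a style point, `req_sbj` would read better as `reqSubject` to follow Java naming. The method starts and ends outside this hunk.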
|
|
|
efb1ef |
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
efb1ef |
index 9c324f5..208632d 100644
|
|
|
efb1ef |
--- a/base/server/cmsbundle/src/UserMessages.properties
|
|
|
efb1ef |
+++ b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
efb1ef |
@@ -754,6 +754,7 @@ CMS_PROFILE_ENCODING_ERROR=Error in BER encoding
|
|
|
efb1ef |
CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key
|
|
|
efb1ef |
CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys
|
|
|
efb1ef |
CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests
|
|
|
efb1ef |
+CMS_PROFILE_CONFIG_USE_SYS_ENCODING=Use subject DN encoding from system-defined order
|
|
|
efb1ef |
CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0}
|
|
|
efb1ef |
CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation.
|
|
|
efb1ef |
CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0}
|
|
|
efb1ef |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
|
|
|
efb1ef |
index 7accf2b..f1b3eb6 100644
|
|
|
efb1ef |
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
|
|
|
efb1ef |
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java
|
|
|
efb1ef |
@@ -185,10 +185,15 @@ public class X500NameSubsystem implements ISubsystem {
|
|
|
efb1ef |
*/
|
|
|
efb1ef |
private void setDirStrEncodingOrder()
|
|
|
efb1ef |
throws EBaseException {
|
|
|
efb1ef |
+ String method = "X500NameSubsystem: setDirStrEncodingOrder: ";
|
|
|
efb1ef |
String order = mConfig.getString(PROP_DIR_STR_ENCODING_ORDER, null);
|
|
|
efb1ef |
|
|
|
efb1ef |
- if (order == null || order.length() == 0) // nothing.
|
|
|
efb1ef |
+ if (order == null || order.length() == 0) { // nothing.
|
|
|
efb1ef |
+ CMS.debug(method + "X500Name.directoryStringEncodingOrder not specified in config; Using default order in DirStrConverter.");
|
|
|
efb1ef |
return;
|
|
|
efb1ef |
+ }
|
|
|
efb1ef |
+ CMS.debug(method + "X500Name.directoryStringEncodingOrder specified in config: " + order);
|
|
|
efb1ef |
+
|
|
|
efb1ef |
StringTokenizer toker = new StringTokenizer(order, ", \t");
|
|
|
efb1ef |
int numTokens = toker.countTokens();
|
|
|
efb1ef |
|
|
|
efb1ef |
--
|
|
|
efb1ef |
1.8.3.1
|
|
|
efb1ef |
|