
From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 30 Jul 2018 17:15:09 -0700
Subject: [PATCH 1/5] Bug 1601071  Certificate generation happens with partial
 attributes in CMCRequest file
This patch addresses the issue where, when a cmcSelfSigned profile is used
in a cmcUserSigned case, the certificate is issued.
A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
to verify.
In additional, all profiles that authenticate through CMCUserSignedAuth are
turned off by default to allow site administrators to make conscious decision
on their own for these features.
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
Change-Id: I275118d31b966494411888beb37032bb022c29ce
(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
---
 base/ca/shared/conf/CS.cfg                         |   2 +-
 base/ca/shared/conf/registry.cfg                   |   9 +-
 .../profiles/ca/caECFullCMCSelfSignedCert.cfg      |   8 +-
 .../profiles/ca/caECFullCMCUserSignedCert.cfg      |   2 +-
 .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg |   8 +-
 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   2 +-
 .../certsrv/authentication/IAuthToken.java         |   7 +-
 .../com/netscape/cms/authentication/CMCAuth.java   |   5 +-
 .../cms/authentication/CMCUserSignedAuth.java      |  16 ++-
 .../netscape/cms/authentication/SharedSecret.java  |   4 +-
 .../netscape/cms/profile/common/EnrollProfile.java |  18 +++
 .../CMCSelfSignedSubjectNameConstraint.java        | 129 +++++++++++++++++++++
 .../profile/def/AuthTokenSubjectNameDefault.java   |   2 +-
 .../servlet/profile/ProfileSubmitCMCServlet.java   |  29 ++++-
 base/server/cmsbundle/src/UserMessages.properties  |   3 +-
 15 files changed, 216 insertions(+), 28 deletions(-)
 create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
635061
index 1d65835..fcd85a2 100644
635061
--- a/base/ca/shared/conf/CS.cfg
635061
+++ b/base/ca/shared/conf/CS.cfg
635061
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
635061
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
635061
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
635061
index 54e4d95..4fe6e93 100644
635061
--- a/base/ca/shared/conf/registry.cfg
635061
+++ b/base/ca/shared/conf/registry.cfg
635061
@@ -1,5 +1,5 @@
635061
 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
635061
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
635061
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
635061
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
635061
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
635061
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
635061
@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
635061
 constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
635061
 constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
635061
 constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
635061
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
635061
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
635061
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
635061
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
635061
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
635061
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
635061
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
635061
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
635061
 constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
635061
 constraintPolicy.validityConstraintImpl.desc=Validity Constraint
635061
 constraintPolicy.validityConstraintImpl.name=Validity Constraint
635061
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
635061
index 144c05c..48e6499 100644
635061
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
635061
@@ -1,5 +1,5 @@
635061
 desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
635061
-enable=true
635061
+enable=false
635061
 enableBy=admin
635061
 name=Self-Signed CMC User Certificate Enrollment
635061
 visible=false
635061
@@ -10,10 +10,8 @@ output.list=o1
635061
 output.o1.class_id=certOutputImpl
635061
 policyset.list=cmcUserCertSet
635061
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
635061
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
635061
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
635061
-policyset.cmcUserCertSet.1.constraint.params.accept=true
635061
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
635061
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
635061
+policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
635061
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
635061
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
635061
 policyset.cmcUserCertSet.1.default.params.name=
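Review bot: The new `policyset.cmcUserCertSet.1.constraint.name` line labels the constraint `CMC User-Signed Subject Name Constraint` although the `class_id` on the line above is `cmcSelfSignedSubjectNameConstraintImpl`, and the sibling RSA profile caFullCMCSelfSignedCert.cfg in this same patch labels the same constraint `CMC Self-Signed Subject Name Constraint`. An administrator inspecting the EC profile would see a user-signed label on a self-signed check, which is exactly the confusion this bug is about. Change the line to `policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint`.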
635061
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
635061
index d2286de..e7b60ee 100644
635061
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
635061
@@ -1,5 +1,5 @@
635061
 desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
635061
-enable=true
635061
+enable=false
635061
 enableBy=admin
635061
 name=User-Signed CMC-Authenticated User Certificate Enrollment
635061
 visible=false
635061
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
635061
index bdcdc24..538b16a 100644
635061
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
635061
@@ -1,5 +1,5 @@
635061
 desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
635061
-enable=true
635061
+enable=false
635061
 enableBy=admin
635061
 name=Self-Signed CMC User Certificate Enrollment
635061
 visible=false
635061
@@ -10,10 +10,8 @@ output.list=o1
635061
 output.o1.class_id=certOutputImpl
635061
 policyset.list=cmcUserCertSet
635061
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
635061
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
635061
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
635061
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
635061
-policyset.cmcUserCertSet.1.constraint.params.accept=true
635061
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
635061
+policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
635061
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
635061
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
635061
 policyset.cmcUserCertSet.1.default.params.name=
635061
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
635061
index 9b5d3e9..b0ff8af 100644
635061
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
635061
@@ -1,5 +1,5 @@
635061
 desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
635061
-enable=true
635061
+enable=false
635061
 enableBy=admin
635061
 name=User-Signed CMC-Authenticated User Certificate Enrollment
635061
 visible=false
635061
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
635061
index 59c6af2..d5d03b4 100644
635061
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
635061
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
635061
@@ -44,9 +44,14 @@ public interface IAuthToken {
635061
     public static final String GROUP = "group";
635061
     public static final String GROUPS = "groups";
635061
 
635061
-    /* Subject name of the certificate in the authenticating entry */
635061
+    /* Subject name of the certificate request in the authenticating entry */
635061
     public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
635061
 
635061
+    /* Subject name of the authenticated cert */
635061
+    public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
635061
+    /* Subject DN of the Shared Token authenticated entry */
635061
+    public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
635061
+
635061
     /* NotBefore value of the certificate in the authenticating entry */
635061
     public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
635061
 
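Review bot: The two new constants need comments that say who writes them and who reads them; the existing one-liners are easy to confuse with `TOKEN_CERT_SUBJECT`, which is the very mix-up this patch is fixing. From the rest of the patch, `TOKEN_AUTHENTICATED_CERT_SUBJECT` is set by CMCAuth and CMCUserSignedAuth to the subject DN of the verified CMC signer certificate (and copied from `TOKEN_CERT_SUBJECT` on the shared-token path in EnrollProfile) and is what `populate()` writes to `AUTHENTICATED_NAME`, while `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT` carries the LDAP entry DN that SharedSecret found and is checked by CMCSelfSignedSubjectNameConstraint. Suggested comments: `/* Subject DN of the verified CMC signer cert (CMCAuth/CMCUserSignedAuth); copied to AUTHENTICATED_NAME by populate() */` and `/* LDAP entry DN of the Shared Token authenticated user (SharedSecret); verified by CMCSelfSignedSubjectNameConstraint */`.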
635061
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
635061
index 86ffa2f..9b6a819 100644
635061
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
635061
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
635061
@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
635061
 
635061
                         IAuthToken tempToken = agentAuth.authenticate(agentCred);
635061
                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
635061
-                        String ID = tempPrincipal.toString();
635061
+                        String ID = tempPrincipal.getName();
635061
                         CMS.debug(method + " Principal name = " + ID);
635061
+                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
635061
 
635061
                         BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
635061
                         authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
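Review bot: The added `authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID)` is the value that `populate()` later turns into `AUTHENTICATED_NAME`, i.e. the subject the issued certificate is derived from, but nothing at the call site says so, and the rewritten line keeps the non-idiomatic local name `ID`. The same two lines are added in the CMCUserSignedAuth hunk at its `tempPrincipal.getName()` change. Suggest `String signerDn = tempPrincipal.getName(); // subject DN of the verified CMC signer cert` and, on the set line, `// consumed by populate() as AUTHENTICATED_NAME; only a verified signer may supply it`. The enclosing authenticate method starts and ends outside the hunk.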
635061
@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
635061
     public void populate(IAuthToken token, IRequest request)
635061
             throws EProfileException {
635061
         request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
635061
-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
635061
+                token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
635061
     }
635061
 
635061
     public boolean isSSLClientRequired() {
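Review bot: `populate()` here passes `token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT)` straight to `request.setExtData(...)` with no null check, while the parallel rewrite of CMCUserSignedAuth.populate() in this patch guards the same key against null and logs. As far as this patch shows, CMCAuth sets the key only in the agent-certificate branch of the previous hunk, so a token without it would make the two authenticators behave differently on the same missing value. Either apply the same guard here, or state the invariant: `// TOKEN_AUTHENTICATED_CERT_SUBJECT is always set by authenticate(); a null here is a bug, not a self-signed request`.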
635061
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
index d5f6c34..a9a7ade 100644
635061
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
635061
                                     if (requestCertSubject.equals("")) {
635061
                                         requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
635061
                                     }
635061
-
635061
                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
635061
                                     auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
635061
                                     //authToken.set("uid", uid);
635061
@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
635061
 
635061
                         IAuthToken tempToken = new AuthToken(null);
635061
                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
635061
-                        String ID = tempPrincipal.toString(); //tempToken.get("userid");
635061
+                        String ID = tempPrincipal.getName(); //tempToken.get("userid");
635061
                         CMS.debug(method + " Principal name = " + ID);
635061
+                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
635061
 
635061
                         BigInteger certSerial = x509Certs[0].getSerialNumber();
635061
                         CMS.debug(method + " verified cert serial=" + certSerial.toString());
635061
@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
635061
 
635061
     public void populate(IAuthToken token, IRequest request)
635061
             throws EProfileException {
635061
-        request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
635061
-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
635061
+        String method = "CMCUserSignedAuth: populate: ";
635061
+        String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+        if (authenticatedDN != null) {
635061
+            request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
635061
+                    authenticatedDN);
635061
+            CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
635061
+                    authenticatedDN);
635061
+        } else {
635061
+            CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
635061
+        }
635061
     }
635061
 
635061
     public boolean isSSLClientRequired() {
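Review bot: The else branch ends in a question (`... is null; self-signed?`) instead of stating the contract the fix depends on: when the token has no `TOKEN_AUTHENTICATED_CERT_SUBJECT`, `AUTHENTICATED_NAME` is deliberately left unset so that the subject-name default and constraint decide, which is the fail-closed behaviour described in the commit message. The two debug lines also name the same constant with different prefixes (`IAuthToken.` vs `AuthToken.`). Suggest a comment above the `if`: `// only a verified signer cert may supply AUTHENTICATED_NAME; a self-signed request gets none here and must pass the shared-token constraint instead`, and for the else log `CMS.debug(method + "no TOKEN_AUTHENTICATED_CERT_SUBJECT in token; AUTHENTICATED_NAME left unset");`.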
635061
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
635061
index 5ebc213..2d8679c 100644
635061
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
635061
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
635061
@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
635061
 import org.mozilla.jss.pkix.cmc.PKIData;
635061
 
635061
 import com.netscape.certsrv.apps.CMS;
635061
-import com.netscape.certsrv.authentication.AuthToken;
635061
 import com.netscape.certsrv.authentication.EInvalidCredentials;
635061
 import com.netscape.certsrv.authentication.IAuthCredentials;
635061
+import com.netscape.certsrv.authentication.AuthToken;
635061
 import com.netscape.certsrv.authentication.IAuthToken;
635061
 import com.netscape.certsrv.authentication.ISharedToken;
635061
 import com.netscape.certsrv.base.EBaseException;
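Review bot: The relocated `import com.netscape.certsrv.authentication.AuthToken;` now sits between `IAuthCredentials` and `IAuthToken`, breaking the alphabetical order the surrounding imports keep, and the only `AuthToken` reference this patch touches in the file (`AuthToken.TOKEN_CERT_SUBJECT` in the next hunk) is rewritten to `IAuthToken`. If no other use of `AuthToken` remains in SharedSecret.java, drop the import rather than moving it; otherwise restore its original position. Import lines are outside any method.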
635061
@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
635061
             }
635061
 
635061
             CMS.debug(method + "found user ldap entry: userdn = " + userdn);
635061
-            authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
635061
+            authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
635061
 
635061
             res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
635061
                     "(objectclass=*)", new String[] { mShrTokAttr }, false);
635061
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
635061
index 929e629..f9903c6 100644
635061
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
635061
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
635061
@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
635061
 
635061
             // catch for invalid request
635061
             cmc_msgs = parseCMC(locale, cert_request, donePOI);
635061
+            SessionContext sessionContext = SessionContext.getContext();
635061
+            String authenticatedSubject = 
635061
+                    (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+
635061
+            if (authenticatedSubject != null) {
635061
+                ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
635061
+            }
635061
+
635061
             if (cmc_msgs == null) {
635061
                 CMS.debug(method + "parseCMC returns cmc_msgs null");
635061
                 return null;
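Review bot: The new block copies `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT` from `SessionContext` into `ctx` unconditionally, after ProfileSubmitCMCServlet in this same patch has blanked that key in `ctx` "just in case"; whether a stale value can survive depends on how SessionContext is scoped per request, which is not visible here, and if it is thread-bound and reused the servlet's reset is undone on this line. A comment stating the assumption would let a later reader check it: `// SessionContext is per-request: a value here was put by the shared-token auth for this same request`. The declaration `String authenticatedSubject = ` also carries trailing whitespace. The enclosing method starts and ends outside the hunk.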
635061
@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile
635061
                 auditSubjectID = ident_string;
635061
                 sessionContext.put(SessionContext.USER_ID, auditSubjectID);
635061
 
635061
+                // subjectdn from SharedSecret ldap auth
635061
+                // set in context and authToken to be used by profile
635061
+                // default and constraints plugins
635061
+                authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
635061
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
635061
+                authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT,
635061
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
635061
+                sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
635061
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
635061
+
635061
                 auditMessage = CMS.getLogMessage(
635061
                         AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
635061
                         auditSubjectID,
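Review bot: `authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)` is looked up three times in the new block and its result is stored into the token and the session context without a null check, although SharedSecret only sets `TOKEN_CERT_SUBJECT` after it has found the LDAP entry. Read it once, skip the three stores when it is missing and say so in the debug log, rather than propagating a null (whether the session context `put` accepts a null value is not visible here). The comment should also name the consumers so a reader knows why the same DN goes to three places. The enclosing method starts and ends outside the hunk.

```java
// subject DN found by the SharedSecret LDAP auth; stored on the token for
// AuthTokenSubjectNameDefault / CMCSelfSignedSubjectNameConstraint and in
// the session context for the CMC parsing path in this class
String sharedTokenSubject = authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT);
if (sharedTokenSubject != null) {
    authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
    authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
    sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
} else {
    CMS.debug("EnrollProfile: shared token auth token has no TOKEN_CERT_SUBJECT");
}
// … unchanged: CMC_PROOF_OF_IDENTIFICATION audit message …
```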
635061
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
635061
new file mode 100644
635061
index 0000000..d4554ca
635061
--- /dev/null
635061
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
635061
@@ -0,0 +1,129 @@
635061
+// --- BEGIN COPYRIGHT BLOCK ---
635061
+// This program is free software; you can redistribute it and/or modify
635061
+// it under the terms of the GNU General Public License as published by
635061
+// the Free Software Foundation; version 2 of the License.
635061
+//
635061
+// This program is distributed in the hope that it will be useful,
635061
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
635061
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
635061
+// GNU General Public License for more details.
635061
+//
635061
+// You should have received a copy of the GNU General Public License along
635061
+// with this program; if not, write to the Free Software Foundation, Inc.,
635061
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
635061
+//
635061
+// (C) 2013 Red Hat, Inc.
635061
+// All rights reserved.
635061
+// --- END COPYRIGHT BLOCK ---
635061
+package com.netscape.cms.profile.constraint;
635061
+
635061
+import java.util.Locale;
635061
+
635061
+import com.netscape.certsrv.apps.CMS;
635061
+import com.netscape.certsrv.authentication.IAuthToken;
635061
+import com.netscape.certsrv.authentication.IAuthManager;
635061
+import com.netscape.certsrv.base.IConfigStore;
635061
+import com.netscape.certsrv.profile.EProfileException;
635061
+import com.netscape.certsrv.profile.ERejectException;
635061
+import com.netscape.certsrv.profile.IPolicyDefault;
635061
+import com.netscape.certsrv.profile.IProfile;
635061
+import com.netscape.certsrv.property.IDescriptor;
635061
+import com.netscape.certsrv.request.IRequest;
635061
+import com.netscape.cms.profile.common.EnrollProfile;
635061
+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
635061
+
635061
+import netscape.security.x509.CertificateSubjectName;
635061
+import netscape.security.x509.X500Name;
635061
+import netscape.security.x509.X509CertInfo;
635061
+
635061
+/**
635061
+ * This class implements the user subject name constraint for self-signed cmc requests.
635061
+ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
635061
+ *
635061
+ * @author cfu
635061
+ * @version $Revision$, $Date$
635061
+ */
635061
+public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
635061
+
635061
+    public CMCSelfSignedSubjectNameConstraint() {
635061
+    }
635061
+
635061
+    public void init(IProfile profile, IConfigStore config)
635061
+            throws EProfileException {
635061
+        super.init(profile, config);
635061
+    }
635061
+
635061
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
635061
+        return null;
635061
+    }
635061
+
635061
+    public String getDefaultConfig(String name) {
635061
+        return null;
635061
+    }
635061
+
635061
+    /**
635061
+     * Validates the request. The request is not modified
635061
+     * during the validation. User encoded subject name
635061
+     * is copied into the certificate template.
635061
+     */
635061
+    public void validate(IRequest request, X509CertInfo info)
635061
+            throws ERejectException {
635061
+        String method = "CMCSelfSignedSubjectNameConstraint: ";
635061
+        String msg = "";
635061
+
635061
+        CertificateSubjectName infoCertSN = null;
635061
+        String authTokenSharedTokenSN = null;
635061
+
635061
+        try {
635061
+            infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
635061
+            if (infoCertSN == null) {
635061
+                msg = method + "infoCertSN null";
635061
+                CMS.debug(msg);
635061
+                throw new Exception(msg);
635061
+            }
635061
+            CMS.debug(method + "validate user subject ="+
635061
+                      infoCertSN.toString());
635061
+            X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
635061
+            if (infoCertName == null) {
635061
+                msg = method + "infoCertName null";
635061
+                CMS.debug(msg);
635061
+                throw new Exception(msg);
635061
+            }
635061
+
635061
+            authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+            if (authTokenSharedTokenSN == null) {
635061
+                msg = method + "authTokenSharedTokenSN null";
635061
+                CMS.debug(msg);
635061
+                throw new Exception(msg);
635061
+            }
635061
+            if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
635061
+                CMS.debug(method + "names matched");
635061
+            } else {
635061
+                msg = method + "names do not match; authTokenSharedTokenSN =" +
635061
+                        authTokenSharedTokenSN;
635061
+                CMS.debug(msg);
635061
+                throw new Exception(msg);
635061
+            }
635061
+
635061
+        } catch (Exception e) {
635061
+            throw new ERejectException(
635061
+                    CMS.getUserMessage(getLocale(request),
635061
+                        "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
635061
+        }
635061
+    }
635061
+
635061
+    public String getText(Locale locale) {
635061
+        return CMS.getUserMessage(locale,
635061
+                   "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
635061
+    }
635061
+
635061
+    public boolean isApplicable(IPolicyDefault def) {
635061
+        String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
635061
+        if (def instanceof AuthTokenSubjectNameDefault) {
635061
+            CMS.debug(method + "true");
635061
+            return true;
635061
+        }
635061
+        CMS.debug(method + "false");
635061
+        return false;
635061
+    }
635061
+}
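Review bot: The subject check in `validate()` compares DN strings with `equalsIgnoreCase`: the certificate side is `X500Name.getName()` output while `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT` is the raw LDAP `userdn` string SharedSecret stored, so any difference in attribute spacing, ordering or escaping between the two producers rejects a legitimate request (the failure mode is closed, which is the right default, but it is brittle). Parsing the token value with `new X500Name(authTokenSharedTokenSN)`, as AuthTokenSubjectNameDefault already does for `AUTHENTICATED_NAME`, and comparing X500Name values would be more robust, provided that class's equality compares canonical form rather than identity — confirm before relying on it. Each failure is raised as a bare `new Exception(msg)` only to be caught and re-wrapped, and the user message is built as `CMS.getUserMessage(...) + e`, which puts the exception class name and the expected DN into user-facing text; throw `ERejectException` with the localized message directly and keep the detail in `CMS.debug`. The `validate` Javadoc still describes a copy into the certificate template that this constraint does not perform (and misspells "resulting"), and the overriding methods lack `@Override`.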
635061
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
635061
index e789625..85bf241 100644
635061
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
635061
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
635061
@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault {
635061
             X500Name name = new X500Name(
635061
                     request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
635061
 
635061
-            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
635061
+            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName());
635061
             info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
635061
         } catch (Exception e) {
635061
             // failed to insert subject name
635061
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
635061
index 12fd294..03e94a8 100644
635061
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
635061
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
635061
@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
635061
             CMS.debug("ProfileSubmitCMCServlet: null it out");
635061
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
635061
         }
635061
+
635061
         String signingCertSerialS = null;
635061
         if (authToken != null) {
635061
             signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
635061
@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
635061
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
635061
         }
635061
 
635061
+        String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+        if (tmpSharedTokenAuthenticatedCertSubject != null) {
635061
+            // unlikely to happen, but do this just in case
635061
+            CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
635061
+            CMS.debug("ProfileSubmitCMCServlet: null it out");
635061
+            ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
635061
+        }
635061
+
635061
         String errorCode = null;
635061
         String errorReason = null;
635061
         String auditRequesterID = ILogger.UNIDENTIFIED;
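Review bot: The reset writes the empty string instead of removing the key, so downstream `!= null` checks (the constraint's `authTokenSharedTokenSN == null` test, and the request-level reset later in this file) treat a cleared value as present; this is only safe because an empty string can never equal a subject DN, and that reasoning should sit next to the sentinel: `// "" rather than removal: later null-checks must still see the key, and "" can never match a subject DN`. The later `(String) ctx.get(...)` in this file casts while this `ctx.get(...)` does not, which suggests the two call sites are written against different views of ctx; make them consistent. The enclosing method starts and ends outside the hunk.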
635061
@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
635061
 
635061
                 tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
635061
                 if (tmpCertSerialS != null) {
635061
-                    // unlikely to happenm, but do this just in case
635061
+                    // unlikely to happen, but do this just in case
635061
                     CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
635061
                     CMS.debug("ProfileSubmitCMCServlet: null it out");
635061
                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
635061
                 }
635061
                 // put CMCUserSignedAuth authToken in request
635061
                 if (signingCertSerialS != null) {
635061
+                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
635061
+                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
635061
+                 }
635061
+
635061
+                tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+                if (tmpSharedTokenAuthenticatedCertSubject != null) {
635061
+                    // unlikely to happen, but do this just in case
635061
+                    CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
635061
+                    CMS.debug("ProfileSubmitCMCServlet: null it out");
635061
+                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
635061
+                }
635061
+                // put Shared Token authToken in request
635061
+                String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
635061
+                if (st_sbj != null) {
635061
+                    CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth");
635061
+                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj);
635061
+                }
635061
+                if (tmpSharedTokenAuthenticatedCertSubject != null) {
635061
                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
635061
                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
635061
                 }
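Review bot: The trailing `if (tmpSharedTokenAuthenticatedCertSubject != null)` block is the old body of `if (signingCertSerialS != null)` left behind as context and now guarded by an unrelated condition: it runs only when a stale shared-token subject was found in the request, writes `signingCertSerialS` — which may be null at that point — into CRED_CMC_SIGNING_CERT, and logs a message about the signing cert that does not match what it tests. The serial is already stored by the new `if (signingCertSerialS != null)` block a few lines above, so I would delete these three lines, or if a second write is intended, guard it with `if (signingCertSerialS != null)`. Separately, "null it out" writes `""` rather than removing the key, so `st_sbj != null` cannot distinguish a cleared value from a real one; `if (st_sbj != null && !st_sbj.isEmpty())` would keep the cleared marker from being copied into the request. The enclosing loop over `reqs[k]` begins outside the hunk.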
635061
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
635061
index 208632d..e5e6ecc 100644
635061
--- a/base/server/cmsbundle/src/UserMessages.properties
635061
+++ b/base/server/cmsbundle/src/UserMessages.properties
635061
@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
635061
 CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
635061
 CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
635061
 CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
635061
-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
635061
+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only
635061
+CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only
635061
 CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
635061
 CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
635061
 CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
635061
-- 
635061
1.8.3.1
635061
635061
62cf1a
From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001
635061
From: Christina Fu <cfu@redhat.com>
635061
Date: Wed, 1 Aug 2018 13:35:53 -0700
62cf1a
Subject: [PATCH 2/5] Bug 1593805  Better understanding of
635061
 NSS_USE_DECODED_CKA_EC_POINT for ECC
635061
635061
This patch removes the outdated reference to EC environment variable
635061
NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
635061
635061
More info in the usage are updated as well for correctness and clarity.
635061
635061
Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
635061
(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
635061
---
635061
 .../src/com/netscape/cmstools/HttpClient.java      | 32 ++++++++++++----------
635061
 1 file changed, 18 insertions(+), 14 deletions(-)
635061
635061
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
635061
index fcaf210..28934ab 100644
635061
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
635061
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
635061
@@ -251,43 +251,47 @@ public class HttpClient {
635061
         System.out.println("The configuration file should look like as follows:");
635061
         System.out.println("");
635061
         System.out.println("#host: host name for the http server");
635061
-        System.out.println("host=host1.a.com");
635061
+        System.out.println("host=host.example.com");
635061
         System.out.println("");
635061
         System.out.println("#port: port number");
635061
-        System.out.println("port=1025");
635061
+        System.out.println("port=8443");
635061
         System.out.println("");
635061
         System.out.println("#secure: true for secure connection, false for nonsecure connection");
635061
-        System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
635061
         System.out.println("secure=false");
635061
         System.out.println("");
635061
         System.out.println("#input: full path for the enrollment request, the content must be in binary format");
635061
-        System.out.println("input=/u/doc/cmcReqCRMFBin");
635061
+        System.out.println("input=~/cmcReqCRMFBin");
635061
         System.out.println("");
635061
         System.out.println("#output: full path for the response in binary format");
635061
-        System.out.println("output=/u/doc/cmcResp");
635061
+        System.out.println("#output could be parsed by running CMCResponse");
635061
+        System.out.println("output=~/cmcResp");
635061
         System.out.println("");
635061
-        System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
635061
+        System.out.println("#dbdir: directory for NSS certificate/key databases");
635061
         System.out.println("#This parameter will be ignored if secure=false");
635061
-        System.out.println("tokenname=hsmname");
635061
+        System.out.println("dbdir=/.dogtag/nssdb");
635061
         System.out.println("");
635061
-        System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
635061
+        System.out.println("#password: password for NSS database");
635061
+        System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
635061
+        System.out.println("password=");
635061
+        System.out.println("");
635061
+        System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
635061
         System.out.println("#This parameter will be ignored if secure=false");
635061
-        System.out.println("dbdir=/u/smith/.netscape");
635061
+        System.out.println("tokenname=internal");
635061
         System.out.println("");
635061
         System.out.println("#clientmode: true for client authentication, false for no client authentication");
635061
         System.out.println("#This parameter will be ignored if secure=false");
635061
         System.out.println("clientmode=false");
635061
         System.out.println("");
635061
-        System.out.println("#password: password for cert8.db");
635061
-        System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
635061
-        System.out.println("password=");
635061
-        System.out.println("");
635061
         System.out.println("#nickname: nickname for client certificate");
635061
         System.out.println("#This parameter will be ignored if clientmode=false");
635061
         System.out.println("nickname=");
635061
         System.out.println("");
635061
         System.out.println("#servlet: target URL");
635061
-        System.out.println("#This parameter may include query parameters");
635061
+        System.out.println("#This parameter may include query parameters;");
635061
+        System.out.println("#  - reminder: profileId should be a profile that matches");
635061
+        System.out.println("#    the intended certificate; for certificates intended");
635061
+        System.out.println("#    for SSL (client or server), profiles should match");
635061
+        System.out.println("#    the key type (RSA or EC) of the keys generated for CSR;");
635061
         System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
635061
         System.out.println("");
635061
         System.exit(0);
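Review bot: `dbdir=/.dogtag/nssdb` points at the filesystem root and is inconsistent with the `~/` used for `input` and `output` earlier in the same usage text; the per-user location is presumably `~/.dogtag/nssdb`. Java does not expand `~` when opening a file (only a shell does), so a config copied verbatim from these examples will fail to find the request file or the database; spell the paths out, e.g. `input=/home/user/cmcReqCRMFBin` and `dbdir=/home/user/.dogtag/nssdb`, or print `#paths must be absolute; ~ is not expanded` above them. Since `password=` holds the NSS database password in the clear, a line such as `#keep this file readable only by its owner` next to it would be a useful reminder.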
635061
-- 
635061
1.8.3.1
635061
635061
62cf1a
From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001
635061
From: Christina Fu <cfu@redhat.com>
635061
Date: Thu, 2 Aug 2018 09:31:50 -0700
62cf1a
Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same
635061
 reqIssuer & certissuer
635061
635061
This patch resolves the possible encoding mismatch between the actual CA cert
635061
and the X500Name gleaned from the CMC revocation request.
635061
635061
Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d
635061
(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248)
635061
---
635061
 .../cms/authentication/CMCUserSignedAuth.java       | 21 ++++++++++++++++++---
635061
 1 file changed, 18 insertions(+), 3 deletions(-)
635061
635061
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
index a9a7ade..97971dd 100644
635061
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
635061
@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException;
635061
 import com.netscape.certsrv.base.IConfigStore;
635061
 import com.netscape.certsrv.base.IExtendedPluginInfo;
635061
 import com.netscape.certsrv.base.SessionContext;
635061
+import com.netscape.certsrv.ca.ICertificateAuthority;
635061
 import com.netscape.certsrv.logging.ILogger;
635061
 import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent;
635061
 import com.netscape.certsrv.profile.EProfileException;
635061
@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
635061
                                     // to CMCOutputTemplate so that we can
635061
                                     // have a chance to capture user identification info
635061
                                     if (issuerANY != null) {
635061
+                                        // get CA signing cert
635061
+                                        ICertificateAuthority ca = null;
635061
+                                        ca = (ICertificateAuthority) CMS.getSubsystem("ca");
635061
+                                        X500Name caName = ca.getX500Name();
635061
+
635061
                                         try {
635061
                                             byte[] issuerBytes = issuerANY.getEncoded();
635061
-                                            X500Name issuerName = new X500Name(issuerBytes);
635061
-                                            CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
635061
+                                            X500Name reqIssuerName = new X500Name(issuerBytes);
635061
+                                            String reqIssuerNameStr = reqIssuerName.getName();
635061
+                                            CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr);
635061
+                                            if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) {
635061
+                                                // making sure it's identical, even in encoding
635061
+                                                reqIssuerName = caName;
635061
+                                            } else {
635061
+                                                // not this CA; will be bumped off later;
635061
+                                                // make a note in debug anyway
635061
+                                                CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;");
635061
+                                            }
635061
                                             // capture issuer principal to be checked against
635061
                                             // cert issuer principal later in CMCOutputTemplate
635061
-                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
635061
+                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName);
635061
                                         } catch (Exception e) {
635061
                                             CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
635061
                                         }
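Review bot: `(ICertificateAuthority) CMS.getSubsystem("ca")` is dereferenced via `ca.getX500Name()` without a null check and sits above the `try`, so if the CA subsystem is unavailable this revocation path fails with an uncaught NullPointerException instead of the debug-logged fallback the catch below provides; move those statements inside the try or guard them with `if (ca == null)`. The comparison `reqIssuerNameStr.equalsIgnoreCase(caName.getName())` matches whole strings, so two encodings of the same issuer that differ in spacing, escaping or RDN order are treated as different even though the stated goal is to tolerate encoding mismatches; `netscape.security.x509.X500Name` has an `equals()` that compares RDN by RDN, so `if (reqIssuerName.equals(caName))` is likely the better test (confirm its semantics in this tree). It would also help to say in the comment that the substitution only normalizes the name for the later issuer check in CMCOutputTemplate and does not by itself accept or reject the request. The enclosing method starts and ends outside the hunk.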
635061
-- 
635061
1.8.3.1
635061
635061
62cf1a
From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001
635061
From: Christina Fu <cfu@redhat.com>
635061
Date: Wed, 8 Aug 2018 18:41:52 -0700
62cf1a
Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events
635061
635061
This patch enables the audit events concerning role actions (mostly config)
635061
by default.
635061
635061
Two additional minor issues are also addressed:
635061
1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
635061
   (bugzilla #1610718)
635061
2. removing unrecommended signing algorithms
635061
635061
fixes: https://pagure.io/dogtagpki/issue/3041
635061
Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
635061
(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099)
635061
---
635061
 base/ca/shared/conf/CS.cfg                                        | 2 +-
635061
 base/ca/shared/profiles/ca/caDirUserCert.cfg                      | 2 +-
635061
 base/ca/shared/profiles/ca/caECDirUserCert.cfg                    | 2 +-
635061
 base/kra/shared/conf/CS.cfg                                       | 2 +-
635061
 base/ocsp/shared/conf/CS.cfg                                      | 2 +-
635061
 .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java    | 2 +-
635061
 .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java  | 2 +-
635061
 base/server/cmsbundle/src/LogMessages.properties                  | 2 +-
635061
 base/tks/shared/conf/CS.cfg                                       | 2 +-
635061
 base/tps/shared/conf/CS.cfg                                       | 2 +-
635061
 base/util/src/netscape/security/x509/AlgorithmId.java             | 8 ++++----
635061
 11 files changed, 14 insertions(+), 14 deletions(-)
635061
635061
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
635061
index fcd85a2..6158d5a 100644
635061
--- a/base/ca/shared/conf/CS.cfg
635061
+++ b/base/ca/shared/conf/CS.cfg
635061
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
635061
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
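Review bot: The appended list adds `CONFIG_DRM` to the CA's SignedAudit events, although that event belongs to the KRA (the KRA's own list in this commit already carries it); if the CA never raises it the entry is inert, but if it was pasted from the KRA list it should be dropped so the CA configuration names only events it can produce. Please confirm against the CA's audit event sources. The new events also come without `filters.*` entries, which by the pattern visible here means every outcome is logged; that is the conservative choice for configuration events, so just confirm it is intended.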
635061
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
635061
index f12c7ed..0b7f6b7 100644
635061
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
635061
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
635061
 policyset.userCertSet.2.default.params.startTime=0
635061
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
635061
 policyset.userCertSet.3.constraint.name=Key Constraint
635061
-policyset.userCertSet.3.constraint.params.keyType=EC
635061
+policyset.userCertSet.3.constraint.params.keyType=RSA
635061
 policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
635061
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
635061
 policyset.userCertSet.3.default.name=Key Default
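Review bot: With `keyType` corrected to RSA, `keyParameters=1024,2048,3072,4096` still admits 1024-bit RSA keys, which NIST SP 800-131A disallowed for new signatures after 2013; since this commit is already removing non-recommended algorithms, the same hunk could tighten the sizes to `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096`. If 1024 must stay for compatibility, a `#` comment above the line saying so would make the decision explicit.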
635061
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
635061
index 0663b40..b65999e 100644
635061
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
635061
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
635061
 policyset.userCertSet.2.default.params.startTime=0
635061
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
635061
 policyset.userCertSet.3.constraint.name=Key Constraint
635061
-policyset.userCertSet.3.constraint.params.keyType=-
635061
+policyset.userCertSet.3.constraint.params.keyType=EC
635061
 policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
635061
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
635061
 policyset.userCertSet.3.default.name=Key Default
635061
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
635061
index f314234..878e5f8 100644
635061
--- a/base/kra/shared/conf/CS.cfg
635061
+++ b/base/kra/shared/conf/CS.cfg
635061
@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
635061
 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
635061
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
635061
index dc993b0..b412e5e 100644
635061
--- a/base/ocsp/shared/conf/CS.cfg
635061
+++ b/base/ocsp/shared/conf/CS.cfg
635061
@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
635061
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
635061
 log.instance.SignedAudit.expirationTime=0
635061
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
635061
index a1a83a4..2dcf9c1 100644
635061
--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
635061
+++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
635061
@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
635061
         defConfig4
635061
                 .putString(
635061
                         "params.signingAlgsAllowed",
635061
-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
635061
+                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
635061
 
635061
         IProfilePolicy policy5 =
635061
                 createProfilePolicy("set1", "p5",
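Review bot: The new `signingAlgsAllowed` list drops MD5withRSA and MD2withRSA but still admits `SHA1withRSA` and `SHA1withEC`; SHA-1 signatures have been deprecated for certificate issuance for years (publicly trusted CAs stopped issuing them in 2016), so this default still lets a requester obtain a weakly signed server certificate. I would trim the string to `"SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"`, or at least add `// SHA-1 retained for legacy clients only` above it. The same list is duplicated in UserCertCAEnrollProfile; the constructor this line belongs to continues outside the hunk.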
635061
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
635061
index 710a461..9b1eacb 100644
635061
--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
635061
+++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
635061
@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile
635061
         defConfig4
635061
                 .putString(
635061
                         "params.signingAlgsAllowed",
635061
-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
635061
+                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
635061
 
635061
         IProfilePolicy policy5 =
635061
                 createProfilePolicy("set1", "p5",
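Review bot: `SHA1withRSA` and `SHA1withEC` remain in the allowed signing algorithms after the MD5/MD2 removal, so a user enrollment can still request a SHA-1-signed certificate by default. Unless legacy clients require it, drop them as well, `"SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"`; if they are kept on purpose, a short `// SHA-1 retained for legacy clients only` next to the string records the decision. The constructor this line belongs to extends beyond the hunk.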
635061
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
635061
index 7963f6f..d534506 100644
635061
--- a/base/server/cmsbundle/src/LogMessages.properties
635061
+++ b/base/server/cmsbundle/src/LogMessages.properties
635061
@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
635061
 #           and to be approved by an agent
635061
 # Op must be "approve" or "disapprove"
635061
 #
635061
-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
635061
+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
635061
 #
635061
 # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
635061
 # - used for proof of possession during certificate enrollment processing
635061
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
635061
index d1da996..e9bf03e 100644
635061
--- a/base/tks/shared/conf/CS.cfg
635061
+++ b/base/tks/shared/conf/CS.cfg
635061
@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
635061
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
635061
 log.instance.SignedAudit.expirationTime=0
635061
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
635061
index c44bc75..3671100 100644
635061
--- a/base/tps/shared/conf/CS.cfg
635061
+++ b/base/tps/shared/conf/CS.cfg
635061
@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
635061
 log.instance.SignedAudit._006=##
635061
 log.instance.SignedAudit.bufferSize=512
635061
 log.instance.SignedAudit.enable=true
635061
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
635061
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
635061
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
635061
 log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
635061
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
635061
index ae5975a..012575c 100644
635061
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
635061
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
635061
@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder {
635061
      * Supported signing algorithms for a RSA key.
635061
      */
635061
     public static final String[] RSA_SIGNING_ALGORITHMS = new String[]
635061
-    { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" };
635061
+    { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" };
635061
 
635061
     public static final String[] EC_SIGNING_ALGORITHMS = new String[]
635061
-    { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" };
635061
+    { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
635061
 
635061
     /**
635061
      * All supported signing algorithms.
635061
      */
635061
     public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
635061
     {
635061
-            "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC",
635061
-            "SHA256withEC", "SHA384withEC", "SHA512withEC" };
635061
+            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA",
635061
+            "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
635061
 
635061
 }
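Review bot: `ALL_SIGNING_ALGORITHMS` silently loses `SHA1withDSA` in addition to the MD5/MD2 entries, which the commit message does not mention; if any profile, configuration or DSA code path still names it, that will now fail validation, so either call it out in the message or confirm nothing references it. These are public `static final` arrays, so removing entries is also a compatibility change for deployments whose `signingAlgsAllowed` still lists `MD5withRSA` — a release note or upgrade hook would help. The SHA-1 variants are kept, now at the end of each list, which moves SHA-256 to element `[0]` (presumably the intended default); a `// SHA-1 retained for legacy interoperability only` comment on those entries would make that explicit.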
635061
-- 
635061
1.8.3.1
635061
635061
62cf1a
From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001
635061
From: Christina Fu <cfu@redhat.com>
635061
Date: Fri, 10 Aug 2018 14:04:14 -0700
62cf1a
Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit
635061
 logs
635061
635061
This patch adds support for an ECC audit log signing key.
635061
All enrollment profiles for audit signing certificate are updated to allow that.
635061
635061
fixes https://pagure.io/dogtagpki/issue/2481
635061
635061
Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f
635061
(cherry picked from commit 435ede04d525d8816345271a887753a620795d56)
635061
---
635061
 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg          | 4 ++--
635061
 base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++--
635061
 base/ca/shared/profiles/ca/caSignedLogCert.cfg                | 8 ++++----
635061
 base/java-tools/src/com/netscape/cmstools/AuditVerify.java    | 6 +++---
635061
 base/server/cms/src/com/netscape/cms/logging/LogFile.java     | 8 +++-----
635061
 5 files changed, 14 insertions(+), 16 deletions(-)
635061
635061
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
635061
index ff4856c..642e67b 100644
635061
--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
635061
@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720
635061
 policyset.auditSigningCertSet.2.default.params.startTime=0
635061
 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
635061
 policyset.auditSigningCertSet.3.constraint.name=Key Constraint
635061
-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
635061
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
635061
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
635061
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
635061
 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
635061
 policyset.auditSigningCertSet.3.default.name=Key Default
635061
 policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
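Review bot: The new `keyParameters` line still accepts 1024-bit RSA for an audit-log signing key, and the EC list admits nistp256 and nistp521 but skips nistp384, which reads like an oversight rather than a deliberate choice. If 1024 is retained only so existing deployments keep working, a comment in the profile saying so would help the next reviewer; otherwise I would tighten it to `policyset.auditSigningCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521`. Note also that `keyType=-` presumably means any key type is accepted, so the `keyParameters` list is now the only thing constraining the key this profile will certify.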
635061
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
635061
index b850f1c..4acaab7 100644
635061
--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
635061
@@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
635061
 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
635061
 policyset.auditSigningCertSet.3.constraint.name=Key Constraint
635061
 policyset.auditSigningCertSet.3.constraint.params.keyType=-
635061
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
635061
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
635061
 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
635061
 policyset.auditSigningCertSet.3.default.name=Key Default
635061
 policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
635061
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
635061
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
635061
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
635061
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
635061
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
635061
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
635061
 policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
635061
 policyset.auditSigningCertSet.9.default.name=Signing Alg
635061
 policyset.auditSigningCertSet.9.default.params.signingAlg=-
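Review bot: The updated `signingAlgsAllowed` still lists `SHA1withDSA`, which the reordered `ALL_SIGNING_ALGORITHMS` array visible earlier on this page no longer contains (it now holds only the RSA and EC entries), so the profile permits an algorithm the server no longer advertises. The three SHA-1 entries (`SHA1withRSA`, `SHA1withDSA`, `SHA1withEC`) are also weak choices for a certificate that protects audit-log integrity; if they are kept for compatibility, the reason belongs in a comment next to the line. I would drop at least the DSA entry: `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`.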
635061
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
635061
index 6fdb8b5..c568572 100644
635061
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
635061
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
635061
@@ -3,7 +3,7 @@ visible=true
635061
 enable=true
635061
 enableBy=admin
635061
 auth.class_id=
635061
-name=Manual Log Signing Certificate Enrollment
635061
+name=Manual Audit Log Signing Certificate Enrollment
635061
 input.list=i1,i2
635061
 input.i1.class_id=certReqInputImpl
635061
 input.i2.class_id=submitterInfoInputImpl
635061
@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720
635061
 policyset.caLogSigningSet.2.default.params.startTime=0
635061
 policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
635061
 policyset.caLogSigningSet.3.constraint.name=Key Constraint
635061
-policyset.caLogSigningSet.3.constraint.params.keyType=RSA
635061
-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
635061
+policyset.caLogSigningSet.3.constraint.params.keyType=-
635061
+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
635061
 policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
635061
 policyset.caLogSigningSet.3.default.name=Key Default
635061
 policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
635061
@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul
635061
 policyset.caLogSigningSet.8.default.params.critical=false
635061
 policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
635061
 policyset.caLogSigningSet.9.constraint.name=No Constraint
635061
-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
635061
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
635061
 policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
635061
 policyset.caLogSigningSet.9.default.name=Signing Alg
635061
 policyset.caLogSigningSet.9.default.params.signingAlg=-
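Review bot: The context line `policyset.caLogSigningSet.9.constraint.name=No Constraint` labels a `signingAlgConstraintImpl` that now carries a real allow-list, so the displayed name contradicts what the policy does; since this hunk is already editing the constraint, I would rename it to `policyset.caLogSigningSet.9.constraint.name=Signing Algorithm Constraint`. As in the other audit-signing profiles, `SHA1withDSA` remains in the list even though the `ALL_SIGNING_ALGORITHMS` array earlier on this page no longer includes it, and the SHA-1 variants are questionable for an audit-integrity certificate; either remove them or document why they stay.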
635061
diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
635061
index 7693ba3..be9c0ed 100644
635061
--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
635061
+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
635061
@@ -25,7 +25,6 @@ import java.io.FilenameFilter;
635061
 import java.io.IOException;
635061
 import java.security.PublicKey;
635061
 import java.security.Signature;
635061
-import java.security.interfaces.DSAPublicKey;
635061
 import java.security.interfaces.RSAPublicKey;
635061
 import java.util.List;
635061
 import java.util.StringTokenizer;
635061
@@ -34,6 +33,7 @@ import java.util.Vector;
635061
 import org.mozilla.jss.CryptoManager;
635061
 import org.mozilla.jss.crypto.ObjectNotFoundException;
635061
 import org.mozilla.jss.crypto.X509Certificate;
635061
+import org.mozilla.jss.pkcs11.PK11ECPublicKey;
635061
 
635061
 import com.netscape.cmsutil.util.Utils;
635061
 
635061
@@ -159,8 +159,8 @@ public class AuditVerify {
635061
         String sigAlgorithm = null;
635061
         if (pubk instanceof RSAPublicKey) {
635061
             sigAlgorithm = "SHA-256/RSA";
635061
-        } else if (pubk instanceof DSAPublicKey) {
635061
-            sigAlgorithm = "SHA-256/DSA";
635061
+        } else if (pubk instanceof PK11ECPublicKey) {
635061
+            sigAlgorithm = "SHA-256/EC";
635061
         } else {
635061
             throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
635061
         }
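Review bot: The new branch detects EC keys by the JSS implementation class `PK11ECPublicKey` rather than by the key's algorithm, so an EC public key that is not a PK11 object (for example one surfaced through another provider as a plain `java.security.interfaces.ECPublicKey`) falls through to the `Unknown signing certificate key type` exception; the companion change in LogFile.java switches on `getAlgorithm()` instead, and the two sides of audit signing should agree. I would write `} else if ("EC".equalsIgnoreCase(pubk.getAlgorithm())) {` here, which also removes the need for the newly added `org.mozilla.jss.pkcs11.PK11ECPublicKey` import; if `pubk` is guaranteed to be a PK11 object in this tool, a comment saying so would justify the instanceof. Separately, dropping the `DSAPublicKey` branch means a log signed with a DSA audit-signing certificate can no longer be verified by this tool, which the commit message does not mention; if no deployment ever used DSA that is fine, but it deserves a sentence in the description or a comment at the throw.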
635061
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
635061
index 74a8ada..b04f70d 100644
635061
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
635061
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
635061
@@ -41,8 +41,6 @@ import java.security.PrivateKey;
635061
 import java.security.Provider;
635061
 import java.security.Signature;
635061
 import java.security.SignatureException;
635061
-import java.security.interfaces.DSAPrivateKey;
635061
-import java.security.interfaces.RSAPrivateKey;
635061
 import java.text.ParseException;
635061
 import java.text.SimpleDateFormat;
635061
 import java.util.Date;
635061
@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
635061
             mSigningKey = cm.findPrivKeyByCert(cert);
635061
 
635061
             String sigAlgorithm;
635061
-            if (mSigningKey instanceof RSAPrivateKey) {
635061
+            if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) {
635061
                 sigAlgorithm = "SHA-256/RSA";
635061
-            } else if (mSigningKey instanceof DSAPrivateKey) {
635061
-                sigAlgorithm = "SHA-256/DSA";
635061
+            } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
635061
+                sigAlgorithm = "SHA-256/EC";
635061
             } else {
635061
                 throw new NoSuchAlgorithmException("Unknown private key type");
635061
             }
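Review bot: The fallback `throw new NoSuchAlgorithmException("Unknown private key type")` now also fires for DSA keys, which the removed branch used to accept, so an existing deployment whose audit signing certificate has a DSA key will fail here after upgrading, and the message does not say which algorithm was found, making that failure hard to diagnose. I would include it, as AuditVerify already does: `throw new NoSuchAlgorithmException("Unknown private key type: " + mSigningKey.getAlgorithm());`. Note also that the old `instanceof` checks tolerated a null `mSigningKey` whereas `mSigningKey.getAlgorithm()` would throw NullPointerException; whether `cm.findPrivKeyByCert(cert)` can return null is not visible here, so either a null check or a comment stating it cannot would help. The enclosing method starts and ends outside this hunk.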
635061
-- 
635061
1.8.3.1
635061