From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 30 Jul 2018 17:15:09 -0700
Subject: [PATCH 1/5] Bug 1601071 Certificate generation happens with partial
attributes in CMCRequest file
|
This patch addresses the issue where, when a cmcSelfSigned profile is used
in a cmcUserSigned case, the certificate is issued.
A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
to verify.
In additional, all profiles that authenticate through CMCUserSignedAuth are
turned off by default to allow site administrators to make conscious decision
on their own for these features.
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
|
Change-Id: I275118d31b966494411888beb37032bb022c29ce
(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
---
base/ca/shared/conf/CS.cfg | 2 +-
base/ca/shared/conf/registry.cfg | 9 +-
.../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +-
.../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +-
.../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +-
.../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +-
.../certsrv/authentication/IAuthToken.java | 7 +-
.../com/netscape/cms/authentication/CMCAuth.java | 5 +-
.../cms/authentication/CMCUserSignedAuth.java | 16 ++-
.../netscape/cms/authentication/SharedSecret.java | 4 +-
.../netscape/cms/profile/common/EnrollProfile.java | 18 +++
.../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++
.../profile/def/AuthTokenSubjectNameDefault.java | 2 +-
.../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++-
base/server/cmsbundle/src/UserMessages.properties | 3 +-
15 files changed, 216 insertions(+), 28 deletions(-)
create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
|
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
index 1d65835..fcd85a2 100644
|
|
|
c6db9b |
--- a/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
|
|
|
c6db9b |
log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
|
|
|
c6db9b |
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
|
|
|
c6db9b |
index 54e4d95..4fe6e93 100644
|
|
|
c6db9b |
--- a/base/ca/shared/conf/registry.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/conf/registry.cfg
|
|
|
c6db9b |
@@ -1,5 +1,5 @@
|
|
|
c6db9b |
types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
|
|
|
c6db9b |
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
|
|
|
c6db9b |
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
|
|
|
c6db9b |
constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
|
|
|
c6db9b |
constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
|
|
|
c6db9b |
constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
|
|
|
c6db9b |
@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
|
|
|
c6db9b |
constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
|
|
|
c6db9b |
constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
|
|
|
c6db9b |
constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
|
|
|
c6db9b |
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
|
|
|
c6db9b |
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
|
|
|
c6db9b |
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
|
|
|
c6db9b |
constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
|
|
|
c6db9b |
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
|
|
|
c6db9b |
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
|
|
|
c6db9b |
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
|
|
|
c6db9b |
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
|
|
|
c6db9b |
constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
|
|
|
c6db9b |
constraintPolicy.validityConstraintImpl.desc=Validity Constraint
|
|
|
c6db9b |
constraintPolicy.validityConstraintImpl.name=Validity Constraint
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
index 144c05c..48e6499 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
@@ -1,5 +1,5 @@
|
|
|
c6db9b |
desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
|
|
|
c6db9b |
-enable=true
|
|
|
c6db9b |
+enable=false
|
|
|
c6db9b |
enableBy=admin
|
|
|
c6db9b |
name=Self-Signed CMC User Certificate Enrollment
|
|
|
c6db9b |
visible=false
|
|
|
c6db9b |
@@ -10,10 +10,8 @@ output.list=o1
|
|
|
c6db9b |
output.o1.class_id=certOutputImpl
|
|
|
c6db9b |
policyset.list=cmcUserCertSet
|
|
|
c6db9b |
policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.params.accept=true
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
|
|
|
c6db9b |
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
|
|
|
c6db9b |
+policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.name=Subject Name Default
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.params.name=
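Review bot: The added `policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint` labels a constraint whose `class_id` is `cmcSelfSignedSubjectNameConstraintImpl`, in a profile described as self-signed. The sibling RSA profile caFullCMCSelfSignedCert.cfg in this same patch names the identical constraint `CMC Self-Signed Subject Name Constraint`, so this looks like a copy-paste slip rather than a deliberate difference. Suggested line: `policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint`. The name is display-only as far as this hunk shows, so the effect is on the administrator's understanding of what the profile enforces rather than on enforcement itself.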
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
index d2286de..e7b60ee 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
@@ -1,5 +1,5 @@
|
|
|
c6db9b |
desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
|
|
|
c6db9b |
-enable=true
|
|
|
c6db9b |
+enable=false
|
|
|
c6db9b |
enableBy=admin
|
|
|
c6db9b |
name=User-Signed CMC-Authenticated User Certificate Enrollment
|
|
|
c6db9b |
visible=false
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
index bdcdc24..538b16a 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
|
|
|
c6db9b |
@@ -1,5 +1,5 @@
|
|
|
c6db9b |
desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
|
|
|
c6db9b |
-enable=true
|
|
|
c6db9b |
+enable=false
|
|
|
c6db9b |
enableBy=admin
|
|
|
c6db9b |
name=Self-Signed CMC User Certificate Enrollment
|
|
|
c6db9b |
visible=false
|
|
|
c6db9b |
@@ -10,10 +10,8 @@ output.list=o1
|
|
|
c6db9b |
output.o1.class_id=certOutputImpl
|
|
|
c6db9b |
policyset.list=cmcUserCertSet
|
|
|
c6db9b |
policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
|
|
|
c6db9b |
-policyset.cmcUserCertSet.1.constraint.params.accept=true
|
|
|
c6db9b |
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
|
|
|
c6db9b |
+policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.name=Subject Name Default
|
|
|
c6db9b |
policyset.cmcUserCertSet.1.default.params.name=
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
index 9b5d3e9..b0ff8af 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
|
|
|
c6db9b |
@@ -1,5 +1,5 @@
|
|
|
c6db9b |
desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
|
|
|
c6db9b |
-enable=true
|
|
|
c6db9b |
+enable=false
|
|
|
c6db9b |
enableBy=admin
|
|
|
c6db9b |
name=User-Signed CMC-Authenticated User Certificate Enrollment
|
|
|
c6db9b |
visible=false
|
|
|
c6db9b |
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
|
|
|
c6db9b |
index 59c6af2..d5d03b4 100644
|
|
|
c6db9b |
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
|
|
|
c6db9b |
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
|
|
|
c6db9b |
@@ -44,9 +44,14 @@ public interface IAuthToken {
|
|
|
c6db9b |
public static final String GROUP = "group";
|
|
|
c6db9b |
public static final String GROUPS = "groups";
|
|
|
c6db9b |
|
|
|
c6db9b |
- /* Subject name of the certificate in the authenticating entry */
|
|
|
c6db9b |
+ /* Subject name of the certificate request in the authenticating entry */
|
|
|
c6db9b |
public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
|
|
|
c6db9b |
|
|
|
c6db9b |
+ /* Subject name of the authenticated cert */
|
|
|
c6db9b |
+ public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
|
|
|
c6db9b |
+ /* Subject DN of the Shared Token authenticated entry */
|
|
|
c6db9b |
+ public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
|
|
|
c6db9b |
+
|
|
|
c6db9b |
/* NotBefore value of the certificate in the authenticating entry */
|
|
|
c6db9b |
public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
|
|
|
c6db9b |
|
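Review bot: The reworded comment on `TOKEN_CERT_SUBJECT` ("Subject name of the certificate request") no longer covers every producer in this patch: the SharedSecret hunk stores the LDAP user DN under that key (`authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn)`), and EnrollProfile then copies it into the two new keys. Since these constants are the contract between authenticators and profile plugins, Javadoc stating who writes each one would help the next reader, e.g. `/** Subject DN of the certificate request, or the LDAP entry DN when set by SharedSecret. */` for `TOKEN_CERT_SUBJECT` and `/** Subject DN of the certificate that signed/authenticated the request (set by CMCAuth and CMCUserSignedAuth, or copied from TOKEN_CERT_SUBJECT by EnrollProfile on the shared-token path). */` for `TOKEN_AUTHENTICATED_CERT_SUBJECT`. The new constants use `/* */` rather than `/** */`, so they will not appear in generated API documentation.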
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
|
|
|
c6db9b |
index 86ffa2f..9b6a819 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
|
|
|
c6db9b |
@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
|
|
|
c6db9b |
IAuthToken tempToken = agentAuth.authenticate(agentCred);
|
|
|
c6db9b |
netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
|
|
|
c6db9b |
- String ID = tempPrincipal.toString();
|
|
|
c6db9b |
+ String ID = tempPrincipal.getName();
|
|
|
c6db9b |
CMS.debug(method + " Principal name = " + ID);
|
|
|
c6db9b |
+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
|
|
|
c6db9b |
|
|
|
c6db9b |
BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
|
|
|
c6db9b |
authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
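Review bot: After the added `authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID)`, the authenticated subject recorded for an agent-signed CMC request is the DN of the signing agent's certificate (`x509Certs[0].getSubjectDN()`), and the `populate()` hunk below now copies that value into `AUTHENTICATED_NAME` in place of `TOKEN_CERT_SUBJECT`. A profile that pairs CMCAuth with AuthTokenSubjectNameDefault would then issue a certificate whose subject is the agent's DN rather than the requested subject; whether any shipped profile does so is not visible in this patch. If that is intended, a comment such as `// ID is the CMC signer's (agent) subject DN; AuthTokenSubjectNameDefault issues to this name` at the set would make the contract explicit. The enclosing method starts outside the hunk.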
|
|
|
c6db9b |
@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
public void populate(IAuthToken token, IRequest request)
|
|
|
c6db9b |
throws EProfileException {
|
|
|
c6db9b |
request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
|
|
|
c6db9b |
- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
|
|
|
c6db9b |
+ token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
|
|
|
c6db9b |
}
|
|
|
c6db9b |
|
|
|
c6db9b |
public boolean isSSLClientRequired() {
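Review bot: `populate()` here passes `token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT)` straight into `setExtData`, while the same method in CMCUserSignedAuth (this patch) first checks the value for null. Either the two authenticators should agree on the guard, or this one should document why the key is guaranteed present on every CMCAuth path. Minimal alignment: `String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);` followed by `if (authenticatedDN != null) { request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, authenticatedDN); }`. What `setExtData` does with a null value is not visible here, so I have hedged rather than called it a crash.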
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
index d5f6c34..a9a7ade 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
if (requestCertSubject.equals("")) {
|
|
|
c6db9b |
requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
|
|
|
c6db9b |
}
|
|
|
c6db9b |
-
|
|
|
c6db9b |
authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
|
|
|
c6db9b |
auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
|
|
|
c6db9b |
//authToken.set("uid", uid);
|
|
|
c6db9b |
@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
|
|
|
c6db9b |
IAuthToken tempToken = new AuthToken(null);
|
|
|
c6db9b |
netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
|
|
|
c6db9b |
- String ID = tempPrincipal.toString(); //tempToken.get("userid");
|
|
|
c6db9b |
+ String ID = tempPrincipal.getName(); //tempToken.get("userid");
|
|
|
c6db9b |
CMS.debug(method + " Principal name = " + ID);
|
|
|
c6db9b |
+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
|
|
|
c6db9b |
|
|
|
c6db9b |
BigInteger certSerial = x509Certs[0].getSerialNumber();
|
|
|
c6db9b |
CMS.debug(method + " verified cert serial=" + certSerial.toString());
|
|
|
c6db9b |
@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
|
|
|
c6db9b |
public void populate(IAuthToken token, IRequest request)
|
|
|
c6db9b |
throws EProfileException {
|
|
|
c6db9b |
- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
|
|
|
c6db9b |
- token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
|
|
|
c6db9b |
+ String method = "CMCUserSignedAuth: populate: ";
|
|
|
c6db9b |
+ String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+ if (authenticatedDN != null) {
|
|
|
c6db9b |
+ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
|
|
|
c6db9b |
+ authenticatedDN);
|
|
|
c6db9b |
+ CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
|
|
|
c6db9b |
+ authenticatedDN);
|
|
|
c6db9b |
+ } else {
|
|
|
c6db9b |
+ CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
}
|
|
|
c6db9b |
|
|
|
c6db9b |
public boolean isSSLClientRequired() {
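Review bot: In the new `else` branch `AUTHENTICATED_NAME` is left unset and the only trace is a debug line ending in "self-signed?", which reads as an open question rather than a documented contract. AuthTokenSubjectNameDefault (hunk further down) builds `new X500Name(request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME))`, so on this path the default relies on some other producer; the shared-token block in EnrollProfile sets `TOKEN_AUTHENTICATED_CERT_SUBJECT`, but whether it runs before `populate()` is not visible here. I would replace the question with a statement of the expected producer, e.g. `// null when the request was not signed by a user cert; the shared-token path in EnrollProfile supplies the subject instead`, and align the two debug strings, which name the constant as `IAuthToken.` in one branch and `AuthToken.` in the other. The `method` prefix also lacks the class-wide ": " convention check only if other methods in this file differ; that is not visible in the hunk.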
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
c6db9b |
index 5ebc213..2d8679c 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
|
|
|
c6db9b |
@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
|
|
|
c6db9b |
import org.mozilla.jss.pkix.cmc.PKIData;
|
|
|
c6db9b |
|
|
|
c6db9b |
import com.netscape.certsrv.apps.CMS;
|
|
|
c6db9b |
-import com.netscape.certsrv.authentication.AuthToken;
|
|
|
c6db9b |
import com.netscape.certsrv.authentication.EInvalidCredentials;
|
|
|
c6db9b |
import com.netscape.certsrv.authentication.IAuthCredentials;
|
|
|
c6db9b |
+import com.netscape.certsrv.authentication.AuthToken;
|
|
|
c6db9b |
import com.netscape.certsrv.authentication.IAuthToken;
|
|
|
c6db9b |
import com.netscape.certsrv.authentication.ISharedToken;
|
|
|
c6db9b |
import com.netscape.certsrv.base.EBaseException;
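Review bot: The moved `import com.netscape.certsrv.authentication.AuthToken;` now sits after `IAuthCredentials`, breaking the alphabetical order the rest of this import group keeps. The second hunk in this file switches the only usage shown to `IAuthToken.TOKEN_CERT_SUBJECT`; if that was the last reference to `AuthToken`, the import should be deleted rather than relocated, otherwise it should go back to its original position. Whether other references remain is not visible in this patch.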
|
|
|
c6db9b |
@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
|
|
|
c6db9b |
}
|
|
|
c6db9b |
|
|
|
c6db9b |
CMS.debug(method + "found user ldap entry: userdn = " + userdn);
|
|
|
c6db9b |
- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
|
|
|
c6db9b |
+ authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
|
|
|
c6db9b |
|
|
|
c6db9b |
res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
|
|
|
c6db9b |
"(objectclass=*)", new String[] { mShrTokAttr }, false);
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
c6db9b |
index 929e629..f9903c6 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
c6db9b |
@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
c6db9b |
|
|
|
c6db9b |
// catch for invalid request
|
|
|
c6db9b |
cmc_msgs = parseCMC(locale, cert_request, donePOI);
|
|
|
c6db9b |
+ SessionContext sessionContext = SessionContext.getContext();
|
|
|
c6db9b |
+ String authenticatedSubject =
|
|
|
c6db9b |
+ (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ if (authenticatedSubject != null) {
|
|
|
c6db9b |
+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
if (cmc_msgs == null) {
|
|
|
c6db9b |
CMS.debug(method + "parseCMC returns cmc_msgs null");
|
|
|
c6db9b |
return null;
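Review bot: The value read from `SessionContext.getContext()` under `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT` is copied into `ctx` without saying where it comes from; the producer is the shared-token proof-of-identification block later in this same file (`sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ...)`). A one-line comment such as `// set by the shared-token (SharedSecret) proof-of-identification path in this class; absent for user-signed requests` would stop a reader from assuming the servlet layer supplies it. The `(String)` cast is unchecked; if the session map can hold non-String values for this key, that cast is where a `ClassCastException` would surface. The enclosing method starts outside the hunk.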
|
|
|
c6db9b |
@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
c6db9b |
auditSubjectID = ident_string;
|
|
|
c6db9b |
sessionContext.put(SessionContext.USER_ID, auditSubjectID);
|
|
|
c6db9b |
|
|
|
c6db9b |
+ // subjectdn from SharedSecret ldap auth
|
|
|
c6db9b |
+ // set in context and authToken to be used by profile
|
|
|
c6db9b |
+ // default and constraints plugins
|
|
|
c6db9b |
+ authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
|
|
|
c6db9b |
+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
|
|
|
c6db9b |
+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT,
|
|
|
c6db9b |
+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
|
|
|
c6db9b |
+ sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
|
|
|
c6db9b |
+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
|
|
|
c6db9b |
+
|
|
|
c6db9b |
auditMessage = CMS.getLogMessage(
|
|
|
c6db9b |
AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
|
|
|
c6db9b |
auditSubjectID,
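Review bot: The three added `set`/`put` calls each re-read `authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)`, so one value is fetched three times and, if it were ever null on this path, a null would be written to both the token and the session context; the comment above says the subject comes from SharedSecret LDAP auth, which in this patch stores `userdn` under that key, but nothing here guards the read. Reading once into a local makes the intent (one DN fanned out to three consumers) visible and gives a single place to check for null. The enclosing method starts outside the hunk.
```java
// subjectdn from SharedSecret ldap auth; fanned out to the token and the
// session context for the profile default and constraint plugins
String sharedTokenSubject = authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT);
authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, sharedTokenSubject);
// … unchanged: audit message construction …
```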
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
|
|
|
c6db9b |
new file mode 100644
|
|
|
c6db9b |
index 0000000..d4554ca
|
|
|
c6db9b |
--- /dev/null
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
|
|
|
c6db9b |
@@ -0,0 +1,129 @@
|
|
|
c6db9b |
+// --- BEGIN COPYRIGHT BLOCK ---
|
|
|
c6db9b |
+// This program is free software; you can redistribute it and/or modify
|
|
|
c6db9b |
+// it under the terms of the GNU General Public License as published by
|
|
|
c6db9b |
+// the Free Software Foundation; version 2 of the License.
|
|
|
c6db9b |
+//
|
|
|
c6db9b |
+// This program is distributed in the hope that it will be useful,
|
|
|
c6db9b |
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
c6db9b |
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
c6db9b |
+// GNU General Public License for more details.
|
|
|
c6db9b |
+//
|
|
|
c6db9b |
+// You should have received a copy of the GNU General Public License along
|
|
|
c6db9b |
+// with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
c6db9b |
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
c6db9b |
+//
|
|
|
c6db9b |
+// (C) 2013 Red Hat, Inc.
|
|
|
c6db9b |
+// All rights reserved.
|
|
|
c6db9b |
+// --- END COPYRIGHT BLOCK ---
|
|
|
c6db9b |
+package com.netscape.cms.profile.constraint;
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+import java.util.Locale;
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+import com.netscape.certsrv.apps.CMS;
|
|
|
c6db9b |
+import com.netscape.certsrv.authentication.IAuthToken;
|
|
|
c6db9b |
+import com.netscape.certsrv.authentication.IAuthManager;
|
|
|
c6db9b |
+import com.netscape.certsrv.base.IConfigStore;
|
|
|
c6db9b |
+import com.netscape.certsrv.profile.EProfileException;
|
|
|
c6db9b |
+import com.netscape.certsrv.profile.ERejectException;
|
|
|
c6db9b |
+import com.netscape.certsrv.profile.IPolicyDefault;
|
|
|
c6db9b |
+import com.netscape.certsrv.profile.IProfile;
|
|
|
c6db9b |
+import com.netscape.certsrv.property.IDescriptor;
|
|
|
c6db9b |
+import com.netscape.certsrv.request.IRequest;
|
|
|
c6db9b |
+import com.netscape.cms.profile.common.EnrollProfile;
|
|
|
c6db9b |
+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+import netscape.security.x509.CertificateSubjectName;
|
|
|
c6db9b |
+import netscape.security.x509.X500Name;
|
|
|
c6db9b |
+import netscape.security.x509.X509CertInfo;
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+/**
|
|
|
c6db9b |
+ * This class implements the user subject name constraint for self-signed cmc requests.
|
|
|
c6db9b |
+ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
|
|
|
c6db9b |
+ *
|
|
|
c6db9b |
+ * @author cfu
|
|
|
c6db9b |
+ * @version $Revision$, $Date$
|
|
|
c6db9b |
+ */
|
|
|
c6db9b |
+public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public CMCSelfSignedSubjectNameConstraint() {
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public void init(IProfile profile, IConfigStore config)
|
|
|
c6db9b |
+ throws EProfileException {
|
|
|
c6db9b |
+ super.init(profile, config);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
|
|
|
c6db9b |
+ return null;
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public String getDefaultConfig(String name) {
|
|
|
c6db9b |
+ return null;
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ /**
|
|
|
c6db9b |
+ * Validates the request. The request is not modified
|
|
|
c6db9b |
+ * during the validation. User encoded subject name
|
|
|
c6db9b |
+ * is copied into the certificate template.
|
|
|
c6db9b |
+ */
|
|
|
c6db9b |
+ public void validate(IRequest request, X509CertInfo info)
|
|
|
c6db9b |
+ throws ERejectException {
|
|
|
c6db9b |
+ String method = "CMCSelfSignedSubjectNameConstraint: ";
|
|
|
c6db9b |
+ String msg = "";
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ CertificateSubjectName infoCertSN = null;
|
|
|
c6db9b |
+ String authTokenSharedTokenSN = null;
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ try {
|
|
|
c6db9b |
+ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
|
|
|
c6db9b |
+ if (infoCertSN == null) {
|
|
|
c6db9b |
+ msg = method + "infoCertSN null";
|
|
|
c6db9b |
+ CMS.debug(msg);
|
|
|
c6db9b |
+ throw new Exception(msg);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ CMS.debug(method + "validate user subject ="+
|
|
|
c6db9b |
+ infoCertSN.toString());
|
|
|
c6db9b |
+ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
|
|
|
c6db9b |
+ if (infoCertName == null) {
|
|
|
c6db9b |
+ msg = method + "infoCertName null";
|
|
|
c6db9b |
+ CMS.debug(msg);
|
|
|
c6db9b |
+ throw new Exception(msg);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+ if (authTokenSharedTokenSN == null) {
|
|
|
c6db9b |
+ msg = method + "authTokenSharedTokenSN null";
|
|
|
c6db9b |
+ CMS.debug(msg);
|
|
|
c6db9b |
+ throw new Exception(msg);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
|
|
|
c6db9b |
+ CMS.debug(method + "names matched");
|
|
|
c6db9b |
+ } else {
|
|
|
c6db9b |
+ msg = method + "names do not match; authTokenSharedTokenSN =" +
|
|
|
c6db9b |
+ authTokenSharedTokenSN;
|
|
|
c6db9b |
+ CMS.debug(msg);
|
|
|
c6db9b |
+ throw new Exception(msg);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ } catch (Exception e) {
|
|
|
c6db9b |
+ throw new ERejectException(
|
|
|
c6db9b |
+ CMS.getUserMessage(getLocale(request),
|
|
|
c6db9b |
+ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public String getText(Locale locale) {
|
|
|
c6db9b |
+ return CMS.getUserMessage(locale,
|
|
|
c6db9b |
+ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ public boolean isApplicable(IPolicyDefault def) {
|
|
|
c6db9b |
+ String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
|
|
|
c6db9b |
+ if (def instanceof AuthTokenSubjectNameDefault) {
|
|
|
c6db9b |
+ CMS.debug(method + "true");
|
|
|
c6db9b |
+ return true;
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ CMS.debug(method + "false");
|
|
|
c6db9b |
+ return false;
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+}
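Review bot: The subject match in `validate()` compares two DN string renderings with `equalsIgnoreCase`, so the result depends on both sides being serialised identically (attribute order, escaping, whitespace) rather than on DN equality; `new X500Name(...)` is already how AuthTokenSubjectNameDefault turns this value into a name, so `if (infoCertName.equals(new X500Name(authTokenSharedTokenSN)))` would compare parsed names instead. The `validate()` Javadoc says the user-encoded subject name is copied into the certificate template, but the method only reads `info` and compares, never writes; it should state that the request is rejected unless the template subject equals `TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT`. The catch block appends `e` to the localized message, which puts the exception class name into the user-visible rejection reason; `+ ": " + e.getMessage()` keeps the reason without it, and raising `ERejectException` directly from each failing branch would remove the `throw new Exception` / catch-all round trip. The class Javadoc has a typo (`rsulting`), the overridden methods lack `@Override`, and the no-op constructor and the `init` override that only calls `super.init` add nothing.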
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
|
|
|
c6db9b |
index e789625..85bf241 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
|
|
|
c6db9b |
@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault {
|
|
|
c6db9b |
X500Name name = new X500Name(
|
|
|
c6db9b |
request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
|
|
|
c6db9b |
|
|
|
c6db9b |
- CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
|
|
|
c6db9b |
+ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName());
|
|
|
c6db9b |
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
|
|
|
c6db9b |
} catch (Exception e) {
|
|
|
c6db9b |
// failed to insert subject name
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
c6db9b |
index 12fd294..03e94a8 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
c6db9b |
@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
c6db9b |
CMS.debug("ProfileSubmitCMCServlet: null it out");
|
|
|
c6db9b |
ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
|
|
|
c6db9b |
}
|
|
|
c6db9b |
+
|
|
|
c6db9b |
String signingCertSerialS = null;
|
|
|
c6db9b |
if (authToken != null) {
|
|
|
c6db9b |
signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
|
|
|
c6db9b |
@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
c6db9b |
ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
|
|
|
c6db9b |
}
|
|
|
c6db9b |
|
|
|
c6db9b |
+ String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+ if (tmpSharedTokenAuthenticatedCertSubject != null) {
|
|
|
c6db9b |
+ // unlikely to happen, but do this just in case
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: null it out");
|
|
|
c6db9b |
+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
String errorCode = null;
|
|
|
c6db9b |
String errorReason = null;
|
|
|
c6db9b |
String auditRequesterID = ILogger.UNIDENTIFIED;
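Review bot: The "null it out" step writes the empty string, `ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "")`, and the later hunk in this file reads the same key back and tests it with `!= null`, so a stale value that was cleared here is still treated as present unless authentication overwrote it in between; if the servlet context supports removal, removing the key is clearer, otherwise the later test should also check `isEmpty()`. That later hunk runs past the end of the page, so I cannot confirm what follows the check. Also, this read is `ctx.get(...)` assigned to a `String` without a cast while the later hunk writes `(String) ctx.get(...)` for the same key; one of the two forms is redundant. The enclosing method starts outside the hunk.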
|
|
|
c6db9b |
@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
c6db9b |
|
|
|
c6db9b |
tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
|
|
|
c6db9b |
if (tmpCertSerialS != null) {
|
|
|
c6db9b |
- // unlikely to happenm, but do this just in case
|
|
|
c6db9b |
+ // unlikely to happen, but do this just in case
|
|
|
c6db9b |
CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
|
|
|
c6db9b |
CMS.debug("ProfileSubmitCMCServlet: null it out");
|
|
|
c6db9b |
reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
|
|
|
c6db9b |
}
|
|
|
c6db9b |
// put CMCUserSignedAuth authToken in request
|
|
|
c6db9b |
if (signingCertSerialS != null) {
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
|
|
|
c6db9b |
+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+
|
|
|
c6db9b |
+ tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+ if (tmpSharedTokenAuthenticatedCertSubject != null) {
|
|
|
c6db9b |
+ // unlikely to happen, but do this just in case
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: null it out");
|
|
|
c6db9b |
+ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ // put Shared Token authToken in request
|
|
|
c6db9b |
+ String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
|
|
|
c6db9b |
+ if (st_sbj != null) {
|
|
|
c6db9b |
+ CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth");
|
|
|
c6db9b |
+ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj);
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
+ if (tmpSharedTokenAuthenticatedCertSubject != null) {
|
|
|
c6db9b |
CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
|
|
|
c6db9b |
reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
|
|
|
c6db9b |
}
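Review bot: The trailing conditional `if (tmpSharedTokenAuthenticatedCertSubject != null)` that now wraps the two retained lines setting `CRED_CMC_SIGNING_CERT` looks like a leftover of the original `if (signingCertSerialS != null)` block: it writes `signingCertSerialS` into the request a second time, keyed on the presence of a stale shared-token subject rather than on the serial itself, and `signingCertSerialS` may be null at that point. Since the same write already happens under the correct guard earlier in this hunk, the trailing block should be removed. `tmpSharedTokenAuthenticatedCertSubject` is reused here without a declaration in this hunk, so it relies on the method-scope declaration added in the earlier hunk of this file. The enclosing loop and method start and end outside the hunk.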
|
|
|
c6db9b |
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
c6db9b |
index 208632d..e5e6ecc 100644
|
|
|
c6db9b |
--- a/base/server/cmsbundle/src/UserMessages.properties
|
|
|
c6db9b |
+++ b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
c6db9b |
@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
|
|
|
c6db9b |
-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
|
|
|
c6db9b |
+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only
|
|
|
c6db9b |
+CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
|
|
|
c6db9b |
CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
|
|
|
c6db9b |
--
|
|
|
c6db9b |
1.8.3.1
|
|
|
c6db9b |
|
|
|
c6db9b |
|
|
|
abd338 |
From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001
|
|
|
c6db9b |
From: Christina Fu <cfu@redhat.com>
|
|
|
c6db9b |
Date: Wed, 1 Aug 2018 13:35:53 -0700
|
|
|
abd338 |
Subject: [PATCH 2/5] Bug 1593805 Better understanding of
|
|
|
c6db9b |
NSS_USE_DECODED_CKA_EC_POINT for ECC
|
|
|
c6db9b |
|
|
|
c6db9b |
This patch removes the outdated reference to EC environment variable
|
|
|
c6db9b |
NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
|
|
|
c6db9b |
|
|
|
c6db9b |
More information in the usage text is updated as well for correctness and clarity.
|
|
|
c6db9b |
|
|
|
c6db9b |
Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
|
|
|
c6db9b |
(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
|
|
|
c6db9b |
---
|
|
|
c6db9b |
.../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++----------
|
|
|
c6db9b |
1 file changed, 18 insertions(+), 14 deletions(-)
|
|
|
c6db9b |
|
|
|
c6db9b |
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
c6db9b |
index fcaf210..28934ab 100644
|
|
|
c6db9b |
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
c6db9b |
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
|
|
|
c6db9b |
@@ -251,43 +251,47 @@ public class HttpClient {
|
|
|
c6db9b |
System.out.println("The configuration file should look like as follows:");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#host: host name for the http server");
|
|
|
c6db9b |
- System.out.println("host=host1.a.com");
|
|
|
c6db9b |
+ System.out.println("host=host.example.com");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#port: port number");
|
|
|
c6db9b |
- System.out.println("port=1025");
|
|
|
c6db9b |
+ System.out.println("port=8443");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#secure: true for secure connection, false for nonsecure connection");
|
|
|
c6db9b |
- System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
|
|
|
c6db9b |
System.out.println("secure=false");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#input: full path for the enrollment request, the content must be in binary format");
|
|
|
c6db9b |
- System.out.println("input=/u/doc/cmcReqCRMFBin");
|
|
|
c6db9b |
+ System.out.println("input=~/cmcReqCRMFBin");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#output: full path for the response in binary format");
|
|
|
c6db9b |
- System.out.println("output=/u/doc/cmcResp");
|
|
|
c6db9b |
+ System.out.println("#output could be parsed by running CMCResponse");
|
|
|
c6db9b |
+ System.out.println("output=~/cmcResp");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
- System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
|
|
|
c6db9b |
+ System.out.println("#dbdir: directory for NSS certificate/key databases");
|
|
|
c6db9b |
System.out.println("#This parameter will be ignored if secure=false");
|
|
|
c6db9b |
- System.out.println("tokenname=hsmname");
|
|
|
c6db9b |
+ System.out.println("dbdir=/.dogtag/nssdb");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
- System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
|
|
|
c6db9b |
+ System.out.println("#password: password for NSS database");
|
|
|
c6db9b |
+ System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
|
|
|
c6db9b |
+ System.out.println("password=");
|
|
|
c6db9b |
+ System.out.println("");
|
|
|
c6db9b |
+ System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
|
|
|
c6db9b |
System.out.println("#This parameter will be ignored if secure=false");
|
|
|
c6db9b |
- System.out.println("dbdir=/u/smith/.netscape");
|
|
|
c6db9b |
+ System.out.println("tokenname=internal");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#clientmode: true for client authentication, false for no client authentication");
|
|
|
c6db9b |
System.out.println("#This parameter will be ignored if secure=false");
|
|
|
c6db9b |
System.out.println("clientmode=false");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
- System.out.println("#password: password for cert8.db");
|
|
|
c6db9b |
- System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
|
|
|
c6db9b |
- System.out.println("password=");
|
|
|
c6db9b |
- System.out.println("");
|
|
|
c6db9b |
System.out.println("#nickname: nickname for client certificate");
|
|
|
c6db9b |
System.out.println("#This parameter will be ignored if clientmode=false");
|
|
|
c6db9b |
System.out.println("nickname=");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.out.println("#servlet: target URL");
|
|
|
c6db9b |
- System.out.println("#This parameter may include query parameters");
|
|
|
c6db9b |
+ System.out.println("#This parameter may include query parameters;");
|
|
|
c6db9b |
+ System.out.println("# - reminder: profileId should be a profile that matches");
|
|
|
c6db9b |
+ System.out.println("# the intended certificate; for certificates intended");
|
|
|
c6db9b |
+ System.out.println("# for SSL (client or server), profiles should match");
|
|
|
c6db9b |
+ System.out.println("# the key type (RSA or EC) of the keys generated for CSR;");
|
|
|
c6db9b |
System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
|
|
|
c6db9b |
System.out.println("");
|
|
|
c6db9b |
System.exit(0);
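Review bot: The new sample value `dbdir=/.dogtag/nssdb` is an absolute path under the filesystem root, while the other rewritten samples in this hunk (`input=~/cmcReqCRMFBin`, `output=~/cmcResp`) use the home-relative form; this reads like a dropped `~`, so `System.out.println("dbdir=~/.dogtag/nssdb");` is probably what was intended. The usage text now also documents a plaintext `password=` entry for the NSS database in the same file as the request paths; a one-line reminder such as `System.out.println("#keep this file readable only by the invoking user when password is set");` next to it would help readers. The enclosing method starts outside the hunk.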
|
|
|
c6db9b |
--
|
|
|
c6db9b |
1.8.3.1
|
|
|
c6db9b |
|
|
|
c6db9b |
|
|
|
abd338 |
From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001
|
|
|
c6db9b |
From: Christina Fu <cfu@redhat.com>
|
|
|
c6db9b |
Date: Thu, 2 Aug 2018 09:31:50 -0700
|
|
|
abd338 |
Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same
|
|
|
c6db9b |
reqIssuer & certissuer
|
|
|
c6db9b |
|
|
|
c6db9b |
This patch resolves the possible encoding mismatch between the actual CA cert
|
|
|
c6db9b |
and the X500Name gleaned from the CMC revocation request.
|
|
|
c6db9b |
|
|
|
c6db9b |
Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d
|
|
|
c6db9b |
(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248)
|
|
|
c6db9b |
---
|
|
|
c6db9b |
.../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++---
|
|
|
c6db9b |
1 file changed, 18 insertions(+), 3 deletions(-)
|
|
|
c6db9b |
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
index a9a7ade..97971dd 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
|
|
|
c6db9b |
@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException;
|
|
|
c6db9b |
import com.netscape.certsrv.base.IConfigStore;
|
|
|
c6db9b |
import com.netscape.certsrv.base.IExtendedPluginInfo;
|
|
|
c6db9b |
import com.netscape.certsrv.base.SessionContext;
|
|
|
c6db9b |
+import com.netscape.certsrv.ca.ICertificateAuthority;
|
|
|
c6db9b |
import com.netscape.certsrv.logging.ILogger;
|
|
|
c6db9b |
import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent;
|
|
|
c6db9b |
import com.netscape.certsrv.profile.EProfileException;
|
|
|
c6db9b |
@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
|
|
|
c6db9b |
// to CMCOutputTemplate so that we can
|
|
|
c6db9b |
// have a chance to capture user identification info
|
|
|
c6db9b |
if (issuerANY != null) {
|
|
|
c6db9b |
+ // get CA signing cert
|
|
|
c6db9b |
+ ICertificateAuthority ca = null;
|
|
|
c6db9b |
+ ca = (ICertificateAuthority) CMS.getSubsystem("ca");
|
|
|
c6db9b |
+ X500Name caName = ca.getX500Name();
|
|
|
c6db9b |
+
|
|
|
c6db9b |
try {
|
|
|
c6db9b |
byte[] issuerBytes = issuerANY.getEncoded();
|
|
|
c6db9b |
- X500Name issuerName = new X500Name(issuerBytes);
|
|
|
c6db9b |
- CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
|
|
|
c6db9b |
+ X500Name reqIssuerName = new X500Name(issuerBytes);
|
|
|
c6db9b |
+ String reqIssuerNameStr = reqIssuerName.getName();
|
|
|
c6db9b |
+ CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr);
|
|
|
c6db9b |
+ if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) {
|
|
|
c6db9b |
+ // making sure it's identical, even in encoding
|
|
|
c6db9b |
+ reqIssuerName = caName;
|
|
|
c6db9b |
+ } else {
|
|
|
c6db9b |
+ // not this CA; will be bumped off later;
|
|
|
c6db9b |
+ // make a note in debug anyway
|
|
|
c6db9b |
+ CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;");
|
|
|
c6db9b |
+ }
|
|
|
c6db9b |
// capture issuer principal to be checked against
|
|
|
c6db9b |
// cert issuer principal later in CMCOutputTemplate
|
|
|
c6db9b |
- auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
|
|
|
c6db9b |
+ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName);
|
|
|
c6db9b |
} catch (Exception e) {
|
|
|
c6db9b |
CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
|
|
|
c6db9b |
}
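Review bot: `ca.getX500Name()` is called before the `try` and outside the `catch (Exception e)` that covers the rest of the issuer handling, so a null return from `CMS.getSubsystem("ca")` would surface as an uncaught NullPointerException instead of the existing debug-and-continue path; moving the two new lines inside the `try` keeps the failure mode consistent. The declaration `ICertificateAuthority ca = null;` followed immediately by its assignment can be collapsed into `ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem("ca");`. The branch `reqIssuerName = caName;` substitutes the CA's own X500Name object on a case-insensitive string match, which is consistent with X.500 matching rules, but its purpose deserves a comment such as `// same DN as this CA: reuse the CA's own object so the later CMC_ISSUER_PRINCIPAL comparison is not sensitive to encoding differences`. The enclosing method starts and ends outside the hunk.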
|
|
|
c6db9b |
--
|
|
|
c6db9b |
1.8.3.1
|
|
|
c6db9b |
|
|
|
c6db9b |
|
|
|
abd338 |
From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001
|
|
|
c6db9b |
From: Christina Fu <cfu@redhat.com>
|
|
|
c6db9b |
Date: Wed, 8 Aug 2018 18:41:52 -0700
|
|
|
abd338 |
Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events
|
|
|
c6db9b |
|
|
|
c6db9b |
This patch enables the audit events concerning role actions (mostly config)
|
|
|
c6db9b |
by default.
|
|
|
c6db9b |
|
|
|
c6db9b |
Two additional minor issues are also addressed:
|
|
|
c6db9b |
1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
|
|
|
c6db9b |
(bugzilla #1610718)
|
|
|
c6db9b |
2. removing unrecommended signing algorithms
|
|
|
c6db9b |
|
|
|
c6db9b |
fixes: https://pagure.io/dogtagpki/issue/3041
|
|
|
c6db9b |
Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
|
|
|
c6db9b |
(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099)
|
|
|
c6db9b |
---
|
|
|
c6db9b |
base/ca/shared/conf/CS.cfg | 2 +-
|
|
|
c6db9b |
base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +-
|
|
|
c6db9b |
base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +-
|
|
|
c6db9b |
base/kra/shared/conf/CS.cfg | 2 +-
|
|
|
c6db9b |
base/ocsp/shared/conf/CS.cfg | 2 +-
|
|
|
c6db9b |
.../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +-
|
|
|
c6db9b |
.../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +-
|
|
|
c6db9b |
base/server/cmsbundle/src/LogMessages.properties | 2 +-
|
|
|
c6db9b |
base/tks/shared/conf/CS.cfg | 2 +-
|
|
|
c6db9b |
base/tps/shared/conf/CS.cfg | 2 +-
|
|
|
c6db9b |
base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++----
|
|
|
c6db9b |
11 files changed, 14 insertions(+), 14 deletions(-)
|
|
|
c6db9b |
|
|
|
c6db9b |
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
index fcd85a2..6158d5a 100644
|
|
|
c6db9b |
--- a/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
|
|
|
c6db9b |
log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
|
|
|
c6db9b |
index f12c7ed..0b7f6b7 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
|
|
|
c6db9b |
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
|
|
|
c6db9b |
policyset.userCertSet.2.default.params.startTime=0
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.name=Key Constraint
|
|
|
c6db9b |
-policyset.userCertSet.3.constraint.params.keyType=EC
|
|
|
c6db9b |
+policyset.userCertSet.3.constraint.params.keyType=RSA
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
|
|
c6db9b |
policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
c6db9b |
policyset.userCertSet.3.default.name=Key Default
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
|
|
|
c6db9b |
index 0663b40..b65999e 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
|
|
|
c6db9b |
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
|
|
|
c6db9b |
policyset.userCertSet.2.default.params.startTime=0
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.name=Key Constraint
|
|
|
c6db9b |
-policyset.userCertSet.3.constraint.params.keyType=-
|
|
|
c6db9b |
+policyset.userCertSet.3.constraint.params.keyType=EC
|
|
|
c6db9b |
policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
|
|
|
c6db9b |
policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
c6db9b |
policyset.userCertSet.3.default.name=Key Default
|
|
|
c6db9b |
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
|
|
|
c6db9b |
index f314234..878e5f8 100644
|
|
|
c6db9b |
--- a/base/kra/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/kra/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
|
|
|
c6db9b |
log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
|
|
|
c6db9b |
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
|
|
|
c6db9b |
index dc993b0..b412e5e 100644
|
|
|
c6db9b |
--- a/base/ocsp/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/ocsp/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
|
|
|
c6db9b |
log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.expirationTime=0
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
|
|
|
c6db9b |
index a1a83a4..2dcf9c1 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
|
|
|
c6db9b |
@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
|
|
|
c6db9b |
defConfig4
|
|
|
c6db9b |
.putString(
|
|
|
c6db9b |
"params.signingAlgsAllowed",
|
|
|
c6db9b |
- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
|
|
|
c6db9b |
+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
|
|
|
c6db9b |
|
|
|
c6db9b |
IProfilePolicy policy5 =
|
|
|
c6db9b |
createProfilePolicy("set1", "p5",
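Review bot: The rewritten `params.signingAlgsAllowed` list drops MD5withRSA and MD2withRSA but still permits `SHA1withRSA` and `SHA1withEC`, so the commit message's "removing unrecommended signing algorithms" is only partly realised; SHA-1 is likewise deprecated for certificate signing, and if it is kept deliberately for compatibility a comment next to the string saying so would spare the next reader the same question. The same list appears in UserCertCAEnrollProfile in the following hunk, and the RSA/EC/ALL arrays in AlgorithmId at the end of this patch keep SHA1 as well (moved to the end), so the three should be reconciled together. The enclosing method starts and ends outside the hunk.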
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
|
|
|
c6db9b |
index 710a461..9b1eacb 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
|
|
|
c6db9b |
@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile
|
|
|
c6db9b |
defConfig4
|
|
|
c6db9b |
.putString(
|
|
|
c6db9b |
"params.signingAlgsAllowed",
|
|
|
c6db9b |
- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
|
|
|
c6db9b |
+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
|
|
|
c6db9b |
|
|
|
c6db9b |
IProfilePolicy policy5 =
|
|
|
c6db9b |
createProfilePolicy("set1", "p5",
|
|
|
c6db9b |
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
|
|
|
c6db9b |
index 7963f6f..d534506 100644
|
|
|
c6db9b |
--- a/base/server/cmsbundle/src/LogMessages.properties
|
|
|
c6db9b |
+++ b/base/server/cmsbundle/src/LogMessages.properties
|
|
|
c6db9b |
@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
|
|
|
c6db9b |
# and to be approved by an agent
|
|
|
c6db9b |
# Op must be "approve" or "disapprove"
|
|
|
c6db9b |
#
|
|
|
c6db9b |
-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
|
|
|
c6db9b |
+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
|
|
|
c6db9b |
#
|
|
|
c6db9b |
# LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
|
|
|
c6db9b |
# - used for proof of possession during certificate enrollment processing
|
|
|
c6db9b |
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
|
|
|
c6db9b |
index d1da996..e9bf03e 100644
|
|
|
c6db9b |
--- a/base/tks/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/tks/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
|
|
|
c6db9b |
log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.expirationTime=0
|
|
|
c6db9b |
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
|
|
|
c6db9b |
index c44bc75..3671100 100644
|
|
|
c6db9b |
--- a/base/tps/shared/conf/CS.cfg
|
|
|
c6db9b |
+++ b/base/tps/shared/conf/CS.cfg
|
|
|
c6db9b |
@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
|
|
|
c6db9b |
log.instance.SignedAudit._006=##
|
|
|
c6db9b |
log.instance.SignedAudit.bufferSize=512
|
|
|
c6db9b |
log.instance.SignedAudit.enable=true
|
|
|
c6db9b |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
|
|
|
c6db9b |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
|
|
|
c6db9b |
log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
|
|
|
c6db9b |
log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
|
|
|
c6db9b |
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
|
|
|
c6db9b |
index ae5975a..012575c 100644
|
|
|
c6db9b |
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
|
|
|
c6db9b |
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
|
|
|
c6db9b |
@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder {
|
|
|
c6db9b |
* Supported signing algorithms for a RSA key.
|
|
|
c6db9b |
*/
|
|
|
c6db9b |
public static final String[] RSA_SIGNING_ALGORITHMS = new String[]
|
|
|
c6db9b |
- { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" };
|
|
|
c6db9b |
+ { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" };
|
|
|
c6db9b |
|
|
|
c6db9b |
public static final String[] EC_SIGNING_ALGORITHMS = new String[]
|
|
|
c6db9b |
- { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" };
|
|
|
c6db9b |
+ { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
|
|
|
c6db9b |
|
|
|
c6db9b |
/**
|
|
|
c6db9b |
* All supported signing algorithms.
|
|
|
c6db9b |
*/
|
|
|
c6db9b |
public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
|
|
|
c6db9b |
{
|
|
|
c6db9b |
- "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC",
|
|
|
c6db9b |
- "SHA256withEC", "SHA384withEC", "SHA512withEC" };
|
|
|
c6db9b |
+ "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA",
|
|
|
c6db9b |
+ "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
|
|
|
c6db9b |
|
|
|
c6db9b |
}
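Review bot: `ALL_SIGNING_ALGORITHMS` silently loses `SHA1withDSA`, which the RSA and EC arrays never contained and which the commit message does not mention; if any profile or stored configuration still names it, matching against this array will now fail, so either call the removal out in the message or keep it until its users are confirmed gone. The reordering that puts SHA-256/384/512 ahead of SHA-1 in all three arrays looks intentional but is undocumented; a Javadoc line such as `* Ordered with the preferred (strongest) algorithm first.` above each array would pin that down, assuming the order is in fact consumed somewhere, which is not visible here. The class continues outside the hunk.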
|
|
|
c6db9b |
--
|
|
|
c6db9b |
1.8.3.1
|
|
|
c6db9b |
|
|
|
c6db9b |
|
|
|
abd338 |
From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001
|
|
|
c6db9b |
From: Christina Fu <cfu@redhat.com>
|
|
|
c6db9b |
Date: Fri, 10 Aug 2018 14:04:14 -0700
|
|
|
abd338 |
Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit
|
|
|
c6db9b |
logs
|
|
|
c6db9b |
|
|
|
c6db9b |
This patch adds support for an ECC audit log signing key.
|
|
|
c6db9b |
All enrollment profiles for audit signing certificate are updated to allow that.
|
|
|
c6db9b |
|
|
|
c6db9b |
fixes https://pagure.io/dogtagpki/issue/2481
|
|
|
c6db9b |
|
|
|
c6db9b |
Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f
|
|
|
c6db9b |
(cherry picked from commit 435ede04d525d8816345271a887753a620795d56)
|
|
|
c6db9b |
---
|
|
|
c6db9b |
base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++--
|
|
|
c6db9b |
base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++--
|
|
|
c6db9b |
base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++----
|
|
|
c6db9b |
base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++---
|
|
|
c6db9b |
base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++-----
|
|
|
c6db9b |
5 files changed, 14 insertions(+), 16 deletions(-)
|
|
|
c6db9b |
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
|
|
|
c6db9b |
index ff4856c..642e67b 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
|
|
|
c6db9b |
@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720
|
|
|
c6db9b |
policyset.auditSigningCertSet.2.default.params.startTime=0
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.constraint.name=Key Constraint
|
|
|
c6db9b |
-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
|
|
|
c6db9b |
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
|
|
c6db9b |
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
|
|
|
c6db9b |
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.default.name=Key Default
|
|
|
c6db9b |
policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
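Review bot: The widened `keyParameters` line still carries `1024`, so a 1024-bit RSA key remains acceptable for an audit-log signing certificate even though this patch standardises the log signature on SHA-256; a key that small undermines the integrity guarantee the signed audit trail is supposed to give. With `keyType` changed from `RSA` to `-` the type restriction is gone, so this size/curve list appears to be the only thing gating what gets issued here (that `-` means "any type" is inferred from the existing `keyType=-` line in caInternalAuthAuditSigningCert.cfg and should be confirmed against keyConstraintImpl). I would drop the 1024 entry and add the P-384 curve so the list lines up with the `SHA384withEC` algorithm the sibling audit-signing profiles allow: `policyset.auditSigningCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521`.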
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
|
|
|
c6db9b |
index b850f1c..4acaab7 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
|
|
|
c6db9b |
@@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.constraint.name=Key Constraint
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.constraint.params.keyType=-
|
|
|
c6db9b |
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
|
|
c6db9b |
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.3.default.name=Key Default
|
|
|
c6db9b |
policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
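Review bot: The new `keyParameters` value adds `nistp256` and `nistp521` but omits `nistp384`, while the same file's `signingAlgsAllowed` list (changed further down in this patch) still permits `SHA384withEC`, so an operator who generates a P-384 audit signing key will be rejected by this constraint for no evident reason. The line also keeps `1024`, which leaves a 1024-bit RSA key acceptable for signing audit logs. I would make the line `policyset.auditSigningCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521`.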
|
|
|
c6db9b |
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
|
c6db9b |
policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
|
c6db9b |
policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.9.constraint.name=No Constraint
|
|
|
c6db9b |
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
|
|
|
c6db9b |
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
|
|
|
c6db9b |
policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
|
|
|
c6db9b |
policyset.auditSigningCertSet.9.default.name=Signing Alg
|
|
|
c6db9b |
policyset.auditSigningCertSet.9.default.params.signingAlg=-
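Review bot: The rewritten `signingAlgsAllowed` line removes MD5withRSA and MD2withRSA but still permits `SHA1withRSA`, `SHA1withDSA` and `SHA1withEC`, so a certificate used to sign audit logs can itself carry a SHA-1 signature; `SHA1withDSA` is doubly odd here because this same patch drops DSA handling from AuditVerify.java and LogFile.java and the key constraint above lists no DSA parameters. If no deployment depends on SHA-1 issuance for this profile I would tighten it to `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. As a smaller point, the constraint is labelled `name=No Constraint` although its class is signingAlgConstraintImpl; `policyset.auditSigningCertSet.9.constraint.name=Signing Algorithm Constraint` would describe what it actually enforces.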
|
|
|
c6db9b |
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
c6db9b |
index 6fdb8b5..c568572 100644
|
|
|
c6db9b |
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
c6db9b |
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
c6db9b |
@@ -3,7 +3,7 @@ visible=true
|
|
|
c6db9b |
enable=true
|
|
|
c6db9b |
enableBy=admin
|
|
|
c6db9b |
auth.class_id=
|
|
|
c6db9b |
-name=Manual Log Signing Certificate Enrollment
|
|
|
c6db9b |
+name=Manual Audit Log Signing Certificate Enrollment
|
|
|
c6db9b |
input.list=i1,i2
|
|
|
c6db9b |
input.i1.class_id=certReqInputImpl
|
|
|
c6db9b |
input.i2.class_id=submitterInfoInputImpl
|
|
|
c6db9b |
@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720
|
|
|
c6db9b |
policyset.caLogSigningSet.2.default.params.startTime=0
|
|
|
c6db9b |
policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
|
|
|
c6db9b |
policyset.caLogSigningSet.3.constraint.name=Key Constraint
|
|
|
c6db9b |
-policyset.caLogSigningSet.3.constraint.params.keyType=RSA
|
|
|
c6db9b |
-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
|
|
|
c6db9b |
+policyset.caLogSigningSet.3.constraint.params.keyType=-
|
|
|
c6db9b |
+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
|
|
|
c6db9b |
policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
|
|
|
c6db9b |
policyset.caLogSigningSet.3.default.name=Key Default
|
|
|
c6db9b |
policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
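Review bot: Changing `keyType=RSA` to `keyType=-` and appending the EC curves is the right direction, but the `+` line still lists `1024`, so a 1024-bit RSA key stays acceptable for an audit log signing certificate after this change, and `nistp384` is missing although `SHA384withEC` remains an allowed signing algorithm in this profile's later hunk. I would use `policyset.caLogSigningSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521` so the curve set matches the hash set and no sub-2048 RSA key is issued for this purpose. The meaning of `keyType=-` as "any type" is inferred from its prior use in caInternalAuthAuditSigningCert.cfg and is worth confirming.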
|
|
|
c6db9b |
@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul
|
|
|
c6db9b |
policyset.caLogSigningSet.8.default.params.critical=false
|
|
|
c6db9b |
policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
|
|
|
c6db9b |
policyset.caLogSigningSet.9.constraint.name=No Constraint
|
|
|
c6db9b |
-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
|
|
|
c6db9b |
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
|
|
|
c6db9b |
policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
|
|
|
c6db9b |
policyset.caLogSigningSet.9.default.name=Signing Alg
|
|
|
c6db9b |
policyset.caLogSigningSet.9.default.params.signingAlg=-
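Review bot: Dropping MD5withRSA and MD2withRSA from `signingAlgsAllowed` is good, but the new line still allows the SHA-1 family (`SHA1withRSA`, `SHA1withDSA`, `SHA1withEC`) for a certificate whose sole purpose is to anchor audit-log integrity, and `SHA1withDSA` no longer corresponds to any key type this patch can sign or verify with. I would reduce the list to `policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`, or at minimum remove `SHA1withDSA`, and rename the constraint from `No Constraint` to something like `Signing Algorithm Constraint` since it does constrain.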
|
|
|
c6db9b |
diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
|
|
|
c6db9b |
index 7693ba3..be9c0ed 100644
|
|
|
c6db9b |
--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
|
|
|
c6db9b |
+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
|
|
|
c6db9b |
@@ -25,7 +25,6 @@ import java.io.FilenameFilter;
|
|
|
c6db9b |
import java.io.IOException;
|
|
|
c6db9b |
import java.security.PublicKey;
|
|
|
c6db9b |
import java.security.Signature;
|
|
|
c6db9b |
-import java.security.interfaces.DSAPublicKey;
|
|
|
c6db9b |
import java.security.interfaces.RSAPublicKey;
|
|
|
c6db9b |
import java.util.List;
|
|
|
c6db9b |
import java.util.StringTokenizer;
|
|
|
c6db9b |
@@ -34,6 +33,7 @@ import java.util.Vector;
|
|
|
c6db9b |
import org.mozilla.jss.CryptoManager;
|
|
|
c6db9b |
import org.mozilla.jss.crypto.ObjectNotFoundException;
|
|
|
c6db9b |
import org.mozilla.jss.crypto.X509Certificate;
|
|
|
c6db9b |
+import org.mozilla.jss.pkcs11.PK11ECPublicKey;
|
|
|
c6db9b |
|
|
|
c6db9b |
import com.netscape.cmsutil.util.Utils;
|
|
|
c6db9b |
|
|
|
c6db9b |
@@ -159,8 +159,8 @@ public class AuditVerify {
|
|
|
c6db9b |
String sigAlgorithm = null;
|
|
|
c6db9b |
if (pubk instanceof RSAPublicKey) {
|
|
|
c6db9b |
sigAlgorithm = "SHA-256/RSA";
|
|
|
c6db9b |
- } else if (pubk instanceof DSAPublicKey) {
|
|
|
c6db9b |
- sigAlgorithm = "SHA-256/DSA";
|
|
|
c6db9b |
+ } else if (pubk instanceof PK11ECPublicKey) {
|
|
|
c6db9b |
+ sigAlgorithm = "SHA-256/EC";
|
|
|
c6db9b |
} else {
|
|
|
c6db9b |
throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
|
|
|
c6db9b |
}
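Review bot: The new EC branch tests `pubk instanceof PK11ECPublicKey`, a JSS implementation class, so an EC public key surfaced through any other provider or wrapper class falls into the "Unknown signing certificate key type" exception even though it is a perfectly valid EC key; LogFile.java in this same patch instead dispatches on `getAlgorithm()`, so the two ends of the signing/verifying pair use different rules for the same decision. I would mirror the signer: `} else if ("EC".equalsIgnoreCase(pubk.getAlgorithm())) {`, which also removes the need for the new `PK11ECPublicKey` import. Note that deleting the DSA branch means an audit log signed by a DSA key can no longer be verified by this tool; the old profiles pinned `keyType=RSA`, so this is presumably harmless, but a one-line comment recording that DSA verification was intentionally dropped would save the next reader a search. The enclosing method begins and ends outside this hunk.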
|
|
|
c6db9b |
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
c6db9b |
index 74a8ada..b04f70d 100644
|
|
|
c6db9b |
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
c6db9b |
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
c6db9b |
@@ -41,8 +41,6 @@ import java.security.PrivateKey;
|
|
|
c6db9b |
import java.security.Provider;
|
|
|
c6db9b |
import java.security.Signature;
|
|
|
c6db9b |
import java.security.SignatureException;
|
|
|
c6db9b |
-import java.security.interfaces.DSAPrivateKey;
|
|
|
c6db9b |
-import java.security.interfaces.RSAPrivateKey;
|
|
|
c6db9b |
import java.text.ParseException;
|
|
|
c6db9b |
import java.text.SimpleDateFormat;
|
|
|
c6db9b |
import java.util.Date;
|
|
|
c6db9b |
@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
c6db9b |
mSigningKey = cm.findPrivKeyByCert(cert);
|
|
|
c6db9b |
|
|
|
c6db9b |
String sigAlgorithm;
|
|
|
c6db9b |
- if (mSigningKey instanceof RSAPrivateKey) {
|
|
|
c6db9b |
+ if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) {
|
|
|
c6db9b |
sigAlgorithm = "SHA-256/RSA";
|
|
|
c6db9b |
- } else if (mSigningKey instanceof DSAPrivateKey) {
|
|
|
c6db9b |
- sigAlgorithm = "SHA-256/DSA";
|
|
|
c6db9b |
+ } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
|
|
|
c6db9b |
+ sigAlgorithm = "SHA-256/EC";
|
|
|
c6db9b |
} else {
|
|
|
c6db9b |
throw new NoSuchAlgorithmException("Unknown private key type");
|
|
|
c6db9b |
}
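Review bot: The switch from `instanceof` to `mSigningKey.getAlgorithm().equalsIgnoreCase(...)` changes the failure mode: previously a null `mSigningKey` fell through to the `NoSuchAlgorithmException`, whereas now it throws a NullPointerException before that check, and a null return from `getAlgorithm()` would do the same; whether `findPrivKeyByCert` can return null is not visible here and is worth confirming. Writing the comparisons constant-first avoids the second case and, while touching these lines, the exception should name the algorithm it rejected, as AuditVerify.java already does: `if ("RSA".equalsIgnoreCase(mSigningKey.getAlgorithm())) {`, `} else if ("EC".equalsIgnoreCase(mSigningKey.getAlgorithm())) {`, `throw new NoSuchAlgorithmException("Unknown private key type: " + mSigningKey.getAlgorithm());`. The enclosing method starts and ends outside this hunk.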
|
|
|
c6db9b |
--
|
|
|
c6db9b |
1.8.3.1
|
|
|
c6db9b |
|