Blame SOURCES/pki-core-10.5.9-snapshot-1.patch

abd338
From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001
c6db9b
From: Christina Fu <cfu@redhat.com>
c6db9b
Date: Mon, 30 Jul 2018 17:15:09 -0700
abd338
Subject: [PATCH 1/5] Bug 1601071  Certificate generation happens with partial
c6db9b
 attributes in CMCRequest file
c6db9b
c6db9b
This patch addresses the issue where when a cmcSelfSisnged profile is used
c6db9b
in a cmcUserSigned case, the certificate is issued.
c6db9b
A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has
c6db9b
been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case.
c6db9b
A new constraint CMCSelfSignedSubjectNameConstraint has been introduced
c6db9b
to verify.
c6db9b
In additional, all profiles that authenticate through CMCUserSignedAuth are
c6db9b
turned off by default to allow site administrators to make conscious decision
c6db9b
on their own for these features.
c6db9b
Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default.
c6db9b
c6db9b
Change-Id: I275118d31b966494411888beb37032bb022c29ce
c6db9b
(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536)
c6db9b
---
c6db9b
 base/ca/shared/conf/CS.cfg                         |   2 +-
c6db9b
 base/ca/shared/conf/registry.cfg                   |   9 +-
c6db9b
 .../profiles/ca/caECFullCMCSelfSignedCert.cfg      |   8 +-
c6db9b
 .../profiles/ca/caECFullCMCUserSignedCert.cfg      |   2 +-
c6db9b
 .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg |   8 +-
c6db9b
 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   2 +-
c6db9b
 .../certsrv/authentication/IAuthToken.java         |   7 +-
c6db9b
 .../com/netscape/cms/authentication/CMCAuth.java   |   5 +-
c6db9b
 .../cms/authentication/CMCUserSignedAuth.java      |  16 ++-
c6db9b
 .../netscape/cms/authentication/SharedSecret.java  |   4 +-
c6db9b
 .../netscape/cms/profile/common/EnrollProfile.java |  18 +++
c6db9b
 .../CMCSelfSignedSubjectNameConstraint.java        | 129 +++++++++++++++++++++
c6db9b
 .../profile/def/AuthTokenSubjectNameDefault.java   |   2 +-
c6db9b
 .../servlet/profile/ProfileSubmitCMCServlet.java   |  29 ++++-
c6db9b
 base/server/cmsbundle/src/UserMessages.properties  |   3 +-
c6db9b
 15 files changed, 216 insertions(+), 28 deletions(-)
c6db9b
 create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
c6db9b
c6db9b
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
c6db9b
index 1d65835..fcd85a2 100644
c6db9b
--- a/base/ca/shared/conf/CS.cfg
c6db9b
+++ b/base/ca/shared/conf/CS.cfg
c6db9b
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
c6db9b
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
c6db9b
diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
c6db9b
index 54e4d95..4fe6e93 100644
c6db9b
--- a/base/ca/shared/conf/registry.cfg
c6db9b
+++ b/base/ca/shared/conf/registry.cfg
c6db9b
@@ -1,5 +1,5 @@
c6db9b
 types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
c6db9b
-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
c6db9b
+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
c6db9b
 constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
c6db9b
 constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
c6db9b
 constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
c6db9b
@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
c6db9b
 constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
c6db9b
 constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
c6db9b
 constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
c6db9b
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
c6db9b
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
c6db9b
+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
c6db9b
 constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
c6db9b
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint
c6db9b
-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint
c6db9b
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
c6db9b
+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
c6db9b
 constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint
c6db9b
 constraintPolicy.validityConstraintImpl.desc=Validity Constraint
c6db9b
 constraintPolicy.validityConstraintImpl.name=Validity Constraint
c6db9b
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
c6db9b
index 144c05c..48e6499 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
c6db9b
@@ -1,5 +1,5 @@
c6db9b
 desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
c6db9b
-enable=true
c6db9b
+enable=false
c6db9b
 enableBy=admin
c6db9b
 name=Self-Signed CMC User Certificate Enrollment
c6db9b
 visible=false
c6db9b
@@ -10,10 +10,8 @@ output.list=o1
c6db9b
 output.o1.class_id=certOutputImpl
c6db9b
 policyset.list=cmcUserCertSet
c6db9b
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
c6db9b
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
c6db9b
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
c6db9b
-policyset.cmcUserCertSet.1.constraint.params.accept=true
c6db9b
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
c6db9b
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
c6db9b
+policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
c6db9b
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
c6db9b
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
c6db9b
 policyset.cmcUserCertSet.1.default.params.name=
c6db9b
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
c6db9b
index d2286de..e7b60ee 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
c6db9b
@@ -1,5 +1,5 @@
c6db9b
 desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
c6db9b
-enable=true
c6db9b
+enable=false
c6db9b
 enableBy=admin
c6db9b
 name=User-Signed CMC-Authenticated User Certificate Enrollment
c6db9b
 visible=false
c6db9b
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
c6db9b
index bdcdc24..538b16a 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
c6db9b
@@ -1,5 +1,5 @@
c6db9b
 desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
c6db9b
-enable=true
c6db9b
+enable=false
c6db9b
 enableBy=admin
c6db9b
 name=Self-Signed CMC User Certificate Enrollment
c6db9b
 visible=false
c6db9b
@@ -10,10 +10,8 @@ output.list=o1
c6db9b
 output.o1.class_id=certOutputImpl
c6db9b
 policyset.list=cmcUserCertSet
c6db9b
 policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
c6db9b
-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
c6db9b
-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
c6db9b
-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.*
c6db9b
-policyset.cmcUserCertSet.1.constraint.params.accept=true
c6db9b
+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
c6db9b
+policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
c6db9b
 policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
c6db9b
 policyset.cmcUserCertSet.1.default.name=Subject Name Default
c6db9b
 policyset.cmcUserCertSet.1.default.params.name=
c6db9b
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
c6db9b
index 9b5d3e9..b0ff8af 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
c6db9b
@@ -1,5 +1,5 @@
c6db9b
 desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication.
c6db9b
-enable=true
c6db9b
+enable=false
c6db9b
 enableBy=admin
c6db9b
 name=User-Signed CMC-Authenticated User Certificate Enrollment
c6db9b
 visible=false
c6db9b
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
c6db9b
index 59c6af2..d5d03b4 100644
c6db9b
--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
c6db9b
+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java
c6db9b
@@ -44,9 +44,14 @@ public interface IAuthToken {
c6db9b
     public static final String GROUP = "group";
c6db9b
     public static final String GROUPS = "groups";
c6db9b
 
c6db9b
-    /* Subject name of the certificate in the authenticating entry */
c6db9b
+    /* Subject name of the certificate request in the authenticating entry */
c6db9b
     public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject";
c6db9b
 
c6db9b
+    /* Subject name of the authenticated cert */
c6db9b
+    public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject";
c6db9b
+    /* Subject DN of the Shared Token authenticated entry */
c6db9b
+    public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject";
c6db9b
+
c6db9b
     /* NotBefore value of the certificate in the authenticating entry */
c6db9b
     public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore";
c6db9b
 
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
c6db9b
index 86ffa2f..9b6a819 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
c6db9b
@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
 
c6db9b
                         IAuthToken tempToken = agentAuth.authenticate(agentCred);
c6db9b
                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
c6db9b
-                        String ID = tempPrincipal.toString();
c6db9b
+                        String ID = tempPrincipal.getName();
c6db9b
                         CMS.debug(method + " Principal name = " + ID);
c6db9b
+                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
c6db9b
 
c6db9b
                         BigInteger agentCertSerial = x509Certs[0].getSerialNumber();
c6db9b
                         authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString());
c6db9b
@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
     public void populate(IAuthToken token, IRequest request)
c6db9b
             throws EProfileException {
c6db9b
         request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
c6db9b
-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
c6db9b
+                token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT));
c6db9b
     }
c6db9b
 
c6db9b
     public boolean isSSLClientRequired() {
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
index d5f6c34..a9a7ade 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
                                     if (requestCertSubject.equals("")) {
c6db9b
                                         requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE;
c6db9b
                                     }
c6db9b
-
c6db9b
                                     authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss);
c6db9b
                                     auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject);
c6db9b
                                     //authToken.set("uid", uid);
c6db9b
@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
 
c6db9b
                         IAuthToken tempToken = new AuthToken(null);
c6db9b
                         netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN();
c6db9b
-                        String ID = tempPrincipal.toString(); //tempToken.get("userid");
c6db9b
+                        String ID = tempPrincipal.getName(); //tempToken.get("userid");
c6db9b
                         CMS.debug(method + " Principal name = " + ID);
c6db9b
+                        authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID);
c6db9b
 
c6db9b
                         BigInteger certSerial = x509Certs[0].getSerialNumber();
c6db9b
                         CMS.debug(method + " verified cert serial=" + certSerial.toString());
c6db9b
@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
 
c6db9b
     public void populate(IAuthToken token, IRequest request)
c6db9b
             throws EProfileException {
c6db9b
-        request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
c6db9b
-                token.getInString(AuthToken.TOKEN_CERT_SUBJECT));
c6db9b
+        String method = "CMCUserSignedAuth: populate: ";
c6db9b
+        String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+        if (authenticatedDN != null) {
c6db9b
+            request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME,
c6db9b
+                    authenticatedDN);
c6db9b
+            CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+
c6db9b
+                    authenticatedDN);
c6db9b
+        } else {
c6db9b
+            CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?");
c6db9b
+        }
c6db9b
     }
c6db9b
 
c6db9b
     public boolean isSSLClientRequired() {
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
c6db9b
index 5ebc213..2d8679c 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java
c6db9b
@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey;
c6db9b
 import org.mozilla.jss.pkix.cmc.PKIData;
c6db9b
 
c6db9b
 import com.netscape.certsrv.apps.CMS;
c6db9b
-import com.netscape.certsrv.authentication.AuthToken;
c6db9b
 import com.netscape.certsrv.authentication.EInvalidCredentials;
c6db9b
 import com.netscape.certsrv.authentication.IAuthCredentials;
c6db9b
+import com.netscape.certsrv.authentication.AuthToken;
c6db9b
 import com.netscape.certsrv.authentication.IAuthToken;
c6db9b
 import com.netscape.certsrv.authentication.ISharedToken;
c6db9b
 import com.netscape.certsrv.base.EBaseException;
c6db9b
@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication
c6db9b
             }
c6db9b
 
c6db9b
             CMS.debug(method + "found user ldap entry: userdn = " + userdn);
c6db9b
-            authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn);
c6db9b
+            authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn);
c6db9b
 
c6db9b
             res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE,
c6db9b
                     "(objectclass=*)", new String[] { mShrTokAttr }, false);
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
c6db9b
index 929e629..f9903c6 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
c6db9b
@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile
c6db9b
 
c6db9b
             // catch for invalid request
c6db9b
             cmc_msgs = parseCMC(locale, cert_request, donePOI);
c6db9b
+            SessionContext sessionContext = SessionContext.getContext();
c6db9b
+            String authenticatedSubject = 
c6db9b
+                    (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+
c6db9b
+            if (authenticatedSubject != null) {
c6db9b
+                ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject);
c6db9b
+            }
c6db9b
+
c6db9b
             if (cmc_msgs == null) {
c6db9b
                 CMS.debug(method + "parseCMC returns cmc_msgs null");
c6db9b
                 return null;
c6db9b
@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile
c6db9b
                 auditSubjectID = ident_string;
c6db9b
                 sessionContext.put(SessionContext.USER_ID, auditSubjectID);
c6db9b
 
c6db9b
+                // subjectdn from SharedSecret ldap auth
c6db9b
+                // set in context and authToken to be used by profile
c6db9b
+                // default and constraints plugins
c6db9b
+                authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
c6db9b
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
c6db9b
+                authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT,
c6db9b
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
c6db9b
+                sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT,
c6db9b
+                        authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT));
c6db9b
+
c6db9b
                 auditMessage = CMS.getLogMessage(
c6db9b
                         AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
c6db9b
                         auditSubjectID,
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
c6db9b
new file mode 100644
c6db9b
index 0000000..d4554ca
c6db9b
--- /dev/null
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
c6db9b
@@ -0,0 +1,129 @@
c6db9b
+// --- BEGIN COPYRIGHT BLOCK ---
c6db9b
+// This program is free software; you can redistribute it and/or modify
c6db9b
+// it under the terms of the GNU General Public License as published by
c6db9b
+// the Free Software Foundation; version 2 of the License.
c6db9b
+//
c6db9b
+// This program is distributed in the hope that it will be useful,
c6db9b
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
c6db9b
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
c6db9b
+// GNU General Public License for more details.
c6db9b
+//
c6db9b
+// You should have received a copy of the GNU General Public License along
c6db9b
+// with this program; if not, write to the Free Software Foundation, Inc.,
c6db9b
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
c6db9b
+//
c6db9b
+// (C) 2013 Red Hat, Inc.
c6db9b
+// All rights reserved.
c6db9b
+// --- END COPYRIGHT BLOCK ---
c6db9b
+package com.netscape.cms.profile.constraint;
c6db9b
+
c6db9b
+import java.util.Locale;
c6db9b
+
c6db9b
+import com.netscape.certsrv.apps.CMS;
c6db9b
+import com.netscape.certsrv.authentication.IAuthToken;
c6db9b
+import com.netscape.certsrv.authentication.IAuthManager;
c6db9b
+import com.netscape.certsrv.base.IConfigStore;
c6db9b
+import com.netscape.certsrv.profile.EProfileException;
c6db9b
+import com.netscape.certsrv.profile.ERejectException;
c6db9b
+import com.netscape.certsrv.profile.IPolicyDefault;
c6db9b
+import com.netscape.certsrv.profile.IProfile;
c6db9b
+import com.netscape.certsrv.property.IDescriptor;
c6db9b
+import com.netscape.certsrv.request.IRequest;
c6db9b
+import com.netscape.cms.profile.common.EnrollProfile;
c6db9b
+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault;
c6db9b
+
c6db9b
+import netscape.security.x509.CertificateSubjectName;
c6db9b
+import netscape.security.x509.X500Name;
c6db9b
+import netscape.security.x509.X509CertInfo;
c6db9b
+
c6db9b
+/**
c6db9b
+ * This class implements the user subject name constraint for self-signed cmc requests.
c6db9b
+ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match
c6db9b
+ *
c6db9b
+ * @author cfu
c6db9b
+ * @version $Revision$, $Date$
c6db9b
+ */
c6db9b
+public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint {
c6db9b
+
c6db9b
+    public CMCSelfSignedSubjectNameConstraint() {
c6db9b
+    }
c6db9b
+
c6db9b
+    public void init(IProfile profile, IConfigStore config)
c6db9b
+            throws EProfileException {
c6db9b
+        super.init(profile, config);
c6db9b
+    }
c6db9b
+
c6db9b
+    public IDescriptor getConfigDescriptor(Locale locale, String name) {
c6db9b
+        return null;
c6db9b
+    }
c6db9b
+
c6db9b
+    public String getDefaultConfig(String name) {
c6db9b
+        return null;
c6db9b
+    }
c6db9b
+
c6db9b
+    /**
c6db9b
+     * Validates the request. The request is not modified
c6db9b
+     * during the validation. User encoded subject name
c6db9b
+     * is copied into the certificate template.
c6db9b
+     */
c6db9b
+    public void validate(IRequest request, X509CertInfo info)
c6db9b
+            throws ERejectException {
c6db9b
+        String method = "CMCSelfSignedSubjectNameConstraint: ";
c6db9b
+        String msg = "";
c6db9b
+
c6db9b
+        CertificateSubjectName infoCertSN = null;
c6db9b
+        String authTokenSharedTokenSN = null;
c6db9b
+
c6db9b
+        try {
c6db9b
+            infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT);
c6db9b
+            if (infoCertSN == null) {
c6db9b
+                msg = method + "infoCertSN null";
c6db9b
+                CMS.debug(msg);
c6db9b
+                throw new Exception(msg);
c6db9b
+            }
c6db9b
+            CMS.debug(method + "validate user subject ="+
c6db9b
+                      infoCertSN.toString());
c6db9b
+            X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME);
c6db9b
+            if (infoCertName == null) {
c6db9b
+                msg = method + "infoCertName null";
c6db9b
+                CMS.debug(msg);
c6db9b
+                throw new Exception(msg);
c6db9b
+            }
c6db9b
+
c6db9b
+            authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+            if (authTokenSharedTokenSN == null) {
c6db9b
+                msg = method + "authTokenSharedTokenSN null";
c6db9b
+                CMS.debug(msg);
c6db9b
+                throw new Exception(msg);
c6db9b
+            }
c6db9b
+            if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) {
c6db9b
+                CMS.debug(method + "names matched");
c6db9b
+            } else {
c6db9b
+                msg = method + "names do not match; authTokenSharedTokenSN =" +
c6db9b
+                        authTokenSharedTokenSN;
c6db9b
+                CMS.debug(msg);
c6db9b
+                throw new Exception(msg);
c6db9b
+            }
c6db9b
+
c6db9b
+        } catch (Exception e) {
c6db9b
+            throw new ERejectException(
c6db9b
+                    CMS.getUserMessage(getLocale(request),
c6db9b
+                        "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e);
c6db9b
+        }
c6db9b
+    }
c6db9b
+
c6db9b
+    public String getText(Locale locale) {
c6db9b
+        return CMS.getUserMessage(locale,
c6db9b
+                   "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT");
c6db9b
+    }
c6db9b
+
c6db9b
+    public boolean isApplicable(IPolicyDefault def) {
c6db9b
+        String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: ";
c6db9b
+        if (def instanceof AuthTokenSubjectNameDefault) {
c6db9b
+            CMS.debug(method + "true");
c6db9b
+            return true;
c6db9b
+        }
c6db9b
+        CMS.debug(method + "false");
c6db9b
+        return false;
c6db9b
+    }
c6db9b
+}
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
c6db9b
index e789625..85bf241 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java
c6db9b
@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault {
c6db9b
             X500Name name = new X500Name(
c6db9b
                     request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME));
c6db9b
 
c6db9b
-            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString());
c6db9b
+            CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName());
c6db9b
             info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
c6db9b
         } catch (Exception e) {
c6db9b
             // failed to insert subject name
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
c6db9b
index 12fd294..03e94a8 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
c6db9b
@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
c6db9b
             CMS.debug("ProfileSubmitCMCServlet: null it out");
c6db9b
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, "");
c6db9b
         }
c6db9b
+
c6db9b
         String signingCertSerialS = null;
c6db9b
         if (authToken != null) {
c6db9b
             signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT);
c6db9b
@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
c6db9b
             ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
c6db9b
         }
c6db9b
 
c6db9b
+        String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+        if (tmpSharedTokenAuthenticatedCertSubject != null) {
c6db9b
+            // unlikely to happen, but do this just in case
c6db9b
+            CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
c6db9b
+            CMS.debug("ProfileSubmitCMCServlet: null it out");
c6db9b
+            ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
c6db9b
+        }
c6db9b
+
c6db9b
         String errorCode = null;
c6db9b
         String errorReason = null;
c6db9b
         String auditRequesterID = ILogger.UNIDENTIFIED;
c6db9b
@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
c6db9b
 
c6db9b
                 tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT);
c6db9b
                 if (tmpCertSerialS != null) {
c6db9b
-                    // unlikely to happenm, but do this just in case
c6db9b
+                    // unlikely to happen, but do this just in case
c6db9b
                     CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS);
c6db9b
                     CMS.debug("ProfileSubmitCMCServlet: null it out");
c6db9b
                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, "");
c6db9b
                 }
c6db9b
                 // put CMCUserSignedAuth authToken in request
c6db9b
                 if (signingCertSerialS != null) {
c6db9b
+                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
c6db9b
+                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
c6db9b
+                 }
c6db9b
+
c6db9b
+                tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+                if (tmpSharedTokenAuthenticatedCertSubject != null) {
c6db9b
+                    // unlikely to happen, but do this just in case
c6db9b
+                    CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject);
c6db9b
+                    CMS.debug("ProfileSubmitCMCServlet: null it out");
c6db9b
+                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, "");
c6db9b
+                }
c6db9b
+                // put Shared Token authToken in request
c6db9b
+                String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT);
c6db9b
+                if (st_sbj != null) {
c6db9b
+                    CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth");
c6db9b
+                    reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj);
c6db9b
+                }
c6db9b
+                if (tmpSharedTokenAuthenticatedCertSubject != null) {
c6db9b
                     CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth");
c6db9b
                     reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS);
c6db9b
                 }
c6db9b
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
c6db9b
index 208632d..e5e6ecc 100644
c6db9b
--- a/base/server/cmsbundle/src/UserMessages.properties
c6db9b
+++ b/base/server/cmsbundle/src/UserMessages.properties
c6db9b
@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing
c6db9b
 CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0}
c6db9b
 CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only
c6db9b
 CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only
c6db9b
-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only
c6db9b
+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only
c6db9b
+CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only
c6db9b
 CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days.
c6db9b
 CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0}
c6db9b
 CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate.
c6db9b
-- 
c6db9b
1.8.3.1
c6db9b
c6db9b
abd338
From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001
c6db9b
From: Christina Fu <cfu@redhat.com>
c6db9b
Date: Wed, 1 Aug 2018 13:35:53 -0700
abd338
Subject: [PATCH 2/5] Bug 1593805  Better understanding of
c6db9b
 NSS_USE_DECODED_CKA_EC_POINT for ECC
c6db9b
c6db9b
This patch removes the outdated reference to EC environment variable
c6db9b
NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
c6db9b
c6db9b
More info in the usage are updated as well for correctness and clarity.
c6db9b
c6db9b
Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
c6db9b
(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
c6db9b
---
c6db9b
 .../src/com/netscape/cmstools/HttpClient.java      | 32 ++++++++++++----------
c6db9b
 1 file changed, 18 insertions(+), 14 deletions(-)
c6db9b
c6db9b
diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
c6db9b
index fcaf210..28934ab 100644
c6db9b
--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
c6db9b
+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
c6db9b
@@ -251,43 +251,47 @@ public class HttpClient {
c6db9b
         System.out.println("The configuration file should look like as follows:");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#host: host name for the http server");
c6db9b
-        System.out.println("host=host1.a.com");
c6db9b
+        System.out.println("host=host.example.com");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#port: port number");
c6db9b
-        System.out.println("port=1025");
c6db9b
+        System.out.println("port=8443");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#secure: true for secure connection, false for nonsecure connection");
c6db9b
-        System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
c6db9b
         System.out.println("secure=false");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#input: full path for the enrollment request, the content must be in binary format");
c6db9b
-        System.out.println("input=/u/doc/cmcReqCRMFBin");
c6db9b
+        System.out.println("input=~/cmcReqCRMFBin");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#output: full path for the response in binary format");
c6db9b
-        System.out.println("output=/u/doc/cmcResp");
c6db9b
+        System.out.println("#output could be parsed by running CMCResponse");
c6db9b
+        System.out.println("output=~/cmcResp");
c6db9b
         System.out.println("");
c6db9b
-        System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
c6db9b
+        System.out.println("#dbdir: directory for NSS certificate/key databases");
c6db9b
         System.out.println("#This parameter will be ignored if secure=false");
c6db9b
-        System.out.println("tokenname=hsmname");
c6db9b
+        System.out.println("dbdir=/.dogtag/nssdb");
c6db9b
         System.out.println("");
c6db9b
-        System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
c6db9b
+        System.out.println("#password: password for NSS database");
c6db9b
+        System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
c6db9b
+        System.out.println("password=");
c6db9b
+        System.out.println("");
c6db9b
+        System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
c6db9b
         System.out.println("#This parameter will be ignored if secure=false");
c6db9b
-        System.out.println("dbdir=/u/smith/.netscape");
c6db9b
+        System.out.println("tokenname=internal");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#clientmode: true for client authentication, false for no client authentication");
c6db9b
         System.out.println("#This parameter will be ignored if secure=false");
c6db9b
         System.out.println("clientmode=false");
c6db9b
         System.out.println("");
c6db9b
-        System.out.println("#password: password for cert8.db");
c6db9b
-        System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
c6db9b
-        System.out.println("password=");
c6db9b
-        System.out.println("");
c6db9b
         System.out.println("#nickname: nickname for client certificate");
c6db9b
         System.out.println("#This parameter will be ignored if clientmode=false");
c6db9b
         System.out.println("nickname=");
c6db9b
         System.out.println("");
c6db9b
         System.out.println("#servlet: target URL");
c6db9b
-        System.out.println("#This parameter may include query parameters");
c6db9b
+        System.out.println("#This parameter may include query parameters;");
c6db9b
+        System.out.println("#  - reminder: profileId should be a profile that matches");
c6db9b
+        System.out.println("#    the intended certificate; for certificates intended");
c6db9b
+        System.out.println("#    for SSL (client or server), profiles should match");
c6db9b
+        System.out.println("#    the key type (RSA or EC) of the keys generated for CSR;");
c6db9b
         System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
c6db9b
         System.out.println("");
c6db9b
         System.exit(0);
c6db9b
-- 
c6db9b
1.8.3.1
c6db9b
c6db9b
abd338
From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001
c6db9b
From: Christina Fu <cfu@redhat.com>
c6db9b
Date: Thu, 2 Aug 2018 09:31:50 -0700
abd338
Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same
c6db9b
 reqIssuer & certissuer
c6db9b
c6db9b
This patch resolves the possible encoding mismatch between the actual CA cert
c6db9b
and the X500Name gleaned from the CMC revocation request.
c6db9b
c6db9b
Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d
c6db9b
(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248)
c6db9b
---
c6db9b
 .../cms/authentication/CMCUserSignedAuth.java       | 21 ++++++++++++++++++---
c6db9b
 1 file changed, 18 insertions(+), 3 deletions(-)
c6db9b
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
index a9a7ade..97971dd 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
c6db9b
@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException;
c6db9b
 import com.netscape.certsrv.base.IConfigStore;
c6db9b
 import com.netscape.certsrv.base.IExtendedPluginInfo;
c6db9b
 import com.netscape.certsrv.base.SessionContext;
c6db9b
+import com.netscape.certsrv.ca.ICertificateAuthority;
c6db9b
 import com.netscape.certsrv.logging.ILogger;
c6db9b
 import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent;
c6db9b
 import com.netscape.certsrv.profile.EProfileException;
c6db9b
@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
c6db9b
                                     // to CMCOutputTemplate so that we can
c6db9b
                                     // have a chance to capture user identification info
c6db9b
                                     if (issuerANY != null) {
c6db9b
+                                        // get CA signing cert
c6db9b
+                                        ICertificateAuthority ca = null;
c6db9b
+                                        ca = (ICertificateAuthority) CMS.getSubsystem("ca");
c6db9b
+                                        X500Name caName = ca.getX500Name();
c6db9b
+
c6db9b
                                         try {
c6db9b
                                             byte[] issuerBytes = issuerANY.getEncoded();
c6db9b
-                                            X500Name issuerName = new X500Name(issuerBytes);
c6db9b
-                                            CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
c6db9b
+                                            X500Name reqIssuerName = new X500Name(issuerBytes);
c6db9b
+                                            String reqIssuerNameStr = reqIssuerName.getName();
c6db9b
+                                            CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr);
c6db9b
+                                            if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) {
c6db9b
+                                                // making sure it's identical, even in encoding
c6db9b
+                                                reqIssuerName = caName;
c6db9b
+                                            } else {
c6db9b
+                                                // not this CA; will be bumped off later;
c6db9b
+                                                // make a note in debug anyway
c6db9b
+                                                CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;");
c6db9b
+                                            }
c6db9b
                                             // capture issuer principal to be checked against
c6db9b
                                             // cert issuer principal later in CMCOutputTemplate
c6db9b
-                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
c6db9b
+                                            auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName);
c6db9b
                                         } catch (Exception e) {
c6db9b
                                             CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
c6db9b
                                         }
c6db9b
-- 
c6db9b
1.8.3.1
c6db9b
c6db9b
abd338
From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001
c6db9b
From: Christina Fu <cfu@redhat.com>
c6db9b
Date: Wed, 8 Aug 2018 18:41:52 -0700
abd338
Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events
c6db9b
c6db9b
This patch enables the audit events concerning role actions (mostly config)
c6db9b
by default.
c6db9b
c6db9b
Two additional minor issues are also addressed:
c6db9b
1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert
c6db9b
   (bugzilla #1610718)
c6db9b
2. removing unrecommended signing algorithms
c6db9b
c6db9b
fixes: https://pagure.io/dogtagpki/issue/3041
c6db9b
Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d
c6db9b
(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099)
c6db9b
---
c6db9b
 base/ca/shared/conf/CS.cfg                                        | 2 +-
c6db9b
 base/ca/shared/profiles/ca/caDirUserCert.cfg                      | 2 +-
c6db9b
 base/ca/shared/profiles/ca/caECDirUserCert.cfg                    | 2 +-
c6db9b
 base/kra/shared/conf/CS.cfg                                       | 2 +-
c6db9b
 base/ocsp/shared/conf/CS.cfg                                      | 2 +-
c6db9b
 .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java    | 2 +-
c6db9b
 .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java  | 2 +-
c6db9b
 base/server/cmsbundle/src/LogMessages.properties                  | 2 +-
c6db9b
 base/tks/shared/conf/CS.cfg                                       | 2 +-
c6db9b
 base/tps/shared/conf/CS.cfg                                       | 2 +-
c6db9b
 base/util/src/netscape/security/x509/AlgorithmId.java             | 8 ++++----
c6db9b
 11 files changed, 14 insertions(+), 14 deletions(-)
c6db9b
c6db9b
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
c6db9b
index fcd85a2..6158d5a 100644
c6db9b
--- a/base/ca/shared/conf/CS.cfg
c6db9b
+++ b/base/ca/shared/conf/CS.cfg
c6db9b
@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
c6db9b
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
c6db9b
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
c6db9b
index f12c7ed..0b7f6b7 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
c6db9b
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
c6db9b
 policyset.userCertSet.2.default.params.startTime=0
c6db9b
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
c6db9b
 policyset.userCertSet.3.constraint.name=Key Constraint
c6db9b
-policyset.userCertSet.3.constraint.params.keyType=EC
c6db9b
+policyset.userCertSet.3.constraint.params.keyType=RSA
c6db9b
 policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
c6db9b
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
c6db9b
 policyset.userCertSet.3.default.name=Key Default
c6db9b
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
c6db9b
index 0663b40..b65999e 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
c6db9b
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
c6db9b
 policyset.userCertSet.2.default.params.startTime=0
c6db9b
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
c6db9b
 policyset.userCertSet.3.constraint.name=Key Constraint
c6db9b
-policyset.userCertSet.3.constraint.params.keyType=-
c6db9b
+policyset.userCertSet.3.constraint.params.keyType=EC
c6db9b
 policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
c6db9b
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
c6db9b
 policyset.userCertSet.3.default.name=Key Default
c6db9b
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
c6db9b
index f314234..878e5f8 100644
c6db9b
--- a/base/kra/shared/conf/CS.cfg
c6db9b
+++ b/base/kra/shared/conf/CS.cfg
c6db9b
@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
c6db9b
 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
c6db9b
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
c6db9b
index dc993b0..b412e5e 100644
c6db9b
--- a/base/ocsp/shared/conf/CS.cfg
c6db9b
+++ b/base/ocsp/shared/conf/CS.cfg
c6db9b
@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
c6db9b
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.expirationTime=0
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
c6db9b
index a1a83a4..2dcf9c1 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
c6db9b
@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
c6db9b
         defConfig4
c6db9b
                 .putString(
c6db9b
                         "params.signingAlgsAllowed",
c6db9b
-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
c6db9b
+                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
c6db9b
 
c6db9b
         IProfilePolicy policy5 =
c6db9b
                 createProfilePolicy("set1", "p5",
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
c6db9b
index 710a461..9b1eacb 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java
c6db9b
@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile
c6db9b
         defConfig4
c6db9b
                 .putString(
c6db9b
                         "params.signingAlgsAllowed",
c6db9b
-                        "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
c6db9b
+                        "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
c6db9b
 
c6db9b
         IProfilePolicy policy5 =
c6db9b
                 createProfilePolicy("set1", "p5",
c6db9b
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
c6db9b
index 7963f6f..d534506 100644
c6db9b
--- a/base/server/cmsbundle/src/LogMessages.properties
c6db9b
+++ b/base/server/cmsbundle/src/LogMessages.properties
c6db9b
@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
c6db9b
 #           and to be approved by an agent
c6db9b
 # Op must be "approve" or "disapprove"
c6db9b
 #
c6db9b
-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval
c6db9b
+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
c6db9b
 #
c6db9b
 # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
c6db9b
 # - used for proof of possession during certificate enrollment processing
c6db9b
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
c6db9b
index d1da996..e9bf03e 100644
c6db9b
--- a/base/tks/shared/conf/CS.cfg
c6db9b
+++ b/base/tks/shared/conf/CS.cfg
c6db9b
@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
c6db9b
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.expirationTime=0
c6db9b
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
c6db9b
index c44bc75..3671100 100644
c6db9b
--- a/base/tps/shared/conf/CS.cfg
c6db9b
+++ b/base/tps/shared/conf/CS.cfg
c6db9b
@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
c6db9b
 log.instance.SignedAudit._006=##
c6db9b
 log.instance.SignedAudit.bufferSize=512
c6db9b
 log.instance.SignedAudit.enable=true
c6db9b
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
c6db9b
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
c6db9b
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
c6db9b
 log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
c6db9b
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
c6db9b
index ae5975a..012575c 100644
c6db9b
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
c6db9b
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
c6db9b
@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder {
c6db9b
      * Supported signing algorithms for a RSA key.
c6db9b
      */
c6db9b
     public static final String[] RSA_SIGNING_ALGORITHMS = new String[]
c6db9b
-    { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" };
c6db9b
+    { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" };
c6db9b
 
c6db9b
     public static final String[] EC_SIGNING_ALGORITHMS = new String[]
c6db9b
-    { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" };
c6db9b
+    { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
c6db9b
 
c6db9b
     /**
c6db9b
      * All supported signing algorithms.
c6db9b
      */
c6db9b
     public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
c6db9b
     {
c6db9b
-            "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC",
c6db9b
-            "SHA256withEC", "SHA384withEC", "SHA512withEC" };
c6db9b
+            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA",
c6db9b
+            "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
c6db9b
 
c6db9b
 }
c6db9b
-- 
c6db9b
1.8.3.1
c6db9b
c6db9b
abd338
From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001
c6db9b
From: Christina Fu <cfu@redhat.com>
c6db9b
Date: Fri, 10 Aug 2018 14:04:14 -0700
abd338
Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit
c6db9b
 logs
c6db9b
c6db9b
This patch addes support for ECC audit log signing key.
c6db9b
All enrollment profiles for audit signing certificate are updated to allow that.
c6db9b
c6db9b
fixes https://pagure.io/dogtagpki/issue/2481
c6db9b
c6db9b
Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f
c6db9b
(cherry picked from commit 435ede04d525d8816345271a887753a620795d56)
c6db9b
---
c6db9b
 base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg          | 4 ++--
c6db9b
 base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++--
c6db9b
 base/ca/shared/profiles/ca/caSignedLogCert.cfg                | 8 ++++----
c6db9b
 base/java-tools/src/com/netscape/cmstools/AuditVerify.java    | 6 +++---
c6db9b
 base/server/cms/src/com/netscape/cms/logging/LogFile.java     | 8 +++-----
c6db9b
 5 files changed, 14 insertions(+), 16 deletions(-)
c6db9b
c6db9b
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
c6db9b
index ff4856c..642e67b 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
c6db9b
@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720
c6db9b
 policyset.auditSigningCertSet.2.default.params.startTime=0
c6db9b
 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
c6db9b
 policyset.auditSigningCertSet.3.constraint.name=Key Constraint
c6db9b
-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA
c6db9b
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
c6db9b
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
c6db9b
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
c6db9b
 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
c6db9b
 policyset.auditSigningCertSet.3.default.name=Key Default
c6db9b
 policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
c6db9b
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
c6db9b
index b850f1c..4acaab7 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
c6db9b
@@ -31,7 +31,7 @@ policyset.auditSigningCertSet.2.default.params.startTime=0
c6db9b
 policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
c6db9b
 policyset.auditSigningCertSet.3.constraint.name=Key Constraint
c6db9b
 policyset.auditSigningCertSet.3.constraint.params.keyType=-
c6db9b
-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
c6db9b
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
c6db9b
 policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
c6db9b
 policyset.auditSigningCertSet.3.default.name=Key Default
c6db9b
 policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
c6db9b
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
c6db9b
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
c6db9b
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
c6db9b
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
c6db9b
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
c6db9b
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
c6db9b
 policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
c6db9b
 policyset.auditSigningCertSet.9.default.name=Signing Alg
c6db9b
 policyset.auditSigningCertSet.9.default.params.signingAlg=-
c6db9b
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
c6db9b
index 6fdb8b5..c568572 100644
c6db9b
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
c6db9b
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
c6db9b
@@ -3,7 +3,7 @@ visible=true
c6db9b
 enable=true
c6db9b
 enableBy=admin
c6db9b
 auth.class_id=
c6db9b
-name=Manual Log Signing Certificate Enrollment
c6db9b
+name=Manual Audit Log Signing Certificate Enrollment
c6db9b
 input.list=i1,i2
c6db9b
 input.i1.class_id=certReqInputImpl
c6db9b
 input.i2.class_id=submitterInfoInputImpl
c6db9b
@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720
c6db9b
 policyset.caLogSigningSet.2.default.params.startTime=0
c6db9b
 policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl
c6db9b
 policyset.caLogSigningSet.3.constraint.name=Key Constraint
c6db9b
-policyset.caLogSigningSet.3.constraint.params.keyType=RSA
c6db9b
-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096
c6db9b
+policyset.caLogSigningSet.3.constraint.params.keyType=-
c6db9b
+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
c6db9b
 policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl
c6db9b
 policyset.caLogSigningSet.3.default.name=Key Default
c6db9b
 policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl
c6db9b
@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul
c6db9b
 policyset.caLogSigningSet.8.default.params.critical=false
c6db9b
 policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl
c6db9b
 policyset.caLogSigningSet.9.constraint.name=No Constraint
c6db9b
-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
c6db9b
+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
c6db9b
 policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl
c6db9b
 policyset.caLogSigningSet.9.default.name=Signing Alg
c6db9b
 policyset.caLogSigningSet.9.default.params.signingAlg=-
c6db9b
diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
c6db9b
index 7693ba3..be9c0ed 100644
c6db9b
--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
c6db9b
+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
c6db9b
@@ -25,7 +25,6 @@ import java.io.FilenameFilter;
c6db9b
 import java.io.IOException;
c6db9b
 import java.security.PublicKey;
c6db9b
 import java.security.Signature;
c6db9b
-import java.security.interfaces.DSAPublicKey;
c6db9b
 import java.security.interfaces.RSAPublicKey;
c6db9b
 import java.util.List;
c6db9b
 import java.util.StringTokenizer;
c6db9b
@@ -34,6 +33,7 @@ import java.util.Vector;
c6db9b
 import org.mozilla.jss.CryptoManager;
c6db9b
 import org.mozilla.jss.crypto.ObjectNotFoundException;
c6db9b
 import org.mozilla.jss.crypto.X509Certificate;
c6db9b
+import org.mozilla.jss.pkcs11.PK11ECPublicKey;
c6db9b
 
c6db9b
 import com.netscape.cmsutil.util.Utils;
c6db9b
 
c6db9b
@@ -159,8 +159,8 @@ public class AuditVerify {
c6db9b
         String sigAlgorithm = null;
c6db9b
         if (pubk instanceof RSAPublicKey) {
c6db9b
             sigAlgorithm = "SHA-256/RSA";
c6db9b
-        } else if (pubk instanceof DSAPublicKey) {
c6db9b
-            sigAlgorithm = "SHA-256/DSA";
c6db9b
+        } else if (pubk instanceof PK11ECPublicKey) {
c6db9b
+            sigAlgorithm = "SHA-256/EC";
c6db9b
         } else {
c6db9b
             throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm());
c6db9b
         }
c6db9b
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
c6db9b
index 74a8ada..b04f70d 100644
c6db9b
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
c6db9b
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
c6db9b
@@ -41,8 +41,6 @@ import java.security.PrivateKey;
c6db9b
 import java.security.Provider;
c6db9b
 import java.security.Signature;
c6db9b
 import java.security.SignatureException;
c6db9b
-import java.security.interfaces.DSAPrivateKey;
c6db9b
-import java.security.interfaces.RSAPrivateKey;
c6db9b
 import java.text.ParseException;
c6db9b
 import java.text.SimpleDateFormat;
c6db9b
 import java.util.Date;
c6db9b
@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
c6db9b
             mSigningKey = cm.findPrivKeyByCert(cert);
c6db9b
 
c6db9b
             String sigAlgorithm;
c6db9b
-            if (mSigningKey instanceof RSAPrivateKey) {
c6db9b
+            if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) {
c6db9b
                 sigAlgorithm = "SHA-256/RSA";
c6db9b
-            } else if (mSigningKey instanceof DSAPrivateKey) {
c6db9b
-                sigAlgorithm = "SHA-256/DSA";
c6db9b
+            } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
c6db9b
+                sigAlgorithm = "SHA-256/EC";
c6db9b
             } else {
c6db9b
                 throw new NoSuchAlgorithmException("Unknown private key type");
c6db9b
             }
c6db9b
-- 
c6db9b
1.8.3.1
c6db9b