From 6bd383b5f142c4f2795bb3bfb2db167981622a9d Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Wed, 30 Sep 2020 13:35:25 -0400
Subject: [PATCH 1/6] Resolve: Bug 1710978 - TPS - Add logging to
tdbAddCertificatesForCUID if adding or searching for cert record fails (#559)
Submitted by RHCS-maint.
This fix provides better logging when the update to the token db suffers a partial or complete failure.
Due to the unlikelyness of this happening in practice, this fix provides a simple config based way to simulate
the issue, such that the log activity can be easily observed just as if had happened during an actual failure.
Set the following in the TPS's CS.cfg:
op.enroll.testAddCertsToDBFailure=true.
The setting is false by default.
Co-authored-by: Jack Magne <jmagne@test.host.com>
(cherry picked from commit d7f2b72dd4fe9cd21de70fb8ce1806f66aec3624)
---
.../src/org/dogtagpki/server/tps/TPSTokendb.java | 76 ++++++++++++++++++----
.../server/tps/processor/TPSEnrollProcessor.java | 14 +++-
2 files changed, 75 insertions(+), 15 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
index 446fa3f..7434502 100644
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
@@ -241,25 +241,75 @@ public class TPSTokendb {
CMS.debug(method + " found token " + cuid);
CMS.debug(method + " number of certs to update:" + certs.size());
+
+ // Keep track of which certs made it to the database and which didn't,
+ // in case of failure
+ class CnIssuerPair {
+ public final String cn;
+ public final String issuer;
+
+ public CnIssuerPair(String _cn, String _issuer) {
+ cn = _cn;
+ issuer = _issuer;
+ }
+
+ public String toString() {
+ return "(cn=" + cn + ", issuerCn=" + issuer + ")";
+ }
+ }
+
+ ArrayList<CnIssuerPair> cnIssuerPairsRemaining = new ArrayList<CnIssuerPair>(certs.size());
+ for(TPSCertRecord cert : certs) {
+ String cn = cert.getId();
+ String issuerCn = cert.getIssuedBy();
+ cnIssuerPairsRemaining.add(new CnIssuerPair(cn, issuerCn));
+ }
+
+ boolean testAddCertsFailure = false;
+ //Contrive a very difficult to reproduce testing scenario
+
try {
+ IConfigStore configStore = CMS.getConfigStore();
+
+ // get conn ID
+ String config = "op.enroll." + "testAddCertsToDBFailure";
+ testAddCertsFailure = configStore.getBoolean(config,false);
+ } catch (Exception e) {
+ testAddCertsFailure = false;
+ }
+
+ try {
+ int count = 0;
for (TPSCertRecord cert : certs) {
- try {
- if (!isCertOnToken(cert, cuid)) {
- CMS.debug(method + " adding cert with serial: " + cert.getSerialNumber());
- tps.certDatabase.addRecord(cert.getId(), cert);
- } else {
- // cert already on token
- CMS.debug(method + "retain and skip adding with serial:" + cert.getSerialNumber());
- }
- } catch (Exception e) {
- CMS.debug(method + "Exception after isCertOnToken call"+ e.toString());
- // ignore; go to next;
+ if (!isCertOnToken(cert, cuid)) {
+ CMS.debug(method + " adding cert with serial: " + cert.getSerialNumber());
+ // After at least one cert is added correctly, perform the test of a failure
+ // if so configured.
+
+ if(count > 0 && testAddCertsFailure == true) {
+ throw new Exception(method + ": " + "Failed to add certificate to token db, as part of a test of failure condition.");
+ }
+ tps.certDatabase.addRecord(cert.getId(), cert);
+ } else {
+ // cert already on token
+ CMS.debug(method + "retain and skip adding with serial:" + cert.getSerialNumber());
}
+
+ // Successfully added cert or verified it was already there, so remove
+ // it from the 'remaining' list
+ cnIssuerPairsRemaining.removeIf(p -> (p.cn == cert.getId() && p.issuer == cert.getIssuedBy()));
+ count ++ ;
}
} catch (Exception e) {
CMS.debug(method + e);
- // TODO: what if it throws in the middle of the cert list -- some cert records already updated?
- throw new TPSException(e.getMessage());
+
+ String subjectDn = certs.get(0).getSubject();
+ String logMsg = method + ": " + "Failed to add or verify the following certs for [" + subjectDn + "] in the Certificate DB: ";
+ for(CnIssuerPair pair : cnIssuerPairsRemaining) {
+ logMsg += pair + "; ";
+ }
+
+ throw new TPSException(logMsg);
}
}
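Review bot: The predicate on the `cnIssuerPairsRemaining.removeIf(...)` line compares the cn and issuer Strings with `==`, so a cert is only struck from the remaining list if `getId()` and `getIssuedBy()` return the very same String instances that were captured when the list was built; if either getter constructs a new String, nothing is ever removed and the failure message names every cert, including those that were written successfully. Use value equality: `cnIssuerPairsRemaining.removeIf(p -> Objects.equals(p.cn, cert.getId()) && Objects.equals(p.issuer, cert.getIssuedBy()));` (java.util.Objects, if not already imported). The `op.enroll.testAddCertsToDBFailure` switch is a fault injector read from the live CS.cfg on every enrollment and makes every multi-cert enrollment fail after the first record is written, so its declaration deserves a comment such as `// Test-only fault injection; never enable on a production instance.` tdbAddCertificatesForCUID begins before the hunk.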
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index f1e773a..5175344 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -618,8 +618,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
ArrayList<TPSCertRecord> certRecords = certsInfo.toTPSCertRecords(tokenRecord.getId(), tokenRecord.getUserID());
CMS.debug(method + " adding certs to token with tdbAddCertificatesForCUID...");
- tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
- CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
+ try {
+ tps.tdb.tdbAddCertificatesForCUID(tokenRecord.getId(), certRecords);
+ CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
+ } catch(TPSException e) {
+ CMS.debug(method + " Exception occurred in tdbAddCertificatesForCUID: " + e.getMessage());
+ try {
+ auditEnrollment(userid, "enrollment", appletInfo, "failure", channel.getKeyInfoData().toHexStringPlain(), null, null, e.getMessage());
+ tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), e.getMessage(), "failure");
+ } catch(Exception f) {
+ CMS.debug(method + " Failed to log previous exception: " + f);
+ }
+ }
String finalAppletVersion = appletInfo.getFinalAppletVersion();
if(finalAppletVersion == null)
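Review bot: The new `catch(TPSException e)` block audits a failure and then falls through, so control continues at `String finalAppletVersion = ...` and the enrollment proceeds although the token DB holds no records for the certs just written to the token; before this change the exception propagated out of the method. Presumably later token operations (format, revocation on loss) key off those records, so after the two audit calls the failure should still reach the caller, e.g. `throw new TPSException(e.getMessage(), TPSStatus.STATUS_ERROR_UPDATE_TOKENDB_FAILED);`, the same status the pin-reset path in this series returns for a token-DB update failure. If letting the enrollment complete is intentional, say so in a comment, since the activity log would otherwise record a failure and, presumably, a success for the same enrollment. The enclosing method continues past the hunk.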
--
1.8.3.1
From dfaecd2ce22313a0144939f5009cb0096511fceb Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Wed, 30 Sep 2020 13:39:27 -0400
Subject: [PATCH 2/6] Resolve: Bug 1858860 - TPS - Update Error Codes returned
to client (CIW/ESC) to Match CS8. (#564)
This is simply the addition of one very simple patch to the pin reset procedure, that provides
the proper error code back to the client in 2 very unlikely error scenarios.
RHCS-maint.
Co-authored-by: Jack Magne <jmagne@test.host.com>
(cherry picked from commit 3c58273ddb5567b86f7aad664f2af5e6560f3928)
---
.../src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index de5c634..7d3a7cd 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -50,7 +50,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
@Override
public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
if (beginMsg == null) {
- throw new TPSException("TPSPinResetProcessor.process: invalid input data, not beginMsg provided.",
+ throw new TPSException("TPSPinResetProcessor.process: invalid input data, no beginMsg provided.",
TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
}
setBeginMessage(beginMsg);
@@ -306,7 +306,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
logMsg = logMsg + ":" + e.toString();
tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
"failure");
- throw new TPSException(logMsg);
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_UPDATE_TOKENDB_FAILED);
}
CMS.debug(method + ": Token Pin successfully reset!");
--
1.8.3.1
From 6dc155765b9752c9b1e89d442c53b464756df325 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 8 Sep 2020 17:18:49 -0400
Subject: [PATCH 3/6] Bug1858861 TPS - Server side key generation is not
working for Identity only tokens Missing some commits
This patch relates to Bug 1494591, where the fix was missing a patch.
It makes it so that as long as one keyType has serverKeyGen enabled then
all key types under the same tps profile are considered server-side
keygen.
Code submittd by RHCS-MAINT
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1858861
(cherry picked from commit 103a03062c235cc3e51f98e721ca6d72eb1f5a9d)
---
.../server/tps/cms/TKSRemoteRequestHandler.java | 50 ++++++++++++++++------
1 file changed, 38 insertions(+), 12 deletions(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
index 8155f90..770819d 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
@@ -127,9 +127,7 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
break;
}
}
-
-
-
+ CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
if (keySet == null)
keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
@@ -264,10 +262,23 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
IConfigStore conf = CMS.getConfigStore();
- boolean serverKeygen =
- conf.getBoolean("op.enroll." +
- tokenType + ".keyGen.encryption.serverKeygen.enable",
- false);
+ boolean serverKeygen = false;
+
+ //Try out all the currently supported cert types to see if we are doing server side keygen here
+ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
+ for (String keygenString : keygenStrings) {
+ boolean enabled = conf.getBoolean("op.enroll." +
+ tokenType + ".keyGen." +
+ keygenString + ".serverKeygen.enable", false);
+
+ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
+ if (enabled) {
+ serverKeygen = true;
+ break;
+ }
+ }
+ CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
+
if (keySet == null)
keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
@@ -427,7 +438,9 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
String tokenType)
throws EBaseException {
- CMS.debug("TKSRemoteRequestHandler: computeSessionKeySCP02(): begins.");
+ String method = "TKSRemoteRequestHandler: computeSessionKeysSCP02(): ";
+
+ CMS.debug(method + " begins.");
if (cuid == null || kdd == null || keyInfo == null ||
sequenceCounter == null
|| derivationConstant == null) {
@@ -436,10 +449,23 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
IConfigStore conf = CMS.getConfigStore();
- boolean serverKeygen =
- conf.getBoolean("op.enroll." +
- tokenType + ".keyGen.encryption.serverKeygen.enable",
- false);
+ boolean serverKeygen = false;
+
+ //Try out all the currently supported cert types to see if we are doing server side keygen here
+ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
+ for (String keygenString : keygenStrings) {
+ boolean enabled = conf.getBoolean("op.enroll." +
+ tokenType + ".keyGen." +
+ keygenString + ".serverKeygen.enable", false);
+
+ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled);
+ if (enabled) {
+ serverKeygen = true;
+ break;
+ }
+ }
+ CMS.debug(method + " final serverkegGen enabled? " + serverKeygen);
+
if (keySet == null)
keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet");
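Review bot: This block is a line-for-line copy of the serverKeygen probe in the SCP01 method above, including the `serverkegGen` misspelling in both debug messages; a private helper shared by the two methods would keep the hard-coded key-type list from diverging between the SCP01 and SCP02 paths. The new debug prefix reads `computeSessionKeysSCP02` whereas the removed line said `computeSessionKeySCP02`; the method name itself is outside the hunk, so verify the prefix matches the real name so log searches stay consistent. The enclosing method starts before the hunk.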
--
1.8.3.1
From 9627046fe5d38c447c85ec3a1be75ab86dbdaaac Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 13 Oct 2020 16:19:06 -0700
Subject: [PATCH 4/6] Bug1883639-add profile caAuditSigningCert
Existing profiles caStorageCert.cfg and caTransportCert.cfg
should be used for KRA.
a caAuditSigningCert profile is added, although I find
a misleading profile named caSignedLogCert.cfg that was intended for
the use. I disabled caSignedLogCert.cfg instead.
I also removed the SHA1 algorithms from all the *storage* and *audit*
profiles while I'm at it.
The upgrade scripts only adds the new profile caAuditSigningCert. It
does not modify existing profiles or remove those two IPA specific
ones.
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1883639
(cherry picked from commit 73efcea0c74eb4882c003a7fe6cef21fa7627363)
---
base/ca/shared/conf/CS.cfg | 4 +-
base/ca/shared/profiles/ca/caAuditSigningCert.cfg | 80 ++++++++++++++++++++++
.../profiles/ca/caInternalAuthAuditSigningCert.cfg | 2 +-
.../profiles/ca/caInternalAuthDRMstorageCert.cfg | 2 +-
.../profiles/ca/caInternalAuthTransportCert.cfg | 2 +-
base/ca/shared/profiles/ca/caSignedLogCert.cfg | 4 +-
base/ca/shared/profiles/ca/caStorageCert.cfg | 2 +-
base/ca/shared/profiles/ca/caTransportCert.cfg | 2 +-
.../10.5.17/02-AddProfileCaAuditSigningCert | 52 ++++++++++++++
9 files changed, 142 insertions(+), 8 deletions(-)
create mode 100644 base/ca/shared/profiles/ca/caAuditSigningCert.cfg
create mode 100644 base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 2c50831..1eb8881 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -976,7 +976,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caAuditSigningCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1087,6 +1087,8 @@ profile.caECServerCert.class_id=caEnrollImpl
profile.caECServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECServerCert.cfg
profile.caSignedLogCert.class_id=caEnrollImpl
profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
+profile.caAuditSigningCert.class_id=caEnrollImpl
+profile.caAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAuditSigningCert.cfg
profile.caSigningUserCert.class_id=caEnrollImpl
profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
profile.caSimpleCMCUserCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
new file mode 100644
index 0000000..68dfcad
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caAuditSigningCert.cfg
@@ -0,0 +1,80 @@
+desc=This certificate profile is for enrolling audit signing certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Manual Audit Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
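Review bot: `policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521` still admits 1024-bit RSA keys for an audit signing certificate, which undercuts the removal of SHA-1 from `signingAlgsAllowed` in this same profile: 1024-bit RSA has been disallowed for signature generation for about as long as SHA-1 has. Change it to `policyset.auditSigningCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp521` so the new profile does not ship with a key size the rest of the commit is trying to retire. If 1024 is kept deliberately for legacy HSMs, a comment line above the key saying so would stop the next reviewer from raising it again.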
diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
index 55cfd8c..86f288e 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
policyset.auditSigningCertSet.9.constraint.name=No Constraint
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
policyset.auditSigningCertSet.9.default.name=Signing Alg
policyset.auditSigningCertSet.9.default.params.signingAlg=-
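Review bot: Dropping SHA1withRSA, SHA1withDSA and SHA1withEC from `signingAlgsAllowed` only takes effect on new installs: the commit message says the upgrade script adds caAuditSigningCert and does not modify existing profiles, so deployed instances keep accepting SHA-1 signing requests through this profile until an administrator edits it by hand. Either extend the upgrade to rewrite this key, or state in the description (and release notes) that operators must apply the `signingAlgsAllowed` change to existing profiles themselves. The same applies to the storage and transport profiles changed below.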
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
index ae9593e..23a0850 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
|
|
|
e0d192 |
policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.constraint.name=No Constraint
|
|
|
e0d192 |
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.name=Signing Alg
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.params.signingAlg=-
|
|
|
e0d192 |
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
|
|
|
e0d192 |
index 359881e..cbeb0eb 100644
|
|
|
e0d192 |
--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
|
|
|
e0d192 |
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
|
|
|
e0d192 |
@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
|
|
|
e0d192 |
policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
e0d192 |
policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
|
e0d192 |
policyset.transportCertSet.8.constraint.name=No Constraint
|
|
|
e0d192 |
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
|
e0d192 |
policyset.transportCertSet.8.default.name=Signing Alg
|
|
|
e0d192 |
policyset.transportCertSet.8.default.params.signingAlg=-
|
|
|
e0d192 |
diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
index ddd3d1a..01e21f1 100644
|
|
|
e0d192 |
--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg
|
|
|
e0d192 |
@@ -1,6 +1,6 @@
|
|
|
e0d192 |
desc=This profile is for enrolling audit log signing certificates
|
|
|
e0d192 |
-visible=true
|
|
|
e0d192 |
-enable=true
|
|
|
e0d192 |
+visible=false
|
|
|
e0d192 |
+enable=false
|
|
|
e0d192 |
enableBy=admin
|
|
|
e0d192 |
auth.class_id=
|
|
|
e0d192 |
name=Manual Audit Log Signing Certificate Enrollment
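Review bot: Flipping `visible` and `enable` to false in the shipped template only affects new installations; an existing instance keeps the copy of caSignedLogCert.cfg already under its profiles directory, and the only upgrade scriptlet in this series (02-AddProfileCaAuditSigningCert) adds the new profile without touching caSignedLogCert. If the intent is to retire the profile everywhere, that presumably needs a companion upgrade step or a release note; if only new installs are meant, a one-line comment in the file such as `# Disabled by default; apparently superseded by caAuditSigningCert` would save the next reader the guess.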
|
|
|
e0d192 |
diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
|
|
|
e0d192 |
index abb9715..0791b79 100644
|
|
|
e0d192 |
--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
|
|
|
e0d192 |
+++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
|
|
|
e0d192 |
@@ -73,7 +73,7 @@ policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
|
|
|
e0d192 |
policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.constraint.name=No Constraint
|
|
|
e0d192 |
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.name=Signing Alg
|
|
|
e0d192 |
policyset.drmStorageCertSet.9.default.params.signingAlg=-
|
|
|
e0d192 |
diff --git a/base/ca/shared/profiles/ca/caTransportCert.cfg b/base/ca/shared/profiles/ca/caTransportCert.cfg
|
|
|
e0d192 |
index 51dc084..f6ae711 100644
|
|
|
e0d192 |
--- a/base/ca/shared/profiles/ca/caTransportCert.cfg
|
|
|
e0d192 |
+++ b/base/ca/shared/profiles/ca/caTransportCert.cfg
|
|
|
e0d192 |
@@ -79,7 +79,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
|
|
|
e0d192 |
policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
|
|
|
e0d192 |
policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
|
|
|
e0d192 |
policyset.transportCertSet.8.constraint.name=No Constraint
|
|
|
e0d192 |
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
|
|
|
e0d192 |
policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
|
|
|
e0d192 |
policyset.transportCertSet.8.default.name=Signing Alg
|
|
|
e0d192 |
policyset.transportCertSet.8.default.params.signingAlg=-
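Review bot: The new `signingAlgsAllowed` value still lists `MD5withRSA,MD2withRSA` while dropping the SHA-1 entries, so this profile is left accepting weaker digests than the ones the change removes; the sibling profiles changed in this series (caInternalAuthTransportCert.cfg, caStorageCert.cfg, caInternalAuthDRMstorageCert.cfg) carry no MD-based entries. Unless an MD5/MD2 client is deliberately being kept, the line should read `policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS`, matching caInternalAuthTransportCert.cfg.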
|
|
|
e0d192 |
diff --git a/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert b/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
new file mode 100644
|
|
|
e0d192 |
index 0000000..02b8477
|
|
|
e0d192 |
--- /dev/null
|
|
|
e0d192 |
+++ b/base/server/upgrade/10.5.17/02-AddProfileCaAuditSigningCert
|
|
|
e0d192 |
@@ -0,0 +1,52 @@
|
|
|
e0d192 |
+# Authors:
|
|
|
e0d192 |
+# Christina Fu <cfu@redhat.com>
|
|
|
e0d192 |
+#
|
|
|
e0d192 |
+# Copyright Red Hat, Inc.
|
|
|
e0d192 |
+#
|
|
|
e0d192 |
+# SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+from __future__ import absolute_import
|
|
|
e0d192 |
+import logging
|
|
|
e0d192 |
+import os
|
|
|
e0d192 |
+import shutil
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+import pki
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+logger = logging.getLogger(__name__)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+class AddProfileCaAuditSigningCert(pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ def __init__(self):
|
|
|
e0d192 |
+ super(AddProfileCaAuditSigningCert, self).__init__()
|
|
|
e0d192 |
+ self.message = 'Add caAuditSigningCert profile'
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ def upgrade_subsystem(self, instance, subsystem):
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ if subsystem.name != 'ca':
|
|
|
e0d192 |
+ return
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ path = os.path.join(subsystem.base_dir, 'profiles', 'ca', 'caAuditSigningCert.cfg')
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ if not os.path.exists(path):
|
|
|
e0d192 |
+ logger.info('Creating caAuditSigningCert.cfg')
|
|
|
e0d192 |
+ self.backup(path)
|
|
|
e0d192 |
+ shutil.copyfile('/usr/share/pki/ca/profiles/ca/caAuditSigningCert.cfg', path)
|
|
|
e0d192 |
+ os.chown(path, instance.uid, instance.gid)
|
|
|
e0d192 |
+ os.chmod(path, 0o0660)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding caAuditSigningCert into profile.list')
|
|
|
e0d192 |
+ profile_list = subsystem.config.get('profile.list').split(',')
|
|
|
e0d192 |
+ if 'caAuditSigningCert' not in profile_list:
|
|
|
e0d192 |
+ profile_list.append('caAuditSigningCert')
|
|
|
e0d192 |
+ profile_list.sort()
|
|
|
e0d192 |
+ subsystem.config['profile.list'] = ','.join(profile_list)
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding profile.caAuditSigningCert.class_id')
|
|
|
e0d192 |
+ subsystem.config['profile.caAuditSigningCert.class_id'] = 'caEnrollImpl'
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ logger.info('Adding profile.caAuditSigningCert.config')
|
|
|
e0d192 |
+ subsystem.config['profile.caAuditSigningCert.config'] = path
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ self.backup(subsystem.cs_conf)
|
|
|
e0d192 |
+ subsystem.save()
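Review bot: `subsystem.config.get('profile.list')` returns None when the key is absent, so the `.split(',')` that follows fails with an AttributeError instead of a clear message; guard it with `raw = subsystem.config.get('profile.list')` and `profile_list = raw.split(',') if raw else []`. The profile file is created by `shutil.copyfile` before `os.chown`/`os.chmod` run, so it briefly carries the process umask's default mode; if that matters for this directory, setting the umask first or creating the file with its final mode closes the window. `pki.server.upgrade` is referenced at class-definition time although only `import pki` is written — presumably the upgrade loader has already imported that module, which is worth confirming.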
|
|
|
e0d192 |
--
|
|
|
e0d192 |
1.8.3.1
|
|
|
e0d192 |
|
|
|
e0d192 |
|
|
|
e0d192 |
From 77eadead2fea96d897f3f09894ce612b9e1ee19d Mon Sep 17 00:00:00 2001
|
|
|
e0d192 |
From: Christina Fu <cfu@redhat.com>
|
|
|
e0d192 |
Date: Wed, 16 Sep 2020 18:47:33 -0400
|
|
|
e0d192 |
Subject: [PATCH 5/6] Bug1858867-TPS does not check token cuid on the user
|
|
|
e0d192 |
externalReg record during PIN reset
|
|
|
e0d192 |
|
|
|
e0d192 |
RHCS-MAINT contribution
|
|
|
e0d192 |
This patch makes sure that if "tokenCUID" exists for the user reg record,
|
|
|
e0d192 |
pinReset operation would make sure that it matches with the current
|
|
|
e0d192 |
token cuid;
|
|
|
e0d192 |
If the "tokenCUID" does not exist in the user registration record
|
|
|
e0d192 |
then any token can be used for pinReset;
|
|
|
e0d192 |
|
|
|
e0d192 |
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1858867
|
|
|
e0d192 |
|
|
|
e0d192 |
(cherry picked from commit 1f24b6f0b9d37139b2069564ee6b2f5fe2bae527)
|
|
|
e0d192 |
---
|
|
|
e0d192 |
.../server/tps/processor/TPSPinResetProcessor.java | 26 ++++++++++++++++++++++
|
|
|
e0d192 |
1 file changed, 26 insertions(+)
|
|
|
e0d192 |
|
|
|
e0d192 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
index 7d3a7cd..af42689 100644
|
|
|
e0d192 |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
@@ -187,6 +187,32 @@ public class TPSPinResetProcessor extends TPSProcessor {
|
|
|
e0d192 |
} else {
|
|
|
e0d192 |
CMS.debug(method + " --> registrationtype attribute disabled or not found, continuing.");
|
|
|
e0d192 |
}
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ /*
|
|
|
e0d192 |
+ * If cuid is provided on the user registration record, then
|
|
|
e0d192 |
+ * we have to compare that with the current token cuid;
|
|
|
e0d192 |
+ *
|
|
|
e0d192 |
+ * If, the cuid is not provided on the user registration record,
|
|
|
e0d192 |
+ * then any token can be used.
|
|
|
e0d192 |
+ */
|
|
|
e0d192 |
+ if (erAttrs.getTokenCUID() != null) {
|
|
|
e0d192 |
+ CMS.debug(method + " checking if token cuid matches record cuid");
|
|
|
e0d192 |
+ CMS.debug(method + " erAttrs.getTokenCUID()=" + erAttrs.getTokenCUID());
|
|
|
e0d192 |
+ CMS.debug(method + " tokenRecord.getId()=" + tokenRecord.getId());
|
|
|
e0d192 |
+ if (!tokenRecord.getId().equalsIgnoreCase(erAttrs.getTokenCUID())) {
|
|
|
e0d192 |
+ logMsg = "isExternalReg: token CUID not matching record:" + tokenRecord.getId() + " : " +
|
|
|
e0d192 |
+ erAttrs.getTokenCUID();
|
|
|
e0d192 |
+ CMS.debug(method + logMsg);
|
|
|
e0d192 |
+ tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
|
|
|
e0d192 |
+ "failure");
|
|
|
e0d192 |
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_NOT_TOKEN_OWNER);
|
|
|
e0d192 |
+ } else {
|
|
|
e0d192 |
+ logMsg = "isExternalReg: token CUID matches record";
|
|
|
e0d192 |
+ CMS.debug(method + logMsg);
|
|
|
e0d192 |
+ }
|
|
|
e0d192 |
+ } else {
|
|
|
e0d192 |
+ CMS.debug(method + " no need to check if token cuid matches record");
|
|
|
e0d192 |
+ }
|
|
|
e0d192 |
|
|
|
e0d192 |
session.setExternalRegAttrs(erAttrs);
|
|
|
e0d192 |
setExternalRegSelectedTokenType(erAttrs);
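Review bot: The permissive branch at the end of the added block (no tokenCUID on the registration record) only emits a debug message, while the mismatch branch writes a failure row through `tps.tdb.tdbActivity`; an administrator reviewing PIN resets afterwards cannot tell that one succeeded without a CUID binding. Consider recording that case in the activity log as well, or at least saying in the block comment that the unbound case is intentional and not audited. `erAttrs.getTokenCUID()` is called four times in the block; a local `String recordCuid = erAttrs.getTokenCUID();` at the top would turn the comparison into `if (!tokenRecord.getId().equalsIgnoreCase(recordCuid))` and shorten the debug lines. The enclosing method starts and ends outside the hunk.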
|
|
|
e0d192 |
--
|
|
|
e0d192 |
1.8.3.1
|
|
|
e0d192 |
|
|
|
e0d192 |
|
|
|
e0d192 |
From 8c17891db620896e684cf0efd4ead66d8b1b4e1d Mon Sep 17 00:00:00 2001
|
|
|
e0d192 |
From: jmagne <jmagne@redhat.com>
|
|
|
e0d192 |
Date: Mon, 19 Oct 2020 21:26:43 -0400
|
|
|
e0d192 |
Subject: [PATCH 6/6] Enhancment to Bug 1858860 - TPS - Update Error Codes
|
|
|
e0d192 |
returned to client (CIW/ESC) to Match CS8. (#3360)
|
|
|
e0d192 |
|
|
|
e0d192 |
This enhancement allows config values to be used to test the unlikely error conditions addressed in the original bug:
|
|
|
e0d192 |
|
|
|
e0d192 |
To test the two scenarios, use these settings one at a time:
|
|
|
e0d192 |
|
|
|
e0d192 |
op.pinReset.testNoBeginMsg=false
|
|
|
e0d192 |
op.pinReset.testUpdateDBFailure=false
|
|
|
e0d192 |
|
|
|
e0d192 |
The first one will test the error code returned when the beginOp message is missing when atempting
|
|
|
e0d192 |
a pin Reset operation. The error returned should be error "4".
|
|
|
e0d192 |
|
|
|
e0d192 |
The second one will test if the update of the db for the token does not complete properly.
|
|
|
e0d192 |
|
|
|
e0d192 |
The error returned in this scenario should be "41".
|
|
|
e0d192 |
|
|
|
e0d192 |
The tpsclient utility can be used to test these two scenarios. Once again try them separately
|
|
|
e0d192 |
because the first error will stop the pin reset procedure before the second scenario can even happen.
|
|
|
e0d192 |
|
|
|
e0d192 |
Co-authored-by: Jack Magne <jmagne@test.host.com>
|
|
|
e0d192 |
(cherry picked from commit 509d31cf80e13c564b50d41feb11fd9c2eb9db73)
|
|
|
e0d192 |
---
|
|
|
e0d192 |
.../server/tps/processor/TPSPinResetProcessor.java | 29 +++++++++++++++++++++-
|
|
|
e0d192 |
1 file changed, 28 insertions(+), 1 deletion(-)
|
|
|
e0d192 |
|
|
|
e0d192 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
index af42689..805af20 100644
|
|
|
e0d192 |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
|
|
|
e0d192 |
@@ -49,7 +49,19 @@ public class TPSPinResetProcessor extends TPSProcessor {
|
|
|
e0d192 |
|
|
|
e0d192 |
@Override
|
|
|
e0d192 |
public void process(BeginOpMsg beginMsg) throws TPSException, IOException {
|
|
|
e0d192 |
- if (beginMsg == null) {
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ IConfigStore configStore = CMS.getConfigStore();
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ // Use this only for testing, not for normal operation.
|
|
|
e0d192 |
+ String configName = "op.pinReset.testNoBeginMsg";
|
|
|
e0d192 |
+ boolean testPinResetNoBeginMsg = false;
|
|
|
e0d192 |
+ try {
|
|
|
e0d192 |
+ testPinResetNoBeginMsg = configStore.getBoolean(configName,false);
|
|
|
e0d192 |
+ } catch (EBaseException e) {
|
|
|
e0d192 |
+ testPinResetNoBeginMsg = false;
|
|
|
e0d192 |
+ }
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ if (beginMsg == null || testPinResetNoBeginMsg == true) {
|
|
|
e0d192 |
throw new TPSException("TPSPinResetProcessor.process: invalid input data, no beginMsg provided.",
|
|
|
e0d192 |
TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
|
|
|
e0d192 |
}
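Review bot: When `op.pinReset.testNoBeginMsg` is set, the unchanged throw still reports "no beginMsg provided", so a test switch left on in a production CS.cfg would look like a client protocol failure in the logs; log the active switch before throwing, `CMS.debug("TPSPinResetProcessor.process: op.pinReset.testNoBeginMsg is set, simulating missing beginMsg");`. The read-a-test-flag sequence (getConfigStore, getBoolean, catch EBaseException, fall back to false) is repeated verbatim in the second hunk of this file for `op.pinReset.testUpdateDBFailure`; a small private helper removes the duplication and the `== true` comparisons in both places. process() continues past the hunk.
```java
    /** Reads a boolean test-only switch from CS.cfg; a failed read counts as "off". */
    private static boolean testFlagSet(String configName) {
        try {
            return CMS.getConfigStore().getBoolean(configName, false);
        } catch (EBaseException e) {
            return false;
        }
    }

    @Override
    public void process(BeginOpMsg beginMsg) throws TPSException, IOException {

        // Use this only for testing, not for normal operation.
        boolean testPinResetNoBeginMsg = testFlagSet("op.pinReset.testNoBeginMsg");
        if (testPinResetNoBeginMsg) {
            CMS.debug("TPSPinResetProcessor.process: op.pinReset.testNoBeginMsg is set, simulating missing beginMsg");
        }

        if (beginMsg == null || testPinResetNoBeginMsg) {
            // … unchanged: TPSException with STATUS_ERROR_MAC_RESET_PIN_PDU …
        }
        // … unchanged: rest of process() …
```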
|
|
|
e0d192 |
@@ -324,7 +336,22 @@ public class TPSPinResetProcessor extends TPSProcessor {
|
|
|
e0d192 |
|
|
|
e0d192 |
statusUpdate(100, "PROGRESS_PIN_RESET_COMPLETE");
|
|
|
e0d192 |
logMsg = "update token during pin reset";
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ IConfigStore configStore = CMS.getConfigStore();
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ // Use this only for testing, not for normal operation.
|
|
|
e0d192 |
+ String configName = "op.pinReset.testUpdateDBFailure";
|
|
|
e0d192 |
+ boolean testUpdateDBFailure = false;
|
|
|
e0d192 |
try {
|
|
|
e0d192 |
+ testUpdateDBFailure = configStore.getBoolean(configName,false);
|
|
|
e0d192 |
+ } catch (EBaseException e) {
|
|
|
e0d192 |
+ testUpdateDBFailure = false;
|
|
|
e0d192 |
+ }
|
|
|
e0d192 |
+
|
|
|
e0d192 |
+ try {
|
|
|
e0d192 |
+ if(testUpdateDBFailure == true) {
|
|
|
e0d192 |
+ throw new Exception("Test failure to update DB for Pin Reset!");
|
|
|
e0d192 |
+ }
|
|
|
e0d192 |
tps.tdb.tdbUpdateTokenEntry(tokenRecord);
|
|
|
e0d192 |
tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg, "success");
|
|
|
e0d192 |
CMS.debug(method + ": token record updated!");
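Review bot: The simulated failure is raised as a bare `new Exception(...)`, which only reaches the intended handler if the catch clause that follows (outside the hunk) is `catch (Exception e)`; if it is, a real `tdbUpdateTokenEntry` failure and the simulated one produce identical activity-log and debug entries. Naming the switch in the message, `throw new Exception("op.pinReset.testUpdateDBFailure is set: simulated DB update failure for Pin Reset");`, lets a forgotten test setting be identified from the log rather than investigated as a database outage. The `if(testUpdateDBFailure == true)` test reads more plainly as `if (testUpdateDBFailure)`.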
|
|
|
e0d192 |
--
|
|
|
e0d192 |
1.8.3.1
|
|
|
e0d192 |
|