From d98aed0cbb25deaa954289e7f870c10edde688dd Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 18 May 2020 19:14:41 -0400
Subject: [PATCH 1/2] Bug 1794213 Add Directory-based-auth profile for
SeverSide Keygen
This patch adds caServerKeygen_DirUserCert.cfg, which is a profile using
directory-based authentication for severSide Keygen enrollment.
One is required to set up UserDirEnrollment in CS.cfg.
It also contains some misc cleanup such as removal of unneeded imports
and debug statements, as well as improving a couple of error-handling paths that stemmed from
upstream review.
https://bugzilla.redhat.com/show_bug.cgi?id=1794213
(cherry picked from commit 9e2bb93bb435e658a15ab8572a61d6481bb4fed8)
---
base/ca/shared/conf/CS.cfg | 4 +-
.../profiles/ca/caServerKeygen_DirUserCert.cfg | 104 +++++++++++++++++++++
base/kra/src/com/netscape/kra/RecoveryService.java | 2 +-
.../cms/profile/common/CAEnrollProfile.java | 2 +
.../profile/def/ServerKeygenUserKeyDefault.java | 12 ++-
.../cms/servlet/connector/ConnectorServlet.java | 1 -
.../netscape/cmscore/request/ARequestQueue.java | 5 +-
7 files changed, 119 insertions(+), 11 deletions(-)
create mode 100644 base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 004efdc..2c50831 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -976,7 +976,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caServerKeygen_UserCert,caServerKeygen_DirUserCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -1133,6 +1133,8 @@ profile.caTransportCert.class_id=caEnrollImpl
profile.caTransportCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTransportCert.cfg
profile.caServerKeygen_UserCert.class_id=caEnrollImpl
profile.caServerKeygen_UserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerKeygen_UserCert.cfg
+profile.caServerKeygen_DirUserCert.class_id=caEnrollImpl
+profile.caServerKeygen_DirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerKeygen_DirUserCert.cfg
profile.caUserCert.class_id=caEnrollImpl
profile.caUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUserCert.cfg
profile.caECUserCert.class_id=caEnrollImpl
diff --git a/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
new file mode 100644
index 0000000..ea1acfb
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caServerKeygen_DirUserCert.cfg
@@ -0,0 +1,104 @@
+desc=This certificate profile is for enrolling user certificates using server-side Key generation with Directory-based authentication.
+visible=true
+enable=true
+enableBy=admin
+name=Directory-authenticated User Dual-Use Certificate Enrollment using server-side Key generation
+auth.instance_id=UserDirEnrollment
+input.list=i1,i2,i3
+input.i1.class_id=serverKeygenInputImpl
+input.i2.class_id=subjectNameInputImpl
+input.i3.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=pkcs12OutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=UID=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
+policyset.userCertSet.3.default.name=Server-Side Keygen Default
+policyset.userCertSet.3.default.params.keyType=RSA
+policyset.userCertSet.3.default.params.keySize=2048
+policyset.userCertSet.3.default.params.enableArchival=true
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC,SHA256withRSA/PSS,SHA384withRSA/PSS,SHA512withRSA/PSS
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
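Review bot: Two constraints in this new profile admit weak choices: `policyset.userCertSet.3.constraint.params.keyParameters` accepts 1024-bit RSA keys and `policyset.userCertSet.9.constraint.params.signingAlgsAllowed` accepts SHA1withRSA and SHA1withEC, so a 1024-bit or SHA-1-signed certificate can be issued through a profile that is introduced from scratch here. As the file is new and has no deployed instances to stay compatible with, `policyset.userCertSet.3.constraint.params.keyParameters=2048,3072,4096,nistp256,nistp384,nistp521` and a signingAlgsAllowed list without the two SHA1 entries would be the safer default. `subjAltExtPattern_0=$request.requestor_email$` appears to take the email from the submitter-info input (i3) rather than from the authenticated directory entry, so the SAN is not bound to the identity the directory authentication established; if the auth plugin exposes the directory mail attribute in the auth token, deriving the SAN from it would be stronger. Finally, the profile ships `enable=true` while `auth.instance_id=UserDirEnrollment` must, per the commit message, be set up separately in CS.cfg, so a `#` comment at the top of the file stating that prerequisite would help operators.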
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index c5229ea..529cb57 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -637,7 +637,7 @@ public class RecoveryService implements IService {
pass,
/* NSS has a bug that causes any AES CBC encryption
* to use AES-256, but AlgorithmID contains chosen
- * alg. To avoid mismatch, use AES_128_CBC. */
+ * alg. To avoid mismatch, use AES_256_CBC. */
EncryptionAlgorithm.AES_256_CBC,
0 /* iterations (use default) */,
priKey);
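Review bot: The corrected comment now agrees with the `EncryptionAlgorithm.AES_256_CBC` argument, but it still describes a workaround for an unidentified NSS bug, so a later maintainer cannot tell whether the constraint still applies; naming the bug makes the workaround retirable, e.g. `/* Work around NSS bug <NSS-BUG-ID placeholder>: any AES CBC encryption actually uses AES-256 while AlgorithmID records the chosen alg; use AES_256_CBC so the two agree. */`. The call this argument list belongs to starts and ends outside the hunk.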
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index f8b547d..b0dd773 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -156,6 +156,8 @@ public class CAEnrollProfile extends EnrollProfile {
if (kraConnector == null) {
String message = "KRA connector not configured";
CMS.debug(method + message);
+
+ throw new EProfileException(message);
} else {
CMS.debug(method + "request");
kraConnector.send(request);
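Review bot: Now that the `if (kraConnector == null)` branch ends in `throw new EProfileException(message);`, the `} else {` that follows is redundant nesting; the guard can stand alone and `CMS.debug(method + "request"); kraConnector.send(request);` can follow it unconditionally. Failing closed here is the right behaviour for a server-side keygen profile, since before this change a missing connector was only logged and execution continued. The enclosing method starts and ends outside the hunk.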
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
index b1eb58e..3c4e3d0 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
@@ -20,7 +20,6 @@ package com.netscape.cms.profile.def;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.interfaces.DSAParams;
-import java.util.Enumeration;
import java.util.Locale;
import java.util.Vector;
import java.security.KeyPair;
@@ -271,6 +270,7 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
CertificateX509Key certKey = null;
String method = "ServerKeygenUserKeyDefault: populate: ";
CMS.debug(method + "begins");
+ String errmsg = "";
// trigger serverSide keygen enrollment
try {
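Review bot: `String errmsg = "";` introduces a method-scope variable with a dead empty-string initializer, although the hunks below (the two `default:` branches of the keySize and curveName switches) are the only places that assign and read it; declaring it at the point of assignment, `String errmsg = "unsupported keySize: " + keySize;` and likewise for curveName, keeps its scope to the branch that needs it. The populate method starts before and ends after this hunk.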
@@ -439,8 +439,9 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
pubKeyStr = TEMP_PUBKEY_RSA_4096;
break;
default:
- CMS.debug("ServerKeygenUserKeyDefault: populate: unsupported keySize: " + keySize);
- break;
+ errmsg = "unsupported keySize: " + keySize;
+ CMS.debug("ServerKeygenUserKeyDefault: populate: " + errmsg);
+ throw new EProfileException(errmsg);
}
} else {
switch (curveName) {
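Review bot: `CMS.debug("ServerKeygenUserKeyDefault: populate: " + errmsg);` re-spells a prefix the method already holds in `method` (declared as `"ServerKeygenUserKeyDefault: populate: "` in the earlier hunk), so `CMS.debug(method + errmsg);` is the consistent form; the curveName hunk that follows has the same duplication. Both new throws also sit inside the `try {` opened in the earlier hunk, whose catch clauses are outside this view; if one of them catches a supertype of EProfileException and only logs, the unsupported-key case would still not reach the caller, which is worth confirming. The enclosing method continues past the end of the hunk.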
@@ -454,8 +455,9 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
pubKeyStr = TEMP_PUBKEY_EC_NISTP521;
break;
default:
- CMS.debug("ServerKeygenUserKeyDefault: populate: unsupported cureveName: " + curveName);
- break;
+ errmsg = "unsupported curveName: " + curveName;
+ CMS.debug("ServerKeygenUserKeyDefault: populate: " + errmsg);
+ throw new EProfileException(errmsg);
}
}
byte[] certKeyData = CryptoUtil.base64Decode(pubKeyStr);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index fb9ed65..0e72559 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
-import java.util.Hashtable;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
index 24c2f77..3941fa0 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestQueue.java
@@ -568,12 +568,11 @@ public abstract class ARequestQueue
// by default, write request to LDAP
if (delayLDAPCommit == null || !delayLDAPCommit.equals("true")) {
- CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is false");
+ // CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is false");
// TODO: use a state flag to determine whether to call
// addRequest or modifyRequest (see newRequest as well)
modifyRequest(r);
- } else //: delay the write to ldap
- CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is true");
+ }
}
// PRIVATE functions
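Review bot: `// CMS.debug("ARequestQueue: updateRequest(): delayLDAPCommit is false");` leaves commented-out code in the method; either delete the line or restore the call. Removing the `else` branch also drops the only comment saying that the `delayLDAPCommit=true` case intentionally skips the LDAP write, so a short comment on the closing brace, e.g. `} // delayLDAPCommit=true: the LDAP write is deferred`, preserves that intent for the next reader. The method this hunk belongs to (apparently updateRequest, judging by the debug string) starts outside the hunk.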
--
1.8.3.1
From b12e75b4314c9d017763130683b99008d7fc22ca Mon Sep 17 00:00:00 2001
From: jmagne <jmagne@redhat.com>
Date: Mon, 18 May 2020 20:35:31 -0400
Subject: [PATCH 2/2] Additional fix Bug# 1710109 - add RSA PSS support. (#414)
Remove minor log message which was causing problems.
Fix a typo in the pkispawn code that detects PSS signing algorithms.
Co-authored-by: Jack Magne <jmagne@test.host.com>
(cherry picked from commit f30d2a26d6484cd85415b338fd721efc6499a937)
---
base/server/python/pki/server/deployment/pkihelper.py | 2 +-
base/util/src/netscape/security/x509/X509CertInfo.java | 6 ------
2 files changed, 1 insertion(+), 7 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 8c7ef51..214c9ae 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4596,7 +4596,7 @@ class ConfigClient:
if ('pki_subsystem_signing_algorithm' in self.mdict):
if ('RSA' in self.mdict['pki_subsystem_signing_algorithm'] and
'PSS' not in self.mdict['pki_subsystem_signing_algorithm']):
- self.mdict[''] = \
+ self.mdict['pki_subsystem_signing_algorithm'] = \
self.mdict['pki_subsystem_signing_algorithm'] + '/PSS'
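Review bot: The corrected assignment silently rewrites `pki_subsystem_signing_algorithm` to its `/PSS` form, so a deployment whose configured algorithm is changed here leaves no trace in the pkispawn output; an info-level log of the effective value after the assignment, using the module's existing logger if it has one, would make that visible. The condition that decides whether PSS is wanted at all is outside the hunk, so it cannot be confirmed from here that `/PSS` is appended only when a PSS option is set; the `'RSA' in ...` test is a substring check, which is fine for values such as SHA256withRSA. The enclosing ConfigClient method starts and ends outside the hunk.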
diff --git a/base/util/src/netscape/security/x509/X509CertInfo.java b/base/util/src/netscape/security/x509/X509CertInfo.java
index 93377f4..083ec41 100644
--- a/base/util/src/netscape/security/x509/X509CertInfo.java
+++ b/base/util/src/netscape/security/x509/X509CertInfo.java
@@ -34,9 +34,6 @@ import netscape.security.util.DerInputStream;
import netscape.security.util.DerOutputStream;
import netscape.security.util.DerValue;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
/**
* The X509CertInfo class represents X.509 certificate information.
*
@@ -75,8 +72,6 @@ public class X509CertInfo implements CertAttrSet, Serializable {
* get, set, delete methods of Certificate, x509 type.
*/
- private static Logger logger = LoggerFactory.getLogger(X509CertInfo.class);
-
public static final String IDENT = "x509.info";
// Certificate attribute names
public static final String NAME = "info";
@@ -621,7 +616,6 @@ public class X509CertInfo implements CertAttrSet, Serializable {
return (serialNum.get(attrName.getSuffix()));
}
case (ATTR_ALGORITHM):
- logger.warn("X509CertInfo.get(alg): " + this.toString());
if (attrName.getSuffix() == null) {
return (algId);
} else {
--
1.8.3.1