rpms / pki-core

Clone
Source Code
GIT

Blame SOURCES/pki-core-rhel-7-9-rhcs-9-7-post-beta.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-10.6 c8-stream-10.6 c8s-stream-10.6 c9 c9-beta
  1.   92ababec5581a2bfd6ca01c059d3b83394d23b02
  2.   SOURCES
  3.   pki-core-rhel-7-9-rhcs-9-7-post-beta.patch
Blob History Raw
b1e4e4 
From cc6d37299e5f1158c7a579c963b1ecf350948d9e Mon Sep 17 00:00:00 2001
b1e4e4 
From: jmagne <jmagne@redhat.com>
b1e4e4 
Date: Fri, 24 Apr 2020 15:18:29 -0700
b1e4e4 
Subject: [PATCH 1/2] My 10.5 (#389)
b1e4e4
b1e4e4 
* Add AlgorithmId.toStringWithParams, fix toString
b1e4e4
b1e4e4 
    PKI's usage of AlgorithmId.toString() doesn't handle having the
b1e4e4 
    parameters encoded in the toString() representation of the id.
b1e4e4 
    Move toString() back to only having the contents of algName, and
b1e4e4 
    move parameters to a separate method.
b1e4e4
b1e4e4 
    Fix courtesy ascheel.
b1e4e4
b1e4e4 
* Apply contributed patch  - TPS - Searching the certificate DB for a brand new token takes too long. Bad search filter
b1e4e4
b1e4e4 
Resolves:
b1e4e4 
Bug #1710975 - TPS - Searching the certificate DB for a band new token takes too long. Bad search filter.
b1e4e4 
Submited by RHCS-maint.
b1e4e4
b1e4e4 
Co-authored-by: Jack Magne <jmagne@test.host.com>
b1e4e4 
(cherry picked from commit c02de65c98232a848bbeed67c872fd57f51a49fe)
b1e4e4 
---
b1e4e4 
 .../tps/src/org/dogtagpki/server/tps/TPSTokendb.java | 14 ++++++++++----
b1e4e4 
 .../util/src/netscape/security/x509/AlgorithmId.java | 20 +++++++++++++++++---
b1e4e4 
 2 files changed, 27 insertions(+), 7 deletions(-)
b1e4e4
b1e4e4 
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
b1e4e4 
index 49bfb7f..446fa3f 100644
b1e4e4 
--- a/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
b1e4e4 
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSTokendb.java
b1e4e4 
@@ -370,7 +370,10 @@ public class TPSTokendb {
b1e4e4 
     private boolean isCertOnToken(TPSCertRecord cert, String cuid) {
b1e4e4 
         String method = "TPSTokendb: isCertOnToken: ";
b1e4e4 
         boolean result = false;
b1e4e4 
-        String filter = cuid;
b1e4e4 
+
b1e4e4 
+        Map<String, String> attributes = new HashMap<String, String>();
b1e4e4 
+        attributes.put("tokenID", cuid);
b1e4e4 
+
b1e4e4 
         Iterator<TPSCertRecord> records;
b1e4e4 
         if (cert == null) {
b1e4e4 
             CMS.debug(method + "input param cert null");
b1e4e4 
@@ -385,7 +388,7 @@ public class TPSTokendb {
b1e4e4 
                 "cert serial = " + cert.getSerialNumber() +
b1e4e4 
                 "; token cuid = " + cuid);
b1e4e4 
         try {
b1e4e4 
-            records = tps.certDatabase.findRecords(filter).iterator();
b1e4e4 
+            records = tps.certDatabase.findRecords(null, attributes).iterator();
b1e4e4 
         } catch (Exception e) {
b1e4e4 
             CMS.debug(method + ":" + e);
b1e4e4 
             return false;
b1e4e4 
@@ -430,10 +433,13 @@ public class TPSTokendb {
b1e4e4 
             throw new Exception(method + ": cuid null");
b1e4e4
b1e4e4 
         CMS.debug(method + ":" + " begins for cuid =" + cuid);
b1e4e4 
-        String filter = cuid;
b1e4e4 
+
b1e4e4 
+        Map<String, String> attributes = new HashMap<String, String>();
b1e4e4 
+        attributes.put("tokenID", cuid);
b1e4e4 
+
b1e4e4 
         Iterator<TPSCertRecord> records;
b1e4e4 
         try {
b1e4e4 
-            records = tps.certDatabase.findRecords(filter).iterator();
b1e4e4 
+            records = tps.certDatabase.findRecords(null, attributes).iterator();
b1e4e4 
         } catch (Exception e) {
b1e4e4 
             CMS.debug(method + ":" + e);
b1e4e4 
             throw new Exception(method + ":" + e);
b1e4e4 
diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java
b1e4e4 
index 6ce30e9..a5e4906 100644
b1e4e4 
--- a/base/util/src/netscape/security/x509/AlgorithmId.java
b1e4e4 
+++ b/base/util/src/netscape/security/x509/AlgorithmId.java
b1e4e4 
@@ -624,10 +624,24 @@ public class AlgorithmId implements Serializable, DerEncoder {
b1e4e4 
     }
b1e4e4
b1e4e4 
     /**
b1e4e4 
-     * Returns a string describing the algorithm and its parameters.
b1e4e4 
+     * Returns a string describing only the algorithm without parameters.
b1e4e4 
+     *
b1e4e4 
+     * Use toStringWithParams() for algorithm name and paramaters, or
b1e4e4 
+     * paramsToString() for just parameters.
b1e4e4 
      */
b1e4e4 
     public String toString() {
b1e4e4 
-        return (algName() + " " + paramsToString());
b1e4e4 
+        return algName();
b1e4e4 
+    }
b1e4e4 
+
b1e4e4 
+    /**
b1e4e4 
+     * Returns a string describing the algorithm and its parameters.
b1e4e4 
+     */
b1e4e4 
+    public String toStringWithParams() {
b1e4e4 
+        if (params == null) {
b1e4e4 
+            return algName();
b1e4e4 
+        }
b1e4e4 
+
b1e4e4 
+        return algName() + " " + paramsToString();
b1e4e4 
     }
b1e4e4
b1e4e4 
     /**
b1e4e4 
@@ -1030,7 +1044,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
b1e4e4 
      */
b1e4e4 
     public static final String[] ALL_SIGNING_ALGORITHMS = new String[]
b1e4e4 
     {
b1e4e4 
-            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA","SHA256withRSA/PSS","SHA384withRSA/PSS","SHA5121withRSA/PSS",
b1e4e4 
+            "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA","SHA256withRSA/PSS","SHA384withRSA/PSS","SHA512withRSA/PSS",
b1e4e4 
             "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" };
b1e4e4
b1e4e4 
     public static void dumpBytes(byte[] data)
b1e4e4 
--
b1e4e4 
1.8.3.1
b1e4e4
b1e4e4
b1e4e4 
From 5cfb515d0ab1a32a1dafa1c12088e52c21569bd8 Mon Sep 17 00:00:00 2001
b1e4e4 
From: Christina Fu <cfu@redhat.com>
b1e4e4 
Date: Mon, 4 May 2020 09:43:30 -0700
b1e4e4 
Subject: [PATCH 2/2] Bug 1794213 Additional Server-Side Kyegen Enrollment
b1e4e4 
 support and touch-up
b1e4e4
b1e4e4 
This patch
b1e4e4 
  - adds support for automatic approval (e.g. UidPwdDirAuth)
b1e4e4 
  - adds support for the "enableArchival" parameter for ServerKeygenUserKeyDefault per profile
b1e4e4 
  - fixes the accidental disablement of DSA key generation in AsymKeyGenService.java
b1e4e4 
  - Clears some of the unneeded items in the request
b1e4e4 
  - zeroize password in memory
b1e4e4
b1e4e4 
https://bugzilla.redhat.com/show_bug.cgi?id=1794213
b1e4e4 
(cherry picked from commit 9ab687e9a5104b260c958e59b3ca87e753b2fd73)
b1e4e4 
---
b1e4e4 
 .../shared/profiles/ca/caServerKeygen_UserCert.cfg |  1 +
b1e4e4 
 .../src/com/netscape/certsrv/request/IRequest.java |  1 +
b1e4e4 
 .../src/com/netscape/kra/AsymKeyGenService.java    |  6 ++--
b1e4e4 
 base/kra/src/com/netscape/kra/RecoveryService.java | 30 +++++++++++++++---
b1e4e4 
 .../cms/profile/common/CAEnrollProfile.java        | 28 ++++++++++++++++
b1e4e4 
 .../profile/def/ServerKeygenUserKeyDefault.java    | 25 ++++++++++++---
b1e4e4 
 .../cms/servlet/connector/ConnectorServlet.java    | 14 --------
b1e4e4 
 .../cms/servlet/profile/ProfileProcessServlet.java |  8 ++---
b1e4e4 
 .../cms/servlet/profile/ProfileSubmitServlet.java  | 37 +++++++++++++++++++++-
b1e4e4 
 base/server/cmsbundle/src/UserMessages.properties  |  6 ++--
b1e4e4 
 10 files changed, 123 insertions(+), 33 deletions(-)
b1e4e4
b1e4e4 
diff --git a/base/ca/shared/profiles/ca/caServerKeygen_UserCert.cfg b/base/ca/shared/profiles/ca/caServerKeygen_UserCert.cfg
b1e4e4 
index b449163..b8c3e10 100644
b1e4e4 
--- a/base/ca/shared/profiles/ca/caServerKeygen_UserCert.cfg
b1e4e4 
+++ b/base/ca/shared/profiles/ca/caServerKeygen_UserCert.cfg
b1e4e4 
@@ -42,6 +42,7 @@ policyset.userCertSet.3.default.class_id=serverKeygenUserKeyDefaultImpl
b1e4e4 
 policyset.userCertSet.3.default.name=Server-Side Keygen Default
b1e4e4 
 policyset.userCertSet.3.default.params.keyType=RSA
b1e4e4 
 policyset.userCertSet.3.default.params.keySize=2048
b1e4e4 
+policyset.userCertSet.3.default.params.enableArchival=true
b1e4e4 
 policyset.userCertSet.4.constraint.class_id=noConstraintImpl
b1e4e4 
 policyset.userCertSet.4.constraint.name=No Constraint
b1e4e4 
 policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
b1e4e4 
diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
b1e4e4 
index 47dde82..7193791 100644
b1e4e4 
--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
b1e4e4 
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
b1e4e4 
@@ -199,6 +199,7 @@ public interface IRequest extends Serializable {
b1e4e4
b1e4e4 
     // Server-side Keygen enrollment
b1e4e4 
     //public static final String SERVER_SIDE_KEYGEN_ENROLL = "serverSideKeygenEnroll";
b1e4e4 
+    public static final String SERVER_SIDE_KEYGEN_ENROLL_ENABLE_ARCHIVAL = "serverSideKeygenEnrollEnableArchival";
b1e4e4 
     public static final String SSK_STAGE = "serverSideKeygenStage";
b1e4e4 
     public static final String SSK_STAGE_KEYGEN = "serverSideKeygenStage_keygen";
b1e4e4 
     public static final String SSK_STAGE_KEY_RETRIEVE = "serverSideKeygenStage_key_retrieve";
b1e4e4 
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
b1e4e4 
index 61f86ff..0aa0862 100644
b1e4e4 
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
b1e4e4 
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
b1e4e4 
@@ -102,9 +102,7 @@ public class AsymKeyGenService implements IService {
b1e4e4 
         boolean isEC = false;
b1e4e4 
         String errmsg ="";
b1e4e4
b1e4e4 
-        if (algorithm.toUpperCase().equals("RSA"))
b1e4e4 
-            keySize = Integer.valueOf(keySizeStr);
b1e4e4 
-        else {
b1e4e4 
+        if (algorithm.toUpperCase().equals("EC")) {
b1e4e4 
             isEC = true;
b1e4e4 
             switch (keySizeStr) {
b1e4e4 
                case "nistp256":
b1e4e4 
@@ -127,6 +125,8 @@ public class AsymKeyGenService implements IService {
b1e4e4 
                         errmsg));
b1e4e4 
                     throw new EBaseException("Errors in ServerSideKeygenEnroll generating Asymmetric key: " + errmsg);
b1e4e4 
             }
b1e4e4 
+        } else {
b1e4e4 
+            keySize = Integer.valueOf(keySizeStr);
b1e4e4 
         }
b1e4e4
b1e4e4 
         String realm = request.getRealm();
b1e4e4 
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4 
index fc6edeb..c5229ea 100644
b1e4e4 
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4 
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
b1e4e4 
@@ -168,7 +168,6 @@ public class RecoveryService implements IService {
b1e4e4 
                 isSSKeygen = true;
b1e4e4 
                 CryptoToken token = CryptoUtil.getKeyStorageToken("internal");
b1e4e4
b1e4e4 
-                // serverKeygenP12Pass = request.getExtDataInString("serverSideKeygenP12Passwd");
b1e4e4 
                 byte[] sessionWrappedPassphrase = (byte[]) request.getExtDataInByteArray("serverSideKeygenP12PasswdEnc");
b1e4e4 
                 if (sessionWrappedPassphrase == null) {
b1e4e4 
                     throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR" + "Server-Side Keygen Enroll Key Retrieval: sessionWrappedPassphrase not found in Request"));
b1e4e4 
@@ -210,16 +209,21 @@ public class RecoveryService implements IService {
b1e4e4 
                         ivps, sessionWrappedPassphrase, unwrappedSessionKey,
b1e4e4 
                         encryptAlgorithm);
b1e4e4 
                 serverKeygenP12Pass = new String(passphrase, "UTF-8");
b1e4e4 
-                // TODO: do this after it's done being used later:
b1e4e4 
-                // CryptoUtil.obscureBytes(serverKeygenP12Pass, "random");
b1e4e4 
+                CryptoUtil.obscureBytes(passphrase, "random");
b1e4e4 
             }
b1e4e4 
         } catch (Exception e) {
b1e4e4 
             CMS.debug("RecoveryService exception: use internal token :"
b1e4e4 
                     + e.toString());
b1e4e4 
             ct = cm.getInternalCryptoToken();
b1e4e4 
+        } finally {
b1e4e4 
+            // delete SSK items from request
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdTransSession", "");
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdEnc", "");
b1e4e4 
+            request.deleteExtData("serverSideKeygenP12PasswdTransSession");
b1e4e4 
+            request.deleteExtData("serverSideKeygenP12PasswdEnc");
b1e4e4 
         }
b1e4e4 
         if (ct == null) {
b1e4e4 
-            throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR" + "cannot get crypto token"));
b1e4e4 
+            throw new EBaseException(CMS.getUserMessage("CMS_BASE_TOKEN_NOT_FOUND" + "cannot get crypto token"));
b1e4e4 
         }
b1e4e4
b1e4e4 
         IStatsSubsystem statsSub = (IStatsSubsystem) CMS.getSubsystem("stats");
b1e4e4 
@@ -349,6 +353,7 @@ public class RecoveryService implements IService {
b1e4e4 
                 //We don't need this data any more
b1e4e4 
                 JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
b1e4e4 
                 jssSubsystem.obscureBytes(privateKeyData);
b1e4e4 
+
b1e4e4 
             }
b1e4e4
b1e4e4 
             if (statsSub != null) {
b1e4e4 
@@ -384,13 +389,28 @@ public class RecoveryService implements IService {
b1e4e4 
             }
b1e4e4 
         }
b1e4e4
b1e4e4 
-        // cfu
b1e4e4 
         if (isSSKeygen) {
b1e4e4 
             CMS.debug("RecoveryService: putting p12 in request");
b1e4e4 
             byte[] p12b = (byte[])params.get(ATTR_PKCS12);
b1e4e4 
             // IEnrollProfile.REQUEST_ISSUED_P12
b1e4e4 
             request.setExtData("req_issued_p12" /*ATTR_PKCS12*/, p12b);
b1e4e4 
+
b1e4e4 
+            // if key archival is not enabled, delete the key record.
b1e4e4 
+            // for Server-Side keygen enrollment, key archival is determined
b1e4e4 
+            // by the enableArchival parameter in the enrollment profiile:
b1e4e4 
+            // e.g.
b1e4e4 
+            //     policyset.userCertSet.3.default.params.enableArchival
b1e4e4 
+            // Note that if the enableArchival parameter does not exist in
b1e4e4 
+            // the profile, the default value to that is set to *false*
b1e4e4 
+            // in the request in ServerKeygenUserKeyDefault
b1e4e4 
+            boolean isArchival = request.getExtDataInBoolean(IRequest.SERVER_SIDE_KEYGEN_ENROLL_ENABLE_ARCHIVAL, true);
b1e4e4 
+            if (isArchival) {
b1e4e4 
+                CMS.debug("RecoveryService: serviceRequest: Server-Side Keygen isArchival true, key record kept");
b1e4e4 
+            } else
b1e4e4 
+                mStorage.deleteKeyRecord(serialno);
b1e4e4 
+                CMS.debug("RecoveryService: serviceRequest: Server-Side Keygen isArchival false, key record not kept");
b1e4e4 
         }
b1e4e4 
+
b1e4e4 
         mKRA.log(ILogger.LL_INFO, "key " +
b1e4e4 
                 serialno.toString() +
b1e4e4 
                 " recovered");
b1e4e4 
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4 
index 138a2ec..f8b547d 100644
b1e4e4 
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4 
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
b1e4e4 
@@ -131,8 +131,25 @@ public class CAEnrollProfile extends EnrollProfile {
b1e4e4 
         // if PKI Archive Option present, send this request
b1e4e4 
         // to DRM
b1e4e4 
         byte optionsData[] = request.getExtDataInByteArray(REQUEST_ARCHIVE_OPTIONS);
b1e4e4 
+        byte[] transWrappedSessionKey = null;
b1e4e4 
+        byte[] sessionWrappedPassphrase = null;
b1e4e4 
         if (isSSKeygen) { // Server-Side Keygen enrollment
b1e4e4 
             request.setExtData(IRequest.SSK_STAGE, IRequest.SSK_STAGE_KEYGEN);
b1e4e4 
+
b1e4e4 
+            /*
b1e4e4 
+             * temporarily remove the items not needed for SSK_STAGE_KEYGEN
b1e4e4 
+             * so not to pass them to KRA.
b1e4e4 
+             * They will be put back at SSK_STAGE_KEY_RETRIEVE below
b1e4e4 
+             */
b1e4e4 
+            transWrappedSessionKey = (byte[]) request.getExtDataInByteArray("serverSideKeygenP12PasswdTransSession");
b1e4e4 
+
b1e4e4 
+            sessionWrappedPassphrase = (byte[]) request.getExtDataInByteArray("serverSideKeygenP12PasswdEnc");
b1e4e4 
+
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdTransSession", "");
b1e4e4 
+            request.deleteExtData("serverSideKeygenP12PasswdTransSession");
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdEnc", "");
b1e4e4 
+            request.deleteExtData("serverSideKeygenP12PasswdEnc");
b1e4e4 
+
b1e4e4 
             try {
b1e4e4 
                 IConnector kraConnector = caService.getKRAConnector();
b1e4e4
b1e4e4 
@@ -326,6 +343,11 @@ public class CAEnrollProfile extends EnrollProfile {
b1e4e4 
             request.setExtData(IRequest.REQ_STATUS, "begin");
b1e4e4 
             request.setExtData("requestType", "recovery");
b1e4e4 
             request.setExtData("cert", theCert); //recognized by kra
b1e4e4 
+
b1e4e4 
+            // putting them back
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdEnc", sessionWrappedPassphrase);
b1e4e4 
+            request.setExtData("serverSideKeygenP12PasswdTransSession", transWrappedSessionKey);
b1e4e4 
+
b1e4e4 
             try {
b1e4e4 
                 IConnector kraConnector = caService.getKRAConnector();
b1e4e4
b1e4e4 
@@ -376,6 +398,12 @@ public class CAEnrollProfile extends EnrollProfile {
b1e4e4 
                     throw (ERejectException) e;
b1e4e4 
                 }
b1e4e4 
                 throw new EProfileException(e);
b1e4e4 
+            } finally {
b1e4e4 
+                // cfu TODO: clean them
b1e4e4 
+                    request.setExtData("serverSideKeygenP12PasswdTransSession", "");
b1e4e4 
+                    request.deleteExtData("serverSideKeygenP12PasswdTransSession");
b1e4e4 
+                    request.setExtData("serverSideKeygenP12PasswdEnc", "");
b1e4e4 
+                    request.deleteExtData("serverSideKeygenP12PasswdEnc");
b1e4e4 
             }
b1e4e4 
             CMS.debug(method + "isSSKeygen: response received from KRA");
b1e4e4 
         }
b1e4e4 
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4 
index 1e2a787..b1eb58e 100644
b1e4e4 
--- a/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4 
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ServerKeygenUserKeyDefault.java
b1e4e4 
@@ -68,6 +68,7 @@ import com.netscape.certsrv.logging.ILogger;
b1e4e4 
  */
b1e4e4 
 public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4
b1e4e4 
+    public static final String CONFIG_ENABLE_ARCHIVAL = "enableArchival";
b1e4e4 
     public static final String CONFIG_LEN = "keySize";
b1e4e4 
     public static final String CONFIG_TYPE = "keyType";
b1e4e4 
     public static final String VAL_LEN = "LEN";
b1e4e4 
@@ -84,6 +85,7 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4
b1e4e4 
     public ServerKeygenUserKeyDefault() {
b1e4e4 
         super();
b1e4e4 
+        addConfigName(CONFIG_ENABLE_ARCHIVAL);
b1e4e4 
         addConfigName(CONFIG_TYPE);
b1e4e4 
         addConfigName(CONFIG_LEN);
b1e4e4 
         addValueName(VAL_TYPE);
b1e4e4 
@@ -103,18 +105,23 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4 
 */
b1e4e4
b1e4e4 
     public IDescriptor getConfigDescriptor(Locale locale, String name) {
b1e4e4 
-        if (name.equals(CONFIG_TYPE)) {
b1e4e4 
+        if (name.equals(CONFIG_ENABLE_ARCHIVAL)) {
b1e4e4 
+            return new Descriptor(IDescriptor.BOOLEAN, null,
b1e4e4 
+                    "false",
b1e4e4 
+                    CMS.getUserMessage(locale,
b1e4e4 
+                    "CMS_PROFILE_SERVER_SIDE_KEYGEN_ENABLE_ARCHIVAL"));
b1e4e4 
+        } else if (name.equals(CONFIG_TYPE)) {
b1e4e4 
             return new Descriptor(IDescriptor.STRING,
b1e4e4 
                     null,
b1e4e4 
                     "RSA",
b1e4e4 
                     CMS.getUserMessage(locale,
b1e4e4 
-                            "CMS_PROFILE_SERVER_KEYGEN_KEYTYPE"));
b1e4e4 
+                            "CMS_PROFILE_SERVER_SIDE_KEYGEN_KEYTYPE"));
b1e4e4 
         } else if (name.equals(CONFIG_LEN)) {
b1e4e4 
             return new Descriptor(IDescriptor.STRING,
b1e4e4 
                     null,
b1e4e4 
                     "2048",
b1e4e4 
                     CMS.getUserMessage(locale,
b1e4e4 
-                            "CMS_PROFILE_SERVER_KEYGEN_KEYSIZE"));
b1e4e4 
+                            "CMS_PROFILE_SERVER_SIDE_KEYGEN_KEYSIZE"));
b1e4e4 
         } else  {
b1e4e4 
             return null;
b1e4e4 
         }
b1e4e4 
@@ -343,11 +350,14 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4 
                 // store in request to pass to kra
b1e4e4 
                 request.setExtData(IRequest.SECURITY_DATA_CLIENT_KEY_ID,
b1e4e4 
                         subj);
b1e4e4 
+
b1e4e4 
                 request.setExtData("serverSideKeygenP12PasswdEnc",
b1e4e4 
                         sessionWrappedPassphrase);
b1e4e4 
                 request.setExtData("serverSideKeygenP12PasswdTransSession",
b1e4e4 
                         transWrappedSessionKey);
b1e4e4 
-                // delete the plain text one
b1e4e4 
+
b1e4e4 
+                // delete
b1e4e4 
+                request.setExtData("serverSideKeygenP12Passwd", "");
b1e4e4 
                 request.deleteExtData("serverSideKeygenP12Passwd");
b1e4e4 
             }
b1e4e4
b1e4e4 
@@ -455,6 +465,13 @@ public class ServerKeygenUserKeyDefault extends EnrollDefault {
b1e4e4 
             } else {
b1e4e4 
                 CMS.debug("ServerKeygenUserKeyDefault: populate: serverKeygen to be implemented ");
b1e4e4 
             }
b1e4e4 
+
b1e4e4 
+            // the param "enableArchival" allows the profile to decide whether
b1e4e4 
+            // to archive the keys or not; By default, it is *false*
b1e4e4 
+            boolean enableArchival = getConfigBoolean(CONFIG_ENABLE_ARCHIVAL);
b1e4e4 
+            //CMS.debug(method + "archival enabled: " + enableArchival);
b1e4e4 
+            request.setExtData(IRequest.SERVER_SIDE_KEYGEN_ENROLL_ENABLE_ARCHIVAL, enableArchival? "true":"false");
b1e4e4 
+
b1e4e4 
             info.set(X509CertInfo.KEY, certKey);
b1e4e4 
         } catch (Exception e) {
b1e4e4 
             CMS.debug("ServerKeygenUserKeyDefault: populate " + e.toString());
b1e4e4 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4 
index 5d39f24..fb9ed65 100644
b1e4e4 
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4 
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
b1e4e4 
@@ -554,20 +554,6 @@ public class ConnectorServlet extends CMSServlet {
b1e4e4 
             thisreq.setExtData("dbStatus", "NOT_UPDATED");
b1e4e4 
             thisreq.setExtData(IRequest.REQ_STATUS, "begin");
b1e4e4
b1e4e4 
-            /* cfu: let's find out what's in the request again
b1e4e4 
-            CMS.debug("ConnectorServlet: cfu see again what's in request");
b1e4e4 
-            ereq = thisreq.getExtDataKeys();
b1e4e4 
-            while (ereq.hasMoreElements()) {
b1e4e4 
-                String reqKey = ereq.nextElement();
b1e4e4 
-                String reqVal = thisreq.getExtDataInString(reqKey);
b1e4e4 
-                if (reqVal != null) {
b1e4e4 
-                    CMS.debug("ConnectorServlet: - " + reqKey + ": " + reqVal);
b1e4e4 
-                } else {
b1e4e4 
-                    CMS.debug("ConnectorServlet: - " + reqKey + ": no value");
b1e4e4 
-                }
b1e4e4 
-            }
b1e4e4 
-            */
b1e4e4 
-
b1e4e4 
             boolean isSSKeygen = false;
b1e4e4 
             String isSSKeygenStr = thisreq.getExtDataInString("isServerSideKeygen");
b1e4e4 
             if ((isSSKeygenStr != null) && isSSKeygenStr.equalsIgnoreCase("true")) {
b1e4e4 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
b1e4e4 
index 3bc1853..3c1c439 100644
b1e4e4 
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
b1e4e4 
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java
b1e4e4 
@@ -174,16 +174,16 @@ public class ProfileProcessServlet extends ProfileServlet {
b1e4e4 
             args.set(ARG_OUTPUT_LIST, outputlist);
b1e4e4 
         }
b1e4e4
b1e4e4 
-        try { //cfu
b1e4e4 
-            CMS.debug("ProfileProcessServlet:cfu: p12 output process begins");
b1e4e4 
+        try {
b1e4e4 
+            //CMS.debug("ProfileProcessServlet: p12 output process begins");
b1e4e4 
             String p12Str = req.getExtDataInString("req_issued_p12");
b1e4e4 
             if (p12Str == null) {
b1e4e4 
                 // not server-side keygen
b1e4e4 
-                // CMS.debug("ProfileProcessServlet:cfu: no p12; not server-side keygen");
b1e4e4 
+                // CMS.debug("ProfileProcessServlet: no p12; not server-side keygen");
b1e4e4 
                 outputTemplate(request, response, args);
b1e4e4 
             } else {
b1e4e4 
                 // found pkcs12 blob
b1e4e4 
-                CMS.debug("ProfileProcessServlet: found p12 " /* + p12Str*/);
b1e4e4 
+                //CMS.debug("ProfileProcessServlet: found p12 " /* + p12Str*/);
b1e4e4 
                 byte[] p12blob = null;
b1e4e4 
                 HttpServletResponse p12_response = cmsReq.getHttpResp();
b1e4e4 
                 p12blob = Utils.base64decode(p12Str);
b1e4e4 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
b1e4e4 
index b18e407..ec13aa2 100644
b1e4e4 
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
b1e4e4 
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitServlet.java
b1e4e4 
@@ -20,6 +20,8 @@ package com.netscape.cms.servlet.profile;
b1e4e4 
 import java.util.Enumeration;
b1e4e4 
 import java.util.HashMap;
b1e4e4 
 import java.util.Locale;
b1e4e4 
+import java.io.IOException;
b1e4e4 
+import java.io.OutputStream;
b1e4e4
b1e4e4 
 import javax.servlet.ServletConfig;
b1e4e4 
 import javax.servlet.ServletException;
b1e4e4 
@@ -202,10 +204,43 @@ public class ProfileSubmitServlet extends ProfileServlet {
b1e4e4 
             args.set(ARG_ERROR_CODE, "0");
b1e4e4 
             args.set(ARG_ERROR_REASON, "");
b1e4e4
b1e4e4 
-            outputTemplate(request, response, args);
b1e4e4 
+            //outputTemplate(request, response, args);
b1e4e4 
+            try {
b1e4e4 
+                //CMS.debug("ProfileSubmitServlet: p12 output process begins");
b1e4e4 
+                String p12Str = reqs[0].getExtDataInString("req_issued_p12");
b1e4e4 
+                if (p12Str == null) {
b1e4e4 
+                    // not server-side keygen
b1e4e4 
+                    // CMS.debug("ProfileProcessServlet:cfu: no p12; not server-side keygen");
b1e4e4 
+                    outputTemplate(request, response, args);
b1e4e4 
+                } else {
b1e4e4 
+                    // found pkcs12 blob
b1e4e4 
+                    //CMS.debug("ProfileProcessServlet: found p12 " /* + p12Str*/);
b1e4e4 
+                    byte[] p12blob = null;
b1e4e4 
+                    HttpServletResponse p12_response = cmsReq.getHttpResp();
b1e4e4 
+                    p12blob = Utils.base64decode(p12Str);
b1e4e4 
+                    OutputStream bos = p12_response.getOutputStream();
b1e4e4 
+                    p12_response.setContentType("application/x-pkcs12");
b1e4e4 
+                    p12_response.setContentLength(p12blob.length);
b1e4e4 
+                    p12_response.setHeader("Content-disposition", "attachment; filename="+  "serverKeyGenCert.p12");
b1e4e4 
+                    bos.write(p12blob);
b1e4e4 
+                    bos.flush();
b1e4e4 
+                    bos.close();
b1e4e4 
+                }
b1e4e4 
+            } catch (IOException e) {
b1e4e4 
+                CMS.debug(e);
b1e4e4 
+                setError(args, e.getMessage(), request, response);
b1e4e4 
+                return;
b1e4e4 
+            }
b1e4e4 
         }
b1e4e4 
     }
b1e4e4
b1e4e4 
+    private void setError(ArgSet args, String reason, HttpServletRequest request, HttpServletResponse response)
b1e4e4 
+            throws EBaseException {
b1e4e4 
+        args.set(ARG_ERROR_CODE, "1");
b1e4e4 
+        args.set(ARG_ERROR_REASON, reason);
b1e4e4 
+        outputTemplate(request, response, args);
b1e4e4 
+    }
b1e4e4 
+
b1e4e4 
     public HashMap<String, Object> processEnrollment(CMSRequest cmsReq) throws EBaseException {
b1e4e4
b1e4e4 
         HttpServletRequest request = cmsReq.getHttpReq();
b1e4e4 
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
b1e4e4 
index 2c57c59..78687a6 100644
b1e4e4 
--- a/base/server/cmsbundle/src/UserMessages.properties
b1e4e4 
+++ b/base/server/cmsbundle/src/UserMessages.properties
b1e4e4 
@@ -844,8 +844,9 @@ CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being s
b1e4e4 
 CMS_PROFILE_VALIDITY_RANGE=Validity Range
b1e4e4 
 CMS_PROFILE_VALIDITY_RANGE_UNIT=Validity Range Unit: year, month, day (default), hour, minute
b1e4e4 
 CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds)
b1e4e4 
-CMS_PROFILE_SERVER_KEYGEN_KEYTYPE=Server-side keygen key type
b1e4e4 
-CMS_PROFILE_SERVER_KEYGEN_KEYSIZE=Server-side keygen key size
b1e4e4 
+CMS_PROFILE_SERVER_SIDE_KEYGEN_KEYTYPE=Server-side keygen key type: RSA or EC
b1e4e4 
+CMS_PROFILE_SERVER_SIDE_KEYGEN_KEYSIZE=Server-side keygen key size. For RSA: 1024,2048,3072,or 4096; for EC: nistp256,nistp384,or nistp521
b1e4e4 
+CMS_PROFILE_SERVER_SIDE_KEYGEN_ENABLE_ARCHIVAL=Server-side keygen enable key archival
b1e4e4 
 CMS_PROFILE_NOT_BEFORE_RANDOM_BITS=Not Before Random Bits
b1e4e4 
 CMS_PROFILE_NOT_AFTER_RANDOM_BITS=Not After Random Bits
b1e4e4 
 CMS_PROFILE_BYPASS_CA_NOTAFTER=Bypass CA notAfter constraint
b1e4e4 
@@ -919,6 +920,7 @@ CMS_PROFILE_EXT_VALUE=Extension Value
b1e4e4 
 CMS_PROFILE_KEY=Key
b1e4e4 
 CMS_PROFILE_KEY_LEN=Key Length
b1e4e4 
 CMS_PROFILE_KEY_TYPE=Key Type
b1e4e4 
+CMS_PROFILE_ENABLE_ARCHIVAL=Enable Archival
b1e4e4 
 CMS_PROFILE_KEY_MIN_LEN=Min Key Length
b1e4e4 
 CMS_PROFILE_KEY_MAX_LEN=Max Key Length
b1e4e4 
 CMS_PROFILE_KEY_PARAMETERS=Key Lengths or Curves. For EC use comma separated list of curves, otherise use list of key sizes. Ex: 1024,2048,4096,8192 or: nistp256,nistp384,nistp521,sect163k1,nistk163 for EC.
b1e4e4 
--
b1e4e4 
1.8.3.1
b1e4e4

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation