|
|
b80204 |
From 14e44691ef0b61220d390afb745496b7d62945ee Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Tue, 30 May 2017 21:15:44 +0200
|
|
|
b80204 |
Subject: [PATCH 04/27] Added pkispawn options for two-step installation.
|
|
|
981330 |
|
|
|
b80204 |
New --skip-configuration and --skip-installation options have
|
|
|
b80204 |
been added to pkispawn to provide a mechanism to set the
|
|
|
b80204 |
pki_skip_configuration and pki_skip_installation parameters
|
|
|
b80204 |
without changing the deployment configuration file.
|
|
|
981330 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2707
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I069b51b5be65dee2fe0f4ca75e3693bcd21007de
|
|
|
981330 |
---
|
|
|
b80204 |
base/server/sbin/pkispawn | 40 ++++++++++++++++++++++++++++++++++------
|
|
|
b80204 |
1 file changed, 34 insertions(+), 6 deletions(-)
|
|
|
981330 |
|
|
|
b80204 |
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
|
|
|
b80204 |
index 9e2ebc8..742f579 100755
|
|
|
b80204 |
--- a/base/server/sbin/pkispawn
|
|
|
b80204 |
+++ b/base/server/sbin/pkispawn
|
|
|
b80204 |
@@ -91,6 +91,18 @@ def main(argv):
|
|
|
b80204 |
dest='precheck', action='store_true',
|
|
|
b80204 |
help='Execute pre-checks and exit')
|
|
|
981330 |
|
|
|
b80204 |
+ parser.optional.add_argument(
|
|
|
b80204 |
+ '--skip-configuration',
|
|
|
b80204 |
+ dest='skip_configuration',
|
|
|
b80204 |
+ action='store_true',
|
|
|
b80204 |
+ help='skip configuration step')
|
|
|
b80204 |
+
|
|
|
b80204 |
+ parser.optional.add_argument(
|
|
|
b80204 |
+ '--skip-installation',
|
|
|
b80204 |
+ dest='skip_installation',
|
|
|
b80204 |
+ action='store_true',
|
|
|
b80204 |
+ help='skip installation step')
|
|
|
b80204 |
+
|
|
|
b80204 |
args = parser.process_command_line_arguments()
|
|
|
981330 |
|
|
|
b80204 |
config.default_deployment_cfg = \
|
|
|
b80204 |
@@ -475,6 +487,24 @@ def main(argv):
|
|
|
b80204 |
sys.exit(1)
|
|
|
b80204 |
|
|
|
b80204 |
start_logging()
|
|
|
b80204 |
+
|
|
|
b80204 |
+ # Read the specified PKI configuration file.
|
|
|
b80204 |
+ rv = parser.read_pki_configuration_file()
|
|
|
b80204 |
+ if rv != 0:
|
|
|
b80204 |
+ config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
|
|
|
b80204 |
+ extra=config.PKI_INDENTATION_LEVEL_0)
|
|
|
b80204 |
+ sys.exit(1)
|
|
|
b80204 |
+
|
|
|
b80204 |
+ # --skip-configuration
|
|
|
b80204 |
+ if args.skip_configuration:
|
|
|
b80204 |
+ parser.set_property(deployer.subsystem_name,
|
|
|
b80204 |
+ 'pki_skip_configuration', 'True')
|
|
|
b80204 |
+
|
|
|
b80204 |
+ # --skip-installation
|
|
|
b80204 |
+ if args.skip_installation:
|
|
|
b80204 |
+ parser.set_property(deployer.subsystem_name,
|
|
|
b80204 |
+ 'pki_skip_installation', 'True')
|
|
|
b80204 |
+
|
|
|
b80204 |
create_master_dictionary(parser)
|
|
|
b80204 |
|
|
|
b80204 |
if not interactive and \
|
|
|
b80204 |
@@ -635,23 +665,21 @@ def start_logging():
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
def create_master_dictionary(parser):
|
|
|
b80204 |
- # Read the specified PKI configuration file.
|
|
|
b80204 |
- rv = parser.read_pki_configuration_file()
|
|
|
b80204 |
- if rv != 0:
|
|
|
b80204 |
- config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv,
|
|
|
b80204 |
- extra=config.PKI_INDENTATION_LEVEL_0)
|
|
|
b80204 |
- sys.exit(1)
|
|
|
b80204 |
|
|
|
b80204 |
# Read in the PKI slots configuration file.
|
|
|
b80204 |
parser.compose_pki_slots_dictionary()
|
|
|
b80204 |
+
|
|
|
b80204 |
config.pki_log.debug(log.PKI_DICTIONARY_SLOTS,
|
|
|
b80204 |
extra=config.PKI_INDENTATION_LEVEL_0)
|
|
|
b80204 |
config.pki_log.debug(pkilogging.log_format(parser.slots_dict),
|
|
|
b80204 |
extra=config.PKI_INDENTATION_LEVEL_0)
|
|
|
b80204 |
+
|
|
|
b80204 |
# Combine the various sectional dictionaries into a PKI master dictionary
|
|
|
b80204 |
parser.compose_pki_master_dictionary()
|
|
|
b80204 |
+
|
|
|
b80204 |
parser.mdict['pki_spawn_log'] = \
|
|
|
b80204 |
config.pki_log_dir + "/" + config.pki_log_name
|
|
|
b80204 |
+
|
|
|
b80204 |
config.pki_log.debug(log.PKI_DICTIONARY_MASTER,
|
|
|
b80204 |
extra=config.PKI_INDENTATION_LEVEL_0)
|
|
|
b80204 |
config.pki_log.debug(pkilogging.log_format(parser.mdict),
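Review bot: Nothing rejects `--skip-configuration` and `--skip-installation` given together, and the second hunk then sets both `pki_skip_configuration` and `pki_skip_installation` to 'True', so the run performs neither step and exits as if it had succeeded; a guard before the two `set_property` calls, `if args.skip_configuration and args.skip_installation:` / `config.pki_log.error('--skip-configuration and --skip-installation are mutually exclusive', extra=config.PKI_INDENTATION_LEVEL_0)` / `sys.exit(1)`, would make the misuse visible. The override also depends on `deployer.subsystem_name` being populated before `create_master_dictionary(parser)` runs; neither the definition of `deployer` nor that ordering is visible in the hunk, so it is worth confirming. Both hunks sit inside `main`, which starts and ends outside this diff.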
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
From 9af1746463bec2e62c990279d857635f693cfac7 Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Tue, 30 May 2017 21:07:59 +0200
|
|
|
b80204 |
Subject: [PATCH 05/27] Fixed two-step subordinate CA installation.
|
|
|
981330 |
|
|
|
b80204 |
The initialization scriptlet has been fixed to verify the subsystem
|
|
|
b80204 |
existence properly when running the second step of the two-step
|
|
|
b80204 |
subordinate CA installation.
|
|
|
981330 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2707
|
|
|
981330 |
|
|
|
b80204 |
Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8
|
|
|
981330 |
---
|
|
|
b80204 |
.../pki/server/deployment/scriptlets/initialization.py | 12 +++++++++---
|
|
|
b80204 |
1 file changed, 9 insertions(+), 3 deletions(-)
|
|
|
981330 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
|
|
|
b80204 |
index 4dc4e9a..1ae77e4 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
|
|
|
b80204 |
@@ -54,13 +54,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
|
|
|
b80204 |
else:
|
|
|
b80204 |
config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
|
|
|
b80204 |
extra=config.PKI_INDENTATION_LEVEL_1)
|
|
|
981330 |
+
|
|
|
b80204 |
+ # Verify that the subsystem already exists for the following cases:
|
|
|
b80204 |
+ # - External CA (Step 2)
|
|
|
b80204 |
+ # - Stand-alone PKI (Step 2)
|
|
|
b80204 |
+ # - Two-step installation (Step 2)
|
|
|
981330 |
+
|
|
|
b80204 |
if (deployer.mdict['pki_subsystem'] == "CA" or
|
|
|
b80204 |
config.str2bool(deployer.mdict['pki_standalone'])) and \
|
|
|
b80204 |
- config.str2bool(deployer.mdict['pki_external_step_two']):
|
|
|
b80204 |
- # verify that this External CA (Step 2), or Stand-alone PKI
|
|
|
b80204 |
- # (Step 2) currently EXISTS for this "instance"
|
|
|
b80204 |
+ config.str2bool(deployer.mdict['pki_external_step_two']) or \
|
|
|
b80204 |
+ config.str2bool(deployer.mdict['pki_skip_installation']):
|
|
|
b80204 |
deployer.instance.verify_subsystem_exists()
|
|
|
b80204 |
deployer.mdict['pki_skip_installation'] = "True"
|
|
|
b80204 |
+
|
|
|
b80204 |
else:
|
|
|
b80204 |
# verify that this type of "subsystem" does NOT yet
|
|
|
b80204 |
# exist for this "instance"
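Review bot: The rewritten condition mixes `and` and `or` without parentheses; Python evaluates it as `((CA or standalone) and external_step_two) or skip_installation`, which looks like the intent (a two-step installation should verify the subsystem regardless of type), but the continuation-line indentation reads as if `pki_skip_installation` belonged to the `and` group. Making the grouping explicit avoids the ambiguity: `if ((deployer.mdict['pki_subsystem'] == "CA" or config.str2bool(deployer.mdict['pki_standalone'])) and config.str2bool(deployer.mdict['pki_external_step_two'])) or config.str2bool(deployer.mdict['pki_skip_installation']):`. The bare subscript on `deployer.mdict['pki_skip_installation']` assumes the master dictionary always carries that key, presumably from the default configuration rather than only from `--skip-installation`; that is not visible here and worth confirming. The enclosing method starts and ends outside the hunk.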
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
From 0984d8a114b326a75b2c32cd9da2b7dee23920bb Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: Ade Lee <alee@redhat.com>
|
|
|
b80204 |
Date: Fri, 26 May 2017 22:57:07 -0400
|
|
|
b80204 |
Subject: [PATCH 07/27] Convert CMC code to use AES
|
|
|
981330 |
|
|
|
b80204 |
* Switched out CryptoUtil calls that use DES and replaced them
|
|
|
b80204 |
with AES equivalents. Removed these now unneeded methods.
|
|
|
b80204 |
* Added 16 byte constant IV for AES operations. This must be
|
|
|
b80204 |
replaced by a randomly generated IV. Added TODOs where IVs
|
|
|
b80204 |
should be replaced.
|
|
|
b80204 |
* Corrected misspellings of "enreypted" in both request fields
|
|
|
b80204 |
and variable names
|
|
|
b80204 |
* Removed some code from null checks where the result could
|
|
|
b80204 |
never be null. These cases were flagged in eclipse as dead
|
|
|
b80204 |
code.
|
|
|
981330 |
|
|
|
b80204 |
Change-Id: Iec0c0e86fd772af8b3c9588f11a0ea1e517776fb
|
|
|
981330 |
---
|
|
|
b80204 |
.../src/com/netscape/cmstools/CMCRequest.java | 18 +++-
|
|
|
b80204 |
.../netscape/cms/profile/common/EnrollProfile.java | 111 ++++++++++++++-------
|
|
|
b80204 |
.../cms/servlet/common/CMCOutputTemplate.java | 40 ++++----
|
|
|
b80204 |
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 84 ++--------------
|
|
|
b80204 |
4 files changed, 113 insertions(+), 140 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
|
|
|
b80204 |
index 9c41403..8d49b20 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
|
|
|
b80204 |
@@ -52,6 +52,9 @@ import org.mozilla.jss.asn1.SET;
|
|
|
b80204 |
import org.mozilla.jss.asn1.UTF8String;
|
|
|
b80204 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
b80204 |
import org.mozilla.jss.crypto.DigestAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.IVParameterSpec;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
|
|
|
b80204 |
import org.mozilla.jss.crypto.ObjectNotFoundException;
|
|
|
b80204 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
b80204 |
import org.mozilla.jss.crypto.Signature;
|
|
|
b80204 |
@@ -1718,19 +1721,30 @@ public class CMCRequest {
|
|
|
b80204 |
CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
|
|
|
b80204 |
SymmetricKey symKey = CryptoUtil.unwrap(
|
|
|
b80204 |
token,
|
|
|
b80204 |
+ SymmetricKey.AES,
|
|
|
b80204 |
+ 128,
|
|
|
b80204 |
SymmetricKey.Usage.DECRYPT,
|
|
|
b80204 |
privKey,
|
|
|
b80204 |
- recipient.getEncryptedKey().toByteArray());
|
|
|
b80204 |
+ recipient.getEncryptedKey().toByteArray(),
|
|
|
b80204 |
+ KeyWrapAlgorithm.RSA);
|
|
|
b80204 |
+
|
|
|
b80204 |
if (symKey == null) {
|
|
|
b80204 |
System.out.println(method + "symKey returned null from CryptoUtil.unwrap(). Abort!");
|
|
|
b80204 |
System.exit(1);
|
|
|
b80204 |
}
|
|
|
b80204 |
System.out.println(method + "symKey unwrapped.");
|
|
|
981330 |
|
|
|
b80204 |
+ // TODO(alee) The code below should be replaced by code that generates a random IV
|
|
|
b80204 |
+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
b80204 |
+ IVParameterSpec default_iv = new IVParameterSpec(iv);
|
|
|
b80204 |
+
|
|
|
b80204 |
byte challenge[] = CryptoUtil.decryptUsingSymmetricKey(
|
|
|
b80204 |
token,
|
|
|
b80204 |
+ default_iv,
|
|
|
b80204 |
encCI.getEncryptedContent().toByteArray(),
|
|
|
b80204 |
- symKey);
|
|
|
b80204 |
+ symKey,
|
|
|
b80204 |
+ EncryptionAlgorithm.AES_128_CBC);
|
|
|
b80204 |
+
|
|
|
b80204 |
if (challenge == null) {
|
|
|
b80204 |
System.out
|
|
|
b80204 |
.println(method + "challenge returned null from CryptoUtil.decryptUsingSymmetricKey(). Abort!");
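Review bot: `EncryptionAlgorithm.AES_128_CBC` is the unpadded CBC mode, whereas the defaults this patch removes from CryptoUtil used `DES3_CBC_PAD`; unless the challenge is always a whole number of 16-byte blocks, the encryption in EnrollProfile and this decryption will fail on length, so the padded variant (`EncryptionAlgorithm.AES_128_CBC_PAD` in JSS) should be used consistently at this call, the EnrollProfile `encryptUsingSymmetricKey` call and the EnrollProfile `decryptUsingSymmetricKey` call. The IV is also hard-coded here even though the server writes the IV it used into the content-encryption AlgorithmIdentifier of the EnvelopedData (`new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv))` in CryptoUtil.createEnvelopedData, same patch); reading the OCTET_STRING parameter from the AlgorithmIdentifier that `encCI` carries (JSS exposes it as `getContentEncryptionAlgorithm()`, if I recall the accessor correctly) instead of the literal would keep this client working once the server side switches to a random IV. The enclosing method starts and ends outside the hunk.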
|
|
|
b80204 |
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
b80204 |
index 1443a0a..12fb736 100644
|
|
|
b80204 |
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
b80204 |
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
|
|
|
b80204 |
@@ -45,7 +45,11 @@ import org.mozilla.jss.asn1.SET;
|
|
|
b80204 |
import org.mozilla.jss.asn1.UTF8String;
|
|
|
b80204 |
import org.mozilla.jss.crypto.CryptoToken;
|
|
|
b80204 |
import org.mozilla.jss.crypto.DigestAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
|
|
|
b80204 |
import org.mozilla.jss.crypto.HMACAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.IVParameterSpec;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.KeyGenAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.KeyWrapAlgorithm;
|
|
|
b80204 |
import org.mozilla.jss.crypto.PrivateKey;
|
|
|
b80204 |
import org.mozilla.jss.crypto.SymmetricKey;
|
|
|
b80204 |
import org.mozilla.jss.pkcs10.CertificationRequest;
|
|
|
b80204 |
@@ -399,6 +403,10 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
b80204 |
String tokenName = CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME);
|
|
|
b80204 |
token = CryptoUtil.getCryptoToken(tokenName);
|
|
|
981330 |
|
|
|
b80204 |
+ // TODO(alee) Replace the IV definition with a call that generates a random IV of the correct length
|
|
|
b80204 |
+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
b80204 |
+ IVParameterSpec ivps = new IVParameterSpec(iv);
|
|
|
b80204 |
+
|
|
|
b80204 |
PublicKey userPubKey = X509Key.parsePublicKey(new DerValue(req_key_data));
|
|
|
b80204 |
if (userPubKey == null) {
|
|
|
b80204 |
msg = method + "userPubKey null after X509Key.parsePublicKey";
|
|
|
b80204 |
@@ -406,37 +414,57 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
b80204 |
throw new EBaseException(msg);
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
- SymmetricKey symKey = CryptoUtil.generateKey(token);
|
|
|
b80204 |
- byte[] pop_encreyptedData = CryptoUtil.encryptUsingSymmetricKey(
|
|
|
b80204 |
- token, symKey, challenge);
|
|
|
b80204 |
- if (pop_encreyptedData == null) {
|
|
|
b80204 |
- msg = method + "pop_encreyptedData null";
|
|
|
b80204 |
+ SymmetricKey symKey = CryptoUtil.generateKey(
|
|
|
b80204 |
+ token,
|
|
|
b80204 |
+ KeyGenAlgorithm.AES,
|
|
|
b80204 |
+ 128,
|
|
|
b80204 |
+ null,
|
|
|
b80204 |
+ true);
|
|
|
b80204 |
+
|
|
|
b80204 |
+ byte[] pop_encryptedData = CryptoUtil.encryptUsingSymmetricKey(
|
|
|
b80204 |
+ token,
|
|
|
b80204 |
+ symKey,
|
|
|
b80204 |
+ challenge,
|
|
|
b80204 |
+ EncryptionAlgorithm.AES_128_CBC,
|
|
|
b80204 |
+ ivps);
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (pop_encryptedData == null) {
|
|
|
b80204 |
+ msg = method + "pop_encryptedData null";
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
throw new EBaseException(msg);
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
- byte[] pop_sysPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
|
|
|
b80204 |
- token, issuanceProtPubKey, symKey);
|
|
|
b80204 |
- if (pop_sysPubEncreyptedSession == null) {
|
|
|
b80204 |
- msg = method + "pop_sysPubEncreyptedSession null";
|
|
|
b80204 |
+ byte[] pop_sysPubEncryptedSession = CryptoUtil.wrapUsingPublicKey(
|
|
|
b80204 |
+ token,
|
|
|
b80204 |
+ issuanceProtPubKey,
|
|
|
b80204 |
+ symKey,
|
|
|
b80204 |
+ KeyWrapAlgorithm.RSA);
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (pop_sysPubEncryptedSession == null) {
|
|
|
b80204 |
+ msg = method + "pop_sysPubEncryptedSession null";
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
throw new EBaseException(msg);
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
- byte[] pop_userPubEncreyptedSession = CryptoUtil.wrapUsingPublicKey(
|
|
|
b80204 |
- token, userPubKey, symKey);
|
|
|
b80204 |
- if (pop_userPubEncreyptedSession == null) {
|
|
|
b80204 |
- msg = method + "pop_userPubEncreyptedSession null";
|
|
|
b80204 |
+
|
|
|
b80204 |
+ byte[] pop_userPubEncryptedSession = CryptoUtil.wrapUsingPublicKey(
|
|
|
b80204 |
+ token,
|
|
|
b80204 |
+ userPubKey,
|
|
|
b80204 |
+ symKey,
|
|
|
b80204 |
+ KeyWrapAlgorithm.RSA);
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (pop_userPubEncryptedSession == null) {
|
|
|
b80204 |
+ msg = method + "pop_userPubEncryptedSession null";
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
throw new EBaseException(msg);
|
|
|
b80204 |
}
|
|
|
b80204 |
CMS.debug(method + "POP challenge fields generated successfully...setting request extData");
|
|
|
981330 |
|
|
|
b80204 |
- req.setExtData("pop_encreyptedData", pop_encreyptedData);
|
|
|
b80204 |
+ req.setExtData("pop_encryptedData", pop_encryptedData);
|
|
|
981330 |
|
|
|
b80204 |
- req.setExtData("pop_sysPubEncreyptedSession", pop_sysPubEncreyptedSession);
|
|
|
b80204 |
+ req.setExtData("pop_sysPubEncryptedSession", pop_sysPubEncryptedSession);
|
|
|
981330 |
|
|
|
b80204 |
- req.setExtData("pop_userPubEncreyptedSession", pop_userPubEncreyptedSession);
|
|
|
b80204 |
+ req.setExtData("pop_userPubEncryptedSession", pop_userPubEncryptedSession);
|
|
|
981330 |
|
|
|
b80204 |
// now compute and set witness
|
|
|
b80204 |
CMS.debug(method + "now compute and set witness");
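Review bot: The IV used to encrypt `challenge` (`ivps`) is never stored with the request, while the verifier hunk later in this file (`default_iv` before `decryptUsingSymmetricKey`), CMCOutputTemplate (`default_iv` in the EncryptedPOP AlgorithmIdentifier) and CryptoUtil.createEnvelopedData each rebuild the same 16-byte literal independently; decryption only works because every copy happens to be identical, and acting on the TODO at any one site will silently break the others. Persist the IV next to the ciphertext, e.g. `req.setExtData("pop_encryptedDataIV", iv);` here, and have the other sites read it back (createEnvelopedData would need it passed in, as its own TODO already suggests). The comment could also say why the constant is a problem: with a fixed IV, CBC encryption is deterministic, so equal challenges under the same key produce equal ciphertexts. The enclosing method starts and ends outside the hunk.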
|
|
|
b80204 |
@@ -1038,19 +1066,19 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
// now verify the POP witness
|
|
|
b80204 |
- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
|
|
|
b80204 |
- if (pop_encreyptedData == null) {
|
|
|
b80204 |
+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
|
|
|
b80204 |
+ if (pop_encryptedData == null) {
|
|
|
b80204 |
msg = method +
|
|
|
b80204 |
- "pop_encreyptedData not found in request:" +
|
|
|
b80204 |
+ "pop_encryptedData not found in request:" +
|
|
|
b80204 |
reqId.toString();
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
return null;
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
|
|
|
b80204 |
- if (pop_sysPubEncreyptedSession == null) {
|
|
|
b80204 |
+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
|
|
|
b80204 |
+ if (pop_sysPubEncryptedSession == null) {
|
|
|
b80204 |
msg = method +
|
|
|
b80204 |
- "pop_sysPubEncreyptedSession not found in request:" +
|
|
|
b80204 |
+ "pop_sysPubEncryptedSession not found in request:" +
|
|
|
b80204 |
reqId.toString();
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
return null;
|
|
|
b80204 |
@@ -1082,17 +1110,31 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
981330 |
|
|
|
b80204 |
SymmetricKey symKey = CryptoUtil.unwrap(
|
|
|
b80204 |
token,
|
|
|
b80204 |
+ SymmetricKey.AES,
|
|
|
b80204 |
+ 128,
|
|
|
b80204 |
SymmetricKey.Usage.DECRYPT,
|
|
|
b80204 |
issuanceProtPrivKey,
|
|
|
b80204 |
- pop_sysPubEncreyptedSession);
|
|
|
b80204 |
+ pop_sysPubEncryptedSession,
|
|
|
b80204 |
+ KeyWrapAlgorithm.RSA);
|
|
|
b80204 |
+
|
|
|
b80204 |
if (symKey == null) {
|
|
|
b80204 |
msg = "symKey null after CryptoUtil.unwrap returned";
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
return null;
|
|
|
b80204 |
}
|
|
|
981330 |
|
|
|
b80204 |
+ // TODO(alee) The code below should be replaced by code that gets the IV from the Pop request
|
|
|
b80204 |
+ // This IV is supposed to be random
|
|
|
b80204 |
+ byte[] iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
b80204 |
+ IVParameterSpec default_iv = new IVParameterSpec(iv);
|
|
|
b80204 |
+
|
|
|
b80204 |
byte[] challenge_b = CryptoUtil.decryptUsingSymmetricKey(
|
|
|
b80204 |
- token, pop_encreyptedData, symKey);
|
|
|
b80204 |
+ token,
|
|
|
b80204 |
+ default_iv,
|
|
|
b80204 |
+ pop_encryptedData,
|
|
|
b80204 |
+ symKey,
|
|
|
b80204 |
+ EncryptionAlgorithm.AES_128_CBC);
|
|
|
981330 |
+
|
|
|
b80204 |
if (challenge_b == null) {
|
|
|
b80204 |
msg = method + "challenge_b null after decryptUsingSymmetricKey returned";
|
|
|
b80204 |
CMS.debug(msg);
|
|
|
b80204 |
@@ -1596,23 +1638,16 @@ public abstract class EnrollProfile extends BasicProfile
|
|
|
b80204 |
witness_bytes,
|
|
|
b80204 |
hashAlg, macAlg);
|
|
|
981330 |
|
|
|
b80204 |
- String authMgrID =
|
|
|
b80204 |
- (String) sessionContext.get(SessionContext.AUTH_MANAGER_ID);
|
|
|
b80204 |
String auditSubjectID = null;
|
|
|
981330 |
|
|
|
b80204 |
if (verified) {
|
|
|
b80204 |
- // update auditSubjectID
|
|
|
b80204 |
- if (sessionContext != null) {
|
|
|
b80204 |
- auditSubjectID = (String)
|
|
|
b80204 |
- sessionContext.get(SessionContext.USER_ID);
|
|
|
b80204 |
- CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
|
|
|
b80204 |
- CMS.debug(method + "identity verified. Updating auditSubjectID");
|
|
|
b80204 |
- CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
|
|
|
b80204 |
- auditSubjectID = ident_string;
|
|
|
b80204 |
- sessionContext.put(SessionContext.USER_ID, auditSubjectID);
|
|
|
b80204 |
- } else { //very unlikely
|
|
|
b80204 |
- CMS.debug(method + "sessionContext null; cannot update auditSubjectID");
|
|
|
b80204 |
- }
|
|
|
b80204 |
+ auditSubjectID = (String)
|
|
|
b80204 |
+ sessionContext.get(SessionContext.USER_ID);
|
|
|
b80204 |
+ CMS.debug(method + "current auditSubjectID was:"+ auditSubjectID);
|
|
|
b80204 |
+ CMS.debug(method + "identity verified. Updating auditSubjectID");
|
|
|
b80204 |
+ CMS.debug(method + "updated auditSubjectID is:"+ ident_string);
|
|
|
b80204 |
+ auditSubjectID = ident_string;
|
|
|
b80204 |
+ sessionContext.put(SessionContext.USER_ID, auditSubjectID);
|
|
|
981330 |
|
|
|
b80204 |
auditMessage = CMS.getLogMessage(
|
|
|
b80204 |
AuditEvent.CMC_PROOF_OF_IDENTIFICATION,
|
|
|
b80204 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
b80204 |
index c130a1e..8e47298 100644
|
|
|
b80204 |
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
b80204 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
b80204 |
@@ -43,6 +43,7 @@ import org.mozilla.jss.asn1.SEQUENCE;
|
|
|
b80204 |
import org.mozilla.jss.asn1.SET;
|
|
|
b80204 |
import org.mozilla.jss.asn1.UTF8String;
|
|
|
b80204 |
import org.mozilla.jss.crypto.DigestAlgorithm;
|
|
|
b80204 |
+import org.mozilla.jss.crypto.EncryptionAlgorithm;
|
|
|
b80204 |
import org.mozilla.jss.crypto.SignatureAlgorithm;
|
|
|
b80204 |
import org.mozilla.jss.pkcs11.PK11PubKey;
|
|
|
b80204 |
import org.mozilla.jss.pkix.cert.Certificate;
|
|
|
b80204 |
@@ -433,10 +434,7 @@ public class CMCOutputTemplate {
|
|
|
981330 |
|
|
|
b80204 |
ResponseBody respBody = new ResponseBody(controlSeq,
|
|
|
b80204 |
cmsSeq, otherMsgSeq);
|
|
|
b80204 |
- if (respBody != null)
|
|
|
b80204 |
- CMS.debug(method + " after new ResponseBody, respBody not null");
|
|
|
b80204 |
- else
|
|
|
b80204 |
- CMS.debug(method + " after new ResponseBody, respBody null");
|
|
|
b80204 |
+ CMS.debug(method + " after new ResponseBody, respBody not null");
|
|
|
981330 |
|
|
|
b80204 |
ContentInfo contentInfo = getContentInfo(respBody, certs);
|
|
|
b80204 |
ByteArrayOutputStream fos = new ByteArrayOutputStream();
|
|
|
b80204 |
@@ -489,30 +487,25 @@ public class CMCOutputTemplate {
|
|
|
b80204 |
CMS.debug(method + "popChallengeRequired true");
|
|
|
981330 |
|
|
|
b80204 |
byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST);
|
|
|
b80204 |
- byte[] pop_encreyptedData = req.getExtDataInByteArray("pop_encreyptedData");
|
|
|
b80204 |
+ byte[] pop_encryptedData = req.getExtDataInByteArray("pop_encryptedData");
|
|
|
b80204 |
//don't need this for encryptedPOP, but need to check for existence anyway
|
|
|
b80204 |
- byte[] pop_sysPubEncreyptedSession = req.getExtDataInByteArray("pop_sysPubEncreyptedSession");
|
|
|
b80204 |
- byte[] pop_userPubEncreyptedSession = req.getExtDataInByteArray("pop_userPubEncreyptedSession");
|
|
|
b80204 |
- if ((pop_encreyptedData != null) &&
|
|
|
b80204 |
- (pop_sysPubEncreyptedSession != null) &&
|
|
|
b80204 |
- (pop_userPubEncreyptedSession != null)) {
|
|
|
b80204 |
+ byte[] pop_sysPubEncryptedSession = req.getExtDataInByteArray("pop_sysPubEncryptedSession");
|
|
|
b80204 |
+ byte[] pop_userPubEncryptedSession = req.getExtDataInByteArray("pop_userPubEncryptedSession");
|
|
|
b80204 |
+ if ((pop_encryptedData != null) &&
|
|
|
b80204 |
+ (pop_sysPubEncryptedSession != null) &&
|
|
|
b80204 |
+ (pop_userPubEncryptedSession != null)) {
|
|
|
b80204 |
// generate encryptedPOP here
|
|
|
b80204 |
// algs are hard-coded for now
|
|
|
981330 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
EnvelopedData envData = CryptoUtil.createEnvelopedData(
|
|
|
b80204 |
- pop_encreyptedData,
|
|
|
b80204 |
- pop_userPubEncreyptedSession);
|
|
|
b80204 |
+ pop_encryptedData,
|
|
|
b80204 |
+ pop_userPubEncryptedSession);
|
|
|
b80204 |
if (envData == null) {
|
|
|
b80204 |
msg = "envData null returned by createEnvelopedData";
|
|
|
b80204 |
throw new EBaseException(method + msg);
|
|
|
b80204 |
}
|
|
|
b80204 |
ContentInfo ci = new ContentInfo(envData);
|
|
|
b80204 |
- if (ci == null) {
|
|
|
b80204 |
- msg = "ci null from new ContentInfo";
|
|
|
b80204 |
- CMS.debug(msg);
|
|
|
b80204 |
- throw new EBaseException(method + msg);
|
|
|
b80204 |
- }
|
|
|
b80204 |
CMS.debug(method + "now we can compose encryptedPOP");
|
|
|
b80204 |
|
|
|
b80204 |
TaggedRequest.Template tReqTemplate = new TaggedRequest.Template();
|
|
|
b80204 |
@@ -524,17 +517,18 @@ public class CMCOutputTemplate {
|
|
|
b80204 |
throw new EBaseException(method + msg);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
+ // TODO(alee) The code below should be replaced by code that generates a random IV
|
|
|
b80204 |
+ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
981330 |
+
|
|
|
b80204 |
+ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
|
|
|
b80204 |
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
|
|
|
981330 |
+
|
|
|
b80204 |
encPop = new EncryptedPOP(
|
|
|
b80204 |
tReq,
|
|
|
b80204 |
ci,
|
|
|
b80204 |
- CryptoUtil.getDefaultEncAlg(),
|
|
|
b80204 |
+ aid,
|
|
|
b80204 |
CryptoUtil.getDefaultHashAlg(),
|
|
|
b80204 |
new OCTET_STRING(req.getExtDataInByteArray("pop_witness")));
|
|
|
b80204 |
- if (encPop == null) {
|
|
|
b80204 |
- msg = "encPop null returned by new EncryptedPOP";
|
|
|
b80204 |
- CMS.debug(msg);
|
|
|
b80204 |
- throw new EBaseException(method + msg);
|
|
|
b80204 |
- }
|
|
|
981330 |
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
CMS.debug(method + " excepton:" + e);
|
|
|
b80204 |
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
b80204 |
index 8b8c443..95b8f81 100644
|
|
|
b80204 |
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
b80204 |
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
b80204 |
@@ -2572,15 +2572,15 @@ public class CryptoUtil {
|
|
|
b80204 |
throw new Exception(method + msg);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
+ // TODO(alee) Replace the below with a random IV that is likely passed in
|
|
|
b80204 |
+ byte[] default_iv = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
b80204 |
+ OBJECT_IDENTIFIER oid = EncryptionAlgorithm.AES_128_CBC.toOID();
|
|
|
b80204 |
+ AlgorithmIdentifier aid = new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
|
|
|
b80204 |
+
|
|
|
b80204 |
EncryptedContentInfo encCInfo = new EncryptedContentInfo(
|
|
|
b80204 |
ContentInfo.DATA,
|
|
|
b80204 |
- getDefaultEncAlg(),
|
|
|
b80204 |
+ aid,
|
|
|
b80204 |
new OCTET_STRING(encContent));
|
|
|
b80204 |
- if (encCInfo == null) {
|
|
|
b80204 |
- msg = method + "encCInfo null from new EncryptedContentInfo";
|
|
|
b80204 |
- System.out.println(msg);
|
|
|
b80204 |
- throw new Exception(method + msg);
|
|
|
b80204 |
- }
|
|
|
b80204 |
|
|
|
b80204 |
Name name = new Name();
|
|
|
b80204 |
name.addCommonName("unUsedIssuerName"); //unused; okay for cmc EncryptedPOP
|
|
|
b80204 |
@@ -2589,11 +2589,6 @@ public class CryptoUtil {
|
|
|
b80204 |
new IssuerAndSerialNumber(name, new INTEGER(0)), //unUsed
|
|
|
b80204 |
new AlgorithmIdentifier(RSA_ENCRYPTION, new NULL()),
|
|
|
b80204 |
new OCTET_STRING(encSymKey));
|
|
|
b80204 |
- if (recipient == null) {
|
|
|
b80204 |
- msg = method + "recipient null from new RecipientInfo";
|
|
|
b80204 |
- System.out.println(msg);
|
|
|
b80204 |
- throw new Exception(method + msg);
|
|
|
b80204 |
- }
|
|
|
b80204 |
|
|
|
b80204 |
SET recipients = new SET();
|
|
|
b80204 |
recipients.addElement(recipient);
|
|
|
b80204 |
@@ -2615,77 +2610,14 @@ public class CryptoUtil {
|
|
|
b80204 |
* the defaults
|
|
|
981330 |
*/
|
|
|
b80204 |
|
|
|
b80204 |
- private static byte default_iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
|
|
|
b80204 |
- private static IVParameterSpec default_IV = new IVParameterSpec(default_iv);
|
|
|
b80204 |
-
|
|
|
b80204 |
- // this generates a temporary 128 bit AES symkey with defaults
|
|
|
b80204 |
- public static SymmetricKey generateKey(CryptoToken token) throws Exception {
|
|
|
b80204 |
- return generateKey(token,
|
|
|
b80204 |
-//TODO: KeyGenAlgorithm.AES, 128,
|
|
|
b80204 |
- KeyGenAlgorithm.DES3, 128 /*unused*/,
|
|
|
b80204 |
- null, true);
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- // decryptUsingSymmetricKey with default algorithms
|
|
|
b80204 |
- public static byte[] decryptUsingSymmetricKey(CryptoToken token, byte[] encryptedData, SymmetricKey wrappingKey) throws Exception {
|
|
|
b80204 |
- return decryptUsingSymmetricKey(token, default_IV, encryptedData,
|
|
|
b80204 |
- wrappingKey,
|
|
|
b80204 |
- EncryptionAlgorithm.DES3_CBC_PAD);
|
|
|
b80204 |
-//TODO: EncryptionAlgorithm.AES_128_CBC);
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- // encryptUsingSymmetricKey with default algorithms
|
|
|
b80204 |
- public static byte[] encryptUsingSymmetricKey(CryptoToken token, SymmetricKey wrappingKey, byte[] data) throws Exception {
|
|
|
b80204 |
- return encryptUsingSymmetricKey(
|
|
|
b80204 |
- token,
|
|
|
b80204 |
- wrappingKey,
|
|
|
b80204 |
- data,
|
|
|
b80204 |
- EncryptionAlgorithm.DES3_CBC_PAD,
|
|
|
b80204 |
-//TODO: EncryptionAlgorithm.AES_128_CBC,
|
|
|
b80204 |
- default_IV);
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- // wrapUsingPublicKey using default algorithm
|
|
|
b80204 |
- public static byte[] wrapUsingPublicKey(CryptoToken token, PublicKey wrappingKey, SymmetricKey data) throws Exception {
|
|
|
b80204 |
- return wrapUsingPublicKey(token, wrappingKey, data, KeyWrapAlgorithm.RSA);
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- // unwrap sym key using default algorithms
|
|
|
b80204 |
- public static SymmetricKey unwrap(CryptoToken token, SymmetricKey.Usage usage, PrivateKey wrappingKey, byte[] wrappedSymKey) throws Exception {
|
|
|
b80204 |
- return unwrap(
|
|
|
b80204 |
- token,
|
|
|
b80204 |
-//TODO: SymmetricKey.AES,
|
|
|
b80204 |
- SymmetricKey.DES3,
|
|
|
b80204 |
- 0,
|
|
|
b80204 |
- usage,
|
|
|
b80204 |
- wrappingKey,
|
|
|
b80204 |
- wrappedSymKey,
|
|
|
b80204 |
- getDefaultKeyWrapAlg());
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- public static AlgorithmIdentifier getDefaultEncAlg()
|
|
|
b80204 |
- throws Exception {
|
|
|
b80204 |
- OBJECT_IDENTIFIER oid =
|
|
|
b80204 |
- EncryptionAlgorithm.DES3_CBC.toOID();
|
|
|
b80204 |
-//TODO: EncryptionAlgorithm.AES_128_CBC.toOID();
|
|
|
b80204 |
-
|
|
|
b80204 |
- AlgorithmIdentifier aid =
|
|
|
b80204 |
- new AlgorithmIdentifier(oid, new OCTET_STRING(default_iv));
|
|
|
b80204 |
- return aid;
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
public static String getDefaultHashAlgName() {
|
|
|
b80204 |
return ("SHA-256");
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- public static KeyWrapAlgorithm getDefaultKeyWrapAlg() {
|
|
|
b80204 |
- return KeyWrapAlgorithm.RSA;
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
public static AlgorithmIdentifier getDefaultHashAlg()
|
|
|
b80204 |
throws Exception {
|
|
|
b80204 |
AlgorithmIdentifier hashAlg;
|
|
|
b80204 |
- hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID("SHA-256"));
|
|
|
b80204 |
+ hashAlg = new AlgorithmIdentifier(CryptoUtil.getHashAlgorithmOID(getDefaultHashAlgName()));
|
|
|
b80204 |
return hashAlg;
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
@@ -2768,8 +2700,6 @@ public class CryptoUtil {
|
|
|
981330 |
*/
|
|
|
b80204 |
public static String getNameFromHashAlgorithm(AlgorithmIdentifier ai)
|
|
|
b80204 |
throws NoSuchAlgorithmException {
|
|
|
b80204 |
- OBJECT_IDENTIFIER oid = null;
|
|
|
b80204 |
-
|
|
|
b80204 |
System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID().toString());
|
|
|
b80204 |
if (ai != null) {
|
|
|
b80204 |
if (ai.getOID().equals((DigestAlgorithm.SHA256).toOID())) {
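Review bot: `ai.getOID()` is dereferenced on the `System.out.println` line before the `if (ai != null)` guard that follows it, so a null `ai` throws a NullPointerException from the trace line rather than reaching whatever handling the guard was meant to give it; move the trace inside the null check, e.g. `if (ai != null) { System.out.println("CryptoUtil: getNameFromHashAlgorithm: " + ai.getOID()); ...`. Writing the trace to `System.out` from a shared crypto utility is also hard to control in production; the project's logger would let it be turned off. The commit's removal of the unused `oid` local is fine, and getNameFromHashAlgorithm's body continues past the hunk.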
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
From 772e05e746570c13afeb60516c07a3fb95ca3e78 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Thu, 1 Jun 2017 23:38:04 +0200
|
|
|
b80204 |
Subject: [PATCH 10/27] Removed superfluous deployment configuration backup.
|
|
|
981330 |
|
|
|
b80204 |
pkispawn has been modified to generate a temporary backup
|
|
|
b80204 |
file (instead of permanent and timestamped backup files) of the
|
|
|
b80204 |
deployment configuration file before normalizing its content.
|
|
|
b80204 |
The temporary backup will be removed automatically when the
|
|
|
b80204 |
normalization is complete.
|
|
|
981330 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2674
|
|
|
981330 |
|
|
|
b80204 |
Change-Id: Ia541e23314acc120954fa574d1f6f885961c8047
|
|
|
981330 |
---
|
|
|
b80204 |
base/server/sbin/pkispawn | 7 +------
|
|
|
b80204 |
1 file changed, 1 insertion(+), 6 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
|
|
|
b80204 |
index 742f579..1aa7079 100755
|
|
|
b80204 |
--- a/base/server/sbin/pkispawn
|
|
|
b80204 |
+++ b/base/server/sbin/pkispawn
|
|
|
b80204 |
@@ -34,8 +34,6 @@ try:
|
|
|
b80204 |
import ldap
|
|
|
b80204 |
import os
|
|
|
b80204 |
import requests
|
|
|
b80204 |
- import time
|
|
|
b80204 |
- from time import strftime as date
|
|
|
b80204 |
import traceback
|
|
|
b80204 |
import pki
|
|
|
b80204 |
from pki.server.deployment import pkiconfig as config
|
|
|
b80204 |
@@ -610,12 +608,9 @@ def main(argv):
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
def sanitize_user_deployment_cfg(cfg):
|
|
|
b80204 |
- # Generate a timestamp
|
|
|
b80204 |
- ticks = time.time()
|
|
|
b80204 |
- timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks))
|
|
|
b80204 |
|
|
|
b80204 |
# Correct any section headings in the user's configuration file
|
|
|
b80204 |
- for line in fileinput.FileInput(cfg, inplace=1, backup='.' + timestamp):
|
|
|
b80204 |
+ for line in fileinput.FileInput(cfg, inplace=1):
|
|
|
b80204 |
# Remove extraneous leading and trailing whitespace from all lines
|
|
|
b80204 |
line = line.strip()
|
|
|
b80204 |
# Normalize section headings to match '/etc/pki/default.cfg'
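Review bot: The in-place rewrite on the new `fileinput.FileInput(cfg, inplace=1)` line is not atomic: if anything in the loop body raises, `cfg` is left truncated or partially written, and the implicit `.bak` copy is only removed when the FileInput object happens to be closed or finalized. Iterating under `with fileinput.FileInput(cfg, inplace=1) as fi:` at least closes the handle deterministically, and a rewrite to a temporary file followed by `os.replace` would make the normalization all-or-nothing. Because inplace mode redirects stdout, any `print()` reached inside the loop is written into the configuration file rather than the terminal, which matters for a file that may hold deployment secrets. sanitize_user_deployment_cfg's body continues past the hunk.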
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
From f7b6305396581f5916498cc4ea8247596bf39aaf Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: Matthew Harmsen <mharmsen@redhat.com>
|
|
|
b80204 |
Date: Fri, 2 Jun 2017 02:10:02 +0200
|
|
|
b80204 |
Subject: [PATCH 11/27] Fixed pylint issues
|
|
|
b80204 |
|
|
|
b80204 |
- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
|
|
|
981330 |
---
|
|
|
b80204 |
base/common/python/pki/cli/pkcs12.py | 4 ++--
|
|
|
b80204 |
base/common/python/pki/encoder.py | 12 ++++++------
|
|
|
b80204 |
base/server/python/pki/server/cli/audit.py | 8 ++++----
|
|
|
b80204 |
base/server/python/pki/server/cli/ca.py | 16 ++++++++--------
|
|
|
b80204 |
base/server/python/pki/server/cli/db.py | 8 ++++----
|
|
|
b80204 |
base/server/python/pki/server/cli/kra.py | 20 ++++++++++----------
|
|
|
b80204 |
base/server/python/pki/server/cli/ocsp.py | 4 ++--
|
|
|
b80204 |
base/server/python/pki/server/cli/subsystem.py | 4 ++--
|
|
|
b80204 |
base/server/python/pki/server/cli/tks.py | 4 ++--
|
|
|
b80204 |
base/server/python/pki/server/cli/tps.py | 20 ++++++++++----------
|
|
|
b80204 |
base/server/python/pki/server/upgrade.py | 3 ---
|
|
|
b80204 |
11 files changed, 50 insertions(+), 53 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
index 8934d33..6b99fcf 100644
|
|
|
b80204 |
--- a/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
+++ b/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
@@ -62,10 +62,10 @@ class PKCS12ImportCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
981330 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'v', [
|
|
|
b80204 |
'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'no-trust-flags', 'no-user-certs', 'no-ca-certs', 'overwrite',
|
|
|
b80204 |
'verbose', 'debug', 'help'])
|
|
|
b80204 |
diff --git a/base/common/python/pki/encoder.py b/base/common/python/pki/encoder.py
|
|
|
b80204 |
index 8485ab8..d3298bc 100644
|
|
|
b80204 |
--- a/base/common/python/pki/encoder.py
|
|
|
b80204 |
+++ b/base/common/python/pki/encoder.py
|
|
|
b80204 |
@@ -82,14 +82,14 @@ class CustomTypeEncoder(json.JSONEncoder):
|
|
|
b80204 |
"""
|
|
|
b80204 |
# pylint: disable=E0202
|
|
|
b80204 |
|
|
|
b80204 |
- def default(self, obj):
|
|
|
b80204 |
+ def default(self, o):
|
|
|
b80204 |
for k, v in iteritems(TYPES):
|
|
|
b80204 |
- if isinstance(obj, v):
|
|
|
b80204 |
- return {k: obj.__dict__}
|
|
|
b80204 |
+ if isinstance(o, v):
|
|
|
b80204 |
+ return {k: o.__dict__}
|
|
|
b80204 |
for t in itervalues(NOTYPES):
|
|
|
b80204 |
- if isinstance(obj, t):
|
|
|
b80204 |
- return self.attr_name_conversion(obj.__dict__, type(obj))
|
|
|
b80204 |
- return json.JSONEncoder.default(self, obj)
|
|
|
b80204 |
+ if isinstance(o, t):
|
|
|
b80204 |
+ return self.attr_name_conversion(o.__dict__, type(o))
|
|
|
b80204 |
+ return json.JSONEncoder.default(self, o)
|
|
|
b80204 |
|
|
|
b80204 |
@staticmethod
|
|
|
b80204 |
def attr_name_conversion(attr_dict, object_class):
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
|
|
|
b80204 |
index 0833ca8..a19ca8c 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/audit.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/audit.py
|
|
|
b80204 |
@@ -56,10 +56,10 @@ class AuditFileFindCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -129,10 +129,10 @@ class AuditFileVerifyCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
|
|
|
b80204 |
index 550e511..48c7dba 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/ca.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/ca.py
|
|
|
b80204 |
@@ -78,10 +78,10 @@ class CACertChainExportCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -190,10 +190,10 @@ class CACertRequestFindCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'cert=', 'cert-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -268,10 +268,10 @@ class CACertRequestShowCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, args = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, args = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'output-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -356,10 +356,10 @@ class CAClonePrepareCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
|
|
|
b80204 |
index 17b1a2f..3df911c 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/db.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/db.py
|
|
|
b80204 |
@@ -58,10 +58,10 @@ class DBSchemaUpgrade(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=',
|
|
|
b80204 |
+ argv, 'i:D:w:v', ['instance=', 'bind-dn=', 'bind-password=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
except getopt.GetoptError as e:
|
|
|
b80204 |
@@ -150,10 +150,10 @@ class DBUpgrade(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args, 'i:v', ['instance=', 'verbose', 'help'])
|
|
|
b80204 |
+ argv, 'i:v', ['instance=', 'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
except getopt.GetoptError as e:
|
|
|
b80204 |
print('ERROR: ' + str(e))
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
|
|
|
b80204 |
index 3724014..6c1ade9 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/kra.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/kra.py
|
|
|
b80204 |
@@ -81,10 +81,10 @@ class KRAClonePrepareCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -203,10 +203,10 @@ class KRADBVLVFindCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -315,10 +315,10 @@ class KRADBVLVAddCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -421,10 +421,10 @@ class KRADBVLVDeleteCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -543,10 +543,10 @@ class KRADBVLVReindexCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
|
|
|
b80204 |
index 3e9b6aa..b3e4e45 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/ocsp.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/ocsp.py
|
|
|
b80204 |
@@ -67,10 +67,10 @@ class OCSPClonePrepareCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
|
|
|
b80204 |
index 8395bd2..10af8ca 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/subsystem.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/subsystem.py
|
|
|
b80204 |
@@ -66,10 +66,10 @@ class SubsystemFindCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
|
|
|
b80204 |
index 0e6a998..0bfaca1 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/tks.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/tks.py
|
|
|
b80204 |
@@ -67,10 +67,10 @@ class TKSClonePrepareCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
|
|
|
b80204 |
index 03df8de..a34bbd9 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/cli/tps.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/cli/tps.py
|
|
|
b80204 |
@@ -76,10 +76,10 @@ class TPSClonePrepareCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
|
|
|
b80204 |
try:
|
|
|
b80204 |
- opts, _ = getopt.gnu_getopt(args, 'i:v', [
|
|
|
b80204 |
+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
b80204 |
'instance=', 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=',
|
|
|
b80204 |
'verbose', 'help'])
|
|
|
b80204 |
|
|
|
b80204 |
@@ -195,10 +195,10 @@ class TPSDBVLVFindCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -306,10 +306,10 @@ class TPSDBVLVAddCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -419,10 +419,10 @@ class TPSDBVLVDeleteCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
@@ -554,10 +554,10 @@ class TPSDBVLVReindexCLI(pki.cli.CLI):
|
|
|
b80204 |
print(' --help Show help message.')
|
|
|
b80204 |
print()
|
|
|
b80204 |
|
|
|
b80204 |
- def execute(self, args):
|
|
|
b80204 |
+ def execute(self, argv):
|
|
|
b80204 |
try:
|
|
|
b80204 |
opts, _ = getopt.gnu_getopt(
|
|
|
b80204 |
- args,
|
|
|
b80204 |
+ argv,
|
|
|
b80204 |
'i:D:w:x:g:v',
|
|
|
b80204 |
['instance=', 'bind-dn=', 'bind-password=', 'generate-ldif=',
|
|
|
b80204 |
'verbose', 'help']
|
|
|
b80204 |
diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
|
|
|
b80204 |
index 2c72e48..926c683 100644
|
|
|
b80204 |
--- a/base/server/python/pki/server/upgrade.py
|
|
|
b80204 |
+++ b/base/server/python/pki/server/upgrade.py
|
|
|
b80204 |
@@ -38,9 +38,6 @@ SUBSYSTEM_TRACKER = '%s/CS.cfg'
|
|
|
b80204 |
|
|
|
b80204 |
class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
|
|
|
b80204 |
|
|
|
b80204 |
- def __init__(self):
|
|
|
b80204 |
- super(PKIServerUpgradeScriptlet, self).__init__()
|
|
|
981330 |
-
|
|
|
b80204 |
def get_backup_dir(self):
|
|
|
b80204 |
return BACKUP_DIR + '/' + str(self.version) + '/' + str(self.index)
|
|
|
b80204 |
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|
|
|
981330 |
|
|
|
b80204 |
From b3d851b864dc986a9af8ffcb1962f8e7b4de3114 Mon Sep 17 00:00:00 2001
|
|
|
981330 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Thu, 1 Jun 2017 04:54:05 +0200
|
|
|
b80204 |
Subject: [PATCH 12/27] Added upgrade script for keepAliveTimeout.
|
|
|
981330 |
|
|
|
b80204 |
An upgrade script has been added to set the keepAliveTimeout
|
|
|
b80204 |
attribute for the Secure connector in the server.xml.
|
|
|
981330 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2687
|
|
|
981330 |
|
|
|
b80204 |
Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d
|
|
|
981330 |
---
|
|
|
b80204 |
base/common/upgrade/10.4.1/.gitignore | 4 ++
|
|
|
b80204 |
base/common/upgrade/10.4.2/.gitignore | 4 ++
|
|
|
b80204 |
base/common/upgrade/10.4.3/.gitignore | 4 ++
|
|
|
b80204 |
base/common/upgrade/10.4.4/.gitignore | 4 ++
|
|
|
b80204 |
base/common/upgrade/10.4.5/.gitignore | 4 ++
|
|
|
b80204 |
base/common/upgrade/10.4.6/.gitignore | 4 ++
|
|
|
b80204 |
base/server/upgrade/10.4.3/.gitignore | 4 ++
|
|
|
b80204 |
base/server/upgrade/10.4.4/.gitignore | 4 ++
|
|
|
b80204 |
base/server/upgrade/10.4.5/.gitignore | 4 ++
|
|
|
b80204 |
.../upgrade/10.4.6/01-UpdateKeepAliveTimeout | 59 ++++++++++++++++++++++
|
|
|
b80204 |
10 files changed, 95 insertions(+)
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.1/.gitignore
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.2/.gitignore
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.5/.gitignore
|
|
|
b80204 |
create mode 100644 base/common/upgrade/10.4.6/.gitignore
|
|
|
b80204 |
create mode 100644 base/server/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
create mode 100644 base/server/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
create mode 100644 base/server/upgrade/10.4.5/.gitignore
|
|
|
b80204 |
create mode 100755 base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.1/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.2/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.5/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/common/upgrade/10.4.6/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/server/upgrade/10.4.3/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/server/upgrade/10.4.4/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore
|
|
|
981330 |
new file mode 100644
|
|
|
b80204 |
index 0000000..5e7d273
|
|
|
981330 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/server/upgrade/10.4.5/.gitignore
|
|
|
b80204 |
@@ -0,0 +1,4 @@
|
|
|
b80204 |
+# Ignore everything in this directory
|
|
|
b80204 |
+*
|
|
|
b80204 |
+# Except this file
|
|
|
b80204 |
+!.gitignore
|
|
|
b80204 |
diff --git a/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
|
|
|
b80204 |
new file mode 100755
|
|
|
b80204 |
index 0000000..31c4d1b
|
|
|
b80204 |
--- /dev/null
|
|
|
b80204 |
+++ b/base/server/upgrade/10.4.6/01-UpdateKeepAliveTimeout
|
|
|
b80204 |
@@ -0,0 +1,59 @@
|
|
|
981330 |
+#!/usr/bin/python
|
|
|
981330 |
+# Authors:
|
|
|
981330 |
+# Endi S. Dewata <edewata@redhat.com>
|
|
|
981330 |
+#
|
|
|
981330 |
+# This program is free software; you can redistribute it and/or modify
|
|
|
981330 |
+# it under the terms of the GNU General Public License as published by
|
|
|
981330 |
+# the Free Software Foundation; version 2 of the License.
|
|
|
981330 |
+#
|
|
|
981330 |
+# This program is distributed in the hope that it will be useful,
|
|
|
981330 |
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
981330 |
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
981330 |
+# GNU General Public License for more details.
|
|
|
981330 |
+#
|
|
|
981330 |
+# You should have received a copy of the GNU General Public License along
|
|
|
981330 |
+# with this program; if not, write to the Free Software Foundation, Inc.,
|
|
|
981330 |
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
|
981330 |
+#
|
|
|
b80204 |
+# Copyright (C) 2017 Red Hat, Inc.
|
|
|
981330 |
+# All rights reserved.
|
|
|
b80204 |
+#
|
|
|
981330 |
+
|
|
|
981330 |
+from __future__ import absolute_import
|
|
|
981330 |
+import os
|
|
|
b80204 |
+from lxml import etree
|
|
|
981330 |
+
|
|
|
b80204 |
+import pki
|
|
|
981330 |
+
|
|
|
981330 |
+
|
|
|
b80204 |
+class UpdateKeepAliveTimeout(
|
|
|
b80204 |
+ pki.server.upgrade.PKIServerUpgradeScriptlet):
|
|
|
981330 |
+
|
|
|
981330 |
+ def __init__(self):
|
|
|
b80204 |
+ super(UpdateKeepAliveTimeout, self).__init__()
|
|
|
b80204 |
+ self.message = 'Update keepAliveTimeout parameter'
|
|
|
b80204 |
+
|
|
|
981330 |
+ self.parser = etree.XMLParser(remove_blank_text=True)
|
|
|
981330 |
+
|
|
|
981330 |
+ def upgrade_instance(self, instance):
|
|
|
981330 |
+
|
|
|
b80204 |
+ server_xml = os.path.join(instance.conf_dir, 'server.xml')
|
|
|
b80204 |
+ self.backup(server_xml)
|
|
|
b80204 |
+
|
|
|
b80204 |
+ document = etree.parse(server_xml, self.parser)
|
|
|
b80204 |
+
|
|
|
b80204 |
+ server = document.getroot()
|
|
|
b80204 |
+ connectors = server.findall('.//Connector')
|
|
|
b80204 |
+
|
|
|
b80204 |
+ for connector in connectors:
|
|
|
b80204 |
+
|
|
|
b80204 |
+ # find the Secure connector
|
|
|
b80204 |
+ name = connector.get('name')
|
|
|
b80204 |
+ if name != 'Secure':
|
|
|
b80204 |
+ continue
|
|
|
b80204 |
+
|
|
|
b80204 |
+ # set the keepAliveTimeout parameter to 5 minutes
|
|
|
b80204 |
+ connector.set('keepAliveTimeout', '300000')
|
|
|
b80204 |
+
|
|
|
b80204 |
+ with open(server_xml, 'wb') as f:
|
|
|
b80204 |
+ document.write(f, pretty_print=True, encoding='utf-8')
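Review bot: The class reaches `pki.server.upgrade.PKIServerUpgradeScriptlet` through a bare `import pki`, which only resolves if another module has already imported the `pki.server.upgrade` submodule; an explicit `import pki.server.upgrade` makes the dependency reliable. `connector.set('keepAliveTimeout', '300000')` also overwrites any value an administrator has already configured on the Secure connector; if preserving a customized setting is intended, guard it with `if connector.get('keepAliveTimeout') is None:`. Since server.xml is parsed and rewritten from a privileged upgrade path, consider `etree.XMLParser(remove_blank_text=True, resolve_entities=False, no_network=True)` so entity declarations in the file cannot pull in external content during the rewrite.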
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 03235ab51d102ba722e71adf00d2f721c77cd222 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Thu, 1 Jun 2017 21:02:41 +0200
|
|
|
b80204 |
Subject: [PATCH 15/27] Fixed random password generator.
|
|
|
b80204 |
|
|
|
b80204 |
The equal sign is no longer used to generate random password
|
|
|
b80204 |
since it's already used as token name and password delimiter in
|
|
|
b80204 |
password.conf.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2556
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: Id59f9aae4d01958f69c305e7d5cda44ce5c81c84
|
|
|
b80204 |
---
|
|
|
b80204 |
base/common/python/pki/__init__.py | 11 ++++++++---
|
|
|
b80204 |
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
|
|
|
b80204 |
index 1fc5385..0478b32 100644
|
|
|
b80204 |
--- a/base/common/python/pki/__init__.py
|
|
|
b80204 |
+++ b/base/common/python/pki/__init__.py
|
|
|
b80204 |
@@ -45,6 +45,11 @@ PACKAGE_VERSION = SHARE_DIR + '/VERSION'
|
|
|
b80204 |
CERT_HEADER = "-----BEGIN CERTIFICATE-----"
|
|
|
b80204 |
CERT_FOOTER = "-----END CERTIFICATE-----"
|
|
|
b80204 |
|
|
|
b80204 |
+# Valid punctuation characters for random password.
|
|
|
b80204 |
+# This is identical to string.punctuation minus the equal
|
|
|
b80204 |
+# sign since it's used as delimiter in password.conf.
|
|
|
b80204 |
+PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~'
|
|
|
b80204 |
+
|
|
|
b80204 |
|
|
|
b80204 |
def read_text(message,
|
|
|
b80204 |
options=None, default=None, delimiter=':',
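Review bot: `PUNCTUATIONS` is a hand-copied literal that will silently drift from `string.punctuation` if either side ever changes, while the comment above it promises they stay in step; deriving it keeps the value and the comment in agreement, `PUNCTUATIONS = string.punctuation.replace('=', '')`. This presumes `string` is imported at module level, which the `string.digits` usage in generate_password later in this patch suggests it is.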
|
|
|
b80204 |
@@ -139,7 +144,7 @@ def generate_password():
|
|
|
b80204 |
* digits (string.digits)
|
|
|
b80204 |
* ASCII lowercase letters (string.ascii_lowercase)
|
|
|
b80204 |
* ASCII uppercase letters (string.ascii_uppercase)
|
|
|
b80204 |
- * ASCII non-alphanumeric characters (string.punctuation)
|
|
|
b80204 |
+ * ASCII non-alphanumeric characters (PUNCTUATIONS)
|
|
|
b80204 |
* non-ASCII characters
|
|
|
b80204 |
|
|
|
b80204 |
If an ASCII uppercase letter is the first character of the password,
|
|
|
b80204 |
@@ -159,7 +164,7 @@ def generate_password():
|
|
|
b80204 |
valid_chars = string.digits +\
|
|
|
b80204 |
string.ascii_lowercase +\
|
|
|
b80204 |
string.ascii_uppercase +\
|
|
|
b80204 |
- string.punctuation
|
|
|
b80204 |
+ PUNCTUATIONS
|
|
|
b80204 |
|
|
|
b80204 |
chars = []
|
|
|
b80204 |
|
|
|
b80204 |
@@ -168,7 +173,7 @@ def generate_password():
|
|
|
b80204 |
chars.append(rnd.choice(string.digits))
|
|
|
b80204 |
chars.append(rnd.choice(string.ascii_lowercase))
|
|
|
b80204 |
chars.append(rnd.choice(string.ascii_uppercase))
|
|
|
b80204 |
- chars.append(rnd.choice(string.punctuation))
|
|
|
b80204 |
+ chars.append(rnd.choice(PUNCTUATIONS))
|
|
|
b80204 |
|
|
|
b80204 |
# add 6 additional random chars
|
|
|
b80204 |
chars.extend(rnd.choice(valid_chars) for i in range(6))
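Review bot: The strength of the password assembled here rests entirely on what `rnd` is, and its definition lies above the hunk, so a reader of `rnd.choice(PUNCTUATIONS)` cannot tell whether the generator is cryptographic. If it is not a `random.SystemRandom()` instance the "FIPS-compliant" password is predictable; a one-line comment at the definition, `# must be a CSPRNG (SystemRandom): these passwords protect NSS databases`, would pin that requirement down for future edits. The result is also fixed at 4 + 6 = 10 characters, which the docstring above should state explicitly since callers cannot see it from the signature. The enclosing function ends outside the hunk.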
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 08bf26f786b8d233382c6fedfad5d33d8c11d78f Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: Ade Lee <alee@redhat.com>
|
|
|
b80204 |
Date: Thu, 1 Jun 2017 17:46:27 -0400
|
|
|
b80204 |
Subject: [PATCH 16/27] Fix NPE in audit log invocation
|
|
|
b80204 |
|
|
|
b80204 |
Some audit log objects take a RequestId or KeyId, on which we call
|
|
|
b80204 |
toString(). In some cases, we were creating a KeyId or RequestId
|
|
|
b80204 |
with null values, resulting in an NPE. We fix these in this patch.
|
|
|
b80204 |
|
|
|
b80204 |
Bugzilla BZ# 1458043
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I38d5a20e9920966c8414d56afd7690dc3c11a1db
|
|
|
b80204 |
---
|
|
|
b80204 |
base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java | 3 ++-
|
|
|
b80204 |
base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 4 ++--
|
|
|
b80204 |
3 files changed, 8 insertions(+), 4 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
b80204 |
index ed20394..5e3b8a9 100644
|
|
|
b80204 |
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
b80204 |
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
b80204 |
@@ -1128,7 +1128,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
|
|
|
b80204 |
r = queue.findRequest(new RequestId(reqID));
|
|
|
b80204 |
|
|
|
b80204 |
auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
|
|
|
b80204 |
- keyID = new KeyId(r.getExtDataInBigInteger("serialNumber"));
|
|
|
b80204 |
+ BigInteger serialNumber = r.getExtDataInBigInteger("serialNumber");
|
|
|
b80204 |
+ keyID = serialNumber != null? new KeyId(serialNumber) : null;
|
|
|
b80204 |
|
|
|
b80204 |
// set transient parameters
|
|
|
b80204 |
params = createVolatileRequest(r.getRequestId());
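Review bot: `r` is still dereferenced unconditionally on the line after `queue.findRequest(new RequestId(reqID))`, so if `findRequest` returns null for an unknown request ID the NPE only moves from the audit call to `r.getExtDataInString(...)`, which is the same class of failure this commit sets out to fix. A guard such as `if (r == null) throw new EBaseException("Request not found: " + reqID);` (using whichever exception type the method already declares) before the `auditAgents` line turns it into a clean error. The null `keyID` now flows into the audit event emitted further down; a short comment that the audit record legitimately carries no key ID when the request has no `serialNumber` would make that deliberate. The enclosing method starts and ends outside the hunk.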
|
|
|
b80204 |
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
b80204 |
index c0b5cdd..891b083 100644
|
|
|
b80204 |
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
b80204 |
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
b80204 |
@@ -283,7 +283,7 @@ public class TokenKeyRecoveryService implements IService {
|
|
|
b80204 |
// retrieve based on Certificate
|
|
|
b80204 |
String cert_s = request.getExtDataInString(ATTR_USER_CERT);
|
|
|
b80204 |
String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID);
|
|
|
b80204 |
- KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID));
|
|
|
b80204 |
+ KeyId keyId = keyid_s != null ? new KeyId(keyid_s): null;
|
|
|
b80204 |
/* have to have at least one */
|
|
|
b80204 |
if ((cert_s == null) && (keyid_s == null)) {
|
|
|
b80204 |
CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
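Review bot: The new ternary only covers a missing `NETKEY_ATTR_KEYID`; an empty or non-numeric value from the request still reaches `new KeyId(keyid_s)`, and if that constructor parses its argument the result is an unchecked exception rather than the clean `not receive cert or keyid` path two lines below. Treating an empty string like null, `KeyId keyId = (keyid_s != null && !keyid_s.isEmpty()) ? new KeyId(keyid_s) : null;`, covers the common case; a malformed value would additionally need the constructor's exception caught here. The enclosing method continues outside the hunk.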
|
|
|
b80204 |
@@ -593,7 +593,7 @@ public class TokenKeyRecoveryService implements IService {
|
|
|
b80204 |
return true;
|
|
|
b80204 |
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
- CMS.debug("TokenKeyRecoveryService: " + e.toString());
|
|
|
b80204 |
+ CMS.debug(e);
|
|
|
b80204 |
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 29dbed75f1c214a065cd3bcc438d0584fd980d4f Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Fri, 2 Jun 2017 18:46:01 +0200
|
|
|
b80204 |
Subject: [PATCH 17/27] Excluded backslash from random password.
|
|
|
b80204 |
|
|
|
b80204 |
The backslash is no longer used for generating random password
|
|
|
b80204 |
since it's causing SSL handshake failure.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2676
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I2e63769b16fc3fa617b27dccb7b85f139714a411
|
|
|
b80204 |
---
|
|
|
b80204 |
base/common/python/pki/__init__.py | 7 ++++---
|
|
|
b80204 |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
|
|
|
b80204 |
index 0478b32..1a6f5c2 100644
|
|
|
b80204 |
--- a/base/common/python/pki/__init__.py
|
|
|
b80204 |
+++ b/base/common/python/pki/__init__.py
|
|
|
b80204 |
@@ -46,9 +46,10 @@ CERT_HEADER = "-----BEGIN CERTIFICATE-----"
|
|
|
b80204 |
CERT_FOOTER = "-----END CERTIFICATE-----"
|
|
|
b80204 |
|
|
|
b80204 |
# Valid punctuation characters for random password.
|
|
|
b80204 |
-# This is identical to string.punctuation minus the equal
|
|
|
b80204 |
-# sign since it's used as delimiter in password.conf.
|
|
|
b80204 |
-PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[\\]^_`{|}~'
|
|
|
b80204 |
+# This is based on string.punctuation except:
|
|
|
b80204 |
+# - equal sign since it's used as delimiter in password.conf
|
|
|
b80204 |
+# - backslash since it's causing SSL handshake failure
|
|
|
b80204 |
+PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~'
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
def read_text(message,
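Review bot: The new comment records a symptom (`causing SSL handshake failure`) rather than why a backslash is harmful, so a reader cannot tell whether other characters need the same treatment. The commit message links the bug; carrying it into the comment, `# - backslash since it breaks the SSL handshake (pagure.io/dogtagpki/issue/2676)`, and naming where the backslash gets mangled (presumably on the way into the NSS password file rather than in TLS itself) would make the exclusion auditable. Alternatively derive the constant so the exclusions are the only part written by hand: `PUNCTUATIONS = ''.join(c for c in string.punctuation if c not in '=\\')`.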
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From a614eb15476adb00df571d3ea05fdd8ea282141d Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
|
|
|
b80204 |
Date: Fri, 2 Jun 2017 15:40:52 -0700
|
|
|
b80204 |
Subject: [PATCH 18/27] Resolve #1663 Add SCP03 support .
|
|
|
b80204 |
|
|
|
b80204 |
This particular fix resolves a simple issue when formatting a token in FIPS mode for SCP03.
|
|
|
b80204 |
---
|
|
|
b80204 |
base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java | 7 ++++---
|
|
|
b80204 |
base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 4 ++++
|
|
|
b80204 |
2 files changed, 8 insertions(+), 3 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
b80204 |
index 5e5646b..3b80f27 100644
|
|
|
b80204 |
--- a/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
b80204 |
+++ b/base/tps/src/org/dogtagpki/server/tps/channel/SecureChannel.java
|
|
|
b80204 |
@@ -421,10 +421,11 @@ public class SecureChannel {
|
|
|
b80204 |
throw new TPSException(method + "Failed to calculate card cryptogram!", TPSStatus.STATUS_ERROR_SECURE_CHANNEL);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- CMS.debug(method + " dumped macSessionKey: " + new TPSBuffer(macSessionKey.getEncoded()).toHexString() );
|
|
|
b80204 |
+ if(cardCryptogram != null)
|
|
|
b80204 |
+ CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
|
|
|
b80204 |
|
|
|
b80204 |
- CMS.debug(method + " actual card cryptogram " + cardCryptogram.toHexString());
|
|
|
b80204 |
- CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
|
|
|
b80204 |
+ if(calculatedCardCryptogram != null)
|
|
|
b80204 |
+ CMS.debug(method + " calculated card cryptogram " + calculatedCardCryptogram.toHexString());
|
|
|
b80204 |
|
|
|
b80204 |
ExternalAuthenticateAPDUGP211 externalAuth = new ExternalAuthenticateAPDUGP211(hostCryptogram,
|
|
|
b80204 |
/* secLevel */secLevelGP211);
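Review bot: The two new null-guarded `CMS.debug` calls use brace-less `if` bodies on the following line, while the rest of this method (the `throw` block at the top of the hunk) uses braces; `if (cardCryptogram != null) { ... }` avoids the dangling-statement slip when a second line is added later. When `cardCryptogram` is null nothing at all is logged, so an `else CMS.debug(method + " card cryptogram is null");` branch would keep that failure mode visible. Removing the `macSessionKey.getEncoded()` dump is the right call since it wrote a session key to the log; the cryptograms that remain are, as far as SCP03 goes, challenge-response values already exchanged in the clear, and a one-line comment saying so would pre-empt the next reviewer. The enclosing method continues outside the hunk.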
|
|
|
b80204 |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
b80204 |
index 0f96915..e1a5748 100644
|
|
|
b80204 |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
b80204 |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
b80204 |
@@ -957,6 +957,10 @@ public class TPSProcessor {
|
|
|
b80204 |
kekSessionKeySCP03 = (PK11SymKey) protocol.unwrapWrappedSymKeyOnToken(token, sharedSecret,
|
|
|
b80204 |
kekSessionKeyBuff.toBytesArray(), false, SymmetricKey.AES);
|
|
|
b80204 |
|
|
|
b80204 |
+ CMS.debug(" encSessionKeySCP03 " + encSessionKeySCP03);
|
|
|
b80204 |
+ CMS.debug(" macSessionKeySCP03 " + macSessionKeySCP03);
|
|
|
b80204 |
+ CMS.debug(" kekSessionKeySCP03 " + kekSessionKeySCP03);
|
|
|
b80204 |
+
|
|
|
b80204 |
channel = new SecureChannel(this, encSessionKeySCP03, macSessionKeySCP03, kekSessionKeySCP03,
|
|
|
b80204 |
drmDesKeyBuff, kekDesKeyBuff,
|
|
|
b80204 |
keyCheckBuff, keyDiversificationData, cardChallenge,
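Review bot: The three new `CMS.debug` lines string-concatenate `PK11SymKey` objects, so whatever `PK11SymKey.toString()` happens to return lands in the debug log; the companion hunk in `SecureChannel` removes a `getEncoded()` dump of the MAC session key, which shows the intent is to keep session-key material out of the log, and that should not hinge on a JSS implementation detail. Logging presence only keeps the diagnostic value: `CMS.debug(" encSessionKeySCP03 present: " + (encSessionKeySCP03 != null));` and likewise for the MAC and KEK keys. The enclosing method starts and ends outside the hunk.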
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From af41896f083e1101b1ba62f6cc8c9be6064c6786 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 02:07:04 +0200
|
|
|
b80204 |
Subject: [PATCH 19/27] Refactored MainCLI.loadPassword() (part 1).
|
|
|
b80204 |
|
|
|
b80204 |
The method that loads password from a file in MainCLI has been
|
|
|
b80204 |
renamed into loadPassword() and modified to return early for
|
|
|
b80204 |
clarity.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2717
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I9b031c31040c2d00f04d9997abcdae38163bf6d5
|
|
|
b80204 |
---
|
|
|
b80204 |
.../src/com/netscape/cmstools/cli/MainCLI.java | 24 ++++++++++++----------
|
|
|
b80204 |
1 file changed, 13 insertions(+), 11 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
index 1b9c569..2402196 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
@@ -229,7 +229,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
options.addOption(null, "version", false, "Show version number.");
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- public String[] readPlaintextPasswordFromFile(String pwfile) throws Exception {
|
|
|
b80204 |
+ public String[] loadPassword(String pwfile) throws Exception {
|
|
|
b80204 |
String[] tokenPassword = { null, null };
|
|
|
b80204 |
BufferedReader br = null;
|
|
|
b80204 |
String delimiter = "=";
|
|
|
b80204 |
@@ -238,11 +238,16 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
br = new BufferedReader(new FileReader(pwfile));
|
|
|
b80204 |
|
|
|
b80204 |
String line = br.readLine();
|
|
|
b80204 |
- if (line != null) {
|
|
|
b80204 |
- if (line.isEmpty()) {
|
|
|
b80204 |
- throw new Exception("File '" + pwfile + "' does not define a token or a password!");
|
|
|
b80204 |
|
|
|
b80204 |
- } else if (line.contains(delimiter)) {
|
|
|
b80204 |
+ if (line == null) {
|
|
|
b80204 |
+ throw new Exception("File '" + pwfile + "' is empty!");
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (line.isEmpty()) {
|
|
|
b80204 |
+ throw new Exception("File '" + pwfile + "' does not define a token or a password!");
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (line.contains(delimiter)) {
|
|
|
b80204 |
// Process 'token=password' format:
|
|
|
b80204 |
//
|
|
|
b80204 |
// Token: tokenPassword[0]
|
|
|
b80204 |
@@ -270,10 +275,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
// Set simple 'password' (do not trim leading/trailing whitespace)
|
|
|
b80204 |
tokenPassword[1] = line;
|
|
|
b80204 |
}
|
|
|
b80204 |
- } else {
|
|
|
b80204 |
- // Case of an empty password file
|
|
|
b80204 |
- throw new Exception("File '" + pwfile + "' is empty!");
|
|
|
b80204 |
- }
|
|
|
b80204 |
+
|
|
|
b80204 |
} finally {
|
|
|
b80204 |
if (br != null) {
|
|
|
b80204 |
br.close();
|
|
|
b80204 |
@@ -397,7 +399,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
if (certPasswordFile != null) {
|
|
|
b80204 |
// read client security database password from specified file
|
|
|
b80204 |
- tokenPasswordPair = readPlaintextPasswordFromFile(certPasswordFile);
|
|
|
b80204 |
+ tokenPasswordPair = loadPassword(certPasswordFile);
|
|
|
b80204 |
// XXX TBD set client security database token
|
|
|
b80204 |
|
|
|
b80204 |
certPassword = tokenPasswordPair[1];
|
|
|
b80204 |
@@ -411,7 +413,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
if (passwordFile != null) {
|
|
|
b80204 |
// read user password from specified file
|
|
|
b80204 |
- tokenPasswordPair = readPlaintextPasswordFromFile(passwordFile);
|
|
|
b80204 |
+ tokenPasswordPair = loadPassword(passwordFile);
|
|
|
b80204 |
// XXX TBD set user token
|
|
|
b80204 |
|
|
|
b80204 |
password = tokenPasswordPair[1];
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 9741b7873005419b922ba79c61ef98ae17cb58be Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 02:03:32 +0200
|
|
|
b80204 |
Subject: [PATCH 20/27] Refactored MainCLI.loadPassword() (part 2).
|
|
|
b80204 |
|
|
|
b80204 |
The MainCLI.loadPassword() has been modified to fix the code
|
|
|
b80204 |
indentation.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2717
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I7d208f1f4568f2fb1323ab206f45af5c0338b53f
|
|
|
b80204 |
---
|
|
|
b80204 |
.../src/com/netscape/cmstools/cli/MainCLI.java | 49 +++++++++++-----------
|
|
|
b80204 |
1 file changed, 25 insertions(+), 24 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
index 2402196..2b6b173 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
@@ -247,35 +247,36 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
throw new Exception("File '" + pwfile + "' does not define a token or a password!");
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- if (line.contains(delimiter)) {
|
|
|
b80204 |
- // Process 'token=password' format:
|
|
|
b80204 |
- //
|
|
|
b80204 |
- // Token: tokenPassword[0]
|
|
|
b80204 |
- // Password: tokenPassword[1]
|
|
|
b80204 |
- //
|
|
|
b80204 |
- tokenPassword = line.split(delimiter, 2);
|
|
|
b80204 |
-
|
|
|
b80204 |
- // Always trim leading/trailing whitespace from 'token'
|
|
|
b80204 |
- tokenPassword[0] = tokenPassword[0].trim();
|
|
|
b80204 |
-
|
|
|
b80204 |
- // Check for undefined 'token'
|
|
|
b80204 |
- if (tokenPassword[0].isEmpty()) {
|
|
|
b80204 |
- // Set default 'token'
|
|
|
b80204 |
- tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- // Check for undefined 'password'
|
|
|
b80204 |
- if (tokenPassword[1].isEmpty()) {
|
|
|
b80204 |
- throw new Exception("File '" + pwfile + "' does not define a password!");
|
|
|
b80204 |
- }
|
|
|
b80204 |
- } else {
|
|
|
b80204 |
+ if (line.contains(delimiter)) {
|
|
|
b80204 |
+ // Process 'token=password' format:
|
|
|
b80204 |
+ //
|
|
|
b80204 |
+ // Token: tokenPassword[0]
|
|
|
b80204 |
+ // Password: tokenPassword[1]
|
|
|
b80204 |
+ //
|
|
|
b80204 |
+ tokenPassword = line.split(delimiter, 2);
|
|
|
b80204 |
+
|
|
|
b80204 |
+ // Always trim leading/trailing whitespace from 'token'
|
|
|
b80204 |
+ tokenPassword[0] = tokenPassword[0].trim();
|
|
|
b80204 |
+
|
|
|
b80204 |
+ // Check for undefined 'token'
|
|
|
b80204 |
+ if (tokenPassword[0].isEmpty()) {
|
|
|
b80204 |
// Set default 'token'
|
|
|
b80204 |
tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
|
|
|
b80204 |
+ }
|
|
|
b80204 |
|
|
|
b80204 |
- // Set simple 'password' (do not trim leading/trailing whitespace)
|
|
|
b80204 |
- tokenPassword[1] = line;
|
|
|
b80204 |
+ // Check for undefined 'password'
|
|
|
b80204 |
+ if (tokenPassword[1].isEmpty()) {
|
|
|
b80204 |
+ throw new Exception("File '" + pwfile + "' does not define a password!");
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
+ } else {
|
|
|
b80204 |
+ // Set default 'token'
|
|
|
b80204 |
+ tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;
|
|
|
b80204 |
+
|
|
|
b80204 |
+ // Set simple 'password' (do not trim leading/trailing whitespace)
|
|
|
b80204 |
+ tokenPassword[1] = line;
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
} finally {
|
|
|
b80204 |
if (br != null) {
|
|
|
b80204 |
br.close();
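Review bot: After the re-indent, a bare password line that itself contains `=` is still routed into the `token=password` branch by `line.contains(delimiter)`, so such a password can only be supplied as `internal=pa=ss`, and nothing on the method says so. A Javadoc on `loadPassword` should spell out the file format: first line only, either `password` or `token=password`, token trimmed and defaulted to the internal token, password taken verbatim, and `=` in a bare password unsupported (presumably the reason `generate_password` drops `=` from its alphabet elsewhere in this series). The `tokenPassword[0] = CryptoUtil.INTERNAL_TOKEN_NAME;` default is now assigned in both branches; hoisting it above the `if` removes the duplication. The enclosing method starts outside the hunk.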
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 729468e46612569da4c93b15bc0d674099003aba Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 02:28:00 +0200
|
|
|
b80204 |
Subject: [PATCH 21/27] Refactored MainCLI.loadPassword() (part 3).
|
|
|
b80204 |
|
|
|
b80204 |
The MainCLI.loadPassword() has been modified to use try-with-
|
|
|
b80204 |
resources. Some log messages have been added for clarity.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2717
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: Ic4950ba677613565f548b51d1f985177c6726510
|
|
|
b80204 |
---
|
|
|
b80204 |
.../src/com/netscape/cmstools/cli/MainCLI.java | 21 +++++++++------------
|
|
|
b80204 |
1 file changed, 9 insertions(+), 12 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
index 2b6b173..dcc60e2 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
@@ -230,12 +230,11 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
public String[] loadPassword(String pwfile) throws Exception {
|
|
|
b80204 |
+
|
|
|
b80204 |
String[] tokenPassword = { null, null };
|
|
|
b80204 |
- BufferedReader br = null;
|
|
|
b80204 |
String delimiter = "=";
|
|
|
b80204 |
|
|
|
b80204 |
- try {
|
|
|
b80204 |
- br = new BufferedReader(new FileReader(pwfile));
|
|
|
b80204 |
+ try (BufferedReader br = new BufferedReader(new FileReader(pwfile))) {
|
|
|
b80204 |
|
|
|
b80204 |
String line = br.readLine();
|
|
|
b80204 |
|
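Review bot: `loadPassword` calls `br.readLine()` exactly once and returns, so a file holding several `token=password` entries (the layout of a server-side `password.conf`) silently yields only its first line regardless of which token the CLI is about to log into, and neither the method name nor any Javadoc warns of that. A Javadoc on the signature stating that only the first line is consulted, and that token selection is the caller's job, would close the gap; the `// XXX TBD set client security database token` markers further down suggest that selection was never finished. The try-with-resources change itself is correct. The enclosing method continues outside the hunk.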
|
|
b80204 |
@@ -276,11 +275,6 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
// Set simple 'password' (do not trim leading/trailing whitespace)
|
|
|
b80204 |
tokenPassword[1] = line;
|
|
|
b80204 |
}
|
|
|
b80204 |
-
|
|
|
b80204 |
- } finally {
|
|
|
b80204 |
- if (br != null) {
|
|
|
b80204 |
- br.close();
|
|
|
b80204 |
- }
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
return tokenPassword;
|
|
|
b80204 |
@@ -399,7 +393,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
config.setCertNickname(certNickname);
|
|
|
b80204 |
|
|
|
b80204 |
if (certPasswordFile != null) {
|
|
|
b80204 |
- // read client security database password from specified file
|
|
|
b80204 |
+ if (verbose) System.out.println("Loading NSS password from " + certPasswordFile);
|
|
|
b80204 |
tokenPasswordPair = loadPassword(certPasswordFile);
|
|
|
b80204 |
// XXX TBD set client security database token
|
|
|
b80204 |
|
|
|
b80204 |
@@ -413,7 +407,7 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
config.setUsername(username);
|
|
|
b80204 |
|
|
|
b80204 |
if (passwordFile != null) {
|
|
|
b80204 |
- // read user password from specified file
|
|
|
b80204 |
+ if (verbose) System.out.println("Loading user password from " + passwordFile);
|
|
|
b80204 |
tokenPasswordPair = loadPassword(passwordFile);
|
|
|
b80204 |
// XXX TBD set user token
|
|
|
b80204 |
|
|
|
b80204 |
@@ -494,15 +488,18 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
// If password is specified, use password to access security token
|
|
|
b80204 |
if (config.getCertPassword() != null) {
|
|
|
b80204 |
- if (verbose) System.out.println("Logging into security token");
|
|
|
b80204 |
+
|
|
|
b80204 |
try {
|
|
|
b80204 |
CryptoManager manager = CryptoManager.getInstance();
|
|
|
b80204 |
|
|
|
b80204 |
String tokenName = config.getTokenName();
|
|
|
b80204 |
- CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
|
|
|
b80204 |
+ if (verbose) System.out.println("Getting " + (tokenName == null ? "internal" : tokenName) + " token");
|
|
|
b80204 |
|
|
|
b80204 |
+ CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName);
|
|
|
b80204 |
manager.setThreadToken(token);
|
|
|
b80204 |
|
|
|
b80204 |
+ if (verbose) System.out.println("Logging into " + token.getName());
|
|
|
b80204 |
+
|
|
|
b80204 |
Password password = new Password(config.getCertPassword().toCharArray());
|
|
|
b80204 |
token.login(password);
|
|
|
b80204 |
|
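Review bot: The `Password` built from `config.getCertPassword().toCharArray()` holds a private copy of the password that is never cleared after `token.login(password)`, so the chars linger on the heap until garbage collection even though the login is done; if the JSS `Password` class in use offers `clear()`, `try { token.login(password); } finally { password.clear(); }` zeroes it deterministically. The new verbose messages print only the token name, never the password, which is the right boundary. The enclosing method continues outside the hunk.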
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From d4e5176702b3a08a67233e069ac211e95e01b228 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 01:32:37 +0200
|
|
|
b80204 |
Subject: [PATCH 22/27] Refactored CLI.runExternal().
|
|
|
b80204 |
|
|
|
b80204 |
The methods for running external commands in various CLI classes
|
|
|
b80204 |
have been merged into CLI.runExternal().
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2717
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I5b6d136db699d3bb48e4f36f7f187d0240bbbf62
|
|
|
b80204 |
---
|
|
|
b80204 |
.../src/com/netscape/cmstools/cli/CLI.java | 35 ++++++++++++++++++++++
|
|
|
b80204 |
.../src/com/netscape/cmstools/cli/MainCLI.java | 10 +++----
|
|
|
b80204 |
.../cmstools/client/ClientCertImportCLI.java | 23 ++------------
|
|
|
b80204 |
.../cmstools/client/ClientCertModifyCLI.java | 35 +++++-----------------
|
|
|
b80204 |
.../cmstools/client/ClientCertRequestCLI.java | 10 +++----
|
|
|
b80204 |
.../cmstools/client/ClientCertShowCLI.java | 27 +++--------------
|
|
|
b80204 |
.../netscape/cmstools/client/ClientInitCLI.java | 25 ++++++----------
|
|
|
b80204 |
7 files changed, 65 insertions(+), 100 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
|
|
|
b80204 |
index 4911b8a..60db7a1 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CLI.java
|
|
|
b80204 |
@@ -18,6 +18,7 @@
|
|
|
b80204 |
|
|
|
b80204 |
package com.netscape.cmstools.cli;
|
|
|
b80204 |
|
|
|
b80204 |
+import java.io.IOException;
|
|
|
b80204 |
import java.util.ArrayList;
|
|
|
b80204 |
import java.util.Collection;
|
|
|
b80204 |
import java.util.LinkedHashMap;
|
|
|
b80204 |
@@ -351,4 +352,38 @@ public class CLI {
|
|
|
b80204 |
public static void setVerbose(boolean verbose) {
|
|
|
b80204 |
CLI.verbose = verbose;
|
|
|
b80204 |
}
|
|
|
b80204 |
+
|
|
|
b80204 |
+ public void runExternal(List<String> command) throws CLIException, IOException, InterruptedException {
|
|
|
b80204 |
+ String[] array = command.toArray(new String[command.size()]);
|
|
|
b80204 |
+ runExternal(array);
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ public void runExternal(String[] command) throws CLIException, IOException, InterruptedException {
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (verbose) {
|
|
|
b80204 |
+
|
|
|
b80204 |
+ System.out.print("External command:");
|
|
|
b80204 |
+
|
|
|
b80204 |
+ for (String c : command) {
|
|
|
b80204 |
+
|
|
|
b80204 |
+ boolean quote = c.contains(" ");
|
|
|
b80204 |
+
|
|
|
b80204 |
+ System.out.print(" ");
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (quote) System.out.print("\"");
|
|
|
b80204 |
+ System.out.print(c);
|
|
|
b80204 |
+ if (quote) System.out.print("\"");
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ System.out.println();
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
+ Process p = rt.exec(command);
|
|
|
b80204 |
+ int rc = p.waitFor();
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (rc != 0) {
|
|
|
b80204 |
+ throw new CLIException("External command failed. RC: " + rc, rc);
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+ }
|
|
|
b80204 |
}
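Review bot: `runExternal` never reads the child's stdout or stderr before `p.waitFor()`, so a `certutil`/`pk12util` run that writes more than the pipe buffer blocks forever — the classic `Runtime.exec` deadlock that the per-class `run` methods it replaces had as well. Using `ProcessBuilder` with `redirectErrorStream(true)` and draining the stream before waiting fixes that and lets the non-zero-exit `CLIException` carry the tool's own error text rather than just the return code (the `BufferedReader`/`InputStreamReader` imports are needed). The verbose echo prints every argv element verbatim; the array form of exec means there is no shell to inject into, but any caller that passes a password inline rather than through a file would see it printed, which deserves a comment on the method. Keep the array form — it is what stops metacharacters in nicknames or paths from being interpreted.
```java
    public void runExternal(String[] command) throws CLIException, IOException, InterruptedException {

        // … unchanged: verbose echo of the command line …

        ProcessBuilder pb = new ProcessBuilder(command);
        pb.redirectErrorStream(true);
        Process p = pb.start();

        // Drain the child's combined output before waiting: an unread pipe
        // fills up and stalls waitFor(). Keep it for the error message.
        StringBuilder output = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = reader.readLine()) != null) {
                output.append(line).append('\n');
            }
        }

        int rc = p.waitFor();

        if (rc != 0) {
            throw new CLIException("External command failed. RC: " + rc + "\n" + output, rc);
        }
    }
```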
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
index dcc60e2..51861b5 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
|
|
|
b80204 |
@@ -473,12 +473,10 @@ public class MainCLI extends CLI {
|
|
|
b80204 |
"--empty-password"
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(commands);
|
|
|
b80204 |
-
|
|
|
b80204 |
- int rc = p.waitFor();
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath() + " (rc: " + rc + ")");
|
|
|
b80204 |
+ try {
|
|
|
b80204 |
+ runExternal(commands);
|
|
|
b80204 |
+ } catch (Exception e) {
|
|
|
b80204 |
+ throw new Exception("Unable to create security database", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
}
|
|
|
b80204 |
|
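Review bot: The wrapped exception drops the database path that the replaced message carried via `certDatabase.getAbsolutePath()`, so the user now sees only `Unable to create security database` plus a chained `RC: n`; keep the path: `throw new Exception("Unable to create security database: " + certDatabase.getAbsolutePath(), e);`. The `catch (Exception e)` is also broader than the three types `runExternal` declares and would wrap an unrelated `RuntimeException` under the same message; `catch (CLIException | IOException | InterruptedException e)` keeps the wrapping honest. The enclosing method starts outside the hunk.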
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
index 9cb3e67..687dfc4 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
@@ -21,14 +21,12 @@ package com.netscape.cmstools.client;
|
|
|
b80204 |
import java.io.File;
|
|
|
b80204 |
import java.io.FileOutputStream;
|
|
|
b80204 |
import java.io.FileWriter;
|
|
|
b80204 |
-import java.io.IOException;
|
|
|
b80204 |
import java.io.PrintWriter;
|
|
|
b80204 |
import java.net.URI;
|
|
|
b80204 |
import java.util.Arrays;
|
|
|
b80204 |
|
|
|
b80204 |
import org.apache.commons.cli.CommandLine;
|
|
|
b80204 |
import org.apache.commons.cli.Option;
|
|
|
b80204 |
-import org.apache.commons.lang.StringUtils;
|
|
|
b80204 |
|
|
|
b80204 |
import com.netscape.certsrv.cert.CertClient;
|
|
|
b80204 |
import com.netscape.certsrv.cert.CertData;
|
|
|
b80204 |
@@ -283,8 +281,7 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
b80204 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to import certificate file", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
@@ -305,25 +302,9 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
b80204 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to import PKCS #12 file", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
}
|
|
|
b80204 |
-
|
|
|
b80204 |
- public void run(String[] command) throws IOException, InterruptedException {
|
|
|
b80204 |
-
|
|
|
b80204 |
- if (verbose) {
|
|
|
b80204 |
- System.out.println("Command: " + StringUtils.join(command, " "));
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(command);
|
|
|
b80204 |
- int rc = p.waitFor();
|
|
|
b80204 |
-
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- throw new IOException("Command failed. RC: " + rc);
|
|
|
b80204 |
- }
|
|
|
b80204 |
- }
|
|
|
b80204 |
}
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
|
|
|
b80204 |
index f229e67..8ae7c6d 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertModifyCLI.java
|
|
|
b80204 |
@@ -18,8 +18,6 @@
|
|
|
b80204 |
|
|
|
b80204 |
package com.netscape.cmstools.client;
|
|
|
b80204 |
|
|
|
b80204 |
-import java.io.IOException;
|
|
|
b80204 |
-
|
|
|
b80204 |
import org.apache.commons.cli.CommandLine;
|
|
|
b80204 |
import org.apache.commons.cli.Option;
|
|
|
b80204 |
|
|
|
b80204 |
@@ -75,38 +73,19 @@ public class ClientCertModifyCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
String trustAttributes = cmd.getOptionValue("trust", "u,u,u");
|
|
|
b80204 |
|
|
|
b80204 |
- int rc = modifyCert(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
- nickname,
|
|
|
b80204 |
- trustAttributes);
|
|
|
b80204 |
-
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- MainCLI.printMessage("Modified failed");
|
|
|
b80204 |
- return;
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- MainCLI.printMessage("Modified certificate \"" + nickname + "\"");
|
|
|
b80204 |
- }
|
|
|
b80204 |
-
|
|
|
b80204 |
- public int modifyCert(
|
|
|
b80204 |
- String dbPath,
|
|
|
b80204 |
- String nickname,
|
|
|
b80204 |
- String trustAttributes) throws IOException, InterruptedException {
|
|
|
b80204 |
-
|
|
|
b80204 |
String[] command = {
|
|
|
b80204 |
"/usr/bin/certutil", "-M",
|
|
|
b80204 |
- "-d", dbPath,
|
|
|
b80204 |
+ "-d", mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
"-n", nickname,
|
|
|
b80204 |
"-t", trustAttributes
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
- return run(command);
|
|
|
b80204 |
- }
|
|
|
981330 |
-
|
|
|
b80204 |
- public int run(String[] command) throws IOException, InterruptedException {
|
|
|
b80204 |
+ try {
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
+ } catch (Exception e) {
|
|
|
b80204 |
+ throw new Exception("Unable to modify certificate", e);
|
|
|
b80204 |
+ }
|
|
|
b80204 |
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(command);
|
|
|
b80204 |
- return p.waitFor();
|
|
|
b80204 |
+ MainCLI.printMessage("Modified certificate \"" + nickname + "\"");
|
|
|
b80204 |
}
|
|
|
b80204 |
}
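Review bot: A failed `certutil -M` used to print `Modified failed` and return; it now throws `new Exception("Unable to modify certificate", e)`, so the enclosing method's `throws` clause (outside the hunk) must already declare `Exception` for this to compile, and the message no longer says which certificate failed. Including the nickname, `throw new Exception("Unable to modify certificate \"" + nickname + "\"", e);`, matches the success message two lines below. `nickname` and `trustAttributes` come straight from the command line but are handed to `certutil` as separate argv entries, so no shell quoting is needed here.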
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
|
|
|
b80204 |
index 696ab8b..a14bb24 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
|
|
|
b80204 |
@@ -386,12 +386,10 @@ public class ClientCertRequestCLI extends CLI {
|
|
|
b80204 |
"-n", subjectDN
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(commands);
|
|
|
981330 |
-
|
|
|
b80204 |
- int rc = p.waitFor();
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- throw new Exception("CSR generation failed");
|
|
|
b80204 |
+ try {
|
|
|
b80204 |
+ runExternal(commands);
|
|
|
b80204 |
+ } catch (Exception e) {
|
|
|
b80204 |
+ throw new Exception("CSR generation failed", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
if (verbose) {
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
|
|
|
b80204 |
index 2242b37..bb60fbf 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertShowCLI.java
|
|
|
b80204 |
@@ -20,13 +20,11 @@ package com.netscape.cmstools.client;
|
|
|
b80204 |
|
|
|
b80204 |
import java.io.File;
|
|
|
b80204 |
import java.io.FileWriter;
|
|
|
b80204 |
-import java.io.IOException;
|
|
|
b80204 |
import java.io.PrintWriter;
|
|
|
b80204 |
|
|
|
b80204 |
import org.apache.commons.cli.CommandLine;
|
|
|
b80204 |
import org.apache.commons.cli.Option;
|
|
|
b80204 |
import org.apache.commons.lang.RandomStringUtils;
|
|
|
b80204 |
-import org.apache.commons.lang.StringUtils;
|
|
|
b80204 |
import org.mozilla.jss.crypto.X509Certificate;
|
|
|
b80204 |
|
|
|
b80204 |
import com.netscape.certsrv.client.PKIClient;
|
|
|
b80204 |
@@ -192,8 +190,7 @@ public class ClientCertShowCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
981330 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to export PKCS #12 file", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
@@ -215,8 +212,7 @@ public class ClientCertShowCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
981330 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to export certificate", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
@@ -238,8 +234,7 @@ public class ClientCertShowCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
b80204 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to export private key", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
@@ -261,23 +256,9 @@ public class ClientCertShowCLI extends CLI {
|
|
|
b80204 |
};
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- run(command);
|
|
|
b80204 |
-
|
|
|
b80204 |
+ runExternal(command);
|
|
|
b80204 |
} catch (Exception e) {
|
|
|
b80204 |
throw new Exception("Unable to export client certificate and private key", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
}
|
|
|
b80204 |
-
|
|
|
b80204 |
- public void run(String[] command) throws IOException, InterruptedException {
|
|
|
b80204 |
-
|
|
|
b80204 |
- if (verbose) System.out.println("Command: " + StringUtils.join(command, " "));
|
|
|
b80204 |
-
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(command);
|
|
|
b80204 |
- int rc = p.waitFor();
|
|
|
b80204 |
-
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- throw new IOException("Command failed. RC: " + rc);
|
|
|
b80204 |
- }
|
|
|
b80204 |
- }
|
|
|
b80204 |
}
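Review bot: The removed `run` method did two things the call sites above now depend on `runExternal` for: it printed `Command: ` plus the joined arguments when verbose, and it put the exit code in its `IOException("Command failed. RC: " + rc)`. Neither behaviour is visible for runExternal in this patch, so it is worth confirming both survive; otherwise the four export failures in this file ("Unable to export PKCS #12 file", "Unable to export certificate", "Unable to export private key", "Unable to export client certificate and private key") lose their only diagnostic about what certutil or pk12util reported. A one-line note on the `runExternal(command);` calls saying that the helper logs the command and checks the exit code would make that contract explicit.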
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
|
|
|
b80204 |
index 893b40b..7e018de 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientInitCLI.java
|
|
|
b80204 |
@@ -95,12 +95,11 @@ public class ClientInitCLI extends CLI {
|
|
|
b80204 |
File passwordFile = new File(certDatabase, "password.txt");
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
- String[] commands = {
|
|
|
b80204 |
- "/usr/bin/certutil", "-N",
|
|
|
b80204 |
- "-d", certDatabase.getAbsolutePath(),
|
|
|
b80204 |
- };
|
|
|
b80204 |
-
|
|
|
b80204 |
- List<String> list = new ArrayList<>(Arrays.asList(commands));
|
|
|
b80204 |
+ List<String> list = new ArrayList<>();
|
|
|
b80204 |
+ list.add("/usr/bin/certutil");
|
|
|
b80204 |
+ list.add("-N");
|
|
|
b80204 |
+ list.add("-d");
|
|
|
b80204 |
+ list.add(certDatabase.getAbsolutePath());
|
|
|
b80204 |
|
|
|
b80204 |
if (mainCLI.config.getCertPassword() == null) {
|
|
|
b80204 |
list.add("--empty-password");
|
|
|
b80204 |
@@ -114,16 +113,10 @@ public class ClientInitCLI extends CLI {
|
|
|
b80204 |
list.add(passwordFile.getAbsolutePath());
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- commands = new String[list.size()];
|
|
|
b80204 |
- list.toArray(commands);
|
|
|
981330 |
-
|
|
|
b80204 |
- Runtime rt = Runtime.getRuntime();
|
|
|
b80204 |
- Process p = rt.exec(commands);
|
|
|
981330 |
-
|
|
|
b80204 |
- int rc = p.waitFor();
|
|
|
b80204 |
- if (rc != 0) {
|
|
|
b80204 |
- MainCLI.printMessage("Client initialization failed");
|
|
|
b80204 |
- return;
|
|
|
b80204 |
+ try {
|
|
|
b80204 |
+ runExternal(list);
|
|
|
b80204 |
+ } catch (Exception e) {
|
|
|
b80204 |
+ throw new Exception("Client initialization failed", e);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
MainCLI.printMessage("Client initialized");
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 3ef47867df74eb9dce408b88756ccce7d7438da5 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 00:29:29 +0200
|
|
|
b80204 |
Subject: [PATCH 23/27] Fixed pki client-cert-import CLI.
|
|
|
b80204 |
|
|
|
b80204 |
The pki client-cert-import CLI has been modified to provide a
|
|
|
b80204 |
password file when invoking the certutil -A command.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2717
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: If32f9eeb39d140aaef38c9bc1933f3ae0f57a5a2
|
|
|
b80204 |
---
|
|
|
b80204 |
.../cmstools/client/ClientCertImportCLI.java | 94 +++++++++++++++-------
|
|
|
b80204 |
1 file changed, 66 insertions(+), 28 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
index 687dfc4..1c67f99 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
@@ -23,7 +23,9 @@ import java.io.FileOutputStream;
|
|
|
b80204 |
import java.io.FileWriter;
|
|
|
b80204 |
import java.io.PrintWriter;
|
|
|
b80204 |
import java.net.URI;
|
|
|
b80204 |
+import java.util.ArrayList;
|
|
|
b80204 |
import java.util.Arrays;
|
|
|
b80204 |
+import java.util.List;
|
|
|
b80204 |
|
|
|
b80204 |
import org.apache.commons.cli.CommandLine;
|
|
|
b80204 |
import org.apache.commons.cli.Option;
|
|
|
b80204 |
@@ -128,6 +130,20 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
String serialNumber = cmd.getOptionValue("serial");
|
|
|
b80204 |
String trustAttributes = cmd.getOptionValue("trust");
|
|
|
b80204 |
|
|
|
b80204 |
+ File nssdbPasswordFile = null;
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (mainCLI.config.getCertPassword() != null) {
|
|
|
b80204 |
+
|
|
|
b80204 |
+ // store NSS database password in a temporary file
|
|
|
b80204 |
+
|
|
|
b80204 |
+ nssdbPasswordFile = File.createTempFile("pki-client-cert-import-", ".nssdb-pwd");
|
|
|
b80204 |
+ nssdbPasswordFile.deleteOnExit();
|
|
|
b80204 |
+
|
|
|
b80204 |
+ try (PrintWriter out = new PrintWriter(new FileWriter(nssdbPasswordFile))) {
|
|
|
b80204 |
+ out.print(mainCLI.config.getCertPassword());
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
// load the certificate
|
|
|
b80204 |
if (certPath != null) {
|
|
|
b80204 |
|
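Review bot: `File.createTempFile("pki-client-cert-import-", ".nssdb-pwd")` creates the file with the process umask's default mode (commonly 0644) in the shared temp directory, so the NSS database password written by `out.print(mainCLI.config.getCertPassword())` can be readable by other local users for as long as the file exists, and `deleteOnExit()` only removes it on an orderly JVM shutdown. Creating the file through `java.nio.file.Files.createTempFile` with an owner-only permission attribute closes that window (this tool already assumes a POSIX host since it execs /bin/certutil, but the attribute throws UnsupportedOperationException on filesystems without POSIX permissions), and deleting the file in a `finally` after the importCert/importPKCS12 calls later in this method would not depend on exit hooks. The existing `pkcs12PasswordFile` created in the hunk at @@ -164,7 +182,7 @@ has the same default-permission issue.
```java
File nssdbPasswordFile = null;

if (mainCLI.config.getCertPassword() != null) {

    // store NSS database password in a temporary file readable only by the owner
    nssdbPasswordFile = Files.createTempFile(
            "pki-client-cert-import-", ".nssdb-pwd",
            PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------"))).toFile();
    nssdbPasswordFile.deleteOnExit();

    // … unchanged: PrintWriter write of the password …
}
```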
|
|
b80204 |
@@ -137,7 +153,8 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
trustAttributes = "u,u,u";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
+ mainCLI.certDatabase,
|
|
|
b80204 |
+ nssdbPasswordFile,
|
|
|
b80204 |
certPath,
|
|
|
b80204 |
nickname,
|
|
|
b80204 |
trustAttributes);
|
|
|
b80204 |
@@ -150,7 +167,8 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
trustAttributes = "CT,c,";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
+ mainCLI.certDatabase,
|
|
|
b80204 |
+ nssdbPasswordFile,
|
|
|
b80204 |
caCertPath,
|
|
|
b80204 |
nickname,
|
|
|
b80204 |
trustAttributes);
|
|
|
b80204 |
@@ -164,7 +182,7 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
} else if (pkcs12Password != null) {
|
|
|
b80204 |
// store password into a temporary file
|
|
|
b80204 |
- File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pwd");
|
|
|
b80204 |
+ File pkcs12PasswordFile = File.createTempFile("pki-client-cert-import-", ".pkcs12-pwd");
|
|
|
b80204 |
pkcs12PasswordFile.deleteOnExit();
|
|
|
b80204 |
|
|
|
b80204 |
try (PrintWriter out = new PrintWriter(new FileWriter(pkcs12PasswordFile))) {
|
|
|
b80204 |
@@ -182,8 +200,8 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
|
|
|
b80204 |
// import certificates and private key into PKCS #12 file
|
|
|
b80204 |
importPKCS12(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
- mainCLI.config.getCertPassword(),
|
|
|
b80204 |
+ mainCLI.certDatabase,
|
|
|
b80204 |
+ nssdbPasswordFile,
|
|
|
b80204 |
pkcs12Path,
|
|
|
b80204 |
pkcs12PasswordPath);
|
|
|
b80204 |
|
|
|
b80204 |
@@ -212,7 +230,8 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
trustAttributes = "CT,c,";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
+ mainCLI.certDatabase,
|
|
|
b80204 |
+ nssdbPasswordFile,
|
|
|
b80204 |
certFile.getAbsolutePath(),
|
|
|
b80204 |
nickname,
|
|
|
b80204 |
trustAttributes);
|
|
|
b80204 |
@@ -245,7 +264,8 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
trustAttributes = "u,u,u";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
- mainCLI.certDatabase.getAbsolutePath(),
|
|
|
b80204 |
+ mainCLI.certDatabase,
|
|
|
b80204 |
+ nssdbPasswordFile,
|
|
|
b80204 |
certFile.getAbsolutePath(),
|
|
|
b80204 |
nickname,
|
|
|
b80204 |
trustAttributes);
|
|
|
b80204 |
@@ -263,8 +283,9 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
public void importCert(
|
|
|
b80204 |
- String dbPath,
|
|
|
b80204 |
- String certPath,
|
|
|
b80204 |
+ File dbPath,
|
|
|
b80204 |
+ File dbPasswordFile,
|
|
|
b80204 |
+ String certFile,
|
|
|
b80204 |
String nickname,
|
|
|
b80204 |
String trustAttributes) throws Exception {
|
|
|
b80204 |
|
|
|
b80204 |
@@ -272,13 +293,23 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
throw new Exception("Missing certificate nickname.");
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
- String[] command = {
|
|
|
b80204 |
- "/bin/certutil", "-A",
|
|
|
b80204 |
- "-d", dbPath,
|
|
|
b80204 |
- "-i", certPath,
|
|
|
b80204 |
- "-n", nickname,
|
|
|
b80204 |
- "-t", trustAttributes
|
|
|
b80204 |
- };
|
|
|
b80204 |
+ List<String> command = new ArrayList<>();
|
|
|
b80204 |
+ command.add("/bin/certutil");
|
|
|
b80204 |
+ command.add("-A");
|
|
|
b80204 |
+ command.add("-d");
|
|
|
b80204 |
+ command.add(dbPath.getAbsolutePath());
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (dbPasswordFile != null) {
|
|
|
b80204 |
+ command.add("-f");
|
|
|
b80204 |
+ command.add(dbPasswordFile.getAbsolutePath());
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ command.add("-i");
|
|
|
b80204 |
+ command.add(certFile);
|
|
|
b80204 |
+ command.add("-n");
|
|
|
b80204 |
+ command.add(nickname);
|
|
|
b80204 |
+ command.add("-t");
|
|
|
b80204 |
+ command.add(trustAttributes);
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
runExternal(command);
|
|
|
b80204 |
@@ -288,18 +319,25 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
public void importPKCS12(
|
|
|
b80204 |
- String dbPath,
|
|
|
b80204 |
- String dbPassword,
|
|
|
b80204 |
- String pkcs12Path,
|
|
|
b80204 |
- String pkcs12PasswordPath) throws Exception {
|
|
|
b80204 |
-
|
|
|
b80204 |
- String[] command = {
|
|
|
b80204 |
- "/bin/pk12util",
|
|
|
b80204 |
- "-d", dbPath,
|
|
|
b80204 |
- "-K", dbPassword,
|
|
|
b80204 |
- "-i", pkcs12Path,
|
|
|
b80204 |
- "-w", pkcs12PasswordPath
|
|
|
b80204 |
- };
|
|
|
b80204 |
+ File dbPath,
|
|
|
b80204 |
+ File dbPasswordFile,
|
|
|
b80204 |
+ String pkcs12File,
|
|
|
b80204 |
+ String pkcs12PasswordFile) throws Exception {
|
|
|
b80204 |
+
|
|
|
b80204 |
+ List<String> command = new ArrayList<>();
|
|
|
b80204 |
+ command.add("/bin/pk12util");
|
|
|
b80204 |
+ command.add("-d");
|
|
|
b80204 |
+ command.add(dbPath.getAbsolutePath());
|
|
|
b80204 |
+
|
|
|
b80204 |
+ if (dbPasswordFile != null) {
|
|
|
b80204 |
+ command.add("-k");
|
|
|
b80204 |
+ command.add(dbPasswordFile.getAbsolutePath());
|
|
|
b80204 |
+ }
|
|
|
b80204 |
+
|
|
|
b80204 |
+ command.add("-i");
|
|
|
b80204 |
+ command.add(pkcs12File);
|
|
|
b80204 |
+ command.add("-w");
|
|
|
b80204 |
+ command.add(pkcs12PasswordFile);
|
|
|
b80204 |
|
|
|
b80204 |
try {
|
|
|
b80204 |
runExternal(command);
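Review bot: The two password-file parameters of importPKCS12 have different types — `File dbPasswordFile` is guarded by `if (dbPasswordFile != null)` while `String pkcs12PasswordFile` is appended unconditionally after `-w`, so a null from a caller would reach pk12util as the literal string "null"; either give it the same `File` type and null guard, or state in a comment on the signature that it is required. The name `dbPath` now holds a `File` for the database directory while `certFile`/`pkcs12File` are `String` paths, which reads backwards; `File certDatabase` would match the field it is called with (`mainCLI.certDatabase`). The same naming applies to importCert in the hunk at @@ -263,8 +283,9 @@. The method's catch block continues outside the hunk.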
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From 64b7b7abfed29b6a520be66414139364d713461e Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
b80204 |
Date: Sat, 3 Jun 2017 03:52:09 +0200
|
|
|
b80204 |
Subject: [PATCH 24/27] Fixed default CA cert trust flags in pki CLI.
|
|
|
b80204 |
|
|
|
b80204 |
The pki CLI has been modified to use CT,C,C as the default trust
|
|
|
b80204 |
flags for CA certificate import operations.
|
|
|
b80204 |
|
|
|
b80204 |
https://pagure.io/dogtagpki/issue/2726
|
|
|
b80204 |
|
|
|
b80204 |
Change-Id: I68c5a0303459319cc746a77703d0a420f4f68377
|
|
|
b80204 |
---
|
|
|
b80204 |
base/common/python/pki/cli/pkcs12.py | 2 +-
|
|
|
b80204 |
.../src/com/netscape/cmstools/client/ClientCertImportCLI.java | 4 ++--
|
|
|
b80204 |
.../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 1 +
|
|
|
b80204 |
3 files changed, 4 insertions(+), 3 deletions(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/common/python/pki/cli/pkcs12.py b/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
index 6b99fcf..2f8aabf 100644
|
|
|
b80204 |
--- a/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
+++ b/base/common/python/pki/cli/pkcs12.py
|
|
|
b80204 |
@@ -237,7 +237,7 @@ class PKCS12ImportCLI(pki.cli.CLI):
|
|
|
b80204 |
trust_flags = cert_info['trust_flags']
|
|
|
b80204 |
else:
|
|
|
b80204 |
# default trust flags for CA certificates
|
|
|
b80204 |
- trust_flags = 'CT,c,c'
|
|
|
b80204 |
+ trust_flags = 'CT,C,C'
|
|
|
b80204 |
|
|
|
b80204 |
if main_cli.verbose:
|
|
|
b80204 |
print('Exporting %s (%s) from PKCS #12 file' % (nickname, cert_id))
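Review bot: The comment `# default trust flags for CA certificates` above `trust_flags = 'CT,C,C'` should spell out what the new default grants, because it now marks an imported CA as trusted to issue certificates for all three usages rather than merely valid (`c`): `# default trust flags for CA certificates: trusted CA for SSL server (C) and client (T) certs, trusted CA for email and object signing`. Callers that want narrower trust must pass trust_flags explicitly, and that is worth saying in the same comment. The two Java hunks in ClientCertImportCLI.java that set `trustAttributes = "CT,C,C"` would benefit from the same one-line explanation so the three defaults stay in step.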
|
|
|
b80204 |
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
index 1c67f99..844453e 100644
|
|
|
b80204 |
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java
|
|
|
b80204 |
@@ -164,7 +164,7 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
if (verbose) System.out.println("Importing CA certificate from " + caCertPath + ".");
|
|
|
b80204 |
|
|
|
b80204 |
if (trustAttributes == null)
|
|
|
b80204 |
- trustAttributes = "CT,c,";
|
|
|
b80204 |
+ trustAttributes = "CT,C,C";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
mainCLI.certDatabase,
|
|
|
b80204 |
@@ -227,7 +227,7 @@ public class ClientCertImportCLI extends CLI {
|
|
|
b80204 |
}
|
|
|
b80204 |
|
|
|
b80204 |
if (trustAttributes == null)
|
|
|
b80204 |
- trustAttributes = "CT,c,";
|
|
|
b80204 |
+ trustAttributes = "CT,C,C";
|
|
|
b80204 |
|
|
|
b80204 |
importCert(
|
|
|
b80204 |
mainCLI.certDatabase,
|
|
|
b80204 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
b80204 |
index c9a375f..ebade36 100644
|
|
|
b80204 |
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
b80204 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
b80204 |
@@ -1113,6 +1113,7 @@ public class ConfigurationUtils {
|
|
|
b80204 |
| InternalCertificate.VALID_CA);
|
|
|
b80204 |
|
|
|
b80204 |
} else if (isAuditSigningCert(name)) {
|
|
|
b80204 |
+ // set trust flags to u,u,Pu
|
|
|
b80204 |
icert.setObjectSigningTrust(InternalCertificate.USER
|
|
|
b80204 |
| InternalCertificate.VALID_PEER
|
|
|
b80204 |
| InternalCertificate.TRUSTED_PEER);
|
|
|
b80204 |
--
|
|
|
b80204 |
1.8.3.1
|
|
|
b80204 |
|
|
|
b80204 |
|
|
|
b80204 |
From c0b2daef934a8f5ac1c61d673865348aa2a0f702 Mon Sep 17 00:00:00 2001
|
|
|
b80204 |
From: Fraser Tweedale <ftweedal@redhat.com>
|
|
|
b80204 |
Date: Thu, 25 May 2017 15:32:14 +1000
|
|
|
b80204 |
Subject: [PATCH 25/27] Improve exception message for null
|
|
|
b80204 |
AuthorityKeyIdentifier
|
|
|
b80204 |
|
|
|
b80204 |
When the Authority Key Identifier extension cannot be instantiated,
|
|
|
b80204 |
we currently fail with a generic "extension not found" error
|
|
|
b80204 |
message. Throw a better exception for this case in particular, and
|
|
|
b80204 |
improve the exception message for the general case of attempting to
|
|
|
b80204 |
add a null exception.
|
|
|
b80204 |
|
|
|
b80204 |
Fixes: https://pagure.io/dogtagpki/issue/2705
|
|
|
b80204 |
Change-Id: Ic79742d8a228391275ffe5bfeef0a324f6b431bd
|
|
|
b80204 |
---
|
|
|
b80204 |
.../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java | 4 ++++
|
|
|
b80204 |
base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java | 2 +-
|
|
|
b80204 |
2 files changed, 5 insertions(+), 1 deletion(-)
|
|
|
b80204 |
|
|
|
b80204 |
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
|
|
|
b80204 |
index 42931de..f8d8b44 100644
|
|
|
b80204 |
--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
|
|
|
b80204 |
+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java
|
|
|
b80204 |
@@ -183,6 +183,10 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault {
|
|
|
b80204 |
} catch (EBaseException e) {
|
|
|
b80204 |
throw new EProfileException(e);
|
|
|
b80204 |
}
|
|
|
b80204 |
+ if (ext == null) {
|
|
|
b80204 |
+ throw new EProfileException(
|
|
|
b80204 |
+ "Could not instantiate AuthorityKeyIdentifier extension.");
|
|
|
b80204 |
+ }
|
|
|
b80204 |
addExtension(PKIXExtensions.AuthorityKey_Id.toString(), ext, info);
|
|
|
b80204 |
}
|
|
|
b80204 |
|
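Review bot: The new `if (ext == null)` check throws "Could not instantiate AuthorityKeyIdentifier extension." without saying which extension identifier or input was involved, while the generic check in addExtension (EnrollDefault hunk below) now at least names the extension; including `PKIXExtensions.AuthorityKey_Id.toString()` in this message, which the next line already computes, keeps the two consistent. A short comment explaining why the local check exists would also help the next reader, e.g. `// fail early with a specific message; addExtension would otherwise report a generic null extension`. The code that assigns `ext` is outside the hunk.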
|
|
b80204 |
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
|
|
|
b80204 |
index 1d5bfc4..6192888 100644
|
|
|
b80204 |
--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
|
|
|
b80204 |
+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
|
|
|
b80204 |
@@ -367,7 +367,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
|
|
|
b80204 |
protected void addExtension(String name, Extension ext, X509CertInfo info)
|
|
|
b80204 |
throws EProfileException {
|
|
|
b80204 |
if (ext == null) {
|
|
|
b80204 |
- throw new EProfileException("extension not found");
|
|
|
b80204 |
+ throw new EProfileException("addExtension: extension '" + name + "' is null");
|
|
|
b80204 |
}
|
|
|
b80204 |
CertificateExtensions exts = null;
|
|
|
b80204 |
|
|
|
981330 |
--
|
|
|
981330 |
1.8.3.1
|
|
|
981330 |
|