From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001
From: John Magne <jmagne@mharmsen-rhel7.usersys.redhat.com>
Date: Fri, 19 Oct 2018 19:23:37 -0400
Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of
 pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely.

---
 .../netscape/cms/servlet/csadmin/GetStatus.java    | 48 ++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
index 1d2d0e6..338e26b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java
@@ -18,6 +18,7 @@
 package com.netscape.cms.servlet.csadmin;
 
 import java.io.IOException;
+import java.io.FileInputStream;
 import java.util.Locale;
 
 import javax.servlet.ServletConfig;
@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.base.UserInfo;
 import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cmsutil.xml.XMLObject;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.StringUtils;
 
 public class GetStatus extends CMSServlet {
 
@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet {
      *
      */
     private static final long serialVersionUID = -2852842030221659847L;
+    // File below will be a member of a pki theme package.
+    private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION";
 
     public GetStatus() {
         super();
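Review bot: `productVersionFILE` is a `static final` constant written in mixed case; the conventional name is `PRODUCT_VERSION_FILE` (the neighbouring `serialVersionUID` is a JVM-mandated exception, not a precedent). The comment above it could say what the file holds and who installs it rather than only that it "will be a member" of a package, e.g. `// Absolute path of the version/release string installed by a pki theme package; may be absent on hosts without one.` The constructor that follows starts inside the hunk but its body continues outside it.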
@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet {
             xmlObj.addItemToContainer(root, "Type", type);
             xmlObj.addItemToContainer(root, "Status", status);
             xmlObj.addItemToContainer(root, "Version", version);
+            // File below will be a member of a pki theme package.
+            String productVersion = getProductVersion(productVersionFILE);
+
+            if(!StringUtils.isEmpty(productVersion)) {
+                xmlObj.addItemToContainer(root,"ProductVersion", productVersion);
+            }
+
             byte[] cb = xmlObj.toByteArray();
 
             outputResult(httpResp, "application/xml", cb);
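Review bot: The comment `// File below will be a member of a pki theme package.` above the `getProductVersion(productVersionFILE)` call repeats the one on the constant and does not describe the call; replace it with `// ProductVersion is optional: only emitted when the theme package ships the version file.` That also records that the element is deliberately absent on hosts without the file, which is what the `!StringUtils.isEmpty(productVersion)` guard implements. Since this adds a second, more specific release string to the status response that the subject line says is meant to be read remotely, the servlet Javadoc should state that the disclosure is intended. `if(` without a space differs from the `if (` style used elsewhere in this series. The enclosing method starts and ends outside this hunk.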
@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet {
         return locale;
     }
 
+    /**
+     * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION
+     * exists.
+     *
+     * Caller only cares if there is a string or not, exceptions handled here.
+     */
+    private String getProductVersion(String versionFilePathName) {
+        String version = null;
+        FileInputStream inputStream = null;
+
+        if(StringUtils.isEmpty(versionFilePathName)) {
+            CMS.debug("Missing product version file path!");
+            return null;
+        }
+
+        try {
+            inputStream = new FileInputStream(versionFilePathName);
+            String contents = IOUtils.toString(inputStream);
+            
+            if(contents != null) {
+                CMS.debug("Returning product version: " + version);
+                version = contents.trim();
+            }
+        } catch (Exception e) {
+            CMS.debug("Failed to read product version String. " + e);
+        }
+        finally {
+            if(inputStream != null) {
+                try {
+                    inputStream.close();
+                } catch (IOException e) {
+                }
+            }
+        }
+        return version;
+    }
 }
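Review bot: The `CMS.debug("Returning product version: " + version)` call inside the `if (contents != null)` branch runs before `version` is assigned on the next line, so it always logs `null`; swap the two statements: `version = contents.trim();` followed by `CMS.debug("Returning product version: " + version);`. `IOUtils.toString(inputStream)` with no charset argument decodes with the platform default, which can differ between hosts; pass `"UTF-8"` to pin it. `catch (Exception e)` is wider than the `IOException` the two calls in the try block declare and hides programming errors, and the empty `catch (IOException e) {}` on close should at least carry a comment or a `CMS.debug` so the swallow is visibly deliberate; if the code base targets Java 7 or later, try-with-resources removes the manual finally block altogether.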
-- 
1.8.3.1


From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Fri, 14 Sep 2018 19:19:23 -0600
Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder
 overridden by CSR encoding

https://pagure.io/dogtagpki/issue/2865 coverity fixes
(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72)
---
 .../netscape/cms/profile/def/UserSubjectNameDefault.java   | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
index 636b045..459735e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault {
                      * keep the old name so that the attribute
                      * encodings are preserved. */
                     X500Name oldX500name = oldName.getX500Name();
-                    if (x500name.toString().equals(oldX500name.toString())) {
+                    if (x500name == null) {
+                        CMS.debug( method
+                            + "new Subject DN is null; "
+                            + "retaining current value."
+                        );
+                        x500name = oldX500name;
+                    } else if (x500name.toString().equals(oldX500name.toString())) {
                         CMS.debug( method
                             + "new Subject DN has same string representation "
                             + "as current value; retaining current value."
@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault {
         // to the certinfo
         CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(
                     IEnrollProfile.REQUEST_SUBJECT_NAME);
+        if (req_sbj == null) {
+            // failed to retrieve subject name
+            CMS.debug("UserSubjectNameDefault: populate req_sbj is null");
+            throw new EProfileException(CMS.getUserMessage(getLocale(request),
+                        "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));
+        }
         try {
             info.set(X509CertInfo.SUBJECT, req_sbj);
 
-- 
1.8.3.1


From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Wed, 22 Aug 2018 18:12:06 -0700
Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client

This patch provides code for ticket 2879, adding audit events for CS when
 acting as a TLS client.

For a running CS system, there are two cases when this happens:
1. When one CS subsystem is talking to another CS subsystem
    In this case: HttpClient is used
2. When a CS subsystem is talking to an ldap system
    In this case: PKISocketFactory is used

Events added are:
 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED

https://pagure.io/dogtagpki/issue/2879

Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8
(cherry picked from commit add6813cb15673d604f05173585101a6e56745ca)
---
 base/ca/shared/conf/CS.cfg                         |   4 +-
 .../event/ClientAccessSessionEstablishEvent.java   |  74 +++++++
 .../event/ClientAccessSessionTerminatedEvent.java  |  53 +++++
 base/kra/shared/conf/CS.cfg                        |   4 +-
 base/ocsp/shared/conf/CS.cfg                       |   4 +-
 .../cms/publish/publishers/OCSPPublisher.java      |   4 +
 .../dogtagpki/server/PKIClientSocketListener.java  | 230 +++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  20 ++
 .../cmscore/connector/HttpConnFactory.java         |   6 +
 .../netscape/cmscore/connector/HttpConnection.java |  42 ++++
 .../netscape/cmscore/connector/HttpConnector.java  |  10 +
 .../com/netscape/cmscore/connector/Resender.java   |   8 +-
 .../cmscore/ldapconn/PKISocketFactory.java         |   9 +-
 base/tks/shared/conf/CS.cfg                        |   4 +-
 .../src/com/netscape/cmsutil/http/HttpClient.java  |  14 ++
 .../netscape/cmsutil/http/JssSSLSocketFactory.java |   8 +
 16 files changed, 484 insertions(+), 10 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
 create mode 100644 base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 92504ff..4cef240 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit._003=##
 log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
new file mode 100644
index 0000000..f54641a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
@@ -0,0 +1,74 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ClientAccessSessionEstablishEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS";
+
+    public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE =
+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE";
+
+    public ClientAccessSessionEstablishEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static ClientAccessSessionEstablishEvent createSuccessEvent(
+            String clientHost,
+            String serverHost,
+            String serverPort,
+            String subjectID) {
+
+        ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
+                CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS);
+
+        event.setAttribute("ClientHost", clientHost);
+        event.setAttribute("ServerHost", serverHost);
+        event.setAttribute("ServerPort", serverPort);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+
+        return event;
+    }
+
+    public static ClientAccessSessionEstablishEvent createFailureEvent(
+            String clientHost,
+            String serverHost,
+            String serverPort,
+            String subjectID,
+            String info) {
+
+        ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
+                CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE);
+
+        event.setAttribute("ClientHost", clientHost);
+        event.setAttribute("ServerHost", serverHost);
+        event.setAttribute("ServerPort", serverPort);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("Info", info);
+
+        return event;
+    }
+}
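Review bot: The constants are declared `public final static`; the conventional modifier order is `public static final`, and the same applies to `CLIENT_ACCESS_SESSION_TERMINATED` in ClientAccessSessionTerminatedEvent. Neither factory method has Javadoc; a one-line summary plus `@param` entries for `clientHost`, `serverHost`, `serverPort` and `subjectID`, stating whether null is accepted (`subjectID` is presumably the client certificate subject and will be absent when no client auth happened — confirm against the callers), would help whoever emits these audit events. The four `setAttribute` calls shared by both factories could live in one private helper so the two methods differ only in `Outcome` and `Info`.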
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
new file mode 100644
index 0000000..cad0c97
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
@@ -0,0 +1,53 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String CLIENT_ACCESS_SESSION_TERMINATED =
+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED";
+
+    public ClientAccessSessionTerminatedEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static ClientAccessSessionTerminatedEvent createEvent(
+            String clientHost,
+            String serverHost,
+            String serverPort,
+            String subjectID,
+            String info) {
+
+        ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent(
+                CLIENT_ACCESS_SESSION_TERMINATED);
+
+        event.setAttribute("ClientHost", clientHost);
+        event.setAttribute("ServerHost", serverHost);
+        event.setAttribute("ServerPort", serverPort);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("Info", info);
+
+        return event;
+    }
+}
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 878e5f8..6108576 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit._003=##
 log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
 log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
index b412e5e..d2e5256 100644
--- a/base/ocsp/shared/conf/CS.cfg
+++ b/base/ocsp/shared/conf/CS.cfg
@@ -216,11 +216,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit._003=##
 log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
index 11d44b8..d15523e 100644
--- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java
@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest;
 import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.util.Utils;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+
 import netscape.ldap.LDAPConnection;
 
 /**
@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {
 
             Socket socket = null;
             JssSSLSocketFactory factory;
+            PKIClientSocketListener sockListener = new PKIClientSocketListener();
 
             if (mClientAuthEnabled) {
                 factory = new JssSSLSocketFactory(mNickname);
             } else {
                 factory = new JssSSLSocketFactory();
             }
+            factory.addSocketListener(sockListener);
 
             if (mHost != null && mHost.indexOf(' ') != -1) {
                 // support failover hosts configuration
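Review bot: `sockListener` is a local used exactly once; writing `factory.addSocketListener(new PKIClientSocketListener());` after the if/else keeps construction next to registration and drops the extra declaration above the factory selection. The new import `org.dogtagpki.server.PKIClientSocketListener` in the preceding hunk sits between the `com.netscape` group and `netscape.ldap`; the file's other `org.*` imports are not visible here, but it should join whichever third-party group the file already has rather than form its own. The enclosing method starts and ends outside this hunk.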
diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java
new file mode 100644
index 0000000..dc49908
--- /dev/null
+++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java
@@ -0,0 +1,230 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package org.dogtagpki.server;
+
+import java.lang.Integer;
+import java.net.InetAddress;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.WeakHashMap;
+
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.ssl.SSLAlertDescription;
+import org.mozilla.jss.ssl.SSLAlertEvent;
+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
+import org.mozilla.jss.ssl.SSLSecurityStatus;
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.logging.SignedAuditEvent;
+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
+import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent;
+import com.netscape.cms.logging.SignedAuditLogger;
+import com.netscape.certsrv.apps.CMS;
+
+public class PKIClientSocketListener implements SSLSocketListener {
+
+    private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class);
+    private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
+
+    /**
+     * The socketInfos map is a storage for socket information that may not be available
+     * after the socket has been closed such as client IP address and subject ID. The
+     * WeakHashMap is used here to allow the map key (i.e. the socket object) to be
+     * garbage-collected since there is no guarantee that socket will be closed with an
+     * SSL alert for a proper map entry removal.
+     */
+    Map<SSLSocket,Map<String,Object>> socketInfos = new WeakHashMap<>();
+
+    @Override
+    public void alertReceived(SSLAlertEvent event) {
+        String method = "PKIClientSocketListener.alertReceived: ";
+CMS.debug(method + "begins");
+        try {
+            SSLSocket socket = event.getSocket();
+
+            InetAddress serverAddress = socket.getInetAddress();
+            InetAddress clientAddress = socket.getLocalAddress();
+            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+            String serverPort = Integer.toString(socket.getPort());
+
+            SSLSecurityStatus status = socket.getStatus();
+/*
+            X509Certificate peerCertificate = status.getPeerCertificate();
+            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+            String subjectID = subjectDN == null ? "" : subjectDN.toString();
+*/
+String subjectID = "SYSTEM";
+
+            int description = event.getDescription();
+            String reason = SSLAlertDescription.valueOf(description).toString();
+
+            logger.debug("SSL alert received:");
+            logger.debug(" - reason: " + reason);
+            logger.debug(" - client: " + clientIP);
+            logger.debug(" - server: " + serverIP);
+            logger.debug(" - subject: " + subjectID);
+
+
+            signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent(
+                    clientIP,
+                    serverIP,
+                    serverPort,
+                    subjectID,
+                    reason));
+
+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");
+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason);
+
+        } catch (Exception e) {
+            logger.error(e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public void alertSent(SSLAlertEvent event) {
+        String method = "PKIClientSocketListener.alertSent: ";
+CMS.debug(method + "begins");
+        try {
+            SSLSocket socket = event.getSocket();
+
+            int description = event.getDescription();
+CMS.debug(method + "got description:"+ description);
+            String reason = SSLAlertDescription.valueOf(description).toString();
+CMS.debug(method + "got reason:"+ reason);
+
+            SignedAuditEvent auditEvent;
+            String clientIP;
+            String serverIP;
+            String serverPort;
+            String subjectID;
+
+            if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
+
+                // get socket info from socketInfos map since socket has been closed
+                Map<String,Object> info = socketInfos.get(socket);
+                clientIP = (String)info.get("clientIP");
+                serverIP = (String)info.get("serverIP");
+                serverPort = (String)info.get("serverPort");
+                subjectID = (String)info.get("subjectID");
+
+                auditEvent = ClientAccessSessionTerminatedEvent.createEvent(
+                        clientIP,
+                        serverIP,
+                        serverPort,
+                        subjectID,
+                        reason);
+
+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");
+	CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason);
+
+            } else {
+
+                // get socket info from the socket itself
+                InetAddress serverAddress = socket.getInetAddress();
+                InetAddress clientAddress = socket.getLocalAddress();
+
+                clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+                serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+                serverPort = Integer.toString(socket.getPort());
+
+                SSLSecurityStatus status = socket.getStatus();
+/*
+                X509Certificate peerCertificate = status.getPeerCertificate();
+                Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+                subjectID = subjectDN == null ? "" : subjectDN.toString();
+*/
+subjectID = "SYSTEM";
+
+                auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
+                        clientIP,
+                        serverIP,
+                        serverPort,
+                        subjectID,
+                        reason);
+
+            }
+
+            logger.debug("SSL alert sent:");
+            logger.debug(" - reason: " + reason);
+            logger.debug(" - client: " + clientIP);
+            logger.debug(" - server: " + serverIP);
+            logger.debug(" - subject: " + subjectID);
+
+            signedAuditLogger.log(auditEvent);
+
+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE");
+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason);
+
+        } catch (Exception e) {
+            logger.error(e.getMessage(), e);
+        }
+    }
+
+    @Override
+    public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
+        String method = "PKIClientSocketListener.handshakeCompleted: ";
+CMS.debug(method + "begins");
+        try {
+            SSLSocket socket = event.getSocket();
+
+            InetAddress serverAddress = socket.getInetAddress();
+            InetAddress clientAddress = socket.getLocalAddress();
+            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+            String serverPort = Integer.toString(socket.getPort());
+
+            SSLSecurityStatus status = socket.getStatus();
+/*
+            X509Certificate peerCertificate = status.getPeerCertificate();
+            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+            String subjectID = subjectDN == null ? "" : subjectDN.toString();
+*/
+String subjectID = "SYSTEM";
+
+            logger.debug("Handshake completed:");
+            logger.debug(" - client: " + clientIP);
+            logger.debug(" - server: " + serverIP);
+            logger.debug(" - subject: " + subjectID);
+
+            // store socket info in socketInfos map
+            Map<String,Object> info = new HashMap<>();
+            info.put("clientIP", clientIP);
+            info.put("serverIP", serverIP);
+            info.put("serverPort", serverPort);
+            info.put("subjectID", subjectID);
+            socketInfos.put(socket, info);
+
+            signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent(
+                    clientIP,
+                    serverIP,
+                    serverPort,
+                    subjectID));
+
+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS");
+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort);
+
+        } catch (Exception e) {
+            logger.error(e.getMessage(), e);
+        }
+    }
+}
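Review bot: In alertSent's CLOSE_NOTIFY branch `socketInfos.get(socket)` returns null for any socket that never went through handshakeCompleted (the only place an entry is stored), so `info.get("clientIP")` throws a NullPointerException that the catch turns into an error log and the CLIENT_ACCESS_SESSION_TERMINATED audit record is never written; when info is null, fall back to the socket-derived values the else branch already uses, as sketched below. The peer-certificate lookup is commented out in all three callbacks and subjectID is hard-coded to "SYSTEM", so the SubjectID field of every client-session audit event is a constant; if that is intentional, a comment on the field saying so would stop readers of the audit trail from taking it for the authenticated peer. socketInfos is an unsynchronized WeakHashMap while one listener instance is shared by every socket a factory creates (and, in PKISocketFactory, by all LDAP sockets), so concurrent handshakes and close alerts presumably race on it; `Map<SSLSocket,Map<String,Object>> socketInfos = Collections.synchronizedMap(new WeakHashMap<>());` (with java.util.Collections imported) would remove that. The column-0 `CMS.debug` lines and the unused imports (X509Certificate, Principal, java.lang.Integer) read as debugging leftovers.
```java
                // get socket info from socketInfos map since socket has been closed
                Map<String,Object> info = socketInfos.get(socket);
                if (info == null) {
                    // no handshakeCompleted was seen for this socket; use what the
                    // socket itself still reports rather than losing the audit event
                    InetAddress serverAddress = socket.getInetAddress();
                    InetAddress clientAddress = socket.getLocalAddress();
                    clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
                    serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
                    serverPort = Integer.toString(socket.getPort());
                    subjectID = "SYSTEM";
                } else {
                    clientIP = (String)info.get("clientIP");
                    serverIP = (String)info.get("serverIP");
                    serverPort = (String)info.get("serverPort");
                    subjectID = (String)info.get("subjectID");
                }
                // … unchanged: ClientAccessSessionTerminatedEvent.createEvent(...) and debug output …
```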
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index d534506..a8a8deb 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 <type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
 
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
+# access session failed to establish when Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
+# - used when access session was established successfully when
+#   Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED
+# - used when access session was terminated when Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
+<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
+
 
 ###########################
 #Unselectable signedAudit Events
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
index 47f5e61..e4f92b4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java
@@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.net.ISocketFactory;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+
 /**
  * Factory for getting HTTP Connections to a HTTPO server
  */
@@ -127,6 +129,10 @@ public class HttpConnFactory {
 
         try {
             ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);
+            PKIClientSocketListener sockListener = new PKIClientSocketListener()
+;
+            JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory;
+            factory.addSocketListener(sockListener);
 
             if (mTimeout == 0) {
                 retConn = CMS.getHttpConnection(mDest, tFactory);
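Review bot: The added declaration is split so that its `;` sits alone on the following line (`new PKIClientSocketListener()` / `;`); join it to `PKIClientSocketListener sockListener = new PKIClientSocketListener();`. The cast two lines later is unnecessary because tFactory is created immediately above as a JssSSLSocketFactory; declaring it as `JssSSLSocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);` lets you call `tFactory.addSocketListener(sockListener);` directly, and it still passes to the ISocketFactory parameter of getHttpConnection. The same assign-then-cast pattern appears in both HttpConnector hunks, where `mFactory` is cast back to JssSSLSocketFactory right after being assigned one. The enclosing method continues outside the hunk.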
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java
index fbd3268..649fa80 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java
@@ -18,7 +18,10 @@
 package com.netscape.cmscore.connector;
 
 import java.io.IOException;
+import java.lang.Integer;
 import java.net.InetSocketAddress;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -28,14 +31,24 @@ import com.netscape.certsrv.connector.IHttpConnection;
 import com.netscape.certsrv.connector.IPKIMessage;
 import com.netscape.certsrv.connector.IRemoteAuthority;
 import com.netscape.certsrv.connector.IRequestEncoder;
+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+import com.netscape.cms.logging.SignedAuditLogger;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.http.HttpClient;
 import com.netscape.cmsutil.http.HttpRequest;
 import com.netscape.cmsutil.http.HttpResponse;
 import com.netscape.cmsutil.net.ISocketFactory;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 public class HttpConnection implements IHttpConnection {
 
+    private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class);
+    private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
+
     protected IRemoteAuthority mDest = null;
     protected HttpRequest mHttpreq = new HttpRequest();
     protected IRequestEncoder mReqEncoder = null;
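Review bot: The logger added at the top of HttpConnection is obtained for `PKIClientSocketListener.class` rather than this class, so anything it logs is attributed to the listener; change it to `private static Logger logger = LoggerFactory.getLogger(HttpConnection.class);`. In the hunks visible here `logger` is never referenced (the new audit paths use signedAuditLogger and CMS.debug), so if that holds for the rest of the file the field and the two slf4j imports can be dropped instead.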
@@ -43,12 +56,18 @@ public class HttpConnection implements IHttpConnection {
 
     int timeout = 0;
     List<InetSocketAddress> targets;
+    String localIP = "localhost";
 
     public HttpConnection(IRemoteAuthority dest, ISocketFactory factory,
             int timeout // seconds
             ) {
 
         CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout);
+        try {
+            localIP = InetAddress.getLocalHost().getHostAddress();
+        } catch (UnknownHostException e) {
+            // default to "localhost";
+        }
 
         mDest = dest;
         mReqEncoder = new HttpRequestEncoder();
@@ -118,6 +137,7 @@ public class HttpConnection implements IHttpConnection {
     void connect() throws IOException {
 
         IOException exception = null;
+        SignedAuditEvent auditEvent;
 
         // try all targets
         for (InetSocketAddress target : targets) {
@@ -136,6 +156,14 @@ public class HttpConnection implements IHttpConnection {
             } catch (IOException e) {
                 exception = e;
                 CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e);
+                auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
+                        localIP,
+                        hostname,
+                        Integer.toString(port),
+                        "SYSTEM",
+                        "connect:" +e.toString());
+                signedAuditLogger.log(auditEvent);
+
                 // try the next target immediately
             }
         }
@@ -229,6 +257,13 @@ public class HttpConnection implements IHttpConnection {
 
         HttpResponse resp = null;
         boolean reconnected = false;
+        SignedAuditEvent auditEvent;
+        String localIP = "localhost";
+        try {
+            localIP = InetAddress.getLocalHost().getHostAddress();
+        } catch (UnknownHostException e) {
+            // default to "localhost";
+        }
 
         if (getRequestURI() == null) {
             throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest"));
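Review bot: The `localIP` local declared here shadows the field of the same name that the constructor hunk already resolves, and it repeats the `InetAddress.getLocalHost()` lookup on every call of this method; removing these seven lines and using the field keeps one source of truth. In both places the UnknownHostException is swallowed with only a comment, so the audit record reports `localhost` as the client address with no trace of why; at minimum `CMS.debug("HttpConnection: unable to resolve local host: " + e);` in the catch would make the substitution visible. The enclosing method starts and ends outside the hunk.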
@@ -266,6 +301,13 @@ public class HttpConnection implements IHttpConnection {
                 resp = mHttpClient.send(mHttpreq);
 
             } catch (IOException e) {
+                auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
+                        localIP,
+                        mHttpClient.getHost(),
+                        mHttpClient.getPort(),
+                        "SYSTEM",
+                        "send:" +e.toString());
+                signedAuditLogger.log(auditEvent);
 
                 CMS.debug(e);
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
index 398becc..0588bf4 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java
@@ -35,6 +35,8 @@ import com.netscape.cmsutil.http.HttpResponse;
 import com.netscape.cmsutil.http.JssSSLSocketFactory;
 import com.netscape.cmsutil.net.ISocketFactory;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+
 public class HttpConnector implements IConnector {
     protected IAuthority mSource = null;
     protected IRemoteAuthority mDest = null;
@@ -55,8 +57,12 @@ public class HttpConnector implements IConnector {
         mTimeout = 0;
         mSource = source;
         mDest = dest;
+        PKIClientSocketListener sockListener = new PKIClientSocketListener();
         mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
 
+        JssSSLSocketFactory factory = (JssSSLSocketFactory)mFactory;
+        factory.addSocketListener(sockListener);
+
         int minConns = config.getInteger("minHttpConns", 1);
         int maxConns = config.getInteger("maxHttpConns", 15);
 
@@ -82,8 +88,12 @@ public class HttpConnector implements IConnector {
         mSource = source;
         mDest = dest;
         mTimeout = timeout;
+        PKIClientSocketListener sockListener = new PKIClientSocketListener();
         mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
 
+        JssSSLSocketFactory factory = (JssSSLSocketFactory) mFactory;
+        factory.addSocketListener(sockListener);
+
         int minConns = config.getInteger("minHttpConns", 1);
         int maxConns = config.getInteger("maxHttpConns", 15);
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
index e6d9ced..cc73077 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
@@ -39,6 +39,8 @@ import com.netscape.certsrv.request.RequestStatus;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.http.JssSSLSocketFactory;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+
 /**
  * Resend requests at intervals to the server to check if it's been completed.
  * Default interval is 5 minutes.
@@ -127,7 +129,11 @@ public class Resender implements IResender {
 
         if (! connected) {
             CMS.debug("Connecting ...");
-            mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers));
+            PKIClientSocketListener sockListener = new PKIClientSocketListener();
+            JssSSLSocketFactory factory = new JssSSLSocketFactory(mNickName, mClientCiphers);
+            factory.addSocketListener(sockListener);
+
+            mConn = new HttpConnection(mDest, factory);
             initRequests();
             connected = true;
         }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index d0c23ed..e9f28c9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -35,6 +35,8 @@ import com.netscape.certsrv.base.IConfigStore;
 import netscape.ldap.LDAPException;
 import netscape.ldap.LDAPSSLSocketFactoryExt;
 
+import org.dogtagpki.server.PKIClientSocketListener;
+
 /**
  * Uses HCL ssl socket.
  *
@@ -46,6 +48,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     private String mClientAuthCertNickname;
     private boolean mClientAuth;
     private boolean keepAlive;
+    PKIClientSocketListener sockListener = null;
 
     public PKISocketFactory() {
         init();
@@ -67,6 +70,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
             IConfigStore cs = CMS.getConfigStore();
             keepAlive = cs.getBoolean("tcp.keepAlive", true);
             CMS.debug("TCP Keep-Alive: " + keepAlive);
+            sockListener = new PKIClientSocketListener();
 
         } catch (Exception e) {
             CMS.debug(e);
@@ -75,6 +79,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     }
 
     public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException {
+        String method = "ldapconn/PKISocketFactory.makeSSLSocket: ";
+        CMS.debug(method + "begins");
 
         /*
          * let inherit TLS range and cipher settings
@@ -100,6 +106,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
         s.setUseClientMode(true);
         s.enableV2CompatibleHello(false);
 
+        s.addSocketListener(sockListener);
+
         SSLHandshakeCompletedListener listener = null;
 
         listener = new ClientHandshakeCB(this);
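Review bot: `s.addSocketListener(sockListener)` is called unconditionally, but the field is only assigned at the end of the try block in the earlier hunk (presumably init()), after the config-store lookups; if those throw first, sockListener stays null and null is registered on every socket this factory makes. JssSSLSocketFactory guards the same call with `if (this.sockListener != null)`; do the same here, or initialise the field directly (`PKIClientSocketListener sockListener = new PKIClientSocketListener();`) since its constructor does not depend on the config. makeSSLSocket continues outside the hunk.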
@@ -119,7 +127,6 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
     }
 
     public Socket makeSocket(String host, int port) throws LDAPException {
-
         Socket s = null;
 
         try {
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
index e9bf03e..60a3355 100644
--- a/base/tks/shared/conf/CS.cfg
+++ b/base/tks/shared/conf/CS.cfg
@@ -208,11 +208,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit._003=##
 log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java
index db042a7..2204e19 100644
--- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java
+++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java
@@ -46,6 +46,9 @@ public class HttpClient {
     protected BufferedReader mBufferedReader = null;
     protected SSLCertificateApprovalCallback mCertApprovalCallback = null;
     protected boolean mConnected = false;
+    // for auditing purposes
+    protected String mHost;
+    protected String mPort;
 
     public HttpClient() {
     }
@@ -63,6 +66,9 @@ public class HttpClient {
             int timeout // milliseconds
             ) throws IOException {
 
+        mHost = host;
+        mPort = Integer.toString(port);
+
         if (mFactory != null) {
             if (mCertApprovalCallback == null) {
                 mSocket = mFactory.makeSocket(host, port, timeout);
@@ -149,6 +155,14 @@ public class HttpClient {
         return mSocket;
     }
 
+    public String getHost() {
+        return mHost;
+    }
+
+    public String getPort() {
+        return mPort;
+    }
+
     /**
      * unit test
      */
diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
index eaed821..0d176ad 100644
--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
@@ -27,6 +27,7 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
 import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
 import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
 import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketListener;
 
 import com.netscape.cmsutil.net.ISocketFactory;
 import com.netscape.cmsutil.crypto.CryptoUtil;
@@ -40,6 +41,7 @@ public class JssSSLSocketFactory implements ISocketFactory {
     private String mClientAuthCertNickname = null;
     private String mClientCiphers = null;
     private SSLSocket s = null;
+    private SSLSocketListener sockListener = null;
 
     public JssSSLSocketFactory() {
     }
@@ -83,6 +85,8 @@ public class JssSSLSocketFactory implements ISocketFactory {
 
             listener = new ClientHandshakeCB(this);
             s.addHandshakeCompletedListener(listener);
+            if (this.sockListener != null)
+                s.addSocketListener(this.sockListener);
 
             if (mClientAuthCertNickname != null) {
                 // 052799 setClientCertNickname does not
@@ -131,6 +135,10 @@ public class JssSSLSocketFactory implements ISocketFactory {
         return s;
     }
 
+    public void addSocketListener(SSLSocketListener sl) {
+        this.sockListener = sl;
+    }
+
     public void log(int level, String msg) {
     }
 
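Review bot: `addSocketListener` stores a single reference, so a second call silently replaces the first listener instead of adding one, which the name does not suggest; either rename it `setSocketListener` or keep a `List<SSLSocketListener>` and register each entry where the null-guarded `s.addSocketListener(this.sockListener)` call is made in the earlier hunk. A short Javadoc on the method stating that only one listener is retained and that it is attached only to sockets created after the call would make the contract explicit for callers.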
-- 
1.8.3.1


From 44030bf381dc868e64c0e80d112bce72a626e8fb Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Fri, 31 Aug 2018 08:52:22 -0700
Subject: [PATCH 09/19] Ticket2960 add SHA384 ciphers and cleanup profiles

Note: this is a 2nd attempt as the first attempt was reverted due to
"breakage" of post-checkin-enablement of the IPA CI, which is
speculated to have used a server cert as a client cert which violated
one of the very essence of the "profile cleanup" part of the original
patch;  As a compromise, the clientAuth bit was added back to all
non-CMC *server* profiles so the patch will pass the IPA CI.
The revised patch has been adequately tested in addition to passing
the IPA CI.

This patch adds SHA384 ciphers to the cipher lists (RSA & EC)

CryptoUtil.java contains changes to clientECCiphers:
 - RSA ciphers comemented out
 - SHA384 ciphers are added but RSA ones commented out

Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed.

In addition, a few cleanups are done:
- all MD2, MD5 from allowed signing key algs from profiles
- server profiles:
  * removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles
  * fixed a couple KU's (RSA vs EC) that had true/false flipped
- caCMCkraStorageCert.cfg
  * removed EKU (funny it had clientAuth)
- caCMCkraTransportCert.cfg
  * removed EKU (funny it had clientAuth)
- base/ca/shared/conf/eccServerCert.profile
  * added the missing CommonNameToSANDefault

Tested with the following:
- installation of an RSA CA and a KRA (strip down to only SHA384 ciphers)
  * performed successful agent access
  * tested key archival
- installation of an EC CA (strip down to only SHA384 ciphers)
  * performed successful agent access
  * tested an agent-signed CMC request and submitted/issued successfully
    using HttpClient

The above tests showed:
- The SHA384 ciphers work out of box
- The TLS server and client profiles changes did not break any TLS connections.
- The KRA storage and transport profile changes did not break anything.

fixes https://pagure.io/dogtagpki/issue/2960

Change-Id: Ia41dfbcec972cb18752b50056f29edf61cb3ce61
(cherry picked from commit 97e290663f29d5b2c5afab18e4a7c90af05c874c)
---
 base/ca/shared/conf/CS.cfg                                   |  2 +-
 base/ca/shared/conf/eccAdminCert.profile                     |  2 +-
 base/ca/shared/conf/eccServerCert.profile                    |  4 +++-
 base/ca/shared/conf/rsaAdminCert.profile                     |  2 +-
 base/ca/shared/profiles/ca/AdminCert.cfg                     |  6 +++---
 base/ca/shared/profiles/ca/ECAdminCert.cfg                   |  4 ++--
 base/ca/shared/profiles/ca/caAdminCert.cfg                   |  4 ++--
 base/ca/shared/profiles/ca/caAgentFileSigning.cfg            |  2 +-
 base/ca/shared/profiles/ca/caCMCECUserCert.cfg               |  4 ++--
 base/ca/shared/profiles/ca/caCMCECserverCert.cfg             |  2 +-
 base/ca/shared/profiles/ca/caCMCUserCert.cfg                 |  4 ++--
 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg           |  8 +-------
 base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg         |  8 +-------
 base/ca/shared/profiles/ca/caCMCserverCert.cfg               |  2 +-
 base/ca/shared/profiles/ca/caCrossSignedCACert.cfg           |  2 +-
 base/ca/shared/profiles/ca/caDirBasedDualCert.cfg            |  8 ++++----
 base/ca/shared/profiles/ca/caDirPinUserCert.cfg              |  2 +-
 base/ca/shared/profiles/ca/caDirUserCert.cfg                 |  2 +-
 base/ca/shared/profiles/ca/caDualCert.cfg                    |  6 +++---
 base/ca/shared/profiles/ca/caDualRAuserCert.cfg              |  2 +-
 base/ca/shared/profiles/ca/caECAdminCert.cfg                 |  4 ++--
 base/ca/shared/profiles/ca/caECDirPinUserCert.cfg            |  4 ++--
 base/ca/shared/profiles/ca/caECDirUserCert.cfg               |  4 ++--
 base/ca/shared/profiles/ca/caECDualCert.cfg                  |  3 +--
 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg     |  4 ++--
 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg           |  4 ++--
 base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg     |  4 ++--
 base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg    |  2 +-
 base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg         |  4 ++--
 base/ca/shared/profiles/ca/caECUserCert.cfg                  |  4 ++--
 base/ca/shared/profiles/ca/caEncUserCert.cfg                 |  2 +-
 base/ca/shared/profiles/ca/caIPAserviceCert.cfg              |  2 +-
 base/ca/shared/profiles/ca/caInstallCACert.cfg               |  2 +-
 base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg  |  2 +-
 base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg        |  2 +-
 base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg      |  2 +-
 base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg   |  2 +-
 base/ca/shared/profiles/ca/caJarSigningCert.cfg              |  2 +-
 base/ca/shared/profiles/ca/caOtherCert.cfg                   |  2 +-
 base/ca/shared/profiles/ca/caRACert.cfg                      |  2 +-
 base/ca/shared/profiles/ca/caRARouterCert.cfg                |  2 +-
 base/ca/shared/profiles/ca/caRAagentCert.cfg                 |  2 +-
 base/ca/shared/profiles/ca/caRAserverCert.cfg                | 12 ++++++++----
 base/ca/shared/profiles/ca/caRouterCert.cfg                  |  2 +-
 base/ca/shared/profiles/ca/caSigningUserCert.cfg             |  2 +-
 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg           |  4 ++--
 base/ca/shared/profiles/ca/caStorageCert.cfg                 | 10 ++--------
 base/ca/shared/profiles/ca/caTPSCert.cfg                     |  2 +-
 base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg              |  2 +-
 base/ca/shared/profiles/ca/caUserCert.cfg                    |  2 +-
 base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg            |  2 +-
 .../netscape/cms/profile/common/CACertCAEnrollProfile.java   |  2 +-
 .../src/com/netscape/cms/profile/def/SigningAlgDefault.java  |  2 +-
 base/server/python/pki/server/deployment/pkiparser.py        | 10 ++++++++--
 base/server/share/conf/ciphers.info                          |  4 ++--
 base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java    | 12 ++++++++++--
 56 files changed, 103 insertions(+), 102 deletions(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 6b39b0a..4cef240 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
 ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
 ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
 ca.ocsp_signing.tokenname=internal
-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
 ca.publish.createOwnDNEntry=false
 ca.publish.queue.enable=true
 ca.publish.queue.maxNumberOfThreads=3
diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
index 46d157a..219944a 100644
--- a/base/ca/shared/conf/eccAdminCert.profile
+++ b/base/ca/shared/conf/eccAdminCert.profile
@@ -26,7 +26,7 @@ list=2,4,5,6,7
 6.default.params.keyUsageCritical=true
 6.default.params.keyUsageDigitalSignature=true
 6.default.params.keyUsageNonRepudiation=true
-6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageDataEncipherment=false
 6.default.params.keyUsageKeyEncipherment=false
 6.default.params.keyUsageKeyAgreement=true
 6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
index 8c679f7..d990e77 100644
--- a/base/ca/shared/conf/eccServerCert.profile
+++ b/base/ca/shared/conf/eccServerCert.profile
@@ -6,7 +6,7 @@ name=All Purpose SSL server cert with ECC keys Profile
 description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
 profileIDMapping=caECServerCert
 profileSetIDMapping=serverCertSet
-list=2,4,5,6,7
+list=2,4,5,6,7,8
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
 2.default.name=Validity Default
 2.default.params.range=720
@@ -37,3 +37,5 @@ list=2,4,5,6,7
 7.default.name=Extended Key Usage Extension Default
 7.default.params.exKeyUsageCritical=false
 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
+8.default.name=copy CN to SAN Default
diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
index 5e84d74..7b3668c 100644
--- a/base/ca/shared/conf/rsaAdminCert.profile
+++ b/base/ca/shared/conf/rsaAdminCert.profile
@@ -26,7 +26,7 @@ list=2,4,5,6,7
 6.default.params.keyUsageCritical=true
 6.default.params.keyUsageDigitalSignature=true
 6.default.params.keyUsageNonRepudiation=true
-6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageDataEncipherment=false
 6.default.params.keyUsageKeyEncipherment=true
 6.default.params.keyUsageKeyAgreement=false
 6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
index 7879614..18cbc2f 100644
--- a/base/ca/shared/profiles/ca/AdminCert.cfg
+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
@@ -80,7 +80,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
 policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.adminCertSet.8.constraint.name=No Constraint
-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.adminCertSet.8.default.name=Signing Alg
 policyset.adminCertSet.8.default.params.signingAlg=-
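Review bot: The new signingAlgsAllowed line drops MD5withRSA and MD2withRSA but still lists SHA1withRSA, SHA1withDSA and SHA1withEC, while the CS.cfg default list changed in this same patch (`ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`) and the CMC profiles' constraint lines contain no SHA-1 algorithm at all. SHA-1 has been disallowed for certificate signature generation for years, so for a CC-oriented cleanup the same inconsistency is worth a follow-up: align the profile constraints with the CMC profiles, e.g. `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`. The same SHA-1 entries remain in the corresponding hunks of caAgentFileSigning.cfg, caCrossSignedCACert.cfg, caDirBasedDualCert.cfg, caDirPinUserCert.cfg, caDirUserCert.cfg, caDualCert.cfg and caDualRAuserCert.cfg. If SHA-1 is deliberately kept for legacy interoperability, a one-line comment in the profile saying so would stop the next cleanup from re-raising it.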
diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
index e00022e..38562a6 100644
--- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
index 86a3b11..6598677 100644
--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
index 5608373..cc65afc 100644
--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
+++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg
@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
index b7b4881..226c05c 100644
--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
index 53b0c4d..68c59fb 100644
--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index df47758..657b98e 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
index 1c2630d..908f584 100644
--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=drmStorageCertSet
-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
 policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
 policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
@@ -71,12 +71,6 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
 policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
index 3d00408..628253d 100644
--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=transportCertSet
-policyset.transportCertSet.list=1,2,3,4,5,6,7,8
+policyset.transportCertSet.list=1,2,3,4,5,6,8
 policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.transportCertSet.1.constraint.name=Subject Name Constraint
 policyset.transportCertSet.1.constraint.params.pattern=CN=.*
@@ -71,12 +71,6 @@ policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.transportCertSet.6.default.params.keyUsageCrlSign=false
 policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl
-policyset.transportCertSet.7.constraint.name=No Constraint
-policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
-policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.transportCertSet.8.constraint.name=No Constraint
 policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
index 9ad9fac..628fc50 100644
--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
index 8fafbdf..efc35a3 100644
--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg
@@ -76,7 +76,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
index 3f34684..ac761c9 100644
--- a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg
@@ -1,6 +1,6 @@
 desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later.
 visible=true
-enable=true
+enable=false
 enableBy=admin
 name=Directory-authenticated User Signing & Encryption Certificates Enrollment
 auth.instance_id=UserDirEnrollment
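Review bot: `enable=true` changes to `enable=false`, which disables the directory-authenticated dual-certificate enrollment profile, but neither the commit message's cleanup list nor this file explains why. Every other profile change in the patch is a KU/EKU or signing-algorithm adjustment, so this looks like a separate functional change that should either be called out in the commit message or carried in a comment on the line, e.g. `# disabled: <reason, e.g. profile not part of the evaluated configuration>`. If the disable was unintentional (a leftover from testing), the line should revert to `enable=true`.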
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
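Review bot: The two new signingCertSet lists omit SHA384withRSA, while the encryptionCertSet constraint in this same file (`...SHA256withRSA,SHA384withRSA,SHA512withRSA,...`), the signingCertSet lines in caDualCert.cfg, and the CS.cfg default list this patch extends all include it. Since the patch's stated purpose is to enable SHA384withRSA, a CA whose default signing algorithm is SHA384withRSA would still be rejected by this profile's signing-cert policy set. Suggest inserting `SHA384withRSA` after `SHA256withRSA` on both the `.9.constraint.params.signingAlgsAllowed` and `.9.default.params.signingAlgsAllowed` lines so the two policy sets agree.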
diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
index af2b5e5..f9e24b9 100644
--- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
index 0b7f6b7..2e90d97 100644
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg
index 87036d1..c5cf168 100644
--- a/base/ca/shared/profiles/ca/caDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualCert.cfg
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
index 7d61b36..e25b4bb 100644
--- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg
@@ -88,7 +88,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
index d57bae1..84cab82 100644
--- a/base/ca/shared/profiles/ca/caECAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
 policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
 policyset.adminCertSet.6.default.params.keyUsageCritical=true
 policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
index 4143102..7b33de6 100644
--- a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
index b65999e..11eafa7 100644
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
index 0a56caf..663aa13 100644
--- a/base/ca/shared/profiles/ca/caECDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
@@ -161,8 +161,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
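Review bot: This hunk deletes `policyset.signingCertSet.9.default.params.signingAlgsAllowed` outright (L1604) instead of pruning it the way the neighbouring profile does (L1511 keeps a pruned `default.params.signingAlgsAllowed`), so caECDualCert.cfg ends up with a constraint list but no default list. If `signingAlgDefaultImpl` falls back to a built-in algorithm list when the parameter is absent, that fallback would need checking to be sure it does not offer MD2/MD5 again in the enrollment choices. Keeping the line as `policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC` would keep the profiles uniform and avoid depending on that default.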
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
index 48e6499..b3cc471 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
@@ -48,7 +48,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -60,7 +60,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
index b24cb03..822e96b 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
@@ -51,7 +51,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -63,7 +63,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
index e7b60ee..5a817df 100644
--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
@@ -59,7 +59,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -71,7 +71,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
index 8580544..24d61ca 100644
--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
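Review bot: Dropping `1.3.6.1.5.5.7.3.4` from the EKU default (L1680) only changes the pre-filled value, because the hunk header shows policy 7's constraint is still `No Constraint`; nothing in this hunk prevents the extension from being edited back to include emailProtection during approval. If the intent is that internal server certificates must not assert emailProtection, policy 7 needs an extended-key-usage constraint that pins the allowed OIDs (the analogue of the `keyUsageExtConstraintImpl` used for policy 6 elsewhere in this series), or the profile should state that the default is advisory. The identical change in caInternalAuthServerCert.cfg (L1801–L1802) has the same gap.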
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
index 8df3576..3d072a2 100644
--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
index a6bf04a..dda7282 100644
--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
@@ -59,7 +59,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -71,7 +71,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
 policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg
index 07e78f9..c166b28 100644
--- a/base/ca/shared/profiles/ca/caEncUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
index 9603758..42d802e 100644
--- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
index 7bdb180..ba942d7 100644
--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
+++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
@@ -80,7 +80,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
index 5acc174..60d560d 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
 policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.drmStorageCertSet.9.default.name=Signing Alg
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
index 8788f94..982c868 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
 policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
 policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.ocspCertSet.9.constraint.name=No Constraint
-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.ocspCertSet.9.default.name=Signing Alg
 policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index de3c2a5..25538e7 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
 policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
 policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
 policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
index 9f7680a..bdc69bc 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
 policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.transportCertSet.8.constraint.name=No Constraint
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.transportCertSet.8.default.name=Signing Alg
 policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
index f5f5e62..8aea48d 100644
--- a/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
@@ -80,7 +80,7 @@ policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false
 policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false
 policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl
 policyset.caJarSigningSet.6.constraint.name=No Constraint
-policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl
 policyset.caJarSigningSet.6.default.name=Signing Alg
 policyset.caJarSigningSet.6.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
index e5cf627..5b8f50e 100644
--- a/base/ca/shared/profiles/ca/caOtherCert.cfg
+++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
@@ -79,7 +79,7 @@ policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
 policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.otherCertSet.8.constraint.name=No Constraint
-policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.otherCertSet.8.default.name=Signing Alg
 policyset.otherCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
index 9774566..fb1199e 100644
--- a/base/ca/shared/profiles/ca/caRACert.cfg
+++ b/base/ca/shared/profiles/ca/caRACert.cfg
@@ -79,7 +79,7 @@ policyset.raCertSet.7.default.params.exKeyUsageCritical=false
 policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.raCertSet.8.constraint.name=No Constraint
-policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.raCertSet.8.default.name=Signing Alg
 policyset.raCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
index 05b3a72..c504285 100644
--- a/base/ca/shared/profiles/ca/caRARouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
index 2199b26..db22f90 100644
--- a/base/ca/shared/profiles/ca/caRAagentCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
@@ -89,7 +89,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
index 3a6cefa..e2406b4 100644
--- a/base/ca/shared/profiles/ca/caRAserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=serverCertSet
-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
 policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.serverCertSet.1.constraint.name=Subject Name Constraint
 policyset.serverCertSet.1.constraint.params.pattern=CN=.*
@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -79,7 +79,11 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.9.default.name=copy CN to SAN Default
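Review bot: The new policy 9 copies the CN into the SAN under `noConstraintImpl` (L1924–L1927), while this profile's subject constraint is `CN=.*` (L1896), so any CN string — including one that is not a hostname — becomes a candidate for the generated SAN entry. Whether `commonNameToSANDefaultImpl` checks that the CN is a syntactically valid DNS name before copying it is not visible here; if it does not, tightening the pattern on L1896 or recording the expectation in the profile would avoid issuing server certificates with malformed SANs. The nonRepudiation flip earlier in this file (L1902, L1911) is applied consistently to both constraint and default.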
diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg b/base/ca/shared/profiles/ca/caRouterCert.cfg
index 3364675..b306102 100644
--- a/base/ca/shared/profiles/ca/caRouterCert.cfg
+++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
index f197ffa..7fac691 100644
--- a/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
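Review bot: `policyset.signingCertSet.9.constraint.name=No Constraint` on the context line just above the changed one labels a `signingAlgConstraintImpl` as having no constraint, which is misleading now that the list is being tightened — anyone inspecting the profile sees "No Constraint" next to an algorithm allow-list. Consider `policyset.signingCertSet.9.constraint.name=Signing Algorithm Constraint`; the same class_id/name mismatch is visible in every sibling profile touched by this patch. The new list also still carries the three SHA-1 variants (`SHA1withRSA,SHA1withDSA,SHA1withEC`), which is worth a deliberate decision for a signing-certificate profile.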
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index a55873f..6987061 100644
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
index c8e7205..62d6968 100644
--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
 output.list=o1
 output.o1.class_id=certOutputImpl
 policyset.list=drmStorageCertSet
-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
+policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
 policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
 policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
 policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
@@ -71,15 +71,9 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
 policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
-policyset.drmStorageCertSet.7.constraint.name=No Constraint
-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.drmStorageCertSet.9.default.name=Signing Alg
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
index 82a217a..4f98512 100644
--- a/base/ca/shared/profiles/ca/caTPSCert.cfg
+++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
index 43caf26..ef8ab5f 100644
--- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
index 9164dac..62bc40c 100644
--- a/base/ca/shared/profiles/ca/caUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
index 43b6e85..81fc027 100644
--- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
+++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg
@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
index 1ae2f08..c4f2d6b 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java
@@ -76,7 +76,7 @@ public class CACertCAEnrollProfile extends CAEnrollProfile
         IConfigStore defConfig4 = def4.getConfigStore();
         defConfig4.putString("params.signingAlg", "-");
         defConfig4.putString("params.signingAlgsAllowed",
-                "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC");
+                "SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC");
 
         // extensions
         IProfilePolicy policy5 =
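Review bot: The hard-coded allow-list on the changed line now diverges from `SigningAlgDefault.DEF_CONFIG_ALGORITHMS`, which this same patch extends with `SHA384withRSA` while this string omits it, and it keeps `SHA1withRSA` for CA-signing certificates — the one place a SHA-1 signature is hardest to retire once issued. Two independent copies of the list guarantee this kind of drift; consider `defConfig4.putString("params.signingAlgsAllowed", "SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC");` or, better, a shared constant that both call sites reference. The enclosing method continues outside the hunk.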
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java
index 81ad58c..97f221e 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java
@@ -46,7 +46,7 @@ public class SigningAlgDefault extends EnrollDefault {
 
     public static final String VAL_ALGORITHM = "signingAlg";
     public static final String DEF_CONFIG_ALGORITHMS =
-            "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA";
+            "-,SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA";
 
     public SigningAlgDefault() {
         super();
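Review bot: `DEF_CONFIG_ALGORITHMS` is the fallback offered when a profile supplies no list, and after this change it still presents `SHA1withRSA` as a selectable default while adding `SHA384withRSA`; for the CC target named in the commit title `"-,SHA256withRSA,SHA384withRSA,SHA512withRSA"` would be the defensible set. Whatever the final list, the constant carries no documentation — a one-line Javadoc such as `/** Default selectable signing algorithms; "-" presumably means "use the CA's own signing algorithm" — confirm. */` would help, since the meaning of `-` is not visible in this file. Note also that the per-profile `.cfg` lists in this patch include `*withEC` entries while this built-in default lists none; whether that asymmetry is intended is worth stating.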
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 53296fc..3e0c9d2 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1152,7 +1152,9 @@ class PKIConfigParser:
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+                    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," + \
+                    "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
             else:
                 self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \
                     "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \
@@ -1186,7 +1188,11 @@ class PKIConfigParser:
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
                     "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
-                    "+TLS_RSA_WITH_AES_256_CBC_SHA"
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \
+                    "-TLS_RSA_WITH_AES_256_GCM_SHA384"
 
             if self.deployer.architecture == 64:
                 self.mdict['NUXWDOG_JNI_PATH_SLOT'] = (
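Review bot: The RSA-server default added here disables `-TLS_RSA_WITH_AES_256_GCM_SHA384` while the context lines just above still enable `+TLS_RSA_WITH_AES_128_CBC_SHA` and `+TLS_RSA_WITH_AES_256_CBC_SHA`, so the one AEAD suite in the static-RSA family is switched off while the CBC/HMAC-SHA1 suites stay on — the reverse of the usual preference. If the intent is to keep static RSA for legacy clients, the GCM suite should be `"+TLS_RSA_WITH_AES_256_GCM_SHA384"` alongside them; if the intent is to phase static RSA out, the CBC entries are the ones to flip to `-`. A comment above the string stating which policy applies would keep the list from being edited inconsistently, especially since `ciphers.info` carries a hand-maintained copy of it. The enclosing method starts before the hunk.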
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
index 44c6e4b..e51bffd 100644
--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -123,8 +123,8 @@
 #
 ##
 # For RSA servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
 #
 #
 # For ECC servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
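Review bot: The two `sslRangeCiphers` lines are a verbatim second copy of the lists built in `pkiparser.py`, and this patch has to edit both in lock-step; that is exactly how stale entries end up lingering in one copy after being removed from the other. Consider generating this section from the Python constants at build time, or at minimum adding a comment above each line naming `base/server/python/pki/server/deployment/pkiparser.py` as the source of truth so a future edit to one copy is known to require the other. The RSA line also reproduces the `-TLS_RSA_WITH_AES_256_GCM_SHA384` next to `+TLS_RSA_WITH_AES_256_CBC_SHA` inversion from the Python default, which is worth resolving in both places at once.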
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index d3036f3..c1688e4 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -188,13 +188,21 @@ public class CryptoUtil {
     public static final int LINE_COUNT = 76;
 
     static public final Integer[] clientECCiphers = {
+/*
         SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
         SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+*/
         SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
         SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
         SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-        SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
-        SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+//        SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+        SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+        SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+        SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+/*
+        SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+        SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+*/
     };
     static public List<Integer> clientECCipherList = new ArrayList<Integer>(Arrays.asList(clientECCiphers));
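Review bot: The ECDHE_RSA suites are removed from `clientECCiphers` by commenting them out (`/* … */` and `//`) rather than deleting them, and nothing says why; commented-out entries in a cipher list read as "temporarily off" and tend to be re-enabled by the next person who needs RSA interop. Delete the dead entries and replace them with a one-line comment giving the reason — presumably that `*_ECDHE_RSA_*` suites are only negotiable against an RSA server certificate and so do not belong in an EC-only client list, but the hunk does not say so, so confirm before writing it. On the context line, `clientECCipherList` wraps a `public` mutable array in a plain `ArrayList`, so any caller can alter the negotiated suites at run time; `Collections.unmodifiableList(...)` would be safer, though that line is not part of this change.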
 
-- 
1.8.3.1


From 992d97189bbcfff3427b1dcc752f6588da25e496 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Fri, 31 Aug 2018 17:08:30 -0700
Subject: [PATCH 10/19] Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS
 mode

This patch disables the TLS_RSA_* ciphers by default because they do not work
with HSMs in FIPS mode.
ciphers.info is also updated to reflect the changes.

fixes https://pagure.io/dogtagpki/issue/3027

Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172
(cherry picked from commit 908514da63dd9364df0f17810d9d41bfb5c596d5)
---
 .../python/pki/server/deployment/pkiparser.py      | 12 ++--
 base/server/share/conf/ciphers.info                | 70 ++++++++--------------
 2 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 3e0c9d2..2397f43 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1130,7 +1130,7 @@ class PKIConfigParser:
                     "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_RSA_WITH_AES_128_CBC_SHA," + \
-                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_RSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
                     "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
@@ -1146,7 +1146,7 @@ class PKIConfigParser:
                     "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
                     "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
@@ -1183,12 +1183,12 @@ class PKIConfigParser:
                     "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
                     "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
-                    "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
-                    "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
-                    "+TLS_RSA_WITH_AES_256_CBC_SHA," + \
+                    "-TLS_RSA_WITH_AES_128_CBC_SHA," + \
+                    "-TLS_RSA_WITH_AES_256_CBC_SHA," + \
                     "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \
                     "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \
                     "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \
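Review bot: The rationale for flipping the six `TLS_RSA_*` entries to `-` lives only in the commit message; in the code the RSA-server default now disables every static-RSA suite with no hint that this is an HSM/FIPS interoperability decision rather than purely a security one, so a later maintainer may "fix" it back. A comment above the string, e.g. `# TLS_RSA_* (static RSA key exchange) is disabled: it does not work with HSMs in FIPS mode and offers no forward secrecy`, would record that, and the same comment belongs on the ECC branch edited in the two hunks above. The enclosing method starts before the hunk.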
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
index e51bffd..bbb3cf1 100644
--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -26,17 +26,6 @@
 #        suited for the type of the server installed.  Changes can be made to
 #        suit each site's needs.
 #
-#        Although TLS1.2 ciphers (SHA256) are preferred, many older clients
-#        do not support them.  For example, the following "preferred modern"
-#        ciphers are on by default, and by simply limiting the
-#        sslVersionRange* parameters, they can be turned off.
-#
-#            TLS_RSA_WITH_AES_128_CBC_SHA256,
-#            TLS_RSA_WITH_AES_256_CBC_SHA256,
-#            TLS_RSA_WITH_AES_128_GCM_SHA256,
-#            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-#            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-#
 #        The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy,
 #        which, while provide added security to the already secure and adequate
 #        TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions.
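Review bot: The paragraph retained at the end of this hunk still describes the `TLS_RSA_*` suites as "already secure and adequate" and presents `TLS_ECDHE_RSA_*` as an optional, three-times-slower extra, which is now the reverse of the default this commit installs (all `TLS_RSA_*` off, ECDHE/DHE on). Left as is, it invites an administrator to re-enable static RSA to "speed up" handshakes. Rewrite it along the lines of `The TLS_ECDHE_RSA_* and TLS_DHE_RSA_* suites provide forward secrecy and are the enabled default; the static TLS_RSA_* suites are disabled (see below) and should only be re-enabled for legacy clients that cannot negotiate ECDHE/DHE.`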
@@ -62,25 +51,6 @@
 #            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 #            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 #
-#        The following somewhat weaker ciphers (in CBC mode), though
-#        adequate for the CS operations, can be turned off if so desired:
-#
-#            TLS_RSA_WITH_AES_128_CBC_SHA,
-#            TLS_RSA_WITH_AES_256_CBC_SHA,
-#
-#        Note: In an EC CS server setup, you will see by default that the
-#              following RSA ciphers are left on.  Those are used for
-#              installation where the actual systems certs have not yet been
-#              created, and a temporary RSA ssl server cert is at play.
-#
-#              Those can be turned off manually by sites.
-#
-#                  TLS_RSA_WITH_AES_256_CBC_SHA256,
-#                  TLS_RSA_WITH_AES_128_GCM_SHA256
-#
-#              These ciphers might be removed by the installation script in
-#              some future release.
-#
 #        For RHEL 7.5 or greater:
 #
 #            * all '3DES' ciphers have been disabled,
@@ -98,33 +68,43 @@
 #                +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 #                +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 #                +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+#                +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
 #                +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+#                +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 #                +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 #                +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-#                +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
-#                +TLS_RSA_WITH_AES_128_CBC_SHA256,
-#                +TLS_RSA_WITH_AES_256_CBC_SHA256,
-#                +TLS_RSA_WITH_AES_128_CBC_SHA,
-#                +TLS_RSA_WITH_AES_256_CBC_SHA
-#
-#                NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA,
-#                      and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain
-#                      enabled in order to talk to the LDAP server
-#                      during pkispawn installation/configuration.
+#                +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+#                +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 #
 #            Default ciphers enabled for ECC servers:
 #
 #                +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-#                +TLS_RSA_WITH_AES_256_CBC_SHA,
 #                +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-#                +TLS_RSA_WITH_AES_256_CBC_SHA256,
 #                +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-#                +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#                +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+#                +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+#                +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+#
+#        For RHEL 7.6 or greater:
+#
+#        The following ciphers do not work with HSM in FIPS mode, and
+#        are therefore disabled by default.
+#
+#            TLS_RSA_WITH_AES_256_CBC_SHA,
+#            TLS_RSA_WITH_AES_128_CBC_SHA,
+#            TLS_RSA_WITH_AES_128_CBC_SHA256,
+#            TLS_RSA_WITH_AES_256_CBC_SHA256,
+#            TLS_RSA_WITH_AES_128_GCM_SHA256,
+#            TLS_RSA_WITH_AES_256_GCM_SHA384
+#
+#            note:
+#              * They are currently not preferred in TLS 1.2
+#              * They are deprecated in TLS 1.3
 #
 ##
 # For RSA servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
 #
 #
 # For ECC servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
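Review bot: The deleted NOTE that `TLS_RSA_WITH_AES_128_CBC_SHA` and `TLS_RSA_WITH_AES_256_CBC_SHA` "may need to remain enabled in order to talk to the LDAP server during pkispawn" is dropped without replacement, yet the RSA line below now disables both; either the directory server is known to negotiate the remaining ECDHE/DHE suites during installation, in which case say so in the new "RHEL 7.6" paragraph, or pkispawn against an LDAP server that only offers static RSA will fail with no documented cause. The new paragraph also states the `TLS_RSA_*` suites "are deprecated in TLS 1.3"; static RSA key exchange was removed from TLS 1.3 entirely, so `* They do not exist in TLS 1.3 (static RSA key exchange was removed)` is the accurate wording. One sentence noting that clients offering only these suites will now be refused by the server would make the resulting handshake failures recognisable.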
-- 
1.8.3.1


From 5385791f72c5fab901aa38cbc31fd2fd9af269bf Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Tue, 18 Sep 2018 16:13:29 -0700
Subject: [PATCH 11/19] Bug1628410 CMC: add config to allow non-clientAuth

This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg
to allow agents to bypass clientAuth requirement in CMCAuth.
Default value for cmc.bypassClientAuth is false.

In addition, CMC enrollment profile caCMCUserCert "visible" value is
set to false.

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410

Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc
(cherry picked from commit 19120d14941b5964a728ab06b0406be3ddeff5d4)
---
 base/ca/shared/profiles/ca/caCMCUserCert.cfg       |  2 +-
 .../com/netscape/cms/authentication/CMCAuth.java   | 50 +++++++++++++---------
 2 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index 657b98e..1f990f2 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -1,5 +1,5 @@
 desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
-visible=true
+visible=false
 enable=true
 enableBy=admin
 auth.instance_id=CMCAuth
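Review bot: `visible=false` on L2356 only hides caCMCUserCert from the profile listing; with `enable=true` still set on the next line the profile remains usable by any client that names it, so this is not a control on who can enroll through it. If the intent is merely to keep it out of the end-entity UI that is fine, but the `desc` line should say so to avoid a later reader assuming the profile is off, e.g. `desc=... CMC Signature authentication. Hidden from the profile list; enrollment remains enabled and is gated by CMCAuth.`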
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 9b6a819..98d5e29 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -127,6 +127,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 
     /* authentication plug-in configuration store */
     private IConfigStore mConfig;
+    private boolean mBypassClientAuth = false;
     private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
     private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
     public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke";
@@ -213,6 +214,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         mName = name;
         mImplName = implName;
         mConfig = config;
+        mBypassClientAuth =
+                CMS.getConfigStore().getBoolean("cmc.bypassClientAuth", false);
 
         log(ILogger.LL_INFO, "Initialization complete!");
     }
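Review bot: `cmc.bypassClientAuth` is read from the global store via `CMS.getConfigStore()` rather than from the plug-in's own `mConfig` assigned on the line above, so the knob applies to every CMCAuth instance in the subsystem rather than being configurable per instance; if that is intended, a comment should say so, e.g. `// global CS.cfg setting, not per auth-manager instance: relaxes the TLS-client-cert / CMC-signer binding for all CMCAuth instances`. Because enabling it removes the binding between the TLS session identity and the CMC signer, it is worth recording at init when it is on, `if (mBypassClientAuth) log(ILogger.LL_WARN, "CMCAuth: cmc.bypassClientAuth=true; SSL client cert / CMC signer binding disabled");`, modelled on the `log(ILogger.LL_INFO, ...)` call already present two lines below.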
@@ -882,28 +885,33 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                             X509Certificate clientCert =
                                     (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT);
                             if (clientCert == null) {
-                            //    createAuditSubjectFromCert(auditContext, x509Certs[0]);
-                                msg = "missing SSL client authentication certificate;";
-                                CMS.debug(method + msg);
-                                s.close();
-                                throw new EMissingCredential(
-                                        CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
-                            }
-                            netscape.security.x509.X500Name clientPrincipal =
-                                    (X500Name) clientCert.getSubjectDN();
-
-                            netscape.security.x509.X500Name cmcPrincipal =
-                                    (X500Name) x509Certs[0].getSubjectDN();
-
-                            // check ssl client cert against cmc signer
-                            if (!clientPrincipal.equals(cmcPrincipal)) {
-                                msg = "SSL client authentication certificate and CMC signer do not match";
-                                CMS.debug(method + msg);
-                                s.close();
-                                throw new EInvalidCredentials(
-                                        CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                                if (mBypassClientAuth) {
+                                    msg = "missing SSL client authentication certificate; allowed";
+                                    CMS.debug(method + msg);
+                                } else {
+                                    msg = "missing SSL client authentication certificate;";
+                                    CMS.debug(method + msg);
+                                    s.close();
+                                    throw new EMissingCredential(
+                                            CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
+                                }
                             } else {
-                                CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+                                netscape.security.x509.X500Name clientPrincipal =
+                                        (X500Name) clientCert.getSubjectDN();
+
+                                netscape.security.x509.X500Name cmcPrincipal =
+                                        (X500Name) x509Certs[0].getSubjectDN();
+
+                                // check ssl client cert against cmc signer
+                                if (!clientPrincipal.equals(cmcPrincipal)) {
+                                    msg = "SSL client authentication certificate and CMC signer do not match";
+                                    CMS.debug(method + msg);
+                                    s.close();
+                                    throw new EInvalidCredentials(
+                                            CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
+                                } else {
+                                    CMS.debug(method + "ssl client cert principal and cmc signer principal match");
+                                }
                             }
 
                             PublicKey signKey = cert.getPublicKey();
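Review bot: The new bypass branch at L2405–L2407 records the missing client certificate only through `CMS.debug`, so a request authenticated without the TLS/CMC-signer binding leaves no trace in the regular log or, as far as this hunk shows, in any audit event. Since that binding was mandatory before this change, the branch should at least log at warning level, `log(ILogger.LL_WARN, method + msg);`, and if an audit event is emitted for this path later in the method the bypass should be visible there too. With the bypass on, the only thing tying the request to an identity is the CMC signature verified with `cert.getPublicKey()` on L2435 and whatever checks of the signer certificate follow; worth confirming those still validate the signer against the CA's user records, since the SSL-cert match no longer does. The enclosing method starts before and ends after this hunk.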
-- 
1.8.3.1


From b53d4f5f135432d6bc25b4bc0def1ea4b44705a4 Mon Sep 17 00:00:00 2001
From: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date: Mon, 1 Oct 2018 16:25:08 -0400
Subject: [PATCH 12/19] Fixes password leak of Auth plugins to Audit Logs (#57)

* Auth plugin adds `(sensitive)` instead of plain passwords
to AuditLogs
* Added generic `isSensitive()` to identify Passwords before logging

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

(cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)
---
 base/common/src/com/netscape/certsrv/apps/CMS.java | 30 ++++++++++++++++++++++
 .../netscape/cms/servlet/admin/AdminServlet.java   | 18 ++-----------
 .../com/netscape/cms/servlet/base/CMSServlet.java  | 21 +--------------
 .../netscape/cms/servlet/csadmin/BaseServlet.java  | 15 +----------
 .../cms/servlet/processors/CAProcessor.java        | 16 +-----------
 .../servlet/profile/ProfileSubmitCMCServlet.java   | 17 ++----------
 6 files changed, 37 insertions(+), 80 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index d04223f..0bf186e 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -1672,6 +1672,36 @@ public final class CMS {
     }
 
     /**
+     * Check whether the string is contains password
+     *
+     * @param name key string
+     * @return whether key is a password or not
+     */
+    public static boolean isSensitive(String name) {
+        return (name.startsWith("__") ||
+                name.endsWith("password") ||
+                name.endsWith("passwd") ||
+                name.endsWith("pwd") ||
+                name.equalsIgnoreCase("admin_password_again") ||
+                name.equalsIgnoreCase("directoryManagerPwd") ||
+                name.equalsIgnoreCase("bindpassword") ||
+                name.equalsIgnoreCase("bindpwd") ||
+                name.equalsIgnoreCase("passwd") ||
+                name.equalsIgnoreCase("password") ||
+                name.equalsIgnoreCase("pin") ||
+                name.equalsIgnoreCase("pwd") ||
+                name.equalsIgnoreCase("pwdagain") ||
+                name.equalsIgnoreCase("uPasswd") ||
+                name.equalsIgnoreCase("PASSWORD_CACHE_ADD") ||
+                name.startsWith("p12Password") ||
+                name.equalsIgnoreCase("host_challenge") ||
+                name.equalsIgnoreCase("card_challenge") ||
+                name.equalsIgnoreCase("card_cryptogram") ||
+                name.equalsIgnoreCase("drm_trans_desKey") ||
+                name.equalsIgnoreCase("cert_request"));
+    }
+
+    /**
      * Main driver to start CMS.
      */
     public static void main(String[] args) {
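Review bot: The prefix and suffix checks in `isSensitive()` are case-sensitive (`endsWith("password")`, `endsWith("pwd")`, `startsWith("p12Password")`) while the exact-name checks use `equalsIgnoreCase`, so a parameter such as `adminPassword` or `bindPWD` is not redacted and its value is still written by every caller this commit switches to the helper. Lowercasing the name once with `Locale.ROOT` and comparing against lowercase constants closes that gap and shortens the list, because `bindpassword`, `directoryManagerPwd`, `uPasswd`, `bindpwd` and friends then fall under the suffix rules; this needs `java.util.Locale` imported if CMS.java does not already have it. The javadoc on L2469 also reads `Check whether the string is contains password`; `Returns true if the parameter name denotes a secret that must not be logged.` is clearer.
```java
    public static boolean isSensitive(String name) {
        if (name == null) {
            return false;
        }
        // normalise once so prefix/suffix rules are case-insensitive like the exact matches
        String n = name.toLowerCase(Locale.ROOT);
        return (n.startsWith("__") ||
                n.endsWith("password") ||
                n.endsWith("passwd") ||
                n.endsWith("pwd") ||
                n.startsWith("p12password") ||
                n.equals("admin_password_again") ||
                n.equals("pin") ||
                n.equals("pwdagain") ||
                n.equals("password_cache_add") ||
                n.equals("host_challenge") ||
                n.equals("card_challenge") ||
                n.equals("card_cryptogram") ||
                n.equals("drm_trans_deskey") ||
                n.equals("cert_request"));
    }
```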
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index 2b8cec7..ed5393b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -203,21 +203,7 @@ public class AdminServlet extends HttpServlet {
             // __ (double underscores); however, in the event that
             // a security parameter slips through, we perform multiple
             // additional checks to insure that it is NOT displayed
-            if (pn.startsWith("__") ||
-                    pn.endsWith("password") ||
-                    pn.endsWith("passwd") ||
-                    pn.endsWith("pwd") ||
-                    pn.equalsIgnoreCase("admin_password_again") ||
-                    pn.equalsIgnoreCase("directoryManagerPwd") ||
-                    pn.equalsIgnoreCase("bindpassword") ||
-                    pn.equalsIgnoreCase("bindpwd") ||
-                    pn.equalsIgnoreCase("passwd") ||
-                    pn.equalsIgnoreCase("password") ||
-                    pn.equalsIgnoreCase("pin") ||
-                    pn.equalsIgnoreCase("pwd") ||
-                    pn.equalsIgnoreCase("pwdagain") ||
-                    pn.equalsIgnoreCase("uPasswd") ||
-                    pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) {
+            if (CMS.isSensitive(pn)) {
                 CMS.debug("AdminServlet::service() param name='" + pn +
                         "' value='(sensitive)'");
             } else {
@@ -992,7 +978,7 @@ public class AdminServlet extends HttpServlet {
             if (name.equals(Constants.RS_ID)) continue;
 
             String value = null;
-            if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
+            if (CMS.isSensitive(name))
                 value = "(sensitive)";
             else
                 value = req.getParameter(name);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index f18db1a..0c65702 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -403,26 +403,7 @@ public abstract class CMSServlet extends HttpServlet {
             // __ (double underscores); however, in the event that
             // a security parameter slips through, we perform multiple
             // additional checks to insure that it is NOT displayed
-            if (pn.startsWith("__") ||
-                    pn.endsWith("password") ||
-                    pn.endsWith("passwd") ||
-                    pn.endsWith("pwd") ||
-                    pn.equalsIgnoreCase("admin_password_again") ||
-                    pn.equalsIgnoreCase("directoryManagerPwd") ||
-                    pn.equalsIgnoreCase("bindpassword") ||
-                    pn.equalsIgnoreCase("bindpwd") ||
-                    pn.equalsIgnoreCase("passwd") ||
-                    pn.equalsIgnoreCase("password") ||
-                    pn.equalsIgnoreCase("pin") ||
-                    pn.equalsIgnoreCase("pwd") ||
-                    pn.equalsIgnoreCase("pwdagain") ||
-                    pn.startsWith("p12Password") ||
-                    pn.equalsIgnoreCase("uPasswd") ||
-                    pn.equalsIgnoreCase("host_challenge") ||
-                    pn.equalsIgnoreCase("card_challenge") ||
-                    pn.equalsIgnoreCase("card_cryptogram") ||
-                    pn.equalsIgnoreCase("drm_trans_desKey") ||
-                    pn.equalsIgnoreCase("cert_request")) {
+            if (CMS.isSensitive(pn)) {
                 CMS.debug("CMSServlet::service() param name='" + pn +
                         "' value='(sensitive)'");
             } else {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
index 3b3ae40..70922dc 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java
@@ -70,20 +70,7 @@ public class BaseServlet extends VelocityServlet {
             // __ (double underscores); however, in the event that
             // a security parameter slips through, we perform multiple
             // additional checks to insure that it is NOT displayed
-            if (pn.startsWith("__") ||
-                    pn.endsWith("password") ||
-                    pn.endsWith("passwd") ||
-                    pn.endsWith("pwd") ||
-                    pn.equalsIgnoreCase("admin_password_again") ||
-                    pn.equalsIgnoreCase("directoryManagerPwd") ||
-                    pn.equalsIgnoreCase("bindpassword") ||
-                    pn.equalsIgnoreCase("bindpwd") ||
-                    pn.equalsIgnoreCase("passwd") ||
-                    pn.equalsIgnoreCase("password") ||
-                    pn.equalsIgnoreCase("pin") ||
-                    pn.equalsIgnoreCase("pwd") ||
-                    pn.equalsIgnoreCase("pwdagain") ||
-                    pn.equalsIgnoreCase("uPasswd")) {
+            if (CMS.isSensitive(pn)) {
                 CMS.debug("BaseServlet::service() param name='" + pn +
                          "' value='(sensitive)'");
             } else {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 62b4242..f732c4d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -258,21 +258,7 @@ public class CAProcessor extends Processor {
             // __ (double underscores); however, in the event that
             // a security parameter slips through, we perform multiple
             // additional checks to insure that it is NOT displayed
-            if (paramName.startsWith("__") ||
-                    paramName.endsWith("password") ||
-                    paramName.endsWith("passwd") ||
-                    paramName.endsWith("pwd") ||
-                    paramName.equalsIgnoreCase("admin_password_again") ||
-                    paramName.equalsIgnoreCase("directoryManagerPwd") ||
-                    paramName.equalsIgnoreCase("bindpassword") ||
-                    paramName.equalsIgnoreCase("bindpwd") ||
-                    paramName.equalsIgnoreCase("passwd") ||
-                    paramName.equalsIgnoreCase("password") ||
-                    paramName.equalsIgnoreCase("pin") ||
-                    paramName.equalsIgnoreCase("pwd") ||
-                    paramName.equalsIgnoreCase("pwdagain") ||
-                    paramName.equalsIgnoreCase("uPasswd") ||
-                    paramName.equalsIgnoreCase("cert_request")) {
+            if (CMS.isSensitive(paramName)) {
                 CMS.debug("CAProcessor: - " + paramName + ": (sensitive)");
             } else {
                 CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue());
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index 03e94a8..81a2f2a 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -47,9 +47,9 @@ import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.AuthEvent;
 import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
-import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.ECMCBadIdentityException;
 import com.netscape.certsrv.profile.ECMCBadMessageCheckException;
 import com.netscape.certsrv.profile.ECMCBadRequestException;
@@ -306,20 +306,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
                 // __ (double underscores); however, in the event that
                 // a security parameter slips through, we perform multiple
                 // additional checks to insure that it is NOT displayed
-                if (paramName.startsWith("__") ||
-                        paramName.endsWith("password") ||
-                        paramName.endsWith("passwd") ||
-                        paramName.endsWith("pwd") ||
-                        paramName.equalsIgnoreCase("admin_password_again") ||
-                        paramName.equalsIgnoreCase("directoryManagerPwd") ||
-                        paramName.equalsIgnoreCase("bindpassword") ||
-                        paramName.equalsIgnoreCase("bindpwd") ||
-                        paramName.equalsIgnoreCase("passwd") ||
-                        paramName.equalsIgnoreCase("password") ||
-                        paramName.equalsIgnoreCase("pin") ||
-                        paramName.equalsIgnoreCase("pwd") ||
-                        paramName.equalsIgnoreCase("pwdagain") ||
-                        paramName.equalsIgnoreCase("uPasswd")) {
+                if (CMS.isSensitive(paramName)) {
                     CMS.debug("ProfileSubmitCMCServlet Input Parameter " +
                               paramName + "='(sensitive)'");
                 } else {
-- 
1.8.3.1


From 4041f30e683307eb96140c8b81e48e62c2e7c34a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 28 Aug 2018 23:08:13 +0200
Subject: [PATCH 13/19] Fixed CA signing cert importation

The pki_ca_signing_cert_path param has been modified to have
an empty value by default.

The import_ca_signing_cert() has been modified such that if
the param is not specified, it will return silently. If the
param contains an invalid path, the method will fail. If the
param contains a valid path to the CA signing cert, the cert
will be imported into the NSS database.

https://pagure.io/dogtagpki/issue/3040

Change-Id: Idde1850744391162495599067c840c47ef47de69
(cherry picked from commit a4f5b17ee96adf79391f9def6e04bb239a779cbe)
---
 base/server/etc/default.cfg                           |  2 +-
 base/server/man/man5/pki_default.cfg.5                |  2 +-
 .../pki/server/deployment/scriptlets/configuration.py | 19 ++++++++++---------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 0f348ee..b92cca7 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -94,7 +94,7 @@ pki_ca_port=%(pki_security_domain_https_port)s
 pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA
 
 # DEPRECATED: Use 'pki_ca_signing_cert_path' instead.
-pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert
+pki_external_ca_cert_path=
 pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s
 
 pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index fe3cdc7..afdcbfb 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -413,7 +413,7 @@ Required for the second step of a stand-alone PKI process.  This is the location
 .PP
 .B pki_ca_signing_cert_path
 .IP
-Required for the second step of a stand-alone PKI process.  This is the location of the file containing the external CA's certificate chain (as issued by the external CA).  Defaults to '%(pki_instance_configuration_path)s/external_ca_chain.cert'.
+Required for the second step of a stand-alone PKI process.  This is the location of the file containing the external CA's certificate chain (as issued by the external CA).  Defaults to empty.
 .PP
 .B pki_external_admin_cert_path
 .IP
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index fd043a8..1b62445 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -395,15 +395,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             self.import_system_cert_request(deployer, subsystem, 'subsystem')
             self.import_system_cert_request(deployer, subsystem, 'sslserver')
 
-    def import_ca_signing_cert(self, deployer, nssdb, subsystem):
+    def import_ca_signing_cert(self, deployer, nssdb):
 
         param = 'pki_ca_signing_cert_path'
         cert_file = deployer.mdict.get(param)
-        if not cert_file or not os.path.exists(cert_file):
-            if subsystem.name == 'ca':
-                raise Exception('Invalid certificate path: %s=%s' % (param, cert_file))
-            else:
-                return
+
+        if not cert_file:
+            return
+
+        if not os.path.exists(cert_file):
+            raise Exception('Invalid certificate path: %s=%s' % (param, cert_file))
 
         nickname = deployer.mdict['pki_ca_signing_nickname']
 
@@ -593,14 +594,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
     def import_system_certs(self, deployer, nssdb, subsystem):
 
         if subsystem.name == 'ca':
-            self.import_ca_signing_cert(deployer, nssdb, subsystem)
+            self.import_ca_signing_cert(deployer, nssdb)
             self.import_ca_ocsp_signing_cert(deployer, nssdb)
 
         if subsystem.name == 'kra':
             # Always import cert chain into internal token.
             internal_nssdb = subsystem.instance.open_nssdb()
             try:
-                self.import_ca_signing_cert(deployer, internal_nssdb, subsystem)
+                self.import_ca_signing_cert(deployer, internal_nssdb)
             finally:
                 internal_nssdb.close()
 
@@ -612,7 +613,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             # Always import cert chain into internal token.
             internal_nssdb = subsystem.instance.open_nssdb()
             try:
-                self.import_ca_signing_cert(deployer, internal_nssdb, subsystem)
+                self.import_ca_signing_cert(deployer, internal_nssdb)
             finally:
                 internal_nssdb.close()
 
-- 
1.8.3.1


From 6fbffb076caea906381e47bc1b6cae9da9892ae4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 23 Oct 2018 03:31:33 +0200
Subject: [PATCH 14/19] Fixed password prompt in pki CLI

The pki CLI has been modified not to throw an exception when the
user specifies a username without any password. The CLI will then
prompt for a password.

https://pagure.io/dogtagpki/issue/2840
(cherry picked from commit b1bda0a1e7baca575561c08e78d93ae7c7160738)
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 711625a..50e5b75 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -378,9 +378,6 @@ public class MainCLI extends CLI {
 
             if (passwordFile != null && password != null) {
                 throw new Exception("The '-W' and '-w' options are mutually exclusive.");
-
-            } else if (passwordFile == null && password == null) {
-                throw new Exception("Missing user password.");
             }
         }
 
-- 
1.8.3.1


From 60ad482668db175f297e55a947f55021871ce348 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 17 Oct 2018 18:21:52 +0200
Subject: [PATCH 16/19] Added CMSEngine.disableSubsystem()

The code that calls pki-server subsystem-disable in
SelfTestSubsystem has been moved into CMSEngine.disableSubsystem().

https://pagure.io/dogtagpki/issue/3070
(cherry picked from commit d5b119cdf3693680d5d1518b4b21b436d442708b)
---
 base/common/src/com/netscape/certsrv/apps/CMS.java |  4 ++++
 .../src/com/netscape/cmscore/apps/CMSEngine.java   | 24 +++++++++++++++++++++
 .../cmscore/selftests/SelfTestSubsystem.java       | 25 +++++-----------------
 3 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index 0bf186e..b6b74e6 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -145,6 +145,10 @@ public final class CMS {
         _engine = engine;
     }
 
+    public static ICMSEngine getCMSEngine() {
+        return _engine;
+    }
+
     /**
      * This method is used for unit tests. It allows the underlying _engine
      * to be stubbed out.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index eaf57fa..2c953cc 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -2042,6 +2042,30 @@ public class CMSEngine implements ICMSEngine {
 
     }
 
+    public void disableSubsystem() {
+
+        String name = mConfig.get("cs.type");
+        String subsystemID = name.toLowerCase();
+
+        CMS.debug("CMSEngine: Disabling " + name + " subsystem");
+
+        try {
+            ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceId, subsystemID);
+            CMS.debug("Command: " + String.join(" ", pb.command()));
+
+            Process process = pb.inheritIO().start();
+            int rc = process.waitFor();
+
+            if (rc != 0) {
+                CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. RC: " + rc);
+            }
+
+        } catch (Exception e) {
+            CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage());
+            CMS.debug(e);
+        }
+    }
+
     /**
      * shuts down a subsystem list in reverse order.
      */
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 98b53c7..9ed4f8a 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -50,6 +50,7 @@ import com.netscape.certsrv.selftests.ISelfTest;
 import com.netscape.certsrv.selftests.ISelfTestSubsystem;
 import com.netscape.cms.logging.Logger;
 import com.netscape.cms.logging.SignedAuditLogger;
+import com.netscape.cmscore.apps.CMSEngine;
 
 //////////////////////
 // class definition //
@@ -1832,29 +1833,13 @@ public class SelfTestSubsystem
 
             audit(auditMessage);
 
-            CMS.debug("SelfTestSubsystem.startup(): shutdown server");
+            CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage());
+            CMS.debug(e);
 
-            // shutdown the system gracefully
             CMS.shutdown();
 
-            IConfigStore cs = CMS.getConfigStore();
-            String instanceID = cs.get("instanceId");
-            String subsystemID = cs.get("cs.type").toLowerCase();
-
-            System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure.");
-
-            try {
-                ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID);
-                Process process = pb.inheritIO().start();
-                int rc = process.waitFor();
-
-                if (rc != 0) {
-                    System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". RC: " + rc);
-                }
-
-            } catch (Exception e2) {
-                e.printStackTrace();
-            }
+            CMSEngine engine = (CMSEngine) CMS.getCMSEngine();
+            engine.disableSubsystem();
         }
     }
 
-- 
1.8.3.1


From 83e911b75bb887bc4f3bf36fc9709401e54b7443 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 17 Oct 2018 18:22:24 +0200
Subject: [PATCH 17/19] Fixed subsystem shutdown on selftest failures

The code that handles selftest failures has been modified
to call CMSEngine.disableSubsystem() to undeploy the web
application. Once undeployed, the web application will no
longer accept client requests, then Tomcat will execute
CMSStartServlet.destroy() which will eventually shutdown
the subsystem.

https://pagure.io/dogtagpki/issue/3070
(cherry picked from commit 7c3711c786ba90fe29b7450530dd8372d5839fcd)
---
 .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java  | 7 ++++---
 .../src/com/netscape/cmscore/selftests/SelfTestSubsystem.java    | 9 ++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index 59a5d62..633b13d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -73,6 +73,7 @@ import com.netscape.certsrv.selftests.ESelfTestException;
 import com.netscape.certsrv.selftests.ISelfTest;
 import com.netscape.certsrv.selftests.ISelfTestSubsystem;
 import com.netscape.certsrv.tks.ITKSAuthority;
+import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
@@ -3194,10 +3195,10 @@ public final class CMSAdminServlet extends AdminServlet {
                                     + "\n";
                             sendResponse(ERROR, content, null, resp);
 
-                            CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown server");
+                            CMS.debug("CMSAdminServlet: Disabling subsystem due to selftest failure: " + e.getMessage());
 
-                            // shutdown the system gracefully
-                            CMS.shutdown();
+                            CMSEngine engine = (CMSEngine) CMS.getCMSEngine();
+                            engine.disableSubsystem();
 
                             return;
                         } else {
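Review bot: The cast `(CMSEngine) CMS.getCMSEngine()` on L2960 bypasses the `ICMSEngine` interface that `CMS` exposes, and the comment next to `setCMSEngine` in the previous commit (L2832–L2834) says the engine may be stubbed out for unit tests, so this line throws `ClassCastException` under any non-`CMSEngine` engine. Declaring `void disableSubsystem();` on `ICMSEngine` and calling `CMS.getCMSEngine().disableSubsystem();` keeps the servlet layer independent of the cmscore implementation, which is how the rest of `CMS` is used here. The same cast appears in the other call sites of this commit; changing the interface fixes all of them at once.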
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 9ed4f8a..8ce9a58 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -537,10 +537,11 @@ public class SelfTestSubsystem
                                     "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED",
                                     instanceFullName));
 
-                    CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server");
+                    CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage());
+                    CMS.debug(e);
 
-                    // shutdown the system gracefully
-                    CMS.shutdown();
+                    CMSEngine engine = (CMSEngine) CMS.getCMSEngine();
+                    engine.disableSubsystem();
 
                     return;
                 }
@@ -1836,8 +1837,6 @@ public class SelfTestSubsystem
             CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage());
             CMS.debug(e);
 
-            CMS.shutdown();
-
             CMSEngine engine = (CMSEngine) CMS.getCMSEngine();
             engine.disableSubsystem();
         }
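Review bot: The debug message kept at the top of this hunk still says `Shutting down server due to selftest failure`, although the commit removes the `CMS.shutdown()` call that followed it and leaves only `engine.disableSubsystem()`. Anyone reading the log, or a monitoring rule keyed on that string, would now expect a server shutdown that no longer happens. Suggest aligning it with the wording introduced in the earlier hunk of this file: `CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage());`. The enclosing method starts outside the hunk.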
-- 
1.8.3.1


From 81710f32fb9c269f2795b3272b3765a542299eb6 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 17 Oct 2018 18:23:09 +0200
Subject: [PATCH 18/19] Fixed signed audit logging failure handling

The code that handles signed audit logging failures has been
modified to call CMSEngine.disableSubsystem() to undeploy the
web application. Once undeployed, the web application will no
longer accept client requests, then Tomcat will execute
CMSStartServlet.destroy() which will eventually shut down the
subsystem.

https://pagure.io/dogtagpki/issue/3070
(cherry picked from commit 5e7d7b972f14d65781909f6dfee4ad1e7ecb801a)
---
 .../cms/src/com/netscape/cms/logging/LogFile.java       | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index b04f70d..a4a691b 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -79,6 +79,7 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.LogSource;
 import com.netscape.certsrv.logging.SignedAuditEvent;
 import com.netscape.certsrv.logging.SystemEvent;
+import com.netscape.cmscore.apps.CMSEngine;
 import com.netscape.cmsutil.util.Utils;
 
 import netscape.ldap.client.JDAPAVA;
@@ -422,20 +423,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
             // synchronized. We just want to avoid an infinite loop.
             mInSignedAuditLogFailureMode = true;
 
-            // Block all new incoming requests
-            if (CMS.areRequestsDisabled() == false) {
-                // XXX is this a race condition?
-                CMS.disableRequests();
-            }
-
-            // Terminate all requests in process
-            CMS.terminateRequests();
-
-            // Call graceful shutdown of the CMS server
-            // Call force shutdown to get added functionality of
-            // making sure to kill the web server.
+            CMS.debug("LogFile: Disabling subsystem due to signed logging failure");
 
-            CMS.forceShutdown();
+            CMSEngine engine = (CMSEngine) CMS.getCMSEngine();
+            engine.disableSubsystem();
         }
     }
 
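Review bot: In-flight requests are no longer explicitly terminated: the removed block called `CMS.disableRequests()` and `CMS.terminateRequests()` before shutting down, while the new code only calls `engine.disableSubsystem()`. Unless disableSubsystem itself aborts requests already being processed (its behaviour is not visible here), an operation that was mid-flight when the signed audit log failed could complete without an audit record, which is the condition this failure mode exists to prevent; please confirm, or keep `CMS.terminateRequests();` ahead of `engine.disableSubsystem();`. The failure itself is also surfaced only through `CMS.debug(...)`, which is easy to miss in production; the admin doc added in PATCH 19 tells operators to look for the `Failed to flush log` message instead, so recording this event through the system log at error severity would make the cause visible to operators and monitoring. The enclosing method starts outside the hunk.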
-- 
1.8.3.1


From bd2b3117334ce0e638bf309a591a0eeb6390253f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 20 Oct 2018 04:03:49 +0200
Subject: [PATCH 19/19] Added doc on signed audit logging failures

https://pagure.io/dogtagpki/issue/3070
(cherry picked from commit 54c1b9b04625de6f3493e5d28979a740b31e63b3)
---
 docs/admin/Signed_Audit_Logging_Failures.md | 88 +++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 docs/admin/Signed_Audit_Logging_Failures.md

diff --git a/docs/admin/Signed_Audit_Logging_Failures.md b/docs/admin/Signed_Audit_Logging_Failures.md
new file mode 100644
index 0000000..17cc3bd
--- /dev/null
+++ b/docs/admin/Signed_Audit_Logging_Failures.md
@@ -0,0 +1,88 @@
+Signed Audit Logging Failures
+=============================
+
+## Overview
+
+If a PKI subsystem is unable to write signed audit log to disk,
+the subsystem will automatically shutdown to prevent it from
+receiving and executing additional operations that cannot be
+logged.
+
+This situation may happen when the disk is full. In that case
+the admin will need to provide additional disk space, then restart
+the subsystem.
+
+Note: auto-shutdown will only work if audit signing is enabled.
+
+## Verifying Auto-Shutdown
+
+To verify auto-shutdown on a CA instance, prepare a small
+partition and assign the proper permissions:
+
+```
+$ mkdir -p /tmp/audit
+$ mount -t tmpfs -o size=2M,mode=0755 tmpfs /tmp/audit
+$ chown pkiuser:pkiuser /tmp/audit
+$ semanage fcontext -a -t pki_tomcat_log_t /tmp/audit
+$ restorecon -vR /tmp/audit
+```
+
+Edit /etc/pki/pki-tomcat/ca/CS.cfg to enable audit signing
+and configure it to store the logs in the above partition:
+
+```
+log.instance.SignedAudit.logSigning=true
+log.instance.SignedAudit.fileName=/tmp/audit/ca_audit
+```
+
+Restart the server:
+
+```
+$ systemctl restart pki-tomcatd@pki-tomcat.service
+```
+
+Create a big file to fill up the partition:
+
+```
+$ dd if=/dev/zero of=/tmp/audit/bigfile bs=1M count=2
+```
+
+Execute some operations to generate audit logs, for example:
+
+```
+$ pki ca-cert-find
+```
+
+When the partition becomes full, the server will no longer able
+to write the signed audit log into the partition, so it will
+generate the following message in console or systemd journal
+(assuming the journal is stored in a different partition that
+is not full):
+
+```
+Failed to flush log "/tmp/audit/ca_audit", error: No space left on device
+```
+
+Then the CA subsystem will shutdown automatically. The server itself
+will still be running and accepting connections, but all requests
+going to the CA subsystem will fail.
+
+To resolve the issue, create more space in the partition by
+removing the big file:
+
+```
+$ rm -f /tmp/audit/bigfile
+```
+
+Then re-enable the CA subsystem with the following command:
+
+```
+$ pki-server subsystem-enable -i pki-tomcat ca
+```
+
+or by restarting the server:
+
+```
+$ systemctl restart pki-tomcatd@pki-tomcat.service
+```
+
-- 
1.8.3.1