From 085966b0eddd9786003e4dc3074314ad0626c203 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@redhat.com>
Date: Tue, 23 Jan 2018 18:31:53 -0800
Subject: [PATCH 01/18] Fix Bug 1501436 - TPS CS.cfg should be reflected with
 the changes after an in-place upgrade.

This upgrade script will add the needed config params to an existing CS.cfg for TPS.

The params consist of the params required for the token profile : externalRegISEtoken.

The code also grabs the unsecure phone home url out of the instances's server.xml.
This way the new profile is configured exactly like what happens when doing a pkispawn.
The correct nonsecure url will be in place.

Added some review changes. Also modified the Python PropertyFile class so that it can
handle a property value that itself contains the delimiter "=", e.g. name=cn=people.

Added directory server/upgrade/10.5.1 so rhel can use it when performing this upgrade.

Change-Id: I2478013b396082ffdc3d99ed86a821ec86ac4c5d
(cherry picked from commit 2d1390f5d2f0ca653d03f936c601cd4cb7a488fd)
(cherry picked from commit bf199fa8b2215d68765117b79626a72374d71981)
---
 base/common/python/pki/__init__.py                 |   9 +-
 base/server/upgrade/10.5.1/.gitignore              |   4 +
 .../10.5.5/01-AddTPSExternalRegISEtokenParams      | 383 +++++++++++++++++++++
 3 files changed, 391 insertions(+), 5 deletions(-)
 create mode 100644 base/server/upgrade/10.5.1/.gitignore
 create mode 100755 base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams

diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
index 1a6f5c2..dbe5629 100644
--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -485,14 +485,13 @@ class PropertyFile(object):
         for i, line in enumerate(self.lines):
 
             # parse <key> <delimiter> <value>
-            match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
+            match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
                              line)
 
             if not match:
                 continue
 
             key = match.group(1)
-
             if key.lower() == name.lower():
                 return i
 
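Review bot: The new key group `([^=]*)` is greedy and now swallows any whitespace that precedes the delimiter, so a line such as `name = value` yields the key `'name '` and the `key.lower() == name.lower()` comparison two lines below no longer matches it, whereas the old `(\S*)` never captured whitespace; a non-greedy group lets the following `\s*` absorb the padding, `r'^\s*([^%s]*?)\s*%s\s*(.*)\s*$'`. The delimiter is also interpolated unescaped into a character class, which produces a malformed or wrong pattern for delimiters such as `]`, `^` or `\`; substituting `re.escape(self.delimiter)` for both `%s` keeps the pattern well-formed for any single-character delimiter. The identical pattern is repeated in the three hunks below, so whatever fix is chosen should be applied to all four. The enclosing methods begin before this hunk, so where `self.delimiter` is assigned is not visible here.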
@@ -511,7 +510,7 @@ class PropertyFile(object):
         for line in self.lines:
 
             # parse <key> <delimiter> <value>
-            match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
+            match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
                              line)
 
             if not match:
@@ -540,7 +539,7 @@ class PropertyFile(object):
         for i, line in enumerate(self.lines):
 
             # parse <key> <delimiter> <value>
-            match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
+            match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
                              line)
 
             if not match:
@@ -569,7 +568,7 @@ class PropertyFile(object):
         for i, line in enumerate(self.lines):
 
             # parse <key> <delimiter> <value>
-            match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter,
+            match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter),
                              line)
 
             if not match:
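Review bot: This is the fourth verbatim copy of the same line-parsing regex in the class, and this commit had to touch all four to change it; building it once where the delimiter is set, e.g. `d = re.escape(self.delimiter)` followed by `self._line_re = re.compile(r'^\s*([^%s]*?)\s*%s\s*(.*)\s*$' % (d, d))`, and calling `self._line_re.match(line)` in each method would stop the copies from drifting apart. Python's `re` module caches compiled patterns, so the gain is consistency rather than speed. The enclosing method starts before this hunk, and the delimiter's assignment is outside the visible diff, so the exact placement needs checking against the constructor.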
diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/base/server/upgrade/10.5.1/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams
new file mode 100755
index 0000000..85429cc
--- /dev/null
+++ b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams
@@ -0,0 +1,383 @@
+#!/usr/bin/python
+# Authors:
+#     Jack Magne <jmagne@rehdat.com> based on work <ftweedal@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful',
+
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not', write to the Free Software Foundation', Inc.',
+# 51 Franklin Street', Fifth Floor', Boston', MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat', Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+from lxml import etree
+import socket
+
+import pki
+from pki.server.upgrade import PKIServerUpgradeScriptlet
+
+proplist = [
+    ('op.format.externalRegISEtoken.auth.enable', 'true'),
+    ('op.format.externalRegISEtoken.auth.id', 'ldap1'),
+    ('op.format.externalRegISEtoken.ca.conn', 'ca1'),
+    ('op.format.externalRegISEtoken.cardmgr_instance', 'A0000000030000'),
+    ('op.format.externalRegISEtoken.cuidMustMatchKDD', 'false'),
+    ('op.format.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'),
+    ('op.format.externalRegISEtoken.issuerinfo.enable', 'true'),
+    ('op.format.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'),
+    ('op.format.externalRegISEtoken.loginRequest.enable', 'true'),
+    ('op.format.externalRegISEtoken.maximumGPKeyVersion', 'FF'),
+    ('op.format.externalRegISEtoken.minimumGPKeyVersion', '01'),
+    ('op.format.externalRegISEtoken.revokeCert', 'false'),
+    ('op.format.externalRegISEtoken.revokeCert.reason', '0'),
+    ('op.format.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'),
+    ('op.format.externalRegISEtoken.tks.conn', 'tks1'),
+    ('op.format.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'),
+    ('op.format.externalRegISEtoken.update.applet.emptyToken.enable', 'true'),
+    ('op.format.externalRegISEtoken.update.applet.encryption', 'true'),
+    ('op.format.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'),
+    ('op.format.externalRegISEtoken.update.symmetricKeys.enable', 'false'),
+    ('op.format.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'),
+    ('op.format.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true'),
+    ('op.enroll.externalRegISEtoken._000', '#########################################'),
+    ('op.enroll.externalRegISEtoken._001', '# Enrollment for externalReg'),
+    ('op.enroll.externalRegISEtoken._002', '#     ID, Signing,Encryption'),
+    ('op.enroll.externalRegISEtoken._003', '#    controlled by registration user record'),
+    ('op.enroll.externalRegISEtoken._004', '#########################################'),
+    ('op.enroll.externalRegISEtoken.auth.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.auth.id', 'ldap1'),
+    ('op.enroll.externalRegISEtoken.cardmgr_instance', 'A0000000030000'),
+    ('op.enroll.externalRegISEtoken.cuidMustMatchKDD', 'false'),
+    ('op.enroll.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'),
+    ('op.enroll.externalRegISEtoken.issuerinfo.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.SANpattern', '$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.conn', 'ca1'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyEnrollment'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId', 'c3'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.certId', 'C3'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label', '$cuid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.keySize', '1024'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUser', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.label', 'authentication key for $userid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.overwrite', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.decrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.encrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.private', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sensitive', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sign', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.signRecover', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.unwrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verify', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verifyRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.wrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyAttrId', 'k6'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyNumber', '6'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.decrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.encrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.private', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sensitive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sign', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.signRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.unwrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verify', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verifyRecover', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.wrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyAttrId', 'k7'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyNumber', '7'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason', '6'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.archive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.drm.conn', 'kra1'),
+    ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.enable', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.SANpattern', '$auth.mail$,$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption._000', '#########################################'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption._001', '# encryption cert/keys are "recovered" for this profile'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption._002', '# controlled from User Registartion db'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption._003', '#########################################'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.conn', 'ca1'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.profileId', 'caTokenUserEncryptionKeyEnrollment'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId', 'c2'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.certId', 'C2'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label', '$cuid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.keySize', '1024'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUser', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.label', 'encryption key for $userid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.overwrite', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.decrypt', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.encrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.private', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sensitive', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sign', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.signRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.unwrap', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verify', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verifyRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.wrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyAttrId', 'k4'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyNumber', '4'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.decrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.encrypt', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.private', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sensitive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sign', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.signRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.unwrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verify', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.wrap', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyAttrId', 'k5'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyNumber', '5'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert.reason', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.scheme', 'RecoverLast'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason', '6'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.archive', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.drm.conn', 'kra1'),
+    ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.enable', 'True'),
+    ('op.enroll.externalRegISEtoken.keyGen.keyType.num', '3'),
+    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.0', 'signing'),
+    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.1', 'authentication'),
+    ('op.enroll.externalRegISEtoken.keyGen.keyType.value.2', 'encryption'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.num', '3'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.0', 'signing'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.1', 'authentication'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.2', 'encryption'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.num', '3'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.0', 'signing'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.1', 'authentication'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.2', 'encryption'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.num', '3'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.0', 'signing'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.1', 'authentication'),
+    ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.2', 'encryption'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.SANpattern', '$auth.mail$'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.ca.conn', 'ca1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.ca.profileId', 'caTokenUserDelegateSigningKeyEnrollment'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.certAttrId', 'c1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.certId', 'C1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.cuid_label', '$cuid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.keySize', '1024'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.keyUsage', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.keyUser', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.label', 'signing key for $userid$'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.overwrite', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.decrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.encrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.private', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sensitive', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sign', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.signRecover', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.unwrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verify', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verifyRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.wrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyAttrId', 'k2'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyNumber', '2'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.decrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.derive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.encrypt', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.private', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sensitive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sign', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.signRecover', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.token', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.unwrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verify', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verifyRecover', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.wrap', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyAttrId', 'k3'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyNumber', '3'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert.reason', '0'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason', '6'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert', 'true'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert.reason', '1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeExpiredCerts', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.scheme', 'GenerateNewKey'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.archive', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.drm.conn', 'kra1'),
+    ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.enable', 'false'),
+    ('op.enroll.externalRegISEtoken.keyGen.tokenName', '$auth.cn$'),
+    ('op.enroll.externalRegISEtoken.loginRequest.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.maximumGPKeyVersion', 'FF'),
+    ('op.enroll.externalRegISEtoken.minimumGPKeyVersion', '01'),
+    ('op.enroll.externalRegISEtoken.pinReset.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.pinReset.pin.maxLen', '10'),
+    ('op.enroll.externalRegISEtoken.pinReset.pin.maxRetries', '127'),
+    ('op.enroll.externalRegISEtoken.pinReset.pin.minLen', '4'),
+    ('op.enroll.externalRegISEtoken.pkcs11obj.compress.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.pkcs11obj.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.renewal._000', '#########################################'),
+    ('op.enroll.externalRegISEtoken.renewal._001', '# Token Renewal.'),
+    ('op.enroll.externalRegISEtoken.renewal._002', '#'),
+    ('op.enroll.externalRegISEtoken.renewal._003', '# For each token in TPS UI, set the'),
+    ('op.enroll.externalRegISEtoken.renewal._004', '# following to trigger renewal'),
+    ('op.enroll.externalRegISEtoken.renewal._005', '# operations:'),
+    ('op.enroll.externalRegISEtoken.renewal._006', '#'),
+    ('op.enroll.externalRegISEtoken.renewal._007', '#     RENEW=YES'),
+    ('op.enroll.externalRegISEtoken.renewal._008', '#'),
+    ('op.enroll.externalRegISEtoken.renewal._009', '# Optional grace period enforcement'),
+    ('op.enroll.externalRegISEtoken.renewal._010', '# must coincide exactly with what'),
+    ('op.enroll.externalRegISEtoken.renewal._011', '# the CA enforces.'),
+    ('op.enroll.externalRegISEtoken.renewal._012', '#'),
+    ('op.enroll.externalRegISEtoken.renewal._013', '# In case of renewal, encryption certId'),
+    ('op.enroll.externalRegISEtoken.renewal._014', '# values are for completeness only, server'),
+    ('op.enroll.externalRegISEtoken.renewal._015', '# code calculates actual values used.'),
+    ('op.enroll.externalRegISEtoken.renewal._016', '#'),
+    ('op.enroll.externalRegISEtoken.renewal._017', '#########################################'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.ca.conn', 'ca1'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyRenewal'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.certAttrId', 'c3'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.certId', 'C3'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.after', '30'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.before', '30'),
+    ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.enable', 'false'),
+    ('op.enroll.externalRegISEtoken.renewal.keyType.num', '2'),
+    ('op.enroll.externalRegISEtoken.renewal.keyType.value.0', 'signing'),
+    ('op.enroll.externalRegISEtoken.renewal.keyType.value.1', 'authentication'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.ca.conn', 'ca1'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.ca.profileId', 'caTokenUserSigningKeyRenewal'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.certAttrId', 'c1'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.certId', 'C1'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.after', '30'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.before', '30'),
+    ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.enable', 'false'),
+    ('op.enroll.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'),
+    ('op.enroll.externalRegISEtoken.temporaryToken.tokenType', 'externalRegISEtokenTemporary'),
+    ('op.enroll.externalRegISEtoken.tks.conn', 'tks1'),
+    ('op.enroll.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'),
+    ('op.enroll.externalRegISEtoken.update.applet.emptyToken.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.update.applet.enable', 'true'),
+    ('op.enroll.externalRegISEtoken.update.applet.encryption', 'true'),
+    ('op.enroll.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'),
+    ('op.enroll.externalRegISEtoken.update.symmetricKeys.enable', 'false'),
+    ('op.enroll.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'),
+    ('op.enroll.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true')
+]
+
+
+class AddTPSExternalRegISEtokenParams(PKIServerUpgradeScriptlet):
+    def __init__(self):
+        super(AddTPSExternalRegISEtokenParams, self).__init__()
+        self.parser = etree.XMLParser(remove_blank_text=True)
+        self.message = 'Add token profile params for externalRegISEtoken for TPS CS.cfg'
+
+    def upgrade_subsystem(self, instance, subsystem):
+        if subsystem.name == 'tps':
+            self.upgrade_config(instance, subsystem)
+
+    def upgrade_config(self, instance, subsystem):  # pylint: disable=W0613
+        filename = os.path.join(subsystem.conf_dir, 'CS.cfg')
+        server_xml = os.path.join(instance.conf_dir, 'server.xml')
+        self.backup(filename)
+        properties = pki.PropertyFile(filename)
+        properties.read()
+
+        # Get the unsecure phone home url out of the server.xml
+
+        tps_unsecure_port = None
+        hostname = socket.gethostname()
+
+        document = etree.parse(server_xml, self.parser)
+        server = document.getroot()
+        connectors = server.findall('.//Connector')
+
+        for connector in connectors:
+            # find the Secure connector
+            name = connector.get('name')
+            if name != 'Unsecure':
+                continue
+            else:
+                tps_unsecure_port = connector.get('port')
+
+        # if the property exists, leave it alone', otherwise set
+        # it to the value defined above
+        # replace the standard non secure phone home url with value
+        # from the server.xml file, which is known correct
+
+        for k, v in proplist:
+            cur = properties.get(k)
+            if cur is None:
+                properties.set(k, v)
+                # handle the case when we have an issuer url to plug in
+                if k.find("issuerinfo.value") != -1:
+                    if tps_unsecure_port is not None:
+                        properties.set(k, "http://" + hostname + ":" + tps_unsecure_port + "/tps/phoneHome")
+
+        properties.write()
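Review bot: If server.xml has no connector named `Unsecure`, `tps_unsecure_port` stays `None` and the `for k, v in proplist` loop silently writes the literal template `http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome` into the live CS.cfg; add a guard after the connector loop, `if tps_unsecure_port is None: raise Exception('No Unsecure connector found in ' + server_xml)`, or at least log a warning and leave the two `issuerinfo.value` keys unset. `socket.gethostname()` can return the short host name, while pkispawn, as far as I recall, fills `pki_hostname` from the FQDN, so `socket.getfqdn()` would match the installer-generated phoneHome URL more closely — confirm against the deployment defaults. The parser built in `__init__` uses lxml defaults, which resolve entity references; the input is an admin-owned server.xml read by a root upgrade script, so the exposure is small, but `etree.XMLParser(remove_blank_text=True, resolve_entities=False)` costs nothing. Two value nits in `proplist`: `keyGen.encryption.serverKeygen.enable` is `'True'` while every other boolean in the list is lowercase (verify the Java side parses it case-insensitively, otherwise this silently differs from the `'false'` entries), and the three `keySize` entries hard-code 1024-bit RSA, which is below current minimums — that mirrors the shipped profile, but a comment saying so would stop an upgraded instance from being assumed stronger than it is. The license header and the comment `# if the property exists, leave it alone',` carry stray `',` artifacts that look like a search-and-replace accident.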
-- 
1.8.3.1


From 42152f3c4b43e4aeb5c08223df2f0998f56a4c34 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 25 Jan 2018 03:48:35 +0100
Subject: [PATCH 03/18] Updated RollingLogFile.EXPIRATION_TIME.

The RollingLogFile.EXPIRATION_TIME has been changed to 0 such that
log expiration is disabled in case the log.instance.*.expirationTime
parameter is missing from the CS.cfg.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I8c8c7a1560f986920244f9660b0de10e197f93b4
(cherry picked from commit e2a72fff7413cf084cf5f629cbaa0e8a9c2c64a0)
(cherry picked from commit 4b48f2c589f4320e23632ceccd9b20dba7ca140f)
---
 base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index d804850..e0eb1df 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -66,7 +66,7 @@ public class RollingLogFile extends LogFile {
     /**
      * The default expiration time in seconds
      */
-    static final String EXPIRATION_TIME = "2592000";
+    static final String EXPIRATION_TIME = "0";
 
     /**
      * The maximum file size in bytes
-- 
1.8.3.1


From 2c1653d822d40b5d305f76a225d18614ad3ecd89 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 25 Jan 2018 04:32:23 +0100
Subject: [PATCH 04/18] Merged TOKEN_APPLET_UPGRADE events.

The TOKEN_APPLET_UPGRADE_* events have been merged into a single
event with different outcomes, and the event has been encapsulated
in the TokenAppletUpgradeEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: Ifa34eacaa5a0da1c8026eb702e09828234d7f0f5
(cherry picked from commit c006503ca9f99389da85da091a856d226a7eb244)
(cherry picked from commit 5d3ddcd3335023e4f8d3303fdeac95de2ea2851f)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
 .../logging/event/TokenAppletUpgradeEvent.java     | 56 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  8 ++--
 .../server/tps/processor/TPSProcessor.java         | 21 ++++----
 4 files changed, 72 insertions(+), 17 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 8aebd0f..6bf2df6 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -133,10 +133,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
     public final static String TOKEN_FORMAT_FAILURE =
             "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
-    public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
-    public final static String TOKEN_APPLET_UPGRADE_FAILURE =
-            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
     public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
             "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
     public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java
new file mode 100644
index 0000000..06df664
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java
@@ -0,0 +1,56 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class TokenAppletUpgradeEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS";
+
+    public final static String TOKEN_APPLET_UPGRADE_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE";
+
+    public TokenAppletUpgradeEvent(
+            String messageID,
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String outcome,
+            String keyVersion,
+            String oldAppletVersion,
+            String newAppletVersion,
+            String info) {
+
+        super(messageID);
+
+        setAttribute("IP", ip);
+        setAttribute("SubjectID", subjectID);
+        setAttribute("CUID", cuid);
+        setAttribute("MSN", msn);
+        setAttribute("Outcome", outcome);
+        setAttribute("KeyVersion", keyVersion);
+        setAttribute("oldAppletVersion", oldAppletVersion);
+        setAttribute("newAppletVersion", newAppletVersion);
+        setAttribute("Info", info);
+    }
+}
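Review bot: The modifier order `public final static` on the two message-ID constants should be `public static final`, the canonical order recommended by the JLS and used by most Java style checkers; the same applies to the constants in TokenKeyChangeoverEvent in patch 05. The new class and its ten-argument constructor have no Javadoc, and the attribute names mix capitalised keys (`IP`, `CUID`, `Outcome`) with camel-case ones (`oldAppletVersion`, `newAppletVersion`), which matters because audit filters such as `(Outcome=Failure)` address attributes by exact name. A class comment along the lines of `/** Signed audit event for a token applet upgrade; Outcome carries the status string supplied by the caller and is what log filters match on. */` would make the contract visible, and the attribute key casing should be stated as deliberate or made uniform before other code starts filtering on these keys.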
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 4ec6c39..183987f 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2235,8 +2235,8 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_
 # CertSubject must be the certificate subject name of the certificate request
 # CMCSignerInfo must be a unique String representation for the CMC request signer
 #
-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification success
-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification failure
+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
 
 # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
@@ -2613,12 +2613,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=<type=TOKEN_FORMAT_FAILURE>:[AuditEv
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
 # - used when token apple upgrade succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=<type=TOKEN_APPLET_UPGRADE_SUCCESS>:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
 #
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
 # - used when token apple upgrade failed
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=<type=TOKEN_APPLET_UPGRADE_FAILURE>:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
 # - used when token key changeover is required
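Review bot: The change to the two CMC_USER_SIGNED_REQUEST_SIG_VERIFY messages in the first hunk of this file (the added `{0}` placeholder) is not covered by the commit message, which only describes merging the TOKEN_APPLET_UPGRADE events; it should either be mentioned in the description or split into its own commit so the audit-format change stays traceable. In this hunk the per-field placeholders `[IP={0}]...[Info={8}]` have been replaced by a single `{0}`, but the description comments above each key still do not say what fills it; a line such as `# - {0} is replaced with the event's attribute list` next to each key would document the new format. The context comment "used when token apple upgrade succeeded" also still reads "apple" where "applet" is meant.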
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index a78db64..1093d78 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -95,6 +95,7 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.LogEvent;
+import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.logging.Logger;
 import com.netscape.cms.logging.SignedAuditLogger;
@@ -4164,27 +4165,29 @@ public class TPSProcessor {
             String newVersion,
             String info) {
 
-        String auditType = "";
+        String auditType;
+
         switch (status) {
         case "success":
-            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
+            auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
             break;
         default:
-            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE;
+            auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_FAILURE;
         }
 
-        String auditMessage = CMS.getLogMessage(
+        TokenAppletUpgradeEvent event = new TokenAppletUpgradeEvent(
                 auditType,
-                (session != null) ? session.getIpAddress() : null,
+                session != null ? session.getIpAddress() : null,
                 userid,
-                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
-                (aInfo != null) ? aInfo.getMSNString() : null,
+                aInfo != null ? aInfo.getCUIDhexStringPlain() : null,
+                aInfo != null ? aInfo.getMSNString() : null,
                 status,
                 keyVersion,
-                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                aInfo != null ? aInfo.getFinalAppletVersion() : null,
                 newVersion,
                 info);
-        audit(auditMessage);
+
+        signedAuditLogger.log(event);
     }
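Review bot: The event's `Outcome` attribute is filled from the raw `status` argument (it is passed through the constructor's `outcome` parameter), while the switch above only recognises the literal "success" and routes every other value to the failure message; the default filter `(Outcome=Failure)` that patch 06 adds for TOKEN_APPLET_UPGRADE will therefore only match if callers happen to pass exactly that spelling, which this hunk does not guarantee and, depending on how filters are evaluated, may miss lowercase or other status strings. Consider deriving the attribute from the branch taken, e.g. `String outcome = "success".equals(status) ? "Success" : "Failure";` and passing `outcome` instead of `status` to the constructor, or at least document in the method's Javadoc which values of `status` are expected. The same pattern appears in the TOKEN_KEY_CHANGEOVER hunk of patch 05. The enclosing method's signature starts before this hunk.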
 
     protected void auditKeyChangeoverRequired(AppletInfo aInfo,
-- 
1.8.3.1


From 7ab4d71f5a6c5c5ff8be1bbeaac6528ec652cc32 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 25 Jan 2018 04:49:06 +0100
Subject: [PATCH 05/18] Merged TOKEN_KEY_CHANGEOVER events.

The TOKEN_KEY_CHANGEOVER_* events have been merged into a single
event with different outcomes, and the event has been encapsulated
in the TokenKeyChangeoverEvent class.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I09c5179645c2037ff6208e923f35177104e5babd
(cherry picked from commit 2c614e982805349b1c28f8647cd2be615c9ca1cd)
(cherry picked from commit 64bd7ecf033385972988b7c675ee446be8537644)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
 .../logging/event/TokenKeyChangeoverEvent.java     | 58 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  4 +-
 .../server/tps/processor/TPSProcessor.java         | 21 ++++----
 4 files changed, 72 insertions(+), 15 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 6bf2df6..131b2a9 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -135,10 +135,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
     public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
             "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
-    public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
-    public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
-            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
     public final static String TOKEN_AUTH_FAILURE =
             "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
     public final static String TOKEN_AUTH_SUCCESS =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java
new file mode 100644
index 0000000..5bbfe26
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java
@@ -0,0 +1,58 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class TokenKeyChangeoverEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS";
+
+    public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE";
+
+    public TokenKeyChangeoverEvent(
+            String messageID,
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String outcome,
+            String tokenType,
+            String appletVersion,
+            String oldKeyVersion,
+            String newKeyVersion,
+            String info) {
+
+        super(messageID);
+
+        setAttribute("IP", ip);
+        setAttribute("SubjectID", subjectID);
+        setAttribute("CUID", cuid);
+        setAttribute("MSN", msn);
+        setAttribute("Outcome", outcome);
+        setAttribute("tokenType", tokenType);
+        setAttribute("AppletVersion", appletVersion);
+        setAttribute("oldKeyVersion", oldKeyVersion);
+        setAttribute("newKeyVersion", newKeyVersion);
+        setAttribute("Info", info);
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 183987f..9ca508a 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2627,12 +2627,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER
 # LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
 # - used when token key changeover succeeded
 # - Info usually is unused for success
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10=<type=TOKEN_KEY_CHANGEOVER_SUCCESS>:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
 # - used when token key changeover failed
 # - Info is used for storing more info in case of failure
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=<type=TOKEN_KEY_CHANGEOVER_FAILURE>:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
 # - used when authentication failed
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 1093d78..811c9a7 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -96,6 +96,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.LogEvent;
 import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
+import com.netscape.certsrv.logging.event.TokenKeyChangeoverEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.logging.Logger;
 import com.netscape.cms.logging.SignedAuditLogger;
@@ -4218,28 +4219,30 @@ public class TPSProcessor {
             String newKeyVersion,
             String info) {
 
-        String auditType = "";
+        String auditType;
+
         switch (status) {
         case "success":
-            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
+            auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
             break;
         default:
-            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
+            auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
         }
 
-        String auditMessage = CMS.getLogMessage(
+        TokenKeyChangeoverEvent event = new TokenKeyChangeoverEvent(
                 auditType,
-                (session != null) ? session.getIpAddress() : null,
+                session != null ? session.getIpAddress() : null,
                 userid,
-                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
-                (aInfo != null) ? aInfo.getMSNString() : null,
+                aInfo != null ? aInfo.getCUIDhexStringPlain() : null,
+                aInfo != null ? aInfo.getMSNString() : null,
                 status,
                 getSelectedTokenType(),
-                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                aInfo != null ? aInfo.getFinalAppletVersion() : null,
                 oldKeyVersion,
                 newKeyVersion,
                 info);
-        audit(auditMessage);
+
+        signedAuditLogger.log(event);
     }
 
     /*
-- 
1.8.3.1


From 6bf58209dda17ab2e76e6038e7a6209539e37816 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 21 Apr 2017 20:16:16 +0200
Subject: [PATCH 06/18] Updated default audit events.

The default audit events and their filters have been updated in
all PKI subsystem configuration files.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I867a38a366ad7cc23d71f2a0c22996a9ccce8088
(cherry picked from commit d928a667e6d573ce1d1d936d3c3682945bb0f9fc)
(cherry picked from commit a67cfbaee71e3f2254fb8ee201bd47fbcd60d834)
---
 base/ca/shared/conf/CS.cfg   |  8 +++++++-
 base/kra/shared/conf/CS.cfg  | 16 +++++++++++++++-
 base/ocsp/shared/conf/CS.cfg |  3 ++-
 base/tks/shared/conf/CS.cfg  |  3 ++-
 base/tps/shared/conf/CS.cfg  |  5 ++++-
 5 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 908407b..76a7057 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -909,8 +909,14 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
+log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.FULL_CRL_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.OCSP_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
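Review bot: The new default event list silently drops events that were previously enabled by default, and the commit message does not say which ones or why; comparing the removed and added lines here, AUDIT_LOG_DELETE, CONFIG_ACL, CERT_STATUS_CHANGE_REQUEST and CERT_STATUS_CHANGE_REQUEST_PROCESSED are gone, and in the TPS hunk TOKEN_AUTH_FAILURE, TOKEN_FORMAT_FAILURE, TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE and TOKEN_CERT_ENROLLMENT are gone. Where an event was merged or renamed earlier in this series that is expected, but events that still exist should either remain in the default set or be listed in the commit message as an intentional reduction, since these files are the shipped defaults and the narrower set reduces what an investigator can reconstruct from the signed audit log. The same review applies to the KRA, OCSP and TKS hunks of this commit.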
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index a5ddab6..06bd0fe 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -304,8 +304,22 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
+log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
+log.instance.SignedAudit.filters.KEY_RECOVERY_AGENT_LOGIN=(Outcome=Failure)
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST=(Outcome=Failure)
+log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=(Outcome=Failure)
+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST=(Outcome=Failure)
+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outcome=Failure)
+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure)
+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure)
+log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)
+log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
 log.instance.SignedAudit.flushInterval=5
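Review bot: The added line `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)` is malformed: the `_PROCESSED` suffix has landed on the value side of the `=`, so the key duplicates the one on the line above and its value becomes `PROCESSED (Outcome=Failure)`, which is not a valid filter expression. As written, SERVER_SIDE_KEYGEN_REQUEST_PROCESSED gets no filter at all and the SERVER_SIDE_KEYGEN_REQUEST filter is either left intact or overwritten with the broken value depending on which duplicate the property loader keeps. It should read `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)`.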
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
index 13c9bcf..dc993b0 100644
--- a/base/ocsp/shared/conf/CS.cfg
+++ b/base/ocsp/shared/conf/CS.cfg
@@ -220,8 +220,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ocsp_cert-ocsp_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
index 751398f..d1da996 100644
--- a/base/tks/shared/conf/CS.cfg
+++ b/base/tks/shared/conf/CS.cfg
@@ -212,8 +212,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tks_cert-tks_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index c244d19..c44bc75 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -229,8 +229,11 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
 log.instance.SignedAudit._006=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ,AUTH,ROLE_ASSUME,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_GENERAL,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_RECORD,CONFIG_TOKEN_AUTHENTICATOR,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
+log.instance.SignedAudit.filters.TOKEN_KEY_CHANGEOVER=(Outcome=Failure)
 log.instance.SignedAudit.unselected.events=
 log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 log.instance.SignedAudit.expirationTime=0
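Review bot: The new default on the `events=` line no longer enables the token failure events the old list carried (TOKEN_AUTH_FAILURE, TOKEN_PIN_RESET_FAILURE, TOKEN_FORMAT_FAILURE, TOKEN_CERT_ENROLLMENT among others), and `log.instance.SignedAudit.unselected.events=` stays empty, so those names are neither selected nor recorded as optional. If they have been renamed or folded into the new TOKEN_APPLET_UPGRADE / TOKEN_KEY_CHANGEOVER events, the `_005` comment in the hunk header, which still enumerates the old names, should be updated in the same change; if they are intentionally off by default, a `##` comment line next to `_006` stating that would tell operators what the default audit trail no longer covers. The three added `(Outcome=Failure)` filters also drop the success records for SELFTESTS_EXECUTION, TOKEN_APPLET_UPGRADE and TOKEN_KEY_CHANGEOVER, which removes the baseline an auditor would compare failures against; worth confirming that is the intent rather than only noise reduction.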
-- 
1.8.3.1


From 6bf945e96d8c41e21eb22105e46c33f11f2be26c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 26 Jan 2018 20:56:45 +0100
Subject: [PATCH 07/18] Using case-insensitive audit event filter.

The code that evaluates audit event filter has been modified to
use case-insensitive attribute value comparison.

https://pagure.io/dogtagpki/issue/2656

Change-Id: I548dee048b0ed70779fb67a8cdfc39943f2bc9b7
(cherry picked from commit a1ff57e0b84a4737771511268c5b92a8af975ca3)
(cherry picked from commit 5e4785bf697fc2844255c3499b2944c84899aa3e)
---
 base/server/cms/src/com/netscape/cms/logging/LogFile.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index 738eabf..510e796 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -1202,7 +1202,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
 
         String stringAttr = (String)attr;
 
-        return value.equals(stringAttr);
+        return value.equalsIgnoreCase(stringAttr);
     }
 
     public boolean eval(SignedAuditEvent event, JDAPFilterSubString filter) {
@@ -1215,18 +1215,18 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
         if (attr == null) return false;
         if (!(attr instanceof String)) return false;
 
-        String stringAttr = (String)attr;
+        String stringAttr = ((String)attr).toLowerCase();
 
         // check initial substring
         String initialSubstring = filter.getInitialSubstring();
         if (initialSubstring != null) {
-            if (!stringAttr.startsWith(initialSubstring)) return false;
+            if (!stringAttr.startsWith(initialSubstring.toLowerCase())) return false;
             stringAttr = stringAttr.substring(initialSubstring.length());
         }
 
         // check any substrings
         for (String anySubstring : filter.getAnySubstrings()) {
-            int p = stringAttr.indexOf(anySubstring);
+            int p = stringAttr.indexOf(anySubstring.toLowerCase());
             if (p < 0) return false;
             stringAttr = stringAttr.substring(p + anySubstring.length());
         }
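Review bot: Lowering with the default-locale `toLowerCase()` and then advancing by `initialSubstring.length()` / `anySubstring.length()` of the un-lowered strings can desynchronise the scan: `String.toLowerCase()` is locale-sensitive (under a Turkish locale `I` lowers to dotless ı) and some characters change length when case-folded, so the offset taken from the original substring no longer matches the lowered `stringAttr`. Lower each substring once with `Locale.ROOT` into a local and use that local for both the match and the length; the same applies to the final-substring check in the next hunk (lines 1050-1055), and `java.util.Locale` needs to be imported. The enclosing eval(SignedAuditEvent, JDAPFilterSubString) begins in this hunk's context and ends after the following hunk.
```java
        String stringAttr = ((String)attr).toLowerCase(Locale.ROOT);

        // check initial substring
        String initialSubstring = filter.getInitialSubstring();
        if (initialSubstring != null) {
            String prefix = initialSubstring.toLowerCase(Locale.ROOT);
            if (!stringAttr.startsWith(prefix)) return false;
            stringAttr = stringAttr.substring(prefix.length());
        }

        // check any substrings
        for (String anySubstring : filter.getAnySubstrings()) {
            String part = anySubstring.toLowerCase(Locale.ROOT);
            int p = stringAttr.indexOf(part);
            if (p < 0) return false;
            stringAttr = stringAttr.substring(p + part.length());
        }

        // … unchanged: final substring check, lowered the same way with Locale.ROOT …
```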
@@ -1234,7 +1234,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
         // check final substring
         String finalSubstring = filter.getFinalSubstring();
         if (finalSubstring != null) {
-            if (!stringAttr.endsWith(finalSubstring)) return false;
+            if (!stringAttr.endsWith(finalSubstring.toLowerCase())) return false;
         }
 
         return true;
-- 
1.8.3.1


From 37a29eeb71a0e9adb81eb0e4c00fa36afcb17598 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 12 Dec 2017 01:59:53 +0100
Subject: [PATCH 08/18] Fixed pylint warnings.

Some Python files have been modified to avoid pylint warnings due
to subsequent changes.

https://pagure.io/dogtagpki/issue/167

Change-Id: If16e5d7f60cef776c6b65ad9f803b178ba52bc85
(cherry picked from commit c2f4157973880d7c0744718b0887ac184f085bcb)
(cherry picked from commit 75542c58f88f204c2f80d029946e65df7c26a54f)
---
 .../python/pki/server/deployment/pkihelper.py      |  2 +-
 .../server/deployment/scriptlets/configuration.py  | 44 +++++++++++-----------
 base/server/sbin/pkidestroy                        |  1 +
 base/server/sbin/pkispawn                          |  1 +
 4 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 7f88873..8195e28 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -4109,7 +4109,7 @@ class ConfigClient:
         if not nickname:
             nickname = cert.nickname
 
-        config.pki_log.info("loading %s certificate" % nickname,
+        config.pki_log.info("loading %s certificate", nickname,
                             extra=config.PKI_INDENTATION_LEVEL_2)
 
         cert.cert = nssdb.get_cert(nickname)
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 43e9d83..2cda5e0 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -94,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         cert_id = self.get_cert_id(subsystem, tag)
 
         config.pki_log.info(
-            "generating %s CSR in %s" % (cert_id, csr_path),
+            "generating %s CSR in %s", cert_id, csr_path,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         subject_dn = deployer.mdict['pki_%s_subject_dn' % cert_id]
@@ -361,7 +361,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             return
 
         config.pki_log.info(
-            "importing %s CSR from %s" % (tag, csr_path),
+            "importing %s CSR from %s", tag, csr_path,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         with open(csr_path) as f:
@@ -377,7 +377,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             return
 
         config.pki_log.info(
-            "importing ca_signing CSR from %s" % csr_path,
+            "importing ca_signing CSR from %s", csr_path,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         with open(csr_path) as f:
@@ -404,7 +404,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_ca_signing_nickname']
 
         config.pki_log.info(
-            "importing ca_signing certificate from %s" % cert_file,
+            "importing ca_signing certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -421,7 +421,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_ocsp_signing_nickname']
 
         config.pki_log.info(
-            "importing ca_ocsp_signing certificate from %s" % cert_file,
+            "importing ca_ocsp_signing certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -438,7 +438,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_sslserver_nickname']
 
         config.pki_log.info(
-            "importing sslserver certificate from %s" % cert_file,
+            "importing sslserver certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -455,7 +455,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_subsystem_nickname']
 
         config.pki_log.info(
-            "importing subsystem certificate from %s" % cert_file,
+            "importing subsystem certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -472,7 +472,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_audit_signing_nickname']
 
         config.pki_log.info(
-            "importing audit_signing certificate from %s" % cert_file,
+            "importing audit_signing certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -494,7 +494,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
         try:
             config.pki_log.info(
-                "importing admin certificate from %s" % cert_file,
+                "importing admin certificate from %s", cert_file,
                 extra=config.PKI_INDENTATION_LEVEL_2)
 
             client_nssdb.import_cert_chain(
@@ -514,7 +514,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_storage_nickname']
 
         config.pki_log.info(
-            "importing kra_storage certificate from %s" % cert_file,
+            "importing kra_storage certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -531,7 +531,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_transport_nickname']
 
         config.pki_log.info(
-            "importing kra_transport certificate from %s" % cert_file,
+            "importing kra_transport certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -548,7 +548,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_ocsp_signing_nickname']
 
         config.pki_log.info(
-            "importing ocsp_signing certificate from %s" % cert_file,
+            "importing ocsp_signing certificate from %s", cert_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -563,7 +563,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             return
 
         config.pki_log.info(
-            "importing certificates and keys from %s" % pkcs12_file,
+            "importing certificates and keys from %s", pkcs12_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         pkcs12_password = deployer.mdict['pki_external_pkcs12_password']
@@ -578,7 +578,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         nickname = deployer.mdict['pki_cert_chain_nickname']
 
         config.pki_log.info(
-            "importing certificate chain from %s" % chain_file,
+            "importing certificate chain from %s", chain_file,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb.import_cert_chain(
@@ -787,7 +787,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             return
 
         config.pki_log.info(
-            "validating %s certificate" % tag,
+            "validating %s certificate", tag,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         subsystem.validate_system_cert(tag)
@@ -820,7 +820,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             nickname = deployer.mdict['pki_self_signed_nickname']
 
             config.pki_log.info(
-                "checking existing SSL server cert: %s" % nickname,
+                "checking existing SSL server cert: %s", nickname,
                 extra=config.PKI_INDENTATION_LEVEL_2)
 
             pem_cert = nssdb.get_cert(nickname)
@@ -831,7 +831,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 hostname = cn.value
 
                 config.pki_log.info(
-                    "existing SSL server cert is for %s" % hostname,
+                    "existing SSL server cert is for %s", hostname,
                     extra=config.PKI_INDENTATION_LEVEL_2)
 
                 # if hostname is correct, don't create temp cert
@@ -839,13 +839,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                     return False
 
                 config.pki_log.info(
-                    "removing SSL server cert for %s" % hostname,
+                    "removing SSL server cert for %s", hostname,
                     extra=config.PKI_INDENTATION_LEVEL_2)
 
                 nssdb.remove_cert(nickname, remove_key=True)
 
             config.pki_log.info(
-                "creating temp SSL server cert for %s" % deployer.mdict['pki_hostname'],
+                "creating temp SSL server cert for %s", deployer.mdict['pki_hostname'],
                 extra=config.PKI_INDENTATION_LEVEL_2)
 
             # TODO: replace with pki-server create-cert sslserver --temp
@@ -911,7 +911,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         token = deployer.mdict['pki_token_name']
 
         config.pki_log.info(
-            "removing temp SSL server cert from internal token: %s" % nickname,
+            "removing temp SSL server cert from internal token: %s", nickname,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         nssdb = instance.open_nssdb()
@@ -934,7 +934,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         token = deployer.mdict['pki_token_name']
 
         config.pki_log.info(
-            "importing permanent SSL server cert into %s token: %s" % (token, nickname),
+            "importing permanent SSL server cert into %s token: %s", token, nickname,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         tmpdir = tempfile.mkdtemp()
@@ -1121,7 +1121,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
         restart_server = os.path.join(instance.conf_dir, 'restart_server_after_configuration')
         config.pki_log.debug(
-            'creating %s' % restart_server,
+            'creating %s', restart_server,
             extra=config.PKI_INDENTATION_LEVEL_2)
 
         open(restart_server, 'a').close()
diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy
index 0b6ef6b..23feba1 100755
--- a/base/server/sbin/pkidestroy
+++ b/base/server/sbin/pkidestroy
@@ -265,6 +265,7 @@ def log_error_details():
     config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2)
     del e_type, e_value, e_stacktrace
 
+
 # PKI Deployment Entry Point
 if __name__ == "__main__":
     signal.signal(signal.SIGINT, interrupt_handler)
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index d671ba7..052edb4 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -874,6 +874,7 @@ def log_error_details():
     config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2)
     del e_type, e_value, e_stacktrace
 
+
 # PKI Deployment Entry Point
 if __name__ == "__main__":
     signal.signal(signal.SIGINT, interrupt_handler)
-- 
1.8.3.1


From 66c0aeb997f840c3253a78f30d90273834833f7e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 30 Jan 2018 03:19:21 +0100
Subject: [PATCH 09/18] Refactored pkispawn and pkidestroy logger configuration

The method that configures the loggers for pkispawn and pkidestroy
has been modified to configure the global pki logger as well.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I66b532a87c1e728ad2adc673e35dfc6bcb568570
(cherry picked from commit 5dcab6c7ef62d08c51bca90ece03198b82c54aef)
(cherry picked from commit 094d238a75f0335f9c374f65f0bc1d913ea49444)
---
 .../python/pki/server/deployment/pkilogging.py     | 26 +++++++++++++---------
 base/server/sbin/pkidestroy                        | 15 +++++--------
 base/server/sbin/pkispawn                          | 16 +++++--------
 3 files changed, 26 insertions(+), 31 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
index 7a7afd7..2634189 100644
--- a/base/server/python/pki/server/deployment/pkilogging.py
+++ b/base/server/python/pki/server/deployment/pkilogging.py
@@ -24,6 +24,8 @@ import logging
 import os
 import pprint
 
+from pki.server.deployment import pkiconfig as config
+
 sensitive_parameters = []
 
 # Initialize 'pretty print' for objects
@@ -46,15 +48,9 @@ def log_format(given_dict):
 
 # PKI Deployment Logging Functions
 def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name):
-    if not os.path.isdir(log_dir):
-        try:
-            os.makedirs(log_dir)
-        except OSError:
-            return OSError
 
-    # Configure logger
-    logger = logging.getLogger(name)
-    logger.setLevel(log_level)
+    if not os.path.isdir(log_dir):
+        os.makedirs(log_dir)
 
     # Configure console handler
     console = logging.StreamHandler()
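Review bot: `os.makedirs(log_dir)` on the new line 1369 now lets any OSError propagate, and the two callers changed in this patch (pkidestroy lines 1417-1421, pkispawn lines 1444-1448) dropped the `log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1` message and `sys.exit(1)`, so an unwritable log directory now ends in a traceback rather than that message. Returning the OSError class as a sentinel was worth removing, but the user-facing handling should move rather than disappear: wrap the call at each site in `try:` / `except OSError: print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir); sys.exit(1)`. The `isdir` check followed by `makedirs` is also a check-then-act pair; if only Python 3 is targeted, `os.makedirs(log_dir, exist_ok=True)` replaces both lines.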
@@ -63,7 +59,6 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name):
                                        '%(levelname)-8s ' +
                                        '%(indent)s%(message)s')
     console.setFormatter(console_format)
-    logger.addHandler(console)
 
     # Configure file handler
     log_file = logging.FileHandler(log_dir + "/" + log_name, 'w')
@@ -73,6 +68,15 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name):
                                     '%(indent)s%(message)s',
                                     '%Y-%m-%d %H:%M:%S')
     log_file.setFormatter(file_format)
-    logger.addHandler(log_file)
 
-    return logger
+    # Configure pkispawn/pkidestroy logger
+    config.pki_log = logging.getLogger(name)
+    config.pki_log.setLevel(log_level)
+    config.pki_log.addHandler(console)
+    config.pki_log.addHandler(log_file)
+
+    # Configure pki logger
+    logger = logging.getLogger('pki')
+    logger.setLevel(log_level)
+    logger.addHandler(console)
+    logger.addHandler(log_file)
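Review bot: The function's contract changed in this hunk (it no longer returns the logger, publishes it as `config.pki_log` as a side effect, and also configures the shared `pki` logger), but nothing documents that; a docstring such as `"""Create log_dir if needed and attach a console and a file handler to both the `name` logger (published as config.pki_log) and the 'pki' logger."""` would spell it out for the callers rewritten in this patch. Each call also appends a fresh console and file handler to both loggers, so if enable_pki_logger were ever invoked twice in one process every record would be emitted twice; presumably it runs once per pkispawn/pkidestroy run, but a guard or a sentence in the docstring would make that assumption explicit.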
diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy
index 23feba1..4df74a4 100755
--- a/base/server/sbin/pkidestroy
+++ b/base/server/sbin/pkidestroy
@@ -195,16 +195,11 @@ def main(argv):
                           deployer.log_timestamp + "." + "log"
     print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name))
 
-    rv = pkilogging.enable_pki_logger(config.pki_log_dir,
-                                      config.pki_log_name,
-                                      config.pki_log_level,
-                                      config.pki_console_log_level,
-                                      "pkidestroy")
-    if rv != OSError:
-        config.pki_log = rv
-    else:
-        print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir)
-        sys.exit(1)
+    pkilogging.enable_pki_logger(config.pki_log_dir,
+                                 config.pki_log_name,
+                                 config.pki_log_level,
+                                 config.pki_console_log_level,
+                                 "pkidestroy")
 
     # Read the specified PKI configuration file.
     rv = parser.read_pki_configuration_file()
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 052edb4..b2ac8b4 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -651,16 +651,12 @@ def start_logging():
                           "-" + "spawn" + "." + \
                           deployer.log_timestamp + "." + "log"
     print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name))
-    rv = pkilogging.enable_pki_logger(config.pki_log_dir,
-                                      config.pki_log_name,
-                                      config.pki_log_level,
-                                      config.pki_console_log_level,
-                                      "pkispawn")
-    if rv != OSError:
-        config.pki_log = rv
-    else:
-        print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir)
-        sys.exit(1)
+
+    pkilogging.enable_pki_logger(config.pki_log_dir,
+                                 config.pki_log_name,
+                                 config.pki_log_level,
+                                 config.pki_console_log_level,
+                                 "pkispawn")
 
 
 def create_master_dictionary(parser):
-- 
1.8.3.1


From e5278b1633c9fd2df170291349fc0c07d91fd1d5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 30 Jan 2018 03:25:11 +0100
Subject: [PATCH 10/18] Added pki.nssdb logger.

To help troubleshooting, the pki.nssdb module has been modified to
generate debug logs using the standard Python logger.

https://pagure.io/dogtagpki/issue/2916

Change-Id: Iba74df01fd796fa9fe5fa48f117721d790b7337c
(cherry picked from commit 2660c8cae34451d6525a481d60075b1749f344c2)
(cherry picked from commit 9431707fb93c000dcdd0eb89516dfc09bd5e55ac)
---
 base/common/python/pki/nssdb.py | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index b2339aa..60f57c7 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -22,6 +22,7 @@
 
 from __future__ import absolute_import
 import base64
+import logging
 import os
 import shutil
 import subprocess
@@ -42,6 +43,10 @@ CERT_FOOTER = '-----END CERTIFICATE-----'
 PKCS7_HEADER = '-----BEGIN PKCS7-----'
 PKCS7_FOOTER = '-----END PKCS7-----'
 
+logger = logging.LoggerAdapter(
+    logging.getLogger(__name__),
+    extra={'indent': ''})
+
 
 def convert_data(data, input_format, output_format, header=None, footer=None):
     if input_format == output_format:
@@ -173,8 +178,11 @@ class NSSDatabase(object):
                 '-t', ''
             ]
 
-            # Ignore return code due to bug #1393668.
-            subprocess.call(cmd)
+            logger.debug('Command: %s', ' '.join(cmd))
+            rc = subprocess.call(cmd)
+
+            if rc:
+                logger.warning('certutil returned non-zero exit code (bug #1393668)')
 
         # If HSM is not used, or cert has trust attributes,
         # import cert into internal token.
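Review bot: The added `logger.debug('Command: %s', ' '.join(cmd))` writes the full certutil argv to the debug log, and the same line is added in the later hunks of this file (lines 1514, 1522, 1530, 1543, 1552, 1561, 1570, 1578, 1587, 1596, 1604, 1612, 1620). Only part of each argv is visible here; where a command receives a password, PIN or key material as an argument rather than through stdin or a file (the `keystroke` handling around line 1559 suggests at least one uses stdin), that value would land in the spawn log whenever debug level is enabled. Worth confirming per call site, and where it applies, logging through a small helper that masks the value following such options instead of joining `cmd` verbatim.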
@@ -189,6 +197,7 @@ class NSSDatabase(object):
                 '-t', trust_attributes
             ]
 
+            logger.debug('Command: %s', ' '.join(cmd))
             subprocess.check_call(cmd)
 
     def add_ca_cert(self, cert_file, trust_attributes=None):
@@ -209,6 +218,7 @@ class NSSDatabase(object):
         if trust_attributes:
             cmd.extend(['--trust', trust_attributes])
 
+        logger.debug('Command: %s', ' '.join(cmd))
         subprocess.check_call(cmd)
 
     def modify_cert(self, nickname, trust_attributes):
@@ -227,15 +237,19 @@ class NSSDatabase(object):
             '-t', trust_attributes
         ])
 
+        logger.debug('Command: %s', ' '.join(cmd))
         subprocess.check_call(cmd)
 
     def create_noise(self, noise_file, size=2048):
-        subprocess.check_call([
+        cmd = [
             'openssl',
             'rand',
             '-out', noise_file,
             str(size)
-        ])
+        ]
+
+        logger.debug('Command: %s', ' '.join(cmd))
+        subprocess.check_call(cmd)
 
     def create_request(self, subject_dn, request_file, noise_file=None,
                        key_type=None, key_size=None, curve=None,
@@ -359,6 +373,8 @@ class NSSDatabase(object):
 
                 cmd.append(','.join(exts))
 
+            logger.debug('Command: %s', ' '.join(cmd))
+
             # generate binary request
             p = subprocess.Popen(cmd,
                                  stdin=subprocess.PIPE,
@@ -553,6 +569,8 @@ class NSSDatabase(object):
 
             keystroke += '\n'
 
+        logger.debug('Command: %s', ' '.join(cmd))
+
         p = subprocess.Popen(cmd,
                              stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE,
@@ -625,6 +643,7 @@ class NSSDatabase(object):
             '-d', self.directory
         ]
 
+        logger.debug('Command: %s', ' '.join(cmd))
         subprocess.check_call(cmd)
 
     def get_cert(self, nickname, output_format='pem'):
@@ -656,6 +675,8 @@ class NSSDatabase(object):
             output_format_option
         ])
 
+        logger.debug('Command: %s', ' '.join(cmd))
+
         pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                                  stderr=subprocess.PIPE)
         cert_data, std_err = pipes.communicate()
@@ -693,6 +714,8 @@ class NSSDatabase(object):
             '-n', fullname
         ])
 
+        logger.debug('Command: %s', ' '.join(cmd))
+
         cert_details = subprocess.check_output(
             cmd, stderr=subprocess.STDOUT)
         cert_pem = subprocess.check_output(
@@ -743,6 +766,7 @@ class NSSDatabase(object):
             '-n', nickname
         ])
 
+        logger.debug('Command: %s', ' '.join(cmd))
         subprocess.check_call(cmd)
 
     def import_cert_chain(self, nickname, cert_chain_file,
@@ -816,6 +840,7 @@ class NSSDatabase(object):
                 '--output-suffix', suffix
             ]
 
+            logger.debug('Command: %s', ' '.join(cmd))
             subprocess.check_call(cmd)
 
             # Count the number of certs in the chain.
@@ -889,6 +914,7 @@ class NSSDatabase(object):
             if overwrite:
                 cmd.extend(['--overwrite'])
 
+            logger.debug('Command: %s', ' '.join(cmd))
             subprocess.check_call(cmd)
 
         finally:
@@ -952,6 +978,7 @@ class NSSDatabase(object):
             if nicknames:
                 cmd.extend(nicknames)
 
+            logger.debug('Command: %s', ' '.join(cmd))
             subprocess.check_call(cmd)
 
         finally:
-- 
1.8.3.1


From f5781c6df5a35c23512dff6e538a5dc3811a7e2f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 30 Jan 2018 03:27:38 +0100
Subject: [PATCH 11/18] Fixed NSSDatabase.get_cert().

The NSSDatabase.get_cert() method has been modified to ignore the
certutil exit code due to bug #1539996.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I10e489d14bdaaace9f917b797a7da14ac64a9a67
(cherry picked from commit bde116f2ce0482a1597486010e68fb7706ddd97c)
(cherry picked from commit 6cc361d6c5776b96037910d6bc0811d145f725db)
---
 base/common/python/pki/nssdb.py | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index 60f57c7..f32121e 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -33,7 +33,6 @@ import datetime
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 
-
 CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
 CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
 
@@ -677,17 +676,26 @@ class NSSDatabase(object):
 
         logger.debug('Command: %s', ' '.join(cmd))
 
-        pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-                                 stderr=subprocess.PIPE)
-        cert_data, std_err = pipes.communicate()
+        p = subprocess.Popen(cmd,
+                             stdout=subprocess.PIPE,
+                             stderr=subprocess.PIPE)
+
+        cert_data, std_err = p.communicate()
 
-        if pipes.returncode != 0:
+        if std_err:
             # certutil returned an error
             # raise exception unless its not cert not found
             if std_err.startswith('certutil: Could not find cert: '):
                 return None
 
-            raise Exception(std_err.strip())
+            raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))
+
+        if not cert_data:
+            # certutil did not return data
+            return None
+
+        if p.returncode != 0:
+            logger.warning('certutil returned non-zero exit code (bug #1539996)')
 
         if output_format == 'base64':
             cert_data = base64.b64encode(cert_data)
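Review bot: The new `raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))` on line 1678 labels every certutil error as a not-found condition, although the branch just above already returns None for the genuine not-found case; `raise Exception('certutil failed for %s: %s' % (fullname, std_err.strip()))` keeps the message honest. The branch is now entered whenever stderr is non-empty rather than on a non-zero exit, so any warning certutil prints alongside a successful lookup raises as well, and the `if not cert_data` and returncode checks below never run for it. `p.communicate()` here uses no `universal_newlines`, so under Python 3 `std_err` is bytes and `std_err.startswith('certutil: Could not find cert: ')` raises TypeError instead of returning None; if this module runs on Python 3, decode stderr first or compare against a bytes prefix. The enclosing get_cert method starts before this hunk.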
-- 
1.8.3.1


From 4498d77e9b6b220d364094ea8222b70453f9ca9a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 30 Jan 2018 16:56:21 +0100
Subject: [PATCH 12/18] Fixed NSSDatabase.get_cert_info().

The NSSDatabase.get_cert_info() method has been modified to use get_cert()
to retrieve the cert, since get_cert() has the workaround for bug #1539996.
It then uses Python Cryptography to get the cert info.

A new method has been added into pki module to convert X.509 Name
into NSS-style DN string.

https://pagure.io/dogtagpki/issue/2916

Change-Id: I726e2c442e5b7f351dac2d9515e9f13965d7de3f
(cherry picked from commit d6a70005e314ba3d53e32886262c45a9d4544b5d)
(cherry picked from commit 9ad1d47bee65a76b878d6c2298e7bcbc345df31f)
---
 base/common/python/pki/__init__.py | 59 ++++++++++++++++++++++++++++++++++++++
 base/common/python/pki/nssdb.py    | 44 ++++++----------------------
 2 files changed, 67 insertions(+), 36 deletions(-)

diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
index dbe5629..f3aff51 100644
--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -26,6 +26,7 @@ from __future__ import print_function
 
 from functools import wraps
 import os
+import cryptography.x509
 import random
 import re
 import string
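Review bot: `import cryptography.x509` on the new line 1723 is a third-party import placed inside the standard-library group between `os` and `random`. PEP 8 grouping puts it in its own group after the stdlib imports, separated by a blank line, which also makes the module's new import-time dependency on cryptography visible at a glance; the rest of the import block is outside this hunk.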
@@ -51,6 +52,64 @@ CERT_FOOTER = "-----END CERTIFICATE-----"
 #  - backslash since it's causing SSL handshake failure
 PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~'
 
+# Map from X.509 attribute OID to short name.
+# Source: https://github.com/freeipa/freeipa/blob/master/ipapython/dn.py
+ATTR_NAME_BY_OID = {
+    cryptography.x509.oid.NameOID.COMMON_NAME: 'CN',
+    cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C',
+    cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L',
+    cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST',
+    cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O',
+    cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU',
+    cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber',
+    cryptography.x509.oid.NameOID.SURNAME: 'SN',
+    cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName',
+    cryptography.x509.oid.NameOID.TITLE: 'title',
+    cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier',
+    cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier',
+    cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym',
+    cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC',
+    cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E',
+    cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME:
+        'incorporationCountry',
+    cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME:
+        'incorporationLocality',
+    cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME:
+        'incorporationState',
+    cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory',
+    cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET',
+    cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode',
+    cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID',
+}
+
+
+def convert_x509_name_to_dn(name):
+    """
+    Convert X.509 Name into NSS-style DN string.
+
+    See also:
+    - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name
+    - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.NameAttribute
+    - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.ObjectIdentifier
+
+    :param name: X.509 Name
+    :type name: cryptography.x509.Name
+    :returns: str -- DN string.
+    """
+    dn = None
+
+    for attr in name:
+        oid = attr.oid
+        attr_name = ATTR_NAME_BY_OID.get(oid, oid.dotted_string)
+        rdn = '%s=%s' % (attr_name, attr.value)
+
+        if dn:
+            dn = rdn + ',' + dn
+        else:
+            dn = rdn
+
+    return dn
+
 
 def read_text(message,
               options=None, default=None, delimiter=':',
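Review bot: `convert_x509_name_to_dn` emits `attr.value` unescaped, so an attribute value containing `,`, `+`, `=`, `"` or `\` (all legal in X.509 names and chosen by whoever submitted the request) produces a DN string that parses differently from the original name — a CN of `a,O=evil` becomes indistinguishable from two RDNs `CN=a,O=evil`. It also iterates `name` attribute-by-attribute, which flattens a multi-valued RDN such as `CN=a+OU=b` into two comma-separated RDNs, and it returns `None` rather than `''` for an empty name. A safer shape walks `name.rdns` in reverse, joins the attributes of one RDN with `+`, and escapes the structural characters; the exact quoting the consumers of `cert['subject']`/`cert['issuer']` expect should be confirmed against those callers, since the old certutil path stripped double quotes entirely while NSS quotes such values and RFC 4514 backslash-escapes them. `re` is already imported in this module; confirm the installed python-cryptography exposes `Name.rdns`.
```python
def _escape_dn_value(value):
    # Backslash-escape the characters that are structural in a DN string
    # (RFC 4514); switch to NSS-style double quoting if callers expect that.
    return re.sub(r'([,+"\\<>;=])', r'\\\1', value)


def convert_x509_name_to_dn(name):
    # … unchanged: docstring …
    rdns = []
    # cryptography keeps X.500 order; NSS prints the most specific RDN first.
    for rdn in reversed(name.rdns):
        parts = ['%s=%s' % (ATTR_NAME_BY_OID.get(attr.oid, attr.oid.dotted_string),
                            _escape_dn_value(attr.value))
                 for attr in rdn]
        rdns.append('+'.join(parts))
    return ','.join(rdns)
```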
diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
index f32121e..7c2602e 100644
--- a/base/common/python/pki/nssdb.py
+++ b/base/common/python/pki/nssdb.py
@@ -27,12 +27,13 @@ import os
 import shutil
 import subprocess
 import tempfile
-import re
 import datetime
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
 
+import pki
+
 CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
 CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
 
@@ -705,55 +706,26 @@ class NSSDatabase(object):
     def get_cert_info(self, nickname):
 
         cert = dict()
-        cmd = [
-            'certutil',
-            '-L',
-            '-d', self.directory
-        ]
 
-        fullname = nickname
-
-        if self.token:
-            cmd.extend(['-h', self.token])
-            fullname = self.token + ':' + fullname
-
-        cmd.extend([
-            '-f', self.password_file,
-            '-n', fullname
-        ])
-
-        logger.debug('Command: %s', ' '.join(cmd))
-
-        cert_details = subprocess.check_output(
-            cmd, stderr=subprocess.STDOUT)
-        cert_pem = subprocess.check_output(
-            cmd + ['-a'], stderr=subprocess.STDOUT)
+        cert_pem = self.get_cert(nickname)
 
         cert_obj = x509.load_pem_x509_certificate(
             cert_pem, backend=default_backend())
 
         cert["serial_number"] = cert_obj.serial_number
 
-        cert["issuer"] = re.search(
-            r'Issuer:(.*)', cert_details).group(1).strip().replace('"', '')
-        cert["subject"] = re.search(
-            r'Subject:(.*)', cert_details).group(1).strip().replace('"', '')
-
-        str_not_before = re.search(
-            r'Not Before.?:(.*)', cert_details).group(1).strip()
-        cert["not_before"] = self.convert_time_to_millis(str_not_before)
+        cert["issuer"] = pki.convert_x509_name_to_dn(cert_obj.issuer)
+        cert["subject"] = pki.convert_x509_name_to_dn(cert_obj.subject)
 
-        str_not_after = re.search(
-            r'Not After.?:(.*)', cert_details).group(1).strip()
-        cert["not_after"] = self.convert_time_to_millis(str_not_after)
+        cert["not_before"] = self.convert_time_to_millis(cert_obj.not_valid_before)
+        cert["not_after"] = self.convert_time_to_millis(cert_obj.not_valid_after)
 
         return cert
 
     @staticmethod
     def convert_time_to_millis(date):
         epoch = datetime.datetime.utcfromtimestamp(0)
-        stripped_date = datetime.datetime.strptime(date, "%a %b %d %H:%M:%S %Y")
-        return (stripped_date - epoch).total_seconds() * 1000
+        return (date - epoch).total_seconds() * 1000
 
     def remove_cert(self, nickname, remove_key=False):
 
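Review bot: `get_cert_info` passes the result of `self.get_cert(nickname)` straight into `x509.load_pem_x509_certificate`, but the `get_cert` change earlier in this series returns `None` when certutil reports the cert as not found or produces no data, so a missing nickname now surfaces as a TypeError from the cryptography backend instead of a clear error. Add a guard right after the call: `if cert_pem is None:` / `raise Exception('Certificate not found: %s' % nickname)` (or return `None`, whichever the callers of this method already handle). This also assumes `get_cert`'s default output format is PEM — the `base64` branch visible in that earlier hunk suggests it is, but worth confirming. Separately, `convert_time_to_millis` is a public staticmethod whose argument type silently changed from a certutil date string to a `datetime`; a one-line docstring stating the new contract (naive UTC datetime, as `not_valid_before`/`not_valid_after` return) would warn any out-of-tree caller still passing strings.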
-- 
1.8.3.1


From 6829dde05fd27555a0e8f1de278c7013e5d22073 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Wed, 31 Jan 2018 17:01:55 -0700
Subject: [PATCH 13/18] Enable FIPS ciphers as the new default cipher suites

https://pagure.io/dogtagpki/issue/2855

Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37
(cherry picked from commit 8f3700681ea2cbcc3dbe0c768dca177051e9a243)
(cherry picked from commit 427edd6d16d7d74bb98bb0cda7c0bf67a4463bb9)
---
 .../python/pki/server/deployment/pkiparser.py      |  16 ++--
 base/server/share/conf/ciphers.info                | 105 ++++++++++++++++-----
 2 files changed, 87 insertions(+), 34 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index b91c674..b64e99b 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1111,7 +1111,7 @@ class PKIConfigParser:
             self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \
                 self.mdict['pki_tomcat_server_port']
             self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
-                "tls1_0:tls1_2"
+                "tls1_1:tls1_2"
             self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
                 "tls1_1:tls1_2"
             ##
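Review bot: The new stream floor `tls1_1:tls1_2` still admits TLS 1.1, which none of the suites enabled in the next hunk require — the `*_SHA256` and `*_GCM_*` suites are TLS 1.2-only and the `AES_*_CBC_SHA` suites negotiate fine under 1.2 — and TLS 1.1 is deprecated, with current FIPS/NIST TLS guidance treating 1.2 as the baseline that this commit's "FIPS ciphers" motivation implies. Unless a known interoperability constraint with an older subsystem or the LDAP server exists, `"tls1_2:tls1_2"` is the consistent value; if 1.1 must stay, a comment naming the peer that needs it would stop this from being re-raised. The datagram range just below is unchanged at `tls1_1:tls1_2` and has the same question.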
@@ -1171,18 +1171,18 @@ class PKIConfigParser:
                     "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
                     "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
-                    "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
-                    "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
-                    "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
-                    "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
-                    "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-                    "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
                     "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
index 70d704c..b3e74d3 100644
--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -6,67 +6,120 @@
 #
 # This file contains the default sslRangeCiphers that come with this version of
 # the PKI software in its <instance>/conf/server.xml file.
+#
 # Depending on which kind of SSL server you have, you want to reference the
-# corresponding cipher suite for making adjustments to your instance server.xml.
+# corresponding cipher suite for making adjustments to your instance
+# server.xml.
 #
 #
 #        About the TLS range related parameters:
+#
 #              'sslVersionRangeStream'
 #              'sslVersionRangeDatagram'
 #              'sslRangeCiphers'
-#        The sslVersionRangeStream and sslVersionRangeDatagram by default
-#        contains values that are supported by the native NSS. Changes can
-#        be made to restrict or relax the support.
-#        The sslRangeCiphers by default conatins a list of ciphers best
-#        for the type of the server installed. Changes can be made to suit
-#        each site's needs.
-#        Although TLS1.2 ciphers (SHA256)  are preferred, many older clients
-#        do not support them.  For example,
-#        the following "preferred modern" ciphers are on by default, and by
-#        simply limiting the sslVersionRange* parameters, they can be turned off.
+#
+#        The default sslVersionRangeStream and sslVersionRangeDatagram
+#        parameters contain values that are supported by the native NSS.
+#        Changes can be made to restrict or relax the support.
+#
+#        The default sslRangeCiphers parameter contains a list of ciphers best
+#        suited for the type of the server installed.  Changes can be made to
+#        suit each site's needs.
+#
+#        Although TLS1.2 ciphers (SHA256) are preferred, many older clients
+#        do not support them.  For example, the following "preferred modern"
+#        ciphers are on by default, and by simply limiting the
+#        sslVersionRange* parameters, they can be turned off.
+#
 #            TLS_RSA_WITH_AES_128_CBC_SHA256,
 #            TLS_RSA_WITH_AES_256_CBC_SHA256,
 #            TLS_RSA_WITH_AES_128_GCM_SHA256,
 #            TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 #            TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+#
 #        The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy,
 #        which, while provide added security to the already secure and adequate
-#        TLS_RSA_* ciphers, requries 3 times longer to establish SSL sessions.
+#        TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions.
 #        In our testing environment, some HSM might also have issues providing
 #        subsystem->subsystem SSL handshake.  We are therefore turning them
 #        off by default.  One can enable them manually by turning the "-" to
 #        "+" under sslRangeCiphers and restart the subsystem.
+#
 #            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 #            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 #            TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 #            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 #            TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-#        The following  ciphers are supported in rhel7.2 or greater, and they
-#        are off by default, and can be turned on by sites running rhel7.2 or
-#        greater:
+#
+#        The following ciphers are supported in RHEL 7.2 or greater, and
+#        are turned on by default. They can be turned off by sites running
+#        older versions of RHEL:
+#
 #            TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
 #            TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
 #            TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
 #            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 #            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 #            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-#        Although the following (somewhat weaker ciphers, in CBC mode), though
-#        adaquate for the CS operations, they can be turned off if needed:
+#
+#        The following somewhat weaker ciphers (in CBC mode), though
+#        adequate for the CS operations, can be turned off if so desired:
+#
 #            TLS_RSA_WITH_AES_128_CBC_SHA,
 #            TLS_RSA_WITH_AES_256_CBC_SHA,
+#
 #        Note: In an EC CS server setup, you will see by default that the
-#           following RSA ciphers are left on.  Those are used for installation
-#           where the actual systems certs have not yet been crated, and a
-#           temporary RSA ssl server cert is at play.
-#           Those can be turned off manually by sites.
-#               TLS_RSA_WITH_AES_256_CBC_SHA256,
-#               TLS_RSA_WITH_AES_128_GCM_SHA256
-#           These ciphers might be removed by the installation script in some
-#           future release.
+#              following RSA ciphers are left on.  Those are used for
+#              installation where the actual systems certs have not yet been
+#              created, and a temporary RSA ssl server cert is at play.
+#
+#              Those can be turned off manually by sites.
+#
+#                  TLS_RSA_WITH_AES_256_CBC_SHA256,
+#                  TLS_RSA_WITH_AES_128_GCM_SHA256
+#
+#              These ciphers might be removed by the installation script in
+#              some future release.
+#
+#        For RHEL 7.5 or greater:
+#
+#            * all '3DES' ciphers have been disabled,
+#            * the default sslVersionRangeStream and
+#              sslVersionRangeDatagram ranges have been upgraded to
+#              only allow ciphers in the TLS1.1 to TLS1.2 range, and
+#            * the default sslRangeCiphers values have been altered to
+#              include all recommended 'FIPS' ciphers for both RSA and ECC
+#              servers regardless of whether 'FIPS' is enabled or disabled
+#
+#            Default ciphers enabled for RSA servers:
+#
+#                +TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+#                +TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+#                +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+#                +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+#                +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+#                +TLS_RSA_WITH_AES_128_CBC_SHA256,
+#                +TLS_RSA_WITH_AES_256_CBC_SHA256,
+#                +TLS_RSA_WITH_AES_128_CBC_SHA,
+#                +TLS_RSA_WITH_AES_256_CBC_SHA
+#
+#                NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA,
+#                      and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain
+#                      enabled in order to talk to the LDAP server
+#                      during pkispawn installation/configuration.
+#
+#            Default ciphers enabled for ECC servers:
+#
+#                +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+#                +TLS_RSA_WITH_AES_256_CBC_SHA,
+#                +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+#                +TLS_RSA_WITH_AES_256_CBC_SHA256,
+#                +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+#                +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 #
 ##
 # For RSA servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
 #
 #
 # For ECC servers:
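Review bot: The preamble is now internally inconsistent with the RSA default line it documents: the "preferred modern ciphers are on by default" list still names `TLS_RSA_WITH_AES_128_GCM_SHA256` and the `TLS_ECDHE_ECDSA_*` suites, but the `sslRangeCiphers` value for RSA servers carries all of them with `-`; and the paragraph explaining that `TLS_ECDHE_RSA_*` stays off because forward secrecy "requires 3 times longer to establish SSL sessions" sits beside a new paragraph turning on the `TLS_DHE_RSA_*` suites, which also give forward secrecy with a costlier handshake. The RHEL 7.5 bullet saying the defaults "include all recommended 'FIPS' ciphers" is likewise hard to reconcile with the ECDHE_RSA suites remaining `-`. Suggest rewording the ECDHE_RSA paragraph to state the actual reason they stay off (the HSM interoperability issue mentioned there) and trimming the "on by default" list to the suites that really carry `+` for RSA servers, e.g. `#        The following "preferred modern" ciphers are on by default for RSA servers:` followed by only the two `TLS_RSA_WITH_AES_*_CBC_SHA256` entries. The ECC default line is outside this hunk and may need the same check.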
-- 
1.8.3.1


From 8b5528c04e949be96641222e4f87b125fa4c2ca1 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 1 Feb 2018 01:24:15 +0100
Subject: [PATCH 14/18] Fixed inconsistent CERT_REQUEST_PROCESSED outcomes.

Some CERT_REQUEST_PROCESSED events in ProcessCertReq have been
modified to generate a FAILURE outcome since there is no cert
issued for the request.

https://pagure.io/dogtagpki/issue/2838

Change-Id: I38656f950599f06bd9969c278137fdd192e26ae8
(cherry picked from commit 8319105ba04976494e05030ee5340b5879ad6a48)
(cherry picked from commit 5af21f519b7bbc6106ede549ed81974520e21e5d)
---
 .../cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
index bfa83b7..bb1a2a9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
@@ -966,7 +966,7 @@ public class ProcessCertReq extends CMSServlet {
                             // store a message in the signed audit log file
                             // (manual "agent" cert request processed
                             //  - "accepted")
-                            audit(CertRequestProcessedEvent.createSuccessEvent(
+                            audit(CertRequestProcessedEvent.createFailureEvent(
                                         auditSubjectID,
                                         auditRequesterID,
                                         auditInfoName,
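Review bot: The comment directly above the changed call, `// (manual "agent" cert request processed - "accepted")`, now contradicts the code, which records a FAILURE outcome, and a reader of the audit path will assume one of the two is a mistake. Update it to say why an accepted request produces a failure event — from the commit message, presumably because this branch is reached when no certificate was actually issued — e.g. `//  - "accepted" but no cert issued, audited as FAILURE)`; the condition that selects this branch is outside the hunk, so confirm the precise reason there. The rejected and cancelled hunks below would benefit from the same one-phrase note so the outcome semantics are explicit for audit reviewers.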
@@ -1087,7 +1087,7 @@ public class ProcessCertReq extends CMSServlet {
 
                     // store a message in the signed audit log file
                     // (manual "agent" cert request processed - "rejected")
-                    audit(CertRequestProcessedEvent.createSuccessEvent(
+                    audit(CertRequestProcessedEvent.createFailureEvent(
                                 auditSubjectID,
                                 auditRequesterID,
                                 auditInfoName,
@@ -1145,7 +1145,7 @@ public class ProcessCertReq extends CMSServlet {
 
                     // store a message in the signed audit log file
                     // (manual "agent" cert request processed - "cancelled")
-                    audit(CertRequestProcessedEvent.createSuccessEvent(
+                    audit(CertRequestProcessedEvent.createFailureEvent(
                                 auditSubjectID,
                                 auditRequesterID,
                                 auditInfoName,
-- 
1.8.3.1


From 6a049ee93e1311c32482289092f765bac09e09a4 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 1 Feb 2018 13:02:03 -0500
Subject: [PATCH 15/18] More fixes for non-standard users

Needed to fix some python code that was added that works only on Python 3.
The top level directories for the registry should be owned by
root and be world readable/executable so that different users
can read the registry.

Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282
cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11

(cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2)
---
 base/common/CMakeLists.txt                                 | 12 ++++++++++++
 base/server/python/pki/server/deployment/pkihelper.py      |  8 ++------
 .../server/deployment/scriptlets/infrastructure_layout.py  | 14 ++++++++++----
 .../pki/server/deployment/scriptlets/instance_layout.py    |  5 +++--
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
index d7856e1..3e8659d 100644
--- a/base/common/CMakeLists.txt
+++ b/base/common/CMakeLists.txt
@@ -135,6 +135,18 @@ install(
 
 install(
     DIRECTORY
+    DESTINATION
+        /etc/sysconfig/pki
+)
+
+install(
+    DIRECTORY
+    DESTINATION
+        /etc/sysconfig/pki/tomcat
+)
+
+install(
+    DIRECTORY
         man/
     DESTINATION
         ${MAN_INSTALL_DIR}
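Review bot: The two new `install(DIRECTORY DESTINATION ...)` entries create `/etc/sysconfig/pki` and `/etc/sysconfig/pki/tomcat` with CMake's default directory permissions; the commit message says these must be root-owned and world readable/executable so non-default instance users can read the registry, but that requirement appears nowhere in the build file, so a later `CMAKE_INSTALL_DEFAULT_DIRECTORY_PERMISSIONS` setting or a packager's umask could silently tighten them and break exactly those users. Make the intent explicit by adding `DIRECTORY_PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE` to each of the two entries. Root ownership is a property of the RPM spec's %files entries rather than of this install() rule, so that side should be checked separately.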
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 8195e28..79f1e57 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -1019,8 +1019,6 @@ class Instance:
             raise
 
     def get_instance_status(self, secure_connection=True):
-        pki_protocol = None
-        pki_port = None
         if secure_connection:
             pki_protocol = "https"
             pki_port = self.mdict['pki_https_port']
@@ -2956,7 +2954,6 @@ class ServerCertNickConf:
             try:
                 # overwrite value inside 'serverCertNick.conf'
                 with open(self.servercertnick_conf, "w") as fd:
-                    sslserver_nickname = None
                     if self.step_two:
                         # use final HSM name
                         sslserver_nickname = (self.token_name + ":" +
@@ -3581,7 +3578,7 @@ class Systemd(object):
         if not parser.has_section(section):
             parser.add_section(section)
 
-        parser[section][param] = value
+        parser.set(section, param, value)
 
     def write_overrides(self):
         for fname, parser in self.overrides.items():
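Review bot: `parser.set(section, param, value)`, like the `parser[section][param]` form it replaces, runs the option name through `optionxform`, which in both Python 2 and 3 lowercases it by default; systemd unit keys such as `Environment` or `User` are case-sensitive, so unless the parser was created with `optionxform = str` (its construction is outside this hunk, so I cannot see it) the override file would be written with keys systemd does not recognise. Worth confirming, and if not already done, setting `parser.optionxform = str` where the parser is created, with a one-line comment such as `# systemd unit keys are case-sensitive; keep them as written`.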
@@ -3589,7 +3586,7 @@ class Systemd(object):
             if not os.path.exists(override_file):
                 self.create_override_file(override_file)
             with open(override_file, 'w') as fp:
-                parser.write(fp, space_around_delimiters=False)
+                parser.write(fp)
 
     def daemon_reload(self, critical_failure=True):
         """PKI Deployment execution management lifecycle function.
@@ -4067,7 +4064,6 @@ class ConfigClient:
             os.path.dirname(self.mdict['pki_admin_csr_path']))
         with open(self.mdict['pki_admin_csr_path'], "w") as f:
             f.write("-----BEGIN CERTIFICATE REQUEST-----\n")
-        admin_certreq = None
         with open(os.path.join(
                   self.mdict['pki_client_database_dir'],
                   "admin_pkcs10.bin.asc"), "r") as f:
diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
index 2573e4e..bfcca60 100644
--- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
@@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         # registry directories for storage of a copy of the original
         # deployment configuration file used to spawn this instance,
         # and save a copy of this file
-        deployer.directory.create(deployer.mdict['pki_registry_path'])
-        deployer.directory.create(
-            deployer.mdict['pki_instance_type_registry_path'])
+        #
+        # Unless a prefix is used, the top level directories should exist
+        # and be owned by the rpm
+        if deployer.mdict['pki_root_prefix'] != "":
+            deployer.directory.create(deployer.mdict['pki_registry_path'])
+            deployer.directory.create(
+                deployer.mdict['pki_instance_type_registry_path'])
+
         deployer.directory.create(deployer.mdict['pki_instance_registry_path'])
         deployer.directory.create(
             deployer.mdict['pki_subsystem_registry_path'])
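Review bot: With an empty `pki_root_prefix` the top-level registry directories are now assumed to exist from the package install, but nothing checks that before `deployer.directory.create(deployer.mdict['pki_instance_registry_path'])` runs, so on a host whose package predates this change, or on a source install, the failure will be a generic mkdir error deep in the scriptlet rather than a message naming the missing directory. A guard before that create, `if not os.path.isdir(deployer.mdict['pki_registry_path']):` / `raise Exception('Missing registry directory: %s' % deployer.mdict['pki_registry_path'])` (assuming `os` is imported in this module), gives an actionable message. Note also that existing instances whose registry directories were created by the old `deployer.directory.create` path keep whatever owner and mode that call applied, so this change only helps fresh installs and the upgrade path for the non-standard-user case the commit targets needs separate handling. The comment `owned by the rpm` would read better as `created and owned by the package (root, world-readable)`.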
@@ -129,4 +134,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 deployer.directory.delete(
                     deployer.mdict['pki_configuration_path'])
             # remove top-level infrastructure registry
-            deployer.directory.delete(deployer.mdict['pki_registry_path'])
+            if deployer.mdict['pki_root_prefix'] != "":
+                deployer.directory.delete(deployer.mdict['pki_registry_path'])
diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
index 4eb5496..2095212 100644
--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
@@ -214,8 +214,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             deployer.mdict['pki_instance_registry_path'])
         # remove Tomcat PKI registry (if empty)
         if deployer.instance.tomcat_instances() == 0:
-            deployer.directory.delete(
-                deployer.mdict['pki_instance_type_registry_path'])
+            if deployer.mdict['pki_root_prefix'] != "":
+                deployer.directory.delete(
+                    deployer.mdict['pki_instance_type_registry_path'])
 
 
 # Callback only when the /usr/share/pki/server/conf directory
-- 
1.8.3.1


From 63aca0e86b21de2673180d7d1e6c2a2750b2dc86 Mon Sep 17 00:00:00 2001
From: Amol Kahat <akahat@redhat.com>
Date: Fri, 28 Apr 2017 01:31:10 +0530
Subject: [PATCH 17/18] Added man page for PKCS10Client

(cherry picked from commit 774fbef5a913227c1764f6a29842771c3dc545ee)
---
 base/java-tools/man/man1/PKCS10Client.1 | 95 +++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 base/java-tools/man/man1/PKCS10Client.1

diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1
new file mode 100644
index 0000000..e85c833
--- /dev/null
+++ b/base/java-tools/man/man1/PKCS10Client.1
@@ -0,0 +1,95 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH PKCS10Client 1 "April 28, 2017" "version 10.4" "PKI PKCS10Client certificate request tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+PKCS10Client \- Used to generate 1024-bit RSA key pair in the security database.
+
+.SH SYNOPSIS
+.PP
+\fBUsage: PKCS10Client -d <location of certdb> -h <token name> -p <token password> -a <algorithm: 'rsa' or 'ec'> -l <rsa key length> -c <ec curve name> -o <output file which saves the base64 PKCS10> -n <subjectDN>\fP
+
+Available ECC curve names (if provided by the crypto module): nistp256 (secp256r1), nistp384 (secp384r1), nistp521 (secp521r1), nistk163 (sect163k1), sect163r1,nistb163 (sect163r2), sect193r1, sect193r2, nistk233 (sect233k1), nistb233 (sect233r1), sect239k1, nistk283 (sect283k1), nistb283 (sect283r1), nistk409 (sect409k1), nistb409 (sect409r1), nistk571 (sect571k1), nistb571 (sect571r1), secp160k1, secp160r1, secp160r2, secp192k1, nistp192 (secp192r1, prime192v1), secp224k1, nistp224 (secp224r1), secp256k1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
+
+To get a certificate from the CA, the certificate request needs to be submitted to and approved by a CA agent. Once approved, a certificate is created for the request, and certificate attributes, such as extensions, are populated according to certificate profiles.
+
+Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator.
+
+.SH DESCRIPTION
+.PP
+The PKCS #10 utility, \fBPKCS10Client\fP, generates a 1024-bit RSA key pair in the security database, constructs a PKCS#10 certificate request with the public key, and outputs the request to a file.
+.PP
+\fBPKCS #10\fP is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests. The Certificate System CA supports KEYGEN, PKCS#10, CRMF, and CMC.
+.PP
+
+.SH OPTIONS
+.PP
+\fBPKCS10Client\fP parameters:
+.PP
+.TP
+.B -d <directory_of_NSS_security_database>
+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files. This is usually the client's personal directory.
+
+.TP
+.B -h <token_name>
+Name of the token. By default it takes 'internal'.
+
+.TP
+.B -p <token_passwd>
+The password to the token.
+
+.TP
+.B -l <algorithm: 'rsa' or 'ec'>
+The algorithm type either 'rsa' or 'ec'. By default it takes 'rsa'.
+
+.TP
+.B -c <curve_name>
+Eleptic Curve cryptography curve name.
+.TP
+.B -o <output_file>
+Sets the path and filename to output the new PKCS #10 certificate in base64 format.
+
+.TP
+.B -n <subject_DN>
+Gives the subject DN of the certificate.
+
+.TP
+.B -k <true for enabling encoding of attribute values; false for default encoding of attribute values; default is false>
+
+.TP
+.B -t <true for temporary(session); false for permanent(token); default is false>
+
+.TP
+.B -s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>
+
+.TP
+.B -e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>
+
+
+.TP   Also optional for ECC key generation:
+
+.TP
+.B -x <true for SSL cert that does ECDH ECDSA; false otherwise; default false>
+
+.TP
+.B -y <true for adding SubjectKeyIdentifier extensionfor self-signed cmc requests; false otherwise; default false>
+
+.SH AUTHORS
+Amol Kahat <akahat@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
-- 
1.8.3.1