From 0e6b54df7e0470a5fc18217acc1b800391144ad0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 21 Feb 2018 18:57:41 +1100
Subject: [PATCH 01/20] libtps.so: link zlib

nss-3.35 no longer links zlib.  libtps calls `compress` and
`uncompress` but we were not explicitly linking zlib so the build
fails as of nss-3.35.  Include -lz when linking libtps.

Fixes: https://pagure.io/dogtagpki/issue/2946
Change-Id: If26d71d8c6ad2cc89f60c0de26ccf48673971d55
(cherry picked from commit dfeb3c66d107123f173d58bf0a6571eb7fa3f260)
---
 base/tps-client/src/CMakeLists.txt | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt
index a86e392..229ea0f 100644
--- a/base/tps-client/src/CMakeLists.txt
+++ b/base/tps-client/src/CMakeLists.txt
@@ -25,12 +25,24 @@ set(TPS_SHARED_LIBRARY
   CACHE INTERNAL "tps shared library"
 )
 
+find_library(ZLIB_LIBRARY
+  NAMES
+    z
+  PATHS
+    /usr/lib
+    /usr/lib64
+    /usr/local/lib
+    /opt/local/lib
+    /sw/lib
+)
+
 set(TPS_LINK_LIBRARIES
   ${NSPR_LIBRARIES}
   ${NSS_LIBRARIES}
   ${APR_LIBRARIES}
   ${LDAP_LIBRARIES}
   ${TOKENDB_SHARED_LIBRARY}
+  ${ZLIB_LIBRARY}
 )
 
 set(tps_library_SRCS
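Review bot: The result of `find_library(ZLIB_LIBRARY ...)` is never checked before `${ZLIB_LIBRARY}` is appended to `TPS_LINK_LIBRARIES`, so a build host without the zlib development files fails later with a NOTFOUND variable instead of a clear "zlib is required" message. CMake ships a FindZLIB module, so `find_package(ZLIB REQUIRED)` with `${ZLIB_LIBRARIES}` in the link list would report the missing dependency at configure time. It would also remove the need for the hard-coded search directories such as `/sw/lib` and `/opt/local/lib`.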
-- 
1.8.3.1


From fff31f97e0123b49961972c12ee3ee82f83920de Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 26 Feb 2018 14:01:18 -0800
Subject: [PATCH 02/20] Ticket #2949 CMCAuth throws
 org.mozilla.jss.crypto.TokenException: Unable to insert certificate into
 temporary database

This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication.  During CMC authentication, it looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:
public boolean isCertValid(byte[] certPackage, boolean checkSig,
            CertUsage certUsage)
That call is not appropriate for the purpose.

Looking closely,  certificate validation has been done in various places:
* SSL client authentication (if used)
* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
* the cert.checkValidity() call in CMCUserSignedAuth

The extra isCertValid call is not only redundant but also problematic.

This patch fixes https://pagure.io/dogtagpki/issue/2949
(cherry picked from commit c6630a429f6f4a9b2c2090001f0a2c50e10ba5c4)

Change-Id: I47367b02c8a53a9cfa99b5da370a3a6af1cb9676
---
 .../cms/src/com/netscape/cms/authentication/CMCAuth.java     |  3 ---
 .../com/netscape/cms/authentication/CMCUserSignedAuth.java   | 12 ------------
 2 files changed, 15 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index db3ca2b..86ffa2f 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -945,9 +945,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                             si.verify(digest, id, pubK);
                         }
                         CMS.debug("CMCAuth: finished checking signature");
-                        // verify signer's certificate using the revocator
-                        if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient))
-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
 
                         // authenticate signer's certificate using the userdb
                         IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
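Review bot: After this removal, nothing in the visible context verifies that the signer's certificate chains to a trusted issuer or is permitted for this usage. The checks the commit message relies on are revocation (`isRevoked()`), the validity period (`cert.checkValidity()`) and SSL client authentication, which by its own wording applies only "if used". It is worth confirming that the userdb authentication that follows here, and the `CMS.isRevoked(x509Certs)` path in the CMCUserSignedAuth.java hunk, reject a certificate from an unknown issuer. That should be recorded at the removal point, e.g. `// issuer trust for the signer cert is established by <where>; isCertValid() was dropped because it imports the cert into the temporary database`. The enclosing methods start and end outside both hunks, so this cannot be settled from the patch alone.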
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 527b7e5..d92b33b 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -1132,19 +1132,7 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
                         }
                         CMS.debug(method + "finished checking signature");
 
-                        // verify signer's certificate using the revocator
-                        // ...or not;  I think it just checks usage and
-                        // validity, but not revocation status
-                        if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) {
-                            msg = "CMC signing cert is invalid";
-                            CMS.debug(method + msg);
-                            s.close();
-                            throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg);
-                        } else {
-                            CMS.debug(method + "CMC signature verified; but signer not yet;");
-                        }
                         // At this point, the signature has been verified;
-
                         // now check revocation status of the cert
                         if (CMS.isRevoked(x509Certs)) {
                             msg = "CMC signing cert is a revoked certificate";
-- 
1.8.3.1


From cc55aa9cc84bf9a17641b0fd0e509633bf115e44 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Mon, 12 Feb 2018 22:37:50 +0100
Subject: [PATCH 03/20] Added two-step installation mode in pkispawn man page.

The pkispawn man page has been updated to include the two-step
installation mode.

https://pagure.io/dogtagpki/issue/2938

Change-Id: Icf2edad5477072e33c8eab556b95d5ad4b986131
(cherry picked from commit 7455cc2023c74d0bd72bbb8f224ba880b1364118)
---
 base/server/man/man8/pkispawn.8 | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 1411592..21f6308 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -18,7 +18,7 @@
 pkispawn \- Sets up an instance of Certificate Server.
 
 .SH SYNOPSIS
-pkispawn \-s <subsystem> \-f <config_file> [\-h] [\-v] [\-p <prefix>]
+pkispawn \-s <subsystem> \-f <config_file> [options] [\-p <prefix>]
 
 .SH DESCRIPTION
 Sets up a Certificate Server subsystem (CA, KRA, OCSP, TKS, or TPS) in a
@@ -84,6 +84,12 @@ Specifies the path to the user-defined configuration file.  This file contains d
 .B --precheck
 Execute pre-checks and exit.
 .TP
+.B --skip-configuration
+Run the first step of the installation (i.e. skipping the instance configuration step).
+.TP
+.B --skip-installation
+Run the second step of the installation (i.e. skipping the instance installation step).
+.TP
 .B -h, --help
 Prints additional help information.
 .TP
@@ -244,6 +250,37 @@ directory server instance has not yet been created.
 
 See \fB pki_default.cfg(5) \fP for more details about available flags.
 
+.SH TWO-STEP INSTALLATION MODE
+.PP
+pkispawn provides a number of parameters to customize an instance before it is
+created. Usually, most other customization can be done after the server is created.
+However, sometimes certain types of customization need to be done before the server is
+created, but there are no parameters for that. For example, configuring session timeout,
+adding CSR extensions, customizing certificate profiles, configuring TLS ciphers, etc.
+To support such customization, pkispawn provides a two-step installation mode.
+
+Generally, instance creation happens in one step (except for the external CA case).
+Internally, the process happens in two stages. In the first stage, pkispawn will
+install the instance files (e.g. CS.cfg, NSS database, profiles, etc.) in the instance
+directory and customize them based on pkispawn parameters. In the second stage,
+pkispawn will start the instance and configure the instance based on the instance
+configuration files (e.g. initializing database, generating certificates, configuring
+connectors, etc.). The two-step process allows the process to be stopped after the first
+stage, allowing further customization to be done before running the second stage.
+
+To use two-step installation mode, prepare a normal pkispawn configuration file, then
+run pkispawn with the --skip-configuration parameter. For example:
+
+.IP
+\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-configuration\fR
+
+.PP
+Then customize the files in the instance directory as needed. Finally, finish the
+installation by running pkispawn again with the --skip-installation parameter. For example:
+
+.IP
+\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-installation\fR
+
 .SH EXAMPLES
 
 .SS Installing a root CA
-- 
1.8.3.1


From 652d8c3616fea5d2632e80889445c7f1497572af Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 22 Feb 2018 10:22:41 +0100
Subject: [PATCH 04/20] Modernize sslget's TLS version and cipher suite

Disable all cipher suites unless NSS says it's a FIPS approved suite.

* SSL 2.0 and SSL 3.0 are disabled
* Broken or weak suites with 3DES, RC4 and effective key bits less than
  80 bits are disabled.

Fixes: https://pagure.io/dogtagpki/issue/2918
Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8
Signed-off-by: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240)
---
 base/native-tools/src/sslget/sslget.c | 108 +++++++++++++++++++++++++---------
 1 file changed, 81 insertions(+), 27 deletions(-)

diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c
index bd631c6..b058209 100644
--- a/base/native-tools/src/sslget/sslget.c
+++ b/base/native-tools/src/sslget/sslget.c
@@ -58,6 +58,7 @@
 #include "prio.h"
 #include "prnetdb.h"
 #include "nss.h"
+#include <nss3/sslproto.h>
 
 
 /*  set Tabs to 8 */
@@ -122,7 +123,8 @@ int	verbose;
 SECItem	bigBuf;
 
 
-char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
+static char*
+ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
 {
     char *passwd = NULL;
 
@@ -300,7 +302,7 @@ printSecurityInfo(PRFileDesc *fd)
 PRBool useModelSocket = PR_TRUE;
 
 
-PRInt32
+static PRInt32
 do_writes(
     void *       a
 )
@@ -334,7 +336,8 @@ do_writes(
 }
 
 
-int isLinkLocalAddress(char *address, int family)
+static int
+isLinkLocalAddress(char *address, int family)
 {
     if ( !address || ( strlen(address) == 0 ) ) {
         return 0;
@@ -363,7 +366,7 @@ int isLinkLocalAddress(char *address, int family)
 }
 
 
-SECStatus
+static SECStatus
 do_io( PRFileDesc *ssl_sock, int connection)
 {
     int countRead = 0;
@@ -472,7 +475,7 @@ do_io( PRFileDesc *ssl_sock, int connection)
     return SECSuccess;	/* success */
 }
 
-int
+static int
 do_connect(
     PRNetAddr *addr,
     PRFileDesc *model_sock,
@@ -543,7 +546,7 @@ do_connect(
 ** Since the value returned is an integer (not a string of bytes), 
 ** it is inherently in Host Byte Order. 
 */
-PRUint32
+static PRUint32
 getIPAddress(const char * hostName) 
 {
     const unsigned char *p;
@@ -565,7 +568,7 @@ getIPAddress(const char * hostName)
     return rv;
 }
 
-void
+static void
 client_main(
     unsigned short      port, 
     int                 connections, 
@@ -576,31 +579,82 @@ client_main(
 {
     PRFileDesc *model_sock = NULL;
     int         rv;
-
+    int i;
+    const PRUint16* ssl_ciphers;
+    PRUint16 num_ciphers;
+    PRBool enabled;
+    SSLCipherSuiteInfo info;
+    SSLVersionRange versions = {
+        SSL_LIBRARY_VERSION_TLS_1_1,
+        SSL_LIBRARY_VERSION_TLS_1_2
+    };
 
     FPRINTF(stderr, "port: %d\n", port);
 
     /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
     NSS_SetDomesticPolicy();
 
-    /* all the SSL2 and SSL3 cipher suites are enabled by default. */
-
-    /* enable FIPS ciphers */
-    SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE);
-    SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
+    /* disable SSL 2.0 and SSL 3.0 */
+    SSL_VersionRangeSetDefault(ssl_variant_stream, &versions);
+
+    /* disable all weak or non-FIPS compliant ciphers */
+    ssl_ciphers = SSL_GetImplementedCiphers();
+    num_ciphers = SSL_GetNumImplementedCiphers();
+
+    for (i = 0; i < num_ciphers; i++) {
+        if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, sizeof(info)) == SECSuccess) {
+            SSL_CipherPrefGetDefault(ssl_ciphers[i], &enabled);
+            if (!enabled) {
+                /* Although some NSS versions do not support SHA384, try to enable select SHA384 ciphers by default */
+                if (PL_strcmp(info.cipherSuiteName, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384") == 0) {
+                    SSL_CipherPrefSetDefault(0x009f /* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                }
+                else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384") == 0) {
+                    /* NOTE:  CBC ciphers may be deprecated in TLS v1.3 */
+                    SSL_CipherPrefSetDefault(0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                }
+                else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384") == 0) {
+                    SSL_CipherPrefSetDefault(0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                }
+                else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384") == 0) {
+                    /* NOTE:  CBC ciphers may be deprecated in TLS v1.3 */
+                    SSL_CipherPrefSetDefault(0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                }
+                else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384") == 0) {
+                    SSL_CipherPrefSetDefault(0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                }
+                else if (PL_strcmp(info.cipherSuiteName, "TLS_RSA_WITH_AES_256_GCM_SHA384") == 0) {
+                    SSL_CipherPrefSetDefault(0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE);
+                    FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+                } else {
+                    FPRINTF(stderr, "disabled %-42s\t(disabled by default)\n", info.cipherSuiteName);
+                }
+            }
+            else if (!info.isFIPS) {
+                /* Disable non-FIPS compliant ciphers */
+                enabled = PR_FALSE;
+                FPRINTF(stderr, "disabled %-42s\t(not FIPS)\n", info.cipherSuiteName);
+            }
+            else if (info.symCipher == ssl_calg_rc4) {
+                /* No RC4, see RFC 7465 (recent NSS flag RC4 as not FIPS) */
+                enabled = PR_FALSE;
+                FPRINTF(stderr, "disabled %-42s\t(RC4)\n", info.cipherSuiteName);
+            }
+            else if (info.symCipher == ssl_calg_3des) {
+                /* No 3DES to mitigate SWEET32 attack */
+                enabled = PR_FALSE;
+                FPRINTF(stderr, "disabled %-42s\t(3DES)\n", info.cipherSuiteName);
+            } else {
+                FPRINTF(stderr, "enabled  %-42s\n", info.cipherSuiteName);
+            }
+            SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);
+        }
+    }
 
     /*
      *  Rifle through the values for the host
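Review bot: In the `!enabled` branch of the new loop, each SHA384 suite is switched on with a hard-coded call such as `SSL_CipherPrefSetDefault(0x009f, PR_TRUE)`, but `enabled` is still PR_FALSE when control reaches the closing `SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled);`. The same suite is therefore switched off again right after "enabled" is logged for it. Setting `enabled = PR_TRUE;` in each of the six branches, and letting the final call apply it, keeps the log and the resulting policy in agreement. The return value of `SSL_CipherPrefGetDefault` is also ignored, which leaves `enabled` uninitialised if the call fails; initialise it with `enabled = PR_FALSE;` at the top of each iteration. The commit message mentions suites below 80 effective key bits, but no test of `info.effectiveKeyBits` is visible in this hunk; client_main continues beyond it.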
@@ -694,7 +748,7 @@ client_main(
 }
 
 
-SECStatus
+static SECStatus
 createRequest(
     char * url,
     char *post,
-- 
1.8.3.1


From 83c6d20414f4b344994a8112298512d642eae98f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 2 Feb 2018 15:54:50 +1100
Subject: [PATCH 05/20] IPAddressName: remove unused getLength method

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I732bd39446efcce18b6dc597d9c613a6b0a6422d
---
 base/util/src/netscape/security/x509/IPAddressName.java | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
index bb27548..4d08b8c 100644
--- a/base/util/src/netscape/security/x509/IPAddressName.java
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
@@ -166,8 +166,6 @@ public class IPAddressName implements GeneralNameInterface {
 
 interface IPAddr {
     public int getIPAddr(String s, byte[] address, int start);
-
-    public int getLength();
 }
 
 class IPv4Addr implements IPAddr {
@@ -192,10 +190,6 @@ class IPv4Addr implements IPAddr {
         }
         return nt;
     }
-
-    public int getLength() {
-        return IPv4_LEN;
-    }
 }
 
 class IPv6Addr implements IPAddr {
@@ -270,8 +264,4 @@ class IPv6Addr implements IPAddr {
         }
         return 16;
     }
-
-    public int getLength() {
-        return 16;
-    }
 }
-- 
1.8.3.1


From 8a2bec1661ff8f86c3501f3d0975fe3fc45e254e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 2 Feb 2018 18:31:46 +1100
Subject: [PATCH 06/20] parseGeneralName: properly parse iPAddress GN with
 netmask

There are a couple of problems with iPAddress general name parsing
(primarily used for the Name Constraints extension).

First, an IP address with netmask expressed as e.g.
1.2.3.4,255.0.0.0 or ::1,ffff:: is outright rejected, causing
issuance failure with a message like:

  NameConstraintsExtDefault: createExtension
    netscape.security.x509.InvalidIPAddressException: Invalid IP
    Address '10.10.10.10,255.255.255.0'

Second, an IPv4 address with CIDR-style netmask is misinterpreted as
an IPv6 address _without_ netmask, e.g. the input "192.168.1.1/24"
gets misinterpreted as "c0a8:1c8:ffff:ffff:000:000:000:000", which
is not a conforming value in the Name Constraints extension.

To resolve these problems, separate the handling of these two cases
and fix the logic.  A new class, CIDRNetmask, does the heavy lifting
in the CIDR netmask case.

Consider the following configuration (irrelevant keys and key
prefixes omitted for brevity). It contains values which caused
failures or incorrect outputs:

  nameConstraintsExcludedSubtreeNameChoice_0=IPAddress
  nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24
  nameConstraintsExcludedSubtreeNameChoice_1=IPAddress
  nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0
  nameConstraintsExcludedSubtreeNameChoice_2=IPAddress
  nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128
  nameConstraintsExcludedSubtreeNameChoice_3=IPAddress
  nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff::

This configuration now succeeds and produces the correct output.
The extension value produced using the above configuration is (per
OpenSSL pretty print):

  X509v3 Name Constraints: critical
    Excluded:
      IP:10.10.10.10/255.255.255.0
      IP:10.10.10.10/255.255.255.0
      IP:DEAD:BEEF:0:0:0:0:0:1/FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
      IP:DEAD:BEEF:0:0:0:0:0:0/FFFF:FFFF:0:0:0:0:0:0

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: I61d5fcceadcca28cc951802ee4b95691653dd356
---
 .../netscape/cms/profile/def/EnrollDefault.java    | 11 +++-
 .../src/netscape/security/x509/CIDRNetmask.java    | 77 ++++++++++++++++++++++
 .../src/netscape/security/x509/IPAddressName.java  | 51 +++++++-------
 .../security/x509/InvalidNetmaskException.java     | 27 ++++++++
 4 files changed, 140 insertions(+), 26 deletions(-)
 create mode 100644 base/util/src/netscape/security/x509/CIDRNetmask.java
 create mode 100644 base/util/src/netscape/security/x509/InvalidNetmaskException.java

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
index 6192888..173ff83 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
@@ -46,6 +46,7 @@ import netscape.security.util.DerInputStream;
 import netscape.security.util.DerOutputStream;
 import netscape.security.util.DerValue;
 import netscape.security.util.ObjectIdentifier;
+import netscape.security.x509.CIDRNetmask;
 import netscape.security.x509.CertificateExtensions;
 import netscape.security.x509.DNSName;
 import netscape.security.x509.EDIPartyName;
@@ -497,9 +498,17 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
         if (nameType.equalsIgnoreCase("IPAddress")) {
             CMS.debug("IP Value:" + nameValue);
             if (nameValue.indexOf('/') != -1) {
-                // CIDR support for NameConstraintsExt
                 StringTokenizer st = new StringTokenizer(nameValue, "/");
                 String addr = st.nextToken();
+                CIDRNetmask netmask = new CIDRNetmask(st.nextToken());
+                CMS.debug("addr:" + addr + " CIDR netmask: " + netmask);
+                return new IPAddressName(addr, netmask);
+            } else if (nameValue.indexOf(',') != -1) {
+                // interpret as IPADDR "," NETMASK e.g.
+                //   "192.168.1.0,255.255.255.0" (/24)
+                //   "2001:0db8:0123:4567::,ffff:ffff:ffff:ffff::"  (/64)
+                StringTokenizer st = new StringTokenizer(nameValue, ",");
+                String addr = st.nextToken();
                 String netmask = st.nextToken();
                 CMS.debug("addr:" + addr + " netmask: " + netmask);
                 return new IPAddressName(addr, netmask);
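Review bot: Both new branches take the netmask with a second `st.nextToken()` without checking `hasMoreTokens()`, and `CIDRNetmask(String)` in the CIDRNetmask.java hunk hands the text straight to `Integer.parseInt`. Configuration values such as `10.0.0.1/` or `10.0.0.1/abc` therefore surface as an unchecked NoSuchElementException or NumberFormatException rather than a netmask error. Whether a caller catches those is not visible, because the enclosing method starts and ends outside the hunk. A guard such as `if (!st.hasMoreTokens()) throw new InvalidNetmaskException("missing netmask");` before the second token would help, as would converting NumberFormatException into InvalidNetmaskException inside `CIDRNetmask(String)`, so every malformed mask fails the same way. Trailing tokens, as in `10.0.0.1/24/8`, are silently ignored and could be rejected at the same point.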
diff --git a/base/util/src/netscape/security/x509/CIDRNetmask.java b/base/util/src/netscape/security/x509/CIDRNetmask.java
new file mode 100644
index 0000000..80f1a79
--- /dev/null
+++ b/base/util/src/netscape/security/x509/CIDRNetmask.java
@@ -0,0 +1,77 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package netscape.security.x509;
+
+import java.nio.ByteBuffer;
+
+/**
+ * Netmask that is the number of significant bits.
+ */
+public class CIDRNetmask {
+    private int n;
+
+    public CIDRNetmask(String s) {
+        this(Integer.parseInt(s));
+    }
+
+    public CIDRNetmask(int n) {
+        if (n < 0)
+            throw new InvalidNetmaskException("cannot be negative");
+        this.n = n;
+    }
+
+    /**
+     * Write the netmask into a byte buffer.
+     *
+     * Throw InvalidNetmaskException if negative or if the
+     * size exceeds the size of the address type inferred
+     * from the remaining buffer space (which must be 4
+     * bytes for IPv4 and 16 bytes for IPv6).
+     *
+     * exceeds the size of the buffer
+     */
+    protected void write(ByteBuffer buf) {
+        // determine type of addr based on bytes left in buffer
+        int remaining = buf.remaining();
+        int bits = 0;
+        if (remaining == 4)
+            bits = 32;
+        else if (remaining == 16)
+            bits = 128;
+        else
+            throw new InvalidNetmaskException(
+                "cannot determine type of address for netmask");
+
+        if (n > bits)
+            throw new InvalidNetmaskException("netmask exceed address size");
+
+        int maskSigBits = n;
+        for (; remaining > 0; remaining--) {
+            int maskByteSigBits = Math.min(8, maskSigBits);
+            byte maskByte = (byte) (0xff - (0xff >> maskByteSigBits));
+            buf.put(maskByte);
+            maskSigBits = Math.max(maskSigBits - 8, 0);
+        }
+    }
+
+    public String toString() {
+        return "/" + n;
+    }
+
+}
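Review bot: The Javadoc on `write` ends with a stray fragment, `exceeds the size of the buffer`, and says the method throws when the value is negative, although that check is in the constructor. The comment should state only what `write` itself enforces: a remaining buffer size of 4 or 16 bytes, and `n` no larger than 32 or 128 bits respectively. On style, the field can be declared `private final int n;` since it is assigned once, and `toString()` should carry `@Override`.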
diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
index 4d08b8c..bc63615 100644
--- a/base/util/src/netscape/security/x509/IPAddressName.java
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
@@ -18,6 +18,7 @@
 package netscape.security.x509;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.util.StringTokenizer;
 
 import netscape.security.util.DerOutputStream;
@@ -77,25 +78,22 @@ public class IPAddressName implements GeneralNameInterface {
      * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
      */
     public IPAddressName(String s, String netmask) {
-        // Based on PKIX RFC2459. IPAddress has
-        // 8 bytes (instead of 4 bytes) in the
-        // context of NameConstraints
-        IPAddr ipAddr = null;
-        if (s.indexOf(':') != -1) {
-            ipAddr = IPv6;
-            address = new byte[IPv6_LEN * 2];
-        } else {
-            ipAddr = IPv4;
-            address = new byte[IPv4_LEN * 2];
-        }
-        StringTokenizer st = new StringTokenizer(s, ",");
-        int numFilled = ipAddr.getIPAddr(st.nextToken(), address, 0);
-        if (st.hasMoreTokens()) {
-            ipAddr.getIPAddr(st.nextToken(), address, numFilled);
-        } else {
-            for (int i = numFilled; i < address.length; i++)
-                address[i] = (byte) 0xff;
-        }
+        IPAddr ipAddr = initAddress(true, s);
+        int numFilled = ipAddr.getIPAddr(s, address, 0);
+        ipAddr.getIPAddr(netmask, address, numFilled);
+    }
+
+    /**
+     * IP address with CIDR netmask
+     *
+     * @param s a single IPv4 or IPv6 address
+     * @param mask a CIDR netmask
+     */
+    public IPAddressName(String s, CIDRNetmask mask) {
+        IPAddr ipAddr = initAddress(true, s);
+        int numFilled = ipAddr.getIPAddr(s, address, 0);
+        mask.write(ByteBuffer.wrap(
+                    address, address.length / 2, address.length / 2));
     }
 
     /**
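Review bot: In the new `IPAddressName(String, CIDRNetmask)` constructor the local `numFilled` is assigned but never read; the mask offset is recomputed as `address.length / 2` instead. Either drop the local or use it, e.g. `mask.write(ByteBuffer.wrap(address, numFilled, address.length - numFilled));`. With the second form, `CIDRNetmask.write` would reject the buffer if the address parser filled an unexpected number of bytes. In the `(String, String)` constructor the return value of the second `getIPAddr` call is likewise ignored, and the parser is chosen from `s` alone, so a netmask of the other address family depends entirely on how `getIPAddr` handles it, which is not visible here.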
@@ -105,15 +103,18 @@ public class IPAddressName implements GeneralNameInterface {
      * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
      */
     public IPAddressName(String s) {
-        IPAddr ipAddr = null;
+        IPAddr ipAddr = initAddress(false, s);
+        ipAddr.getIPAddr(s, address, 0);
+    }
+
+    private IPAddr initAddress(boolean withNetmask, String s) {
         if (s.indexOf(':') != -1) {
-            ipAddr = IPv6;
-            address = new byte[IPv6_LEN];
+            address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
+            return IPv6;
         } else {
-            ipAddr = IPv4;
-            address = new byte[IPv4_LEN];
+            address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
+            return IPv4;
         }
-        ipAddr.getIPAddr(s, address, 0);
     }
 
     /**
diff --git a/base/util/src/netscape/security/x509/InvalidNetmaskException.java b/base/util/src/netscape/security/x509/InvalidNetmaskException.java
new file mode 100644
index 0000000..3041377
--- /dev/null
+++ b/base/util/src/netscape/security/x509/InvalidNetmaskException.java
@@ -0,0 +1,27 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package netscape.security.x509;
+
+public class InvalidNetmaskException extends RuntimeException {
+
+    public InvalidNetmaskException(String desc) {
+        super("Invalid netmask (" + desc + ")");
+    }
+
+}
-- 
1.8.3.1


From c9b323331eef1f1934f8430053a72f7b2a21b084 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 5 Feb 2018 14:53:35 +1100
Subject: [PATCH 07/20] GeneralNameInterface: methods for checking name
 validity

Some general names may be valid only for describing a single subject
(e.g. Subject Alt Name extension), or for describing a range of
subjects (e.g. Name Constraints extension).  For example, an
iPAddress name MUST have 4 (IPv4) or 16 (IPv6) octets in the
"single" context, or 8 (IPv4) or 32 (IPv6) octets in range context.

Add the validSingle() and validSubtree() methods to
GeneralNameInterface and all implementing classes.  These methods
can be used to check whether the value is valid for use in the
corresponding context.

Part of: https://pagure.io/dogtagpki/issue/2922

Change-Id: Ib77286b309f1d505fe15313483ec658a55780f83
---
 base/util/src/netscape/security/x509/GeneralName.java    | 12 ++++++++++++
 .../src/netscape/security/x509/GeneralNameInterface.java | 16 ++++++++++++++++
 base/util/src/netscape/security/x509/IPAddressName.java  | 10 ++++++++++
 3 files changed, 38 insertions(+)

diff --git a/base/util/src/netscape/security/x509/GeneralName.java b/base/util/src/netscape/security/x509/GeneralName.java
index 55b5bfc..80d020e 100644
--- a/base/util/src/netscape/security/x509/GeneralName.java
+++ b/base/util/src/netscape/security/x509/GeneralName.java
@@ -197,6 +197,18 @@ public class GeneralName implements GeneralNameInterface {
         }
     }
 
+    @Override
+    public boolean validSingle() {
+        if (this == name) return false;  // can't happen, but just in case...
+        return name.validSingle();
+    }
+
+    @Override
+    public boolean validSubtree() {
+        if (this == name) return false;  // can't happen, but just in case...
+        return name.validSubtree();
+    }
+
     /**
      * Unwrap this GeneralName until we reach something that is not
      * a GeneralName.
diff --git a/base/util/src/netscape/security/x509/GeneralNameInterface.java b/base/util/src/netscape/security/x509/GeneralNameInterface.java
index 7225ccc..61ba06a 100644
--- a/base/util/src/netscape/security/x509/GeneralNameInterface.java
+++ b/base/util/src/netscape/security/x509/GeneralNameInterface.java
@@ -57,4 +57,20 @@ public interface GeneralNameInterface extends java.io.Serializable {
      *                encoded.
      */
     void encode(DerOutputStream out) throws IOException;
+
+    /**
+     * Whether the name is valid as a single name (e.g. for use in
+     * Subject Alternative Name extension).
+     */
+    default boolean validSingle() {
+        return true;
+    }
+
+    /**
+     * Whether the name is valid as a subtree name (e.g. for use in
+     * Name Constraints extension)
+     */
+    default boolean validSubtree() {
+        return true;
+    }
 }
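Review bot: The new `validSingle()` and `validSubtree()` defaults return `true`, so every GeneralNameInterface implementation that does not override them is accepted in both contexts, and a name type that later gains a context-specific form would pass the check unnoticed. The commit message says the methods were added to all implementing classes, but the diffstat lists only GeneralName and IPAddressName, so the remaining types rely on this permissive default. I would state that in the Javadoc of both methods, e.g. `@return true by default; implementations whose encoding differs between single and subtree use must override`, and end the second summary sentence with a full stop.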
diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
index bc63615..768d2d6 100644
--- a/base/util/src/netscape/security/x509/IPAddressName.java
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
@@ -124,6 +124,16 @@ public class IPAddressName implements GeneralNameInterface {
         return (GeneralNameInterface.NAME_IP);
     }
 
+    @Override
+    public boolean validSingle() {
+        return address.length == IPv4_LEN || address.length == IPv6_LEN;
+    }
+
+    @Override
+    public boolean validSubtree() {
+        return address.length == 2*IPv4_LEN || address.length == 2*IPv6_LEN;
+    }
+
     /**
      * Encode the IPAddress name into the DerOutputStream.
      *
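Review bot: `validSingle()` and `validSubtree()` look only at `address.length`, so `validSubtree()` reports any 8- or 32-octet value as valid without inspecting the mask half. If Name Constraints values are expected to carry a CIDR-style (contiguous) mask, a value built from an arbitrary netmask string would still pass this check. At minimum I would record the limit of the check, e.g. `// length check only: the netmask octets are not inspected` above `validSubtree()`, and give both overrides a one-line Javadoc stating the expected octet counts.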
-- 
1.8.3.1


From 9086bedfa105078362573c49a65d0084254ffa35 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Mon, 5 Feb 2018 15:27:05 +1100
Subject: [PATCH 08/20] Check validity of Subject/Issuer Alt Names and Name
 Constraints

Different forms of some GeneralName types (in particular, iPAddress)
are valid only in "single subject" or "multiple subject / range"
context.  Update SubjectAltNameExtDefault, IssuerAltNameExtDefault
and NameConstraintsExtDefault to check the validity of GeneralName
values for use in the prevailing context.

This change prevents certificates being issued with netmasked
iPAddress values in the SAN/Issuer Alt Name extension, or
non-netmasked iPAddress values in the Name Constraints extension.

Fixes: https://pagure.io/dogtagpki/issue/2922
Change-Id: I42478e2b554e7d53a7c07db59208bf855b476572
---
 .../cms/profile/def/IssuerAltNameExtDefault.java   | 17 +++++++++++++---
 .../cms/profile/def/NameConstraintsExtDefault.java | 23 +++++++++++++++++-----
 .../cms/profile/def/SubjectAltNameExtDefault.java  | 10 +++++++++-
 3 files changed, 41 insertions(+), 9 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
index ec20371..924b15a 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java
@@ -164,6 +164,10 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault {
 
                     GeneralNameInterface n = parseGeneralName(gname);
                     if (n != null) {
+                        if (!n.validSingle()) {
+                            throw new EPropertyException(
+                                "Not valid for Issuer Alternative Name: " + gname);
+                        }
                         gn.addElement(n);
                     }
                 }
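Review bot: The message of the new `EPropertyException` at the `validSingle()` check is a hard-coded English string, whereas the existing `EPropertyException` visible in NameConstraintsExtDefault's first hunk is built with `CMS.getUserMessage(locale,`. The same applies to the `EPropertyException`s added in NameConstraintsExtDefault (`@@ -408,6 +408,10 @@`) and SubjectAltNameExtDefault (`@@ -277,6 +277,10 @@`). If these messages can reach the profile-editing UI, a message-catalogue entry would keep them consistent; otherwise a short comment such as `// not localised: admin-facing configuration error` would record the choice. The enclosing method starts and ends outside the hunk.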
@@ -285,7 +289,7 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault {
     }
 
     public IssuerAlternativeNameExtension createExtension(IRequest request)
-            throws IOException {
+            throws IOException, EProfileException {
         IssuerAlternativeNameExtension ext = null;
 
         try {
@@ -307,8 +311,15 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault {
                 gname = mapPattern(request, pattern);
             }
 
-            gn.addElement(parseGeneralName(
-                    getConfig(CONFIG_TYPE) + ":" + gname));
+            String gtype = getConfig(CONFIG_TYPE);
+            GeneralNameInterface n = parseGeneralName(gtype + ":" + gname);
+            if (n != null) {
+                if (!n.validSingle()) {
+                    throw new EProfileException(
+                        "Not valid for Issuer Alternative Name: " + gtype + ":" + gname);
+                }
+                gn.addElement(n);
+            }
             ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn);
         }
         ext.setCritical(critical);
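Review bot: When `parseGeneralName` returns null the new `if (n != null)` block is skipped without any message, and `ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn)` still runs with a `gn` that received no element from this branch. An unparsable configured name therefore appears to yield an extension without that name rather than an error, unlike the wrong-context case, which now throws. I would add an `else` that at least logs it, e.g. `CMS.debug("IssuerAltNameExtDefault: cannot parse " + gtype + ":" + gname);`, or throws `EProfileException` if an empty name is never expected here. `createExtension` starts before and continues after this hunk, so any later handling of an empty `gn` is not visible.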
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
index f010b61..a3d41b7 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
@@ -408,6 +408,10 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
             }
 
             if (gnI != null) {
+                if (!gnI.validSubtree()) {
+                    throw new EPropertyException(
+                        "Not valid for Name Constraints: " + val);
+                }
                 gn = new GeneralName(gnI);
             } else {
                 throw new EPropertyException(CMS.getUserMessage(locale,
@@ -591,7 +595,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
         addExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info);
     }
 
-    public NameConstraintsExtension createExtension() {
+    public NameConstraintsExtension createExtension()
+            throws EProfileException {
         NameConstraintsExtension ext = null;
 
         try {
@@ -632,6 +637,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
 
             ext = new NameConstraintsExtension(critical,
                         new GeneralSubtrees(v), new GeneralSubtrees(v1));
+        } catch (EProfileException e) {
+            throw e;  // re-throw
         } catch (Exception e) {
             CMS.debug("NameConstraintsExtDefault: createExtension " +
                     e.toString());
@@ -640,8 +647,9 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
         return ext;
     }
 
-    private GeneralSubtree createSubtree(String choice, String value,
-            String minS, String maxS) {
+    private GeneralSubtree createSubtree(
+                String choice, String value, String minS, String maxS
+            ) throws EProfileException {
         GeneralName gn = null;
         GeneralNameInterface gnI = null;
 
@@ -650,11 +658,16 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
         } catch (IOException e) {
             CMS.debug(e.toString());
         }
-        if (gnI != null)
+        if (gnI != null) {
+            if (!gnI.validSubtree()) {
+                throw new EProfileException(
+                    "Not valid for Name Constraints: " + value);
+            }
             gn = new GeneralName(gnI);
-        else
+        } else {
             //throw new EPropertyException("GeneralName must not be null");
             return null;
+        }
 
         int min = 0;
 
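Review bot: In `createSubtree` a value that fails to parse still ends in `return null;` (the `IOException` is only passed to `CMS.debug`, and the `throw` in the `else` branch stays commented out), while a value that parses but has the wrong form now raises `EProfileException`. For Name Constraints the silent path matters more than the loud one: a permitted or excluded subtree that is dropped may leave the issued CA certificate less constrained than the profile intended, depending on how the caller treats the null, which is outside this hunk. Since the method now declares `EProfileException`, the `else` branch could throw too, e.g. `throw new EProfileException("Cannot parse Name Constraints value: " + value);`, unless empty entries are expected to reach this method.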
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
index ca3d05f..e99acd2 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
@@ -277,6 +277,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
                     }
                     GeneralNameInterface n = parseGeneralName(gname);
                     if (n != null) {
+                        if (!n.validSingle()) {
+                            throw new EPropertyException(
+                                "Not valid for Subject Alternative Name: " + gname);
+                        }
                         gn.addElement(n);
                     }
                 }
@@ -428,7 +432,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
     }
 
     public SubjectAlternativeNameExtension createExtension(IRequest request)
-            throws IOException {
+            throws IOException, EProfileException {
         SubjectAlternativeNameExtension ext = null;
         int num = getNumGNs();
 
@@ -495,6 +499,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
 
                     CMS.debug("adding gname: " + gname);
                     if (n != null) {
+                        if (!n.validSingle()) {
+                            throw new EProfileException(
+                                "Not valid for Subject Alternative Name: " + gtype + ":" + gname);
+                        }
                         CMS.debug("SubjectAlternativeNameExtension: n not null");
                         gn.addElement(n);
                         count++;
-- 
1.8.3.1


From a66ba7f834d1eb6e828739b74e5c67bbbd741ba8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 7 Mar 2018 13:42:01 +1100
Subject: [PATCH 09/20] IPAddressName: refactoring

Merge the content of some classes that don't need to be classes into
the main IPAddressName.  Rename the 'getIPAddress' method to
'fillIPv(4|6)Address', to better reflect its behaviour.  Enhance
initAddress to not only initialise the byte[] but also populate the
address.

Part of: https://pagure.io/dogtagpki/issue/2922
Change-Id: If9cd9f3134ef2086b283a51abc35f2918869aca2
---
 .../src/netscape/security/x509/IPAddressName.java  | 53 ++++++++++------------
 1 file changed, 25 insertions(+), 28 deletions(-)

diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
index 768d2d6..1c01f58 100644
--- a/base/util/src/netscape/security/x509/IPAddressName.java
+++ b/base/util/src/netscape/security/x509/IPAddressName.java
@@ -65,8 +65,6 @@ public class IPAddressName implements GeneralNameInterface {
 
     protected static final char IPv4_LEN = 4;
     protected static final char IPv6_LEN = 16;
-    protected static final IPAddr IPv4 = new IPv4Addr();
-    protected static final IPAddr IPv6 = new IPv6Addr();
 
     /**
      * Create the IPAddressName object with a string representing the
@@ -78,9 +76,11 @@ public class IPAddressName implements GeneralNameInterface {
      * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
      */
     public IPAddressName(String s, String netmask) {
-        IPAddr ipAddr = initAddress(true, s);
-        int numFilled = ipAddr.getIPAddr(s, address, 0);
-        ipAddr.getIPAddr(netmask, address, numFilled);
+        address = initAddress(true, s);
+        if (address.length == IPv4_LEN * 2)
+            fillIPv4Address(netmask, address, address.length / 2);
+        else
+            fillIPv6Address(netmask, address, address.length / 2);
     }
 
     /**
@@ -90,8 +90,7 @@ public class IPAddressName implements GeneralNameInterface {
      * @param mask a CIDR netmask
      */
     public IPAddressName(String s, CIDRNetmask mask) {
-        IPAddr ipAddr = initAddress(true, s);
-        int numFilled = ipAddr.getIPAddr(s, address, 0);
+        address = initAddress(true, s);
         mask.write(ByteBuffer.wrap(
                     address, address.length / 2, address.length / 2));
     }
@@ -103,17 +102,26 @@ public class IPAddressName implements GeneralNameInterface {
      * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
      */
     public IPAddressName(String s) {
-        IPAddr ipAddr = initAddress(false, s);
-        ipAddr.getIPAddr(s, address, 0);
+        initAddress(false, s);
     }
 
-    private IPAddr initAddress(boolean withNetmask, String s) {
+    /**
+     * Initialise and return a byte[] and write the IP address into it.
+     * If withNetmask == true, the byte[] will be double the size,
+     * with the latter half uninitialised.
+     *
+     * @return byte[] of length 4 or 16 if withNetmask == false,
+     *         or length 8 or 32 if withNetmask == true.
+     */
+    private static byte[] initAddress(boolean withNetmask, String s) {
         if (s.indexOf(':') != -1) {
-            address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
-            return IPv6;
+            byte[] address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
+            fillIPv6Address(s, address, 0);
+            return address;
         } else {
-            address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
-            return IPv4;
+            byte[] address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
+            fillIPv4Address(s, address, 0);
+            return address;
         }
     }
 
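Review bot: In `IPAddressName(String s)` the new line `initAddress(false, s);` discards the array that the now-static `initAddress` returns, so this constructor never assigns the `address` field. The two netmask constructors in the earlier hunks do assign it (`address = initAddress(true, s);`). Unless the field is initialised elsewhere, outside this hunk, later uses such as `address.length` in `validSingle()` would hit a null reference for plain addresses, which is the form used for Subject Alternative Names. The line should read `address = initAddress(false, s);`. Separately, "latter half uninitialised" in the new Javadoc would be more precise as "zero-filled", since Java zero-initialises new arrays.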
@@ -173,19 +181,11 @@ public class IPAddressName implements GeneralNameInterface {
             return r.toString();
         }
     }
-}
-
-interface IPAddr {
-    public int getIPAddr(String s, byte[] address, int start);
-}
-
-class IPv4Addr implements IPAddr {
-    protected static final int IPv4_LEN = 4;
 
     /**
      * Gets an IP v4 address in the form n.n.n.n.
      */
-    public int getIPAddr(String s, byte[] address, int start) {
+    public static int fillIPv4Address(String s, byte[] address, int start) {
         StringTokenizer st = new StringTokenizer(s, ".");
         int nt = st.countTokens();
         if (nt != IPv4_LEN)
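Review bot: `fillIPv4Address` (and `fillIPv6Address` in the hunk at `@@ -212,7 +210,7 @@`) become `public static` members of the public `IPAddressName` class, whereas the methods they replace lived on the package-private `IPv4Addr`/`IPv6Addr` helpers; the callers visible in this patch are all inside `IPAddressName`, so `private static` would avoid widening the API. The Javadoc above each still says "Gets an IP ... address" although the rename was made because the methods write into a caller-supplied array; I would reword it to say that the method parses `s` and writes the octets into `address` starting at `start`, and document the return value. The method bodies continue outside the hunks, so whether `start` plus the address length is checked against `address.length` cannot be seen here.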
@@ -201,9 +201,7 @@ class IPv4Addr implements IPAddr {
         }
         return nt;
     }
-}
 
-class IPv6Addr implements IPAddr {
     /**
      * Gets an IP address in the forms as defined in RFC1884:<br>
      * <ul>
@@ -212,7 +210,7 @@ class IPv6Addr implements IPAddr {
      * <li>...:n.n.n.n (with n.n.n.n at the end)
      * </ul>
      */
-    public int getIPAddr(String s, byte[] address, int start) {
+    public static int fillIPv6Address(String s, byte[] address, int start) {
         int lastcolon = -2;
         int end = start + 16;
         int idx = start;
@@ -223,8 +221,7 @@ class IPv6Addr implements IPAddr {
             if (lastcolon == -1)
                 throw new InvalidIPAddressException(s);
             end -= 4;
-            IPAddressName.IPv4.getIPAddr(
-                    s.substring(lastcolon + 1), address, end);
+            fillIPv4Address(s.substring(lastcolon + 1), address, end);
         }
         try {
             String s1 = s;
-- 
1.8.3.1


From c1aca1d718e9f3590bea9ee934d3dda25fa4ff74 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Wed, 7 Mar 2018 14:56:44 -0800
Subject: [PATCH 10/20] Ticket #2950 Need ECC-specific Enrollment Profiles for
 standard conformance

This patch adds ECC-specific enrollment profiles where the Key Usage Extension
bits for SSL server and client certificates are notably different per RFC 6960:

       new file:   base/ca/shared/conf/ECadminCert.profile
       new file:   base/ca/shared/conf/ECserverCert.profile
       new file:   base/ca/shared/conf/ECsubsystemCert.profile
       new file:   base/ca/shared/profiles/ca/ECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECserverCert.cfg
       new file:   base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAdminCert.cfg
       new file:   base/ca/shared/profiles/ca/caECAgentServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECServerCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSubsystemCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
       new file:   base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
       new file:   base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg

In addition, some existing enrollment profiles are adjusted.
And while in there, signing algorithms with SHA1, MD2, and MD5 are removed

No attempt has been made for TPS enrollment profiles in this round.
No attempt has been made for adding ECDH-appropriate profile.

This patch addresses: https://pagure.io/dogtagpki/issue/2950

Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d
(cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5)
---
 base/ca/shared/conf/CS.cfg                         |  44 +++++++--
 base/ca/shared/conf/ECadminCert.profile            |  39 ++++++++
 base/ca/shared/conf/ECserverCert.profile           |  39 ++++++++
 base/ca/shared/conf/ECsubsystemCert.profile        |  39 ++++++++
 base/ca/shared/conf/serverCert.profile             |   2 +-
 base/ca/shared/conf/subsystemCert.profile          |   8 +-
 base/ca/shared/profiles/ca/AdminCert.cfg           |   4 +-
 base/ca/shared/profiles/ca/ECAdminCert.cfg         |  86 ++++++++++++++++
 base/ca/shared/profiles/ca/caAdminCert.cfg         |   6 +-
 base/ca/shared/profiles/ca/caAgentServerCert.cfg   |  10 +-
 base/ca/shared/profiles/ca/caCACert.cfg            |   2 +-
 base/ca/shared/profiles/ca/caCMCECUserCert.cfg     |  86 ++++++++++++++++
 base/ca/shared/profiles/ca/caCMCECserverCert.cfg   |  90 +++++++++++++++++
 .../ca/shared/profiles/ca/caCMCECsubsystemCert.cfg |  86 ++++++++++++++++
 base/ca/shared/profiles/ca/caCMCUserCert.cfg       |  10 +-
 .../shared/profiles/ca/caCMCauditSigningCert.cfg   |   2 +-
 base/ca/shared/profiles/ca/caCMCcaCert.cfg         |   2 +-
 base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg |   2 +-
 .../shared/profiles/ca/caCMCkraTransportCert.cfg   |   2 +-
 base/ca/shared/profiles/ca/caCMCocspCert.cfg       |   2 +-
 base/ca/shared/profiles/ca/caCMCserverCert.cfg     |  10 +-
 base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg  |   6 +-
 base/ca/shared/profiles/ca/caDirUserCert.cfg       |   4 +-
 base/ca/shared/profiles/ca/caECAdminCert.cfg       |  87 ++++++++++++++++
 base/ca/shared/profiles/ca/caECAgentServerCert.cfg |  85 ++++++++++++++++
 base/ca/shared/profiles/ca/caECDirPinUserCert.cfg  |  99 +++++++++++++++++++
 base/ca/shared/profiles/ca/caECDirUserCert.cfg     |  20 ++--
 base/ca/shared/profiles/ca/caECDualCert.cfg        |   4 +-
 .../profiles/ca/caECFullCMCSelfSignedCert.cfg      |  85 ++++++++++++++++
 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg |  85 ++++++++++++++++
 .../profiles/ca/caECFullCMCUserSignedCert.cfg      |  94 ++++++++++++++++++
 .../profiles/ca/caECInternalAuthServerCert.cfg     | 109 +++++++++++++++++++++
 .../profiles/ca/caECInternalAuthSubsystemCert.cfg  |  88 +++++++++++++++++
 base/ca/shared/profiles/ca/caECServerCert.cfg      |  85 ++++++++++++++++
 .../shared/profiles/ca/caECSimpleCMCUserCert.cfg   |  84 ++++++++++++++++
 base/ca/shared/profiles/ca/caECSubsystemCert.cfg   |  85 ++++++++++++++++
 base/ca/shared/profiles/ca/caECUserCert.cfg        |  14 +--
 base/ca/shared/profiles/ca/caEncECUserCert.cfg     |   4 +-
 .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg |   6 +-
 base/ca/shared/profiles/ca/caFullCMCUserCert.cfg   |   6 +-
 .../shared/profiles/ca/caFullCMCUserSignedCert.cfg |   6 +-
 .../profiles/ca/caInternalAuthServerCert.cfg       |  10 +-
 .../profiles/ca/caInternalAuthSubsystemCert.cfg    |  10 +-
 base/ca/shared/profiles/ca/caOCSPCert.cfg          |   2 +-
 base/ca/shared/profiles/ca/caServerCert.cfg        |  10 +-
 base/ca/shared/profiles/ca/caSigningECUserCert.cfg |   4 +-
 base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg |  10 +-
 base/ca/shared/profiles/ca/caSubsystemCert.cfg     |  10 +-
 base/ca/shared/profiles/ca/caUserCert.cfg          |   4 +-
 49 files changed, 1581 insertions(+), 106 deletions(-)
 create mode 100644 base/ca/shared/conf/ECadminCert.profile
 create mode 100644 base/ca/shared/conf/ECserverCert.profile
 create mode 100644 base/ca/shared/conf/ECsubsystemCert.profile
 create mode 100644 base/ca/shared/profiles/ca/ECAdminCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCECUserCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCECserverCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECAdminCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECAgentServerCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECServerCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
 create mode 100644 base/ca/shared/profiles/ca/caECSubsystemCert.cfg

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 59de904..1d65835 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -233,8 +233,8 @@ ca.scep._004=##     ca.scep.nickname=
 ca.scep._005=##     ca.scep.tokenname=
 ca.scep._006=##
 ca.scep.enable=false
-ca.scep.hashAlgorithm=SHA1
-ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
+ca.scep.hashAlgorithm=SHA256
+ca.scep.allowedHashAlgorithms=SHA256,SHA512
 ca.scep.encryptionAlgorithm=DES3
 ca.scep.allowedEncryptionAlgorithms=DES3
 ca.scep.nonceSizeLimit=16
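Review bot: The hash defaults are tightened here, but the two following context lines keep `ca.scep.encryptionAlgorithm=DES3` with `DES3` as the only entry in `ca.scep.allowedEncryptionAlgorithms`, and the commit message does not mention SCEP at all. Removing `SHA1` from `ca.scep.allowedHashAlgorithms` presumably means SCEP clients that only offer SHA-1 are refused on instances created from this template, which deserves a line in the description such as `SCEP: default hash is now SHA256 and SHA1 is no longer allowed by default`. Whether the SCEP code supports a stronger cipher than DES3 is not visible in this patch.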
@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
 ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
 ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
 ca.ocsp_signing.tokenname=internal
-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
 ca.publish.createOwnDNEntry=false
 ca.publish.queue.enable=true
 ca.publish.queue.maxNumberOfThreads=3
@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
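Review bot: The new `profile.list` value drops `caECDualCert`, `caSigningECUserCert` and `caEncECUserCert` without the commit message mentioning it, although the diffstat shows their `.cfg` files still being modified by this patch. If the removal is intended, the description should say so; if not, the three names need to go back into the list, together with the `profile.caECDualCert.*` and `profile.caSigningECUserCert.*` lines removed further down. Also worth checking: the later hunk that adds `profile.caECAdminCert.config` (it runs past the visible text) points it at `profiles/ca/caAdminCert.cfg`, which looks like a copy-paste slip for `caECAdminCert.cfg`, a file this patch creates.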
@@ -986,16 +986,22 @@ profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
 profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSSLClientSelfRenewal.cfg
 profile.AdminCert.class_id=caEnrollImpl
 profile.AdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/AdminCert.cfg
+profile.ECAdminCert.class_id=caEnrollImpl
+profile.ECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/ECAdminCert.cfg
 profile.DomainController.class_id=caEnrollImpl
 profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/DomainController.cfg
 profile.caAgentFileSigning.class_id=caEnrollImpl
 profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentFileSigning.cfg
 profile.caAgentServerCert.class_id=caEnrollImpl
 profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg
+profile.caECAgentServerCert.class_id=caEnrollImpl
+profile.caECAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECAgentServerCert.cfg
 profile.caRAserverCert.class_id=caEnrollImpl
 profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg
 profile.caCMCUserCert.class_id=caEnrollImpl
 profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
+profile.caCMCECUserCert.class_id=caEnrollImpl
+profile.caCMCECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECUserCert.cfg
 profile.caCMCauditSigningCert.class_id=caEnrollImpl
 profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg
 profile.caCMCcaCert.class_id=caEnrollImpl
@@ -1008,8 +1014,12 @@ profile.caCMCocspCert.class_id=caEnrollImpl
 profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg
 profile.caCMCserverCert.class_id=caEnrollImpl
 profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg
+profile.caCMCECserverCert.class_id=caEnrollImpl
+profile.caCMCECserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECserverCert.cfg
 profile.caCMCsubsystemCert.class_id=caEnrollImpl
 profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg
+profile.caCMCECsubsystemCert.class_id=caEnrollImpl
+profile.caCMCECsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECsubsystemCert.cfg
 profile.caCACert.class_id=caEnrollImpl
 profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg
 profile.caInstallCACert.class_id=caEnrollImpl
@@ -1020,32 +1030,42 @@ profile.caDirBasedDualCert.class_id=caEnrollImpl
 profile.caDirBasedDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirBasedDualCert.cfg
 profile.caDirPinUserCert.class_id=caEnrollImpl
 profile.caDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirPinUserCert.cfg
+profile.caECDirPinUserCert.class_id=caEnrollImpl
+profile.caECDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirPinUserCert.cfg
 profile.caDirUserCert.class_id=caEnrollImpl
 profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirUserCert.cfg
 profile.caECDirUserCert.class_id=caEnrollImpl
 profile.caECDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirUserCert.cfg
 profile.caDualCert.class_id=caEnrollImpl
 profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualCert.cfg
-profile.caECDualCert.class_id=caEnrollImpl
-profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDualCert.cfg
 profile.caDualRAuserCert.class_id=caEnrollImpl
 profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualRAuserCert.cfg
 profile.caRAagentCert.class_id=caEnrollImpl
 profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg
 profile.caFullCMCUserCert.class_id=caEnrollImpl
 profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg
+profile.caECFullCMCUserCert.class_id=caEnrollImpl
+profile.caECFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserCert.cfg
 profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
 profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
+profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl
+profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg
 profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
 profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
+profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl
+profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
 profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
 profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
 profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthAuditSigningCert.cfg
 profile.caInternalAuthServerCert.class_id=caEnrollImpl
 profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthServerCert.cfg
+profile.caECInternalAuthServerCert.class_id=caEnrollImpl
+profile.caECInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthServerCert.cfg
 profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
 profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthSubsystemCert.cfg
+profile.caECInternalAuthSubsystemCert.class_id=caEnrollImpl
+profile.caECInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthSubsystemCert.cfg
 profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
 profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthDRMstorageCert.cfg
 profile.caInternalAuthTransportCert.class_id=caEnrollImpl
@@ -1062,20 +1082,26 @@ profile.caRouterCert.class_id=caEnrollImpl
 profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRouterCert.cfg
 profile.caServerCert.class_id=caEnrollImpl
 profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
+profile.caECServerCert.class_id=caEnrollImpl
+profile.caECServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECServerCert.cfg
 profile.caSignedLogCert.class_id=caEnrollImpl
 profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
-profile.caSigningECUserCert.class_id=caEnrollImpl
-profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
 profile.caSigningUserCert.class_id=caEnrollImpl
 profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
 profile.caSimpleCMCUserCert.class_id=caEnrollImpl
 profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
+profile.caECSimpleCMCUserCert.class_id=caEnrollImpl
+profile.caECSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSimpleCMCUserCert.cfg
 profile.caSubsystemCert.class_id=caEnrollImpl
 profile.caSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSubsystemCert.cfg
+profile.caECSubsystemCert.class_id=caEnrollImpl
+profile.caECSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSubsystemCert.cfg
 profile.caTPSCert.class_id=caEnrollImpl
 profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTPSCert.cfg
 profile.caAdminCert.class_id=caEnrollImpl
 profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
+profile.caECAdminCert.class_id=caEnrollImpl
+profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
 profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
 profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
 profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
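Review bot: The added `profile.caECAdminCert.config` entry points at `caAdminCert.cfg`, while every other `caEC*` entry added in this hunk points at its own `caEC*.cfg` file. The same patch restricts `caAdminCert.cfg` to `keyType=RSA`, so the EC admin profile would presumably load an RSA-only key constraint and reject EC admin requests. If this is a copy-paste slip, the line should read `profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECAdminCert.cfg`. The visible part of the patch adds `ECAdminCert.cfg` rather than a file of that name, so the installed file name needs confirming.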
@@ -1116,8 +1142,6 @@ profile.caIPAserviceCert.class_id=caEnrollImpl
 profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caIPAserviceCert.cfg
 profile.caEncUserCert.class_id=caEnrollImpl
 profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
-profile.caEncECUserCert.class_id=caEnrollImpl
-profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
 registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
 processor.caProfileProcess.getClientCert=true
 processor.caProfileProcess.authzMgr=BasicAclAuthz
diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile
new file mode 100644
index 0000000..46d157a
--- /dev/null
+++ b/base/ca/shared/conf/ECadminCert.profile
@@ -0,0 +1,39 @@
+#
+# Admin Certificate
+#
+id=adminCert.profile
+name=All Purpose admin cert with ECC keys Profile
+description=This profile creates an administrator's certificate with ECC keys
+profileIDMapping=caAdminCert
+profileSetIDMapping=adminCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
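Review bot: `profileIDMapping=caAdminCert` ties this ECC admin profile to the RSA admin enrollment profile, whereas ECserverCert.profile and ECsubsystemCert.profile in the same patch map to `caECServerCert` and `caECSubsystemCert`. `caAdminCert.cfg` is changed to `keyType=RSA` further down, so an ECC admin certificate issued through this mapping would presumably be checked against an RSA-only key constraint. If the omission is unintended, use `profileIDMapping=caECAdminCert`. The header comment could also read `# ECC Admin Certificate`, to match the other two new files.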
diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
new file mode 100644
index 0000000..8c679f7
--- /dev/null
+++ b/base/ca/shared/conf/ECserverCert.profile
@@ -0,0 +1,39 @@
+#
+# ECC Server Certificate
+#
+id=serverCert.profile
+name=All Purpose SSL server cert with ECC keys Profile
+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
+profileIDMapping=caECServerCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=false
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
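Review bot: `6.default.params.keyUsageDataEncipherment=true` is carried over from the RSA profile, but it asserts a key-usage bit that an EC key cannot meaningfully exercise. RFC 5480 section 3 lists only digitalSignature, nonRepudiation and keyAgreement for end-entity certificates with id-ecPublicKey. Unless a client in this deployment depends on the bit, set `6.default.params.keyUsageDataEncipherment=false` and keep `keyUsageKeyAgreement=true`. The same value appears in ECadminCert.profile, ECsubsystemCert.profile, ECAdminCert.cfg, caCMCECUserCert.cfg and caCMCECserverCert.cfg, in both the constraint and default blocks where those exist.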
diff --git a/base/ca/shared/conf/ECsubsystemCert.profile b/base/ca/shared/conf/ECsubsystemCert.profile
new file mode 100644
index 0000000..d11dabb
--- /dev/null
+++ b/base/ca/shared/conf/ECsubsystemCert.profile
@@ -0,0 +1,39 @@
+#
+# ECC Subsystem Certificate
+#
+id=subsystemCert.profile
+name=Subsystem cert with ECC keys Profile
+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
+profileIDMapping=caECSubsystemCert
+profileSetIDMapping=serverCertSet
+list=2,4,5,6,7
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+5.default.name=AIA Extension Default
+5.default.params.authInfoAccessADEnable_0=true
+5.default.params.authInfoAccessADLocationType_0=URIName
+5.default.params.authInfoAccessADLocation_0=
+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+5.default.params.authInfoAccessCritical=false
+5.default.params.authInfoAccessNumADs=1
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=false
+6.default.params.keyUsageDataEncipherment=true
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=true
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+7.default.name=Extended Key Usage Extension Default
+7.default.params.exKeyUsageCritical=false
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
index 8b436b2..3674cbc 100644
--- a/base/ca/shared/conf/serverCert.profile
+++ b/base/ca/shared/conf/serverCert.profile
@@ -25,7 +25,7 @@ list=2,4,5,6,7
 6.default.name=Key Usage Default
 6.default.params.keyUsageCritical=true
 6.default.params.keyUsageDigitalSignature=true
-6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageNonRepudiation=false
 6.default.params.keyUsageDataEncipherment=true
 6.default.params.keyUsageKeyEncipherment=true
 6.default.params.keyUsageKeyAgreement=false
diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile
index a8f08e4..fa8f84e 100644
--- a/base/ca/shared/conf/subsystemCert.profile
+++ b/base/ca/shared/conf/subsystemCert.profile
@@ -1,10 +1,10 @@
 #
-# Server Certificate
+# Subsystem Certificate
 #
 id=subsystemCert.profile
 name=All Purpose SSL server cert Profile
-description=This profile creates an SSL server certificate that is valid for SSL servers
-profileIDMapping=caServerCert
+description=This profile creates a subsystem certificate that is valid for SSL client
+profileIDMapping=caSubsystemCert
 profileSetIDMapping=serverCertSet
 list=2,4,5,6,7
 2.default.class=com.netscape.cms.profile.def.ValidityDefault
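Review bot: The `name=All Purpose SSL server cert Profile` line is left untouched although the comment, description and `profileIDMapping` now describe a subsystem (SSL client) certificate. An administrator reading the profile list would still see it labelled as a server profile. Suggest `name=Subsystem cert Profile`, parallel to the wording in ECsubsystemCert.profile. Also fix the description's wording, "valid for SSL client" should read "valid for SSL clients".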
@@ -36,4 +36,4 @@ list=2,4,5,6,7
 7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
 7.default.name=Extended Key Usage Extension Default
 7.default.params.exKeyUsageCritical=false
-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
index 292beb4..7879614 100644
--- a/base/ca/shared/profiles/ca/AdminCert.cfg
+++ b/base/ca/shared/profiles/ca/AdminCert.cfg
@@ -30,8 +30,8 @@ policyset.adminCertSet.2.default.params.range=365
 policyset.adminCertSet.2.default.params.startTime=0
 policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.adminCertSet.3.constraint.name=Key Constraint
-policyset.adminCertSet.3.constraint.params.keyType=-
-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.adminCertSet.3.constraint.params.keyType=RSA
+policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.adminCertSet.3.default.name=Key Default
 policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
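Review bot: The new `keyParameters=1024,2048,3072,4096` still lets the key constraint accept 1024-bit RSA keys for administrator certificates. That sits oddly with the rest of the series, which removes the SHA1, MD5 and MD2 signing algorithms from `signingAlgsAllowed` in caAdminCert.cfg. Since this line is being rewritten anyway, consider `policyset.adminCertSet.3.constraint.params.keyParameters=2048,3072,4096`, unless existing 1024-bit enrollments must keep working. The same list is introduced in caAdminCert.cfg and caAgentServerCert.cfg. No `signingAlgsAllowed` change for AdminCert.cfg is visible, so that file may still permit the weak algorithms.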
diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
new file mode 100644
index 0000000..e00022e
--- /dev/null
+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling Administrator's certificates with ECC keys suitable for use by clients such as browsers.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=
+name=Manual Administrator Certificate Enrollment with ECC keys
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=adminCertSet
+policyset.adminCertSet.list=1,2,3,4,5,6,7,8
+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.adminCertSet.1.constraint.name=Subject Name Constraint
+policyset.adminCertSet.1.constraint.params.pattern=.*
+policyset.adminCertSet.1.constraint.params.accept=true
+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.adminCertSet.1.default.name=Subject Name Default
+policyset.adminCertSet.1.default.params.name=
+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.adminCertSet.2.constraint.name=Validity Constraint
+policyset.adminCertSet.2.constraint.params.range=365
+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
+policyset.adminCertSet.2.constraint.params.notAfterCheck=false
+policyset.adminCertSet.2.default.class_id=validityDefaultImpl
+policyset.adminCertSet.2.default.name=Validity Default
+policyset.adminCertSet.2.default.params.range=365
+policyset.adminCertSet.2.default.params.startTime=0
+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.adminCertSet.3.constraint.name=Key Constraint
+policyset.adminCertSet.3.constraint.params.keyType=-
+policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.adminCertSet.3.default.name=Key Default
+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.4.constraint.name=No Constraint
+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.adminCertSet.4.default.name=Authority Key Identifier Default
+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.5.constraint.name=No Constraint
+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.adminCertSet.5.default.name=AIA Extension Default
+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.adminCertSet.6.default.name=Key Usage Default
+policyset.adminCertSet.6.default.params.keyUsageCritical=true
+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.adminCertSet.8.constraint.name=No Constraint
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.adminCertSet.8.default.name=Signing Alg
+policyset.adminCertSet.8.default.params.signingAlg=-
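Review bot: `policyset.adminCertSet.3.constraint.params.keyType=-` leaves the key type unconstrained in a profile meant for ECC keys only. The other new EC profiles in this patch (caCMCECUserCert.cfg, caCMCECserverCert.cfg) set `keyType=EC`. As written, the profile relies on the curve-only `keyParameters` list to keep RSA keys out, and how keyConstraintImpl treats an RSA request against that list is not visible here. Stating it explicitly with `policyset.adminCertSet.3.constraint.params.keyType=EC` would make the intent enforceable and consistent with the RSA profiles, which now say `keyType=RSA`.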
diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg
index 6eb784b..86a3b11 100644
--- a/base/ca/shared/profiles/ca/caAdminCert.cfg
+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg
@@ -31,8 +31,8 @@ policyset.adminCertSet.2.default.params.range=365
 policyset.adminCertSet.2.default.params.startTime=0
 policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.adminCertSet.3.constraint.name=Key Constraint
-policyset.adminCertSet.3.constraint.params.keyType=-
-policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.adminCertSet.3.constraint.params.keyType=RSA
+policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.adminCertSet.3.default.name=Key Default
 policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
 policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.adminCertSet.8.constraint.name=No Constraint
-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.adminCertSet.8.default.name=Signing Alg
 policyset.adminCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
index 924046d..c4d109f 100644
--- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=180
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg
index 2f898b8..e4f491d 100644
--- a/base/ca/shared/profiles/ca/caCACert.cfg
+++ b/base/ca/shared/profiles/ca/caCACert.cfg
@@ -79,7 +79,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
new file mode 100644
index 0000000..5185891
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC certificate request with CMC Signature authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
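Review bot: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521` omits nistp384, while every other EC profile added in this patch allows `nistp256,nistp384,nistp521`. If the omission is not deliberate, P-384 user requests would be rejected by this profile only. Use `keyParameters=nistp256,nistp384,nistp521`, or add a short comment explaining why P-384 is excluded. The `name=` line also has a typo, "wth" should be "with".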
diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
new file mode 100644
index 0000000..158d9fe
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg
@@ -0,0 +1,90 @@
+desc=This certificate profile is for enrolling server certificates with ECC keys using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Server Certificate wth ECC keys Enrollment using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=EC
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.9.default.name=copy CN to SAN Default
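Review bot: `policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2` gives this server profile clientAuth as well as serverAuth. ECserverCert.profile in the same patch issues serverAuth only, and subsystemCert.profile is being narrowed to clientAuth only. A server certificate that can also authenticate as a TLS client is broader than the split the rest of the commit establishes, so unless a consumer needs both, use `exKeyUsageOIDs=1.3.6.1.5.5.7.3.1`. Separately, `input.i1.class_id=certReqInputImpl` differs from caCMCECUserCert.cfg, which pairs `auth.instance_id=CMCAuth` with `cmcCertReqInputImpl`, so it is worth confirming which input class is intended here.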
diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
new file mode 100644
index 0000000..f755243
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
@@ -0,0 +1,86 @@
+desc=This certificate profile is for enrolling subsystem certificates with ECC keys using CMC.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=CMCAuth
+authz.acl=group="Certificate Manager Agents"
+name=Subsystem Certificate Enrollment with ECC keys using CMC
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=EC
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
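Review bot: The added line `policyset.serverCertSet.8.constraint.name=No Constraint` mislabels slot 8, whose class is `signingAlgConstraintImpl` and which carries a `signingAlgsAllowed` list. Anyone auditing the profile by its display names would read the slot as unconstrained. I would name it for what it enforces, e.g. `policyset.serverCertSet.8.constraint.name=Signing Algorithm Constraint`. The label looks copied from the existing profiles, and it recurs in the other new files in this patch, `caECAdminCert.cfg` and `caECAgentServerCert.cfg`.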
diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
index 7ff1329..fe2a8b3 100644
--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg
@@ -30,8 +30,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
 policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyType=-
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
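Review bot: The narrowed key constraint still admits 1024-bit RSA keys, because the added `keyParameters=1024,2048,3072,4096` keeps the smallest size. That sits oddly with the rest of the commit, which removes the MD2, MD5 and SHA-1 signing algorithms from these same profiles. Unless a legacy client needs it, I would drop it: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096`. The same list is added in `caCMCserverCert.cfg`, `caCMCsubsystemCert.cfg` and `caDirUserCert.cfg`. Separately, this hunk stops the profile accepting the EC curves it used to list, so the commit message should point EC enrollments at the new ECC profiles.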
@@ -53,7 +53,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
@@ -65,7 +65,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
 policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
@@ -80,7 +80,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
 policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.cmcUserCertSet.8.constraint.name=No Constraint
-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.cmcUserCertSet.8.default.name=Signing Alg
 policyset.cmcUserCertSet.8.default.params.signingAlg=-
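Review bot: Removing the MD2, MD5 and SHA-1 algorithms from `signingAlgsAllowed` here only hardens new installations if, as the `shared/profiles` path suggests, these files are templates copied when an instance is created. Already-deployed CAs would keep the old list in their own profile copies. If that is how they are consumed, the change needs an upgrade step or a release note telling administrators to edit `signingAlgsAllowed` in their instance profiles. The same applies to the identical `signingAlgsAllowed` hunks in `caCMCauditSigningCert.cfg`, `caCMCcaCert.cfg`, `caCMCkraStorageCert.cfg`, `caCMCkraTransportCert.cfg`, `caCMCocspCert.cfg`, `caCMCserverCert.cfg` and `caCMCsubsystemCert.cfg`.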
diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
index ed5a1b2..967d6ef 100644
--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg
@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
 policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.auditSigningCertSet.9.constraint.name=No Constraint
-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.auditSigningCertSet.9.default.name=Signing Alg
 policyset.auditSigningCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
index 9c95182..49a356d 100644
--- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg
@@ -78,7 +78,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
 policyset.caCertSet.8.default.params.critical=false
 policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.caCertSet.9.constraint.name=No Constraint
-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.caCertSet.9.default.name=Signing Alg
 policyset.caCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
index 259430b..bbe733a 100644
--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg
@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
 policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.drmStorageCertSet.9.constraint.name=No Constraint
-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.drmStorageCertSet.9.default.name=Signing Alg
 policyset.drmStorageCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
index ec54f9c..60b19bf 100644
--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg
@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
 policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.transportCertSet.8.constraint.name=No Constraint
-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.transportCertSet.8.default.name=Signing Alg
 policyset.transportCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
index 8afbd46..cd60562 100644
--- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg
@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
 policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
 policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.ocspCertSet.9.constraint.name=No Constraint
-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.ocspCertSet.9.default.name=Signing Alg
 policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
index 8215d65..89bbbea 100644
--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg
@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -52,7 +52,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -64,7 +64,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
index f473f98..4a922fc 100644
--- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg
@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
index b447297..f12c7ed 100644
--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
@@ -34,8 +34,8 @@ policyset.userCertSet.2.default.params.range=180
 policyset.userCertSet.2.default.params.startTime=0
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.userCertSet.3.constraint.name=Key Constraint
-policyset.userCertSet.3.constraint.params.keyType=-
-policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.userCertSet.3.constraint.params.keyType=EC
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.userCertSet.3.default.name=Key Default
 policyset.userCertSet.4.constraint.class_id=noConstraintImpl
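Review bot: The two added key-constraint lines contradict each other: `keyType=EC` is paired with `keyParameters=1024,2048,3072,4096`, which are RSA modulus sizes, not curve names. Every other profile in this patch pairs those sizes with `RSA` and pairs `EC` with `nistp256,nistp384,nistp521`. As written, the constraint probably rejects every request, RSA keys on type and EC keys on parameters, though that depends on how `keyConstraintImpl` evaluates the pair. If this profile is meant to stay the RSA variant, the line should read `policyset.userCertSet.3.constraint.params.keyType=RSA`.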
diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg
new file mode 100644
index 0000000..d57bae1
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling Security Domain administrator's certificates with ECC keys using LDAP authentication against the internal LDAP database.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Administrator Certificate Enrollment with ECC keys
+input.list=i1,i2,i3
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectDNInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=adminCertSet
+policyset.adminCertSet.list=1,2,3,4,5,6,7,8
+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.adminCertSet.1.constraint.name=Subject Name Constraint
+policyset.adminCertSet.1.constraint.params.pattern=.*
+policyset.adminCertSet.1.constraint.params.accept=true
+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.adminCertSet.1.default.name=Subject Name Default
+policyset.adminCertSet.1.default.params.name=
+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.adminCertSet.2.constraint.name=Validity Constraint
+policyset.adminCertSet.2.constraint.params.range=365
+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false
+policyset.adminCertSet.2.constraint.params.notAfterCheck=false
+policyset.adminCertSet.2.default.class_id=validityDefaultImpl
+policyset.adminCertSet.2.default.name=Validity Default
+policyset.adminCertSet.2.default.params.range=365
+policyset.adminCertSet.2.default.params.startTime=0
+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.adminCertSet.3.constraint.name=Key Constraint
+policyset.adminCertSet.3.constraint.params.keyType=-
+policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.adminCertSet.3.default.name=Key Default
+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.4.constraint.name=No Constraint
+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.adminCertSet.4.default.name=Authority Key Identifier Default
+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.5.constraint.name=No Constraint
+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.adminCertSet.5.default.name=AIA Extension Default
+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false
+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.adminCertSet.6.default.name=Key Usage Default
+policyset.adminCertSet.6.default.params.keyUsageCritical=true
+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false
+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl
+policyset.adminCertSet.7.constraint.name=No Constraint
+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.adminCertSet.8.constraint.name=No Constraint
+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.adminCertSet.8.default.name=Signing Alg
+policyset.adminCertSet.8.default.params.signingAlg=-
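Review bot: This ECC-only profile sets `policyset.adminCertSet.3.constraint.params.keyType=-`, whereas `caCMCECsubsystemCert.cfg` in the same patch sets `keyType=EC` with the same curve list. If `-` means "any key type", the profile excludes RSA only indirectly, through `keyParameters`, and that holds only for as long as nobody adds a numeric size to the list. Stating the intent directly is safer and keeps the new profiles consistent: `policyset.adminCertSet.3.constraint.params.keyType=EC`. The same `keyType=-` appears in `caECAgentServerCert.cfg` and `caECDirPinUserCert.cfg`.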
diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
new file mode 100644
index 0000000..c56b6de
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling server certificates with ECC keys using agent authentication.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=AgentCertAuth
+name=Agent-Authenticated Server Certificate Enrollment with ECC keys
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=365
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=180
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
new file mode 100644
index 0000000..4143102
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
@@ -0,0 +1,99 @@
+desc=This certificate profile is for enrolling user ECC certificates with directory-pin-based authentication.
+visible=true
+enable=false
+enableBy=admin
+name=Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment
+auth.instance_id=PinDirEnrollment
+input.list=i1
+input.i1.class_id=keyGenInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=userCertSet
+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.userCertSet.1.constraint.name=Subject Name Constraint
+policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.*
+policyset.userCertSet.1.constraint.params.accept=true
+policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+policyset.userCertSet.1.default.name=Subject Name Default
+policyset.userCertSet.1.default.params.name=
+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.userCertSet.10.default.class_id=noDefaultImpl
+policyset.userCertSet.10.default.name=No Default
+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.userCertSet.2.constraint.name=Validity Constraint
+policyset.userCertSet.2.constraint.params.range=365
+policyset.userCertSet.2.constraint.params.notBeforeCheck=false
+policyset.userCertSet.2.constraint.params.notAfterCheck=false
+policyset.userCertSet.2.default.class_id=validityDefaultImpl
+policyset.userCertSet.2.default.name=Validity Default
+policyset.userCertSet.2.default.params.range=180
+policyset.userCertSet.2.default.params.startTime=0
+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.userCertSet.3.constraint.name=Key Constraint
+policyset.userCertSet.3.constraint.params.keyType=-
+policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.userCertSet.3.default.name=Key Default
+policyset.userCertSet.4.constraint.class_id=noConstraintImpl
+policyset.userCertSet.4.constraint.name=No Constraint
+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.userCertSet.4.default.name=Authority Key Identifier Default
+policyset.userCertSet.5.constraint.class_id=noConstraintImpl
+policyset.userCertSet.5.constraint.name=No Constraint
+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.userCertSet.5.default.name=AIA Extension Default
+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.userCertSet.5.default.params.authInfoAccessCritical=false
+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.userCertSet.6.default.name=Key Usage Default
+policyset.userCertSet.6.default.params.keyUsageCritical=true
+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.userCertSet.6.default.params.keyUsageCrlSign=false
+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.userCertSet.7.constraint.class_id=noConstraintImpl
+policyset.userCertSet.7.constraint.name=No Constraint
+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.userCertSet.7.default.params.exKeyUsageCritical=false
+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.userCertSet.8.constraint.class_id=noConstraintImpl
+policyset.userCertSet.8.constraint.name=No Constraint
+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl
+policyset.userCertSet.8.default.name=Subject Alt Name Constraint
+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false
+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name
+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$
+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.userCertSet.9.constraint.name=No Constraint
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.userCertSet.9.default.name=Signing Alg
+policyset.userCertSet.9.default.params.signingAlg=-
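Review bot: `policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true` and the matching `default` line assert dataEncipherment in a profile whose key constraint lists only EC curves. RFC 5480 section 3 says keyEncipherment and dataEncipherment must not be present for id-ecPublicKey keys. keyEncipherment is already off here, so I would set both dataEncipherment lines to `false` and keep `keyUsageKeyAgreement=true`. The same pair appears in the two key-usage hunks of caECDirUserCert.cfg and in the three caECFullCMC*.cfg profiles added below. Strict path validators may reject certificates carrying this bit, so it is worth settling before the profile is enabled.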
diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
index c692bcf..0663b40 100644
--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
@@ -1,8 +1,8 @@
-desc=This certificate profile is for enrolling user certificates with directory-based authentication.
+desc=This certificate profile is for enrolling user ECC certificates with directory-based authentication.
 visible=true
 enable=true
 enableBy=admin
-name=Directory-Authenticated User Dual-Use ECC Certificate Enrollment
+name=Directory-Authenticated User ECC Certificate Enrollment
 auth.instance_id=UserDirEnrollment
 input.list=i1
 input.i1.class_id=keyGenInputImpl
@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
 policyset.userCertSet.2.default.params.startTime=0
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.userCertSet.3.constraint.name=Key Constraint
-policyset.userCertSet.3.constraint.params.keyType=EC
+policyset.userCertSet.3.constraint.params.keyType=-
 policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.userCertSet.3.default.name=Key Default
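Review bot: Changing `keyType=EC` to `keyType=-` in constraint 3 drops the explicit key-algorithm check from a profile whose description says it enrolls ECC certificates. That leaves `keyParameters=nistp256,nistp384,nistp521` as the only barrier to a non-EC key. Whether keyConstraintImpl rejects an RSA key against a list of curve names is not visible in this diff. Either keep `policyset.userCertSet.3.constraint.params.keyType=EC`, as the caECFullCMC*.cfg profiles in this patch do, or explain in the commit message why the wildcard is needed. caECDirPinUserCert.cfg above is added with the same `keyType=-`.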
@@ -57,9 +57,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
-policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
 policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -69,9 +69,9 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
-policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
-policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
index 1a51dc6..0a56caf 100644
--- a/base/ca/shared/profiles/ca/caECDualCert.cfg
+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
@@ -1,6 +1,6 @@
 desc=This certificate profile is for enrolling dual user ECC certificates. It works only with Netscape 7.0 or later.
 visible=false
-enable=true
+enable=false
 enableBy=admin
 name=Manual User Signing & Encryption ECC Certificates Enrollment
 auth.class_id=
@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
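Review bot: Only `policyset.encryptionCertSet.9` has its `signingAlgsAllowed` list trimmed in this file. The profile name says it issues signing and encryption certificates, so there is presumably a second policy set that this diff does not touch. If that set has its own `signingAlgsAllowed` line, it still permits MD2withRSA, MD5withRSA and the SHA1 variants. Please confirm, and if so apply the same list there: `SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC`.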
diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
new file mode 100644
index 0000000..816a1f8
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+enable=true
+enableBy=admin
+name=Self-Signed CMC User Certificate Enrollment
+visible=false
+auth.instance_id=CMCUserSignedAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
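Review bot: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521` omits nistp384, while the directory-authenticated ECC profiles in this patch accept `nistp256,nistp384,nistp521` and this profile's own `signingAlgsAllowed` lists SHA384withEC. If the omission is not deliberate, a P-384 request would be refused here but accepted by the sibling profiles. I would use `keyParameters=nistp256,nistp384,nistp521`, or note in the commit message why P-384 is excluded for CMC. caECFullCMCUserCert.cfg and caECFullCMCUserSignedCert.cfg below carry the same two-curve list.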
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
new file mode 100644
index 0000000..0116053
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Agent-Signed CMC-Authenticated User Certificate Enrollment
+visible=false
+auth.instance_id=CMCAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
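Review bot: The `desc` and `name` lines of this new ECC profile never mention the key type, although constraint 3 pins `keyType=EC`. An administrator reading the profile list cannot tell it apart from a non-EC agent-signed CMC profile, if one exists with the same wording. I would make the description `desc=This certificate profile is for enrolling user certificates with ECC keys by using the agent-signed CMC certificate request with CMC Signature authentication.` and add "ECC" to `name` in the same way. The other two caECFullCMC*.cfg profiles mention the key type in `desc` but not in `name`.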
diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
new file mode 100644
index 0000000..a15aa53
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
@@ -0,0 +1,94 @@
+desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
+enable=true
+enableBy=admin
+name=User-Signed CMC-Authenticated User Certificate Enrollment
+visible=false
+auth.instance_id=CMCUserSignedAuth
+input.list=i1,i2
+input.i1.class_id=cmcCertReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
+policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
+policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
+policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
+policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.9.default.name=No Default
+policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
+policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
+policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
+policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
+policyset.cmcUserCertSet.10.default.name=No Default
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
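Review bot: `policyset.cmcUserCertSet.8.constraint.name=No Constraint` labels an entry whose `class_id` is `signingAlgConstraintImpl` and which enforces a `signingAlgsAllowed` list, so the displayed name contradicts what the policy does. Since this is a new file, I would name it for what it enforces, for example `policyset.cmcUserCertSet.8.constraint.name=Signing Algorithm Constraint` (suggested wording, not taken from the project). The same mislabel is carried into the signing-algorithm entry of each of the other profiles added in this patch.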
diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
new file mode 100644
index 0000000..4fc8a9c
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
@@ -0,0 +1,109 @@
+desc=This certificate profile is for enrolling Security Domain ECC server certificates.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.i3.class_id=subjectAltNameExtInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+# allows SAN to be specified from client side
+# need to:
+# 1. add i3 to input.list above
+# 2. add 9 to policyset.serverCertSet.list above
+# 3. change below to reflect the number of general names, and
+#    turn each corresponding subjAltExtPattern_<num> to true
+#      policyset.serverCertSet.9.default.params.subjAltNameNumGNs
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
+policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
+policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
+policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
+policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false
+policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
+policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
+policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
+policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
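Review bot: `keyUsageDataEncipherment=true` in policy 6 (both the constraint and the default) asserts a key-usage bit that has no defined use with an EC key; RFC 8813 later clarified that keyEncipherment and dataEncipherment must not be present when the certificate carries an id-ecPublicKey key. Because the same policy sets `keyUsageCritical=true`, a strict validator may refuse certificates issued from this profile. Consider `policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=false` and the matching `default.params` line, keeping digitalSignature and keyAgreement. The same setting appears in caECInternalAuthSubsystemCert.cfg, caECServerCert.cfg, caECSimpleCMCUserCert.cfg, caECSubsystemCert.cfg and in the two key-usage hunks of caECUserCert.cfg, where this patch flips it from false to true.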
diff --git a/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
new file mode 100644
index 0000000..551cb68
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
@@ -0,0 +1,88 @@
+desc=This certificate profile is for enrolling Security Domain subsystem certificates with ECC keys.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Security Domain Subsystem Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+updater.list=u1
+updater.u1.class_id=subsystemGroupUpdaterImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
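Review bot: `policyset.serverCertSet.3.constraint.params.keyType=-` leaves the key type unrestricted in a profile whose description says it is for ECC keys, so the restriction rests only on `keyParameters` listing curve names. caECSimpleCMCUserCert.cfg in this same patch states the type explicitly; `policyset.serverCertSet.3.constraint.params.keyType=EC` here would make the intent visible and consistent. Presumably an RSA request is rejected today because its key size is not in the list, but that depends on keyConstraintImpl, which is not shown in this patch section. The same line is in caECInternalAuthServerCert.cfg, caECServerCert.cfg and caECSubsystemCert.cfg.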
diff --git a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg
new file mode 100644
index 0000000..0ae4371
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECServerCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling server certificates with ECC keys.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Server Certificate Enrollment with ECC keys
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
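Review bot: `policyset.serverCertSet.8.constraint.name=No Constraint` labels a policy whose class is `signingAlgConstraintImpl` and which does restrict algorithms through `signingAlgsAllowed`, so anyone auditing the profile by its display names is told this slot is unconstrained. `policyset.serverCertSet.8.constraint.name=Signing Algorithm Constraint` would match what the entry does. The same label is used for policy 8 in every other new EC profile in this patch. Separately, the subject pattern here is `.*CN=.*` while the sibling server and subsystem profiles use `CN=.*`; if the looser match is intended, a `#` comment saying why would help.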
diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
new file mode 100644
index 0000000..14d610c
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
@@ -0,0 +1,84 @@
+desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication.
+enable=true
+enableBy=admin
+name=Simple CMC Enrollment Request for User Certificate
+visible=false
+auth.instance_id=
+input.list=i1
+input.i1.class_id=certReqInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=cmcUserCertSet
+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
+policyset.cmcUserCertSet.1.constraint.params.accept=true
+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.cmcUserCertSet.1.default.name=Subject Name Default
+policyset.cmcUserCertSet.1.default.params.name=
+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+policyset.cmcUserCertSet.2.constraint.params.range=365
+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+policyset.cmcUserCertSet.2.default.name=Validity Default
+policyset.cmcUserCertSet.2.default.params.range=180
+policyset.cmcUserCertSet.2.default.params.startTime=0
+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.cmcUserCertSet.3.default.name=Key Default
+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.4.constraint.name=No Constraint
+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.5.constraint.name=No Constraint
+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.cmcUserCertSet.6.default.name=Key Usage Default
+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+policyset.cmcUserCertSet.7.constraint.name=No Constraint
+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.cmcUserCertSet.8.constraint.name=No Constraint
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.cmcUserCertSet.8.default.name=Signing Alg
+policyset.cmcUserCertSet.8.default.params.signingAlg=-
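Review bot: `desc` says requests are enrolled "with CMC Signature authentication", but `auth.instance_id=` is empty, so the profile as written names no authenticator, and the subject constraint `pattern=.*` accepts any subject name. If issuance is meant to wait for manual agent approval, the description should say that instead; if not, the authenticator instance should be named on the `auth.instance_id` line. `keyParameters=nistp256,nistp521` also omits nistp384, which the other EC profiles in this patch accept; confirm that is intentional.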
diff --git a/base/ca/shared/profiles/ca/caECSubsystemCert.cfg b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg
new file mode 100644
index 0000000..89f342a
--- /dev/null
+++ b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg
@@ -0,0 +1,85 @@
+desc=This certificate profile is for enrolling subsystem certificates with ECC keys.
+visible=true
+enable=true
+enableBy=admin
+auth.class_id=
+name=Manual Subsystem Certificate Enrollment with ECC keys
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=720
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=720
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=-
+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
index 383af01..a6bf04a 100644
--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
@@ -59,9 +59,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.userCertSet.6.constraint.params.keyUsageCritical=true
 policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
-policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
-policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
 policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -71,9 +71,9 @@ policyset.userCertSet.6.default.name=Key Usage Default
 policyset.userCertSet.6.default.params.keyUsageCritical=true
 policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
-policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
-policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
 policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
 policyset.userCertSet.6.default.params.keyUsageCrlSign=false
 policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.userCertSet.9.constraint.name=No Constraint
-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.userCertSet.9.default.name=Signing Alg
 policyset.userCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caEncECUserCert.cfg b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
index 9faa4a5..8b1c1fb 100644
--- a/base/ca/shared/profiles/ca/caEncECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caEncECUserCert.cfg
@@ -1,6 +1,6 @@
 desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox.
 visible=false
-enable=true
+enable=false
 enableBy=admin
 name=Manual User Encryption ECC Certificates Enrollment
 auth.class_id=
@@ -87,7 +87,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.encryptionCertSet.9.constraint.name=No Constraint
-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.encryptionCertSet.9.default.name=Signing Alg
 policyset.encryptionCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
index db3fbd6..1a7c22d 100644
--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
@@ -29,8 +29,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
 policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
-policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
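Review bot: `keyParameters=1024,2048,3072,4096` still admits 1024-bit RSA keys, although the same commit removes SHA-1, MD5 and MD2 from `signingAlgsAllowed`. If the aim is to tighten the shipped defaults, I would drop `1024`: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096`. The same list appears in the key-constraint hunks of caFullCMCUserCert, caFullCMCUserSignedCert, caInternalAuthServerCert, caInternalAuthSubsystemCert, caServerCert, caSimpleCMCUserCert, caSubsystemCert and caUserCert. Setting `keyType=RSA` also removes the nistp curves from these profiles, and this diff does not show whether each has an EC counterpart for deployments that enrolled EC keys through them.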
@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
 policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.cmcUserCertSet.8.constraint.name=No Constraint
-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.cmcUserCertSet.8.default.name=Signing Alg
 policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
index 90cb424..b06f35d 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg
@@ -29,8 +29,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
 policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
-policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
 policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.cmcUserCertSet.8.constraint.name=No Constraint
-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.cmcUserCertSet.8.default.name=Signing Alg
 policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
index 7bfad9c..0c2b97b 100644
--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg
@@ -38,8 +38,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
 policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
-policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
@@ -88,7 +88,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
 policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.cmcUserCertSet.8.constraint.name=No Constraint
-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.cmcUserCertSet.8.default.name=Signing Alg
 policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
index 5d4fbee..dd10f6f 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
@@ -31,8 +31,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -53,7 +53,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -65,7 +65,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
index 3a8c202..7b3d34c 100644
--- a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
@@ -32,8 +32,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -54,7 +54,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -66,7 +66,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -82,7 +82,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caOCSPCert.cfg b/base/ca/shared/profiles/ca/caOCSPCert.cfg
index 0a855b9..a1dedd3 100644
--- a/base/ca/shared/profiles/ca/caOCSPCert.cfg
+++ b/base/ca/shared/profiles/ca/caOCSPCert.cfg
@@ -64,7 +64,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
 policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
 policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.ocspCertSet.9.constraint.name=No Constraint
-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.ocspCertSet.9.default.name=Signing Alg
 policyset.ocspCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
index 997a056..2f44c96 100644
--- a/base/ca/shared/profiles/ca/caServerCert.cfg
+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
index b410504..39a7c36 100644
--- a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
@@ -1,6 +1,6 @@
 desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
 visible=false
-enable=true
+enable=false
 enableBy=admin
 name=Manual User Signing ECC Certificate Enrollment
 auth.class_id=
@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
 policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
 policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
 policyset.signingCertSet.9.constraint.name=No Constraint
-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
 policyset.signingCertSet.9.default.name=Signing Alg
 policyset.signingCertSet.9.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
index 34015e2..a9c2b0c 100644
--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
@@ -28,8 +28,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
 policyset.cmcUserCertSet.2.default.params.startTime=0
 policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
-policyset.cmcUserCertSet.3.constraint.params.keyType=-
+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
 policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.cmcUserCertSet.3.default.name=Key Default
 policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.cmcUserCertSet.6.default.name=Key Usage Default
 policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
 policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
 policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
 policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
@@ -78,7 +78,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
 policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
 policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.cmcUserCertSet.8.constraint.name=No Constraint
-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.cmcUserCertSet.8.default.name=Signing Alg
 policyset.cmcUserCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caSubsystemCert.cfg b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
index 63fd3a6..12e1629 100644
--- a/base/ca/shared/profiles/ca/caSubsystemCert.cfg
+++ b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720
 policyset.serverCertSet.2.default.params.startTime=0
 policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.serverCertSet.3.constraint.name=Key Constraint
-policyset.serverCertSet.3.constraint.params.keyType=-
-policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.serverCertSet.3.default.name=Key Default
 policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
 policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
 policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
 policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
 policyset.serverCertSet.6.default.name=Key Usage Default
 policyset.serverCertSet.6.default.params.keyUsageCritical=true
 policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
 policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
 policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
 policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
 policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
 policyset.serverCertSet.8.constraint.name=No Constraint
-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
 policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
 policyset.serverCertSet.8.default.name=Signing Alg
 policyset.serverCertSet.8.default.params.signingAlg=-
diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
index 917c589..1f62bb8 100644
--- a/base/ca/shared/profiles/ca/caUserCert.cfg
+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
@@ -36,8 +36,8 @@ policyset.userCertSet.2.default.params.range=180
 policyset.userCertSet.2.default.params.startTime=0
 policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
 policyset.userCertSet.3.constraint.name=Key Constraint
-policyset.userCertSet.3.constraint.params.keyType=-
-policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
+policyset.userCertSet.3.constraint.params.keyType=EC
+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
 policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
 policyset.userCertSet.3.default.name=Key Default
 policyset.userCertSet.4.constraint.class_id=noConstraintImpl
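Review bot: `keyType=EC` is paired with `keyParameters=1024,2048,3072,4096`, which are RSA modulus sizes, so the constraint as written looks unable to accept any key. An EC request finds no curve in the list and an RSA request fails the type check. Every other profile in this commit that receives this parameter list sets `keyType=RSA`, so this is presumably a typo for `policyset.userCertSet.3.constraint.params.keyType=RSA`. How keyConstraintImpl evaluates the mismatch is not shown in the diff, so confirm with a test enrolment against caUserCert.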
-- 
1.8.3.1


From f87c7525632f33ad9f351f8db0acb8ccc98ce7ec Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Mon, 5 Mar 2018 18:33:51 -0700
Subject: [PATCH 11/20] Permit additional FIPS ciphers to be enabled by default
 for RSA . . .

It was determined that the following additional FIPS ciphers should be
enabled by default for RSA:

    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Reference: dogtagpki Pagure Issue #2855 - restrict default cipher suite to
           those ciphers permitted in fips mode

Fixes: https://pagure.io/dogtagpki/issue/2952
Change-Id: I0947e8581beb3140e4c07800dd2c6bc9d90a6cd8
(cherry picked from commit 7809f40bcd49ad11f0a314cd45979cfdcb55686f)
---
 base/server/python/pki/server/deployment/pkiparser.py | 8 ++++----
 base/server/share/conf/ciphers.info                   | 6 +++++-
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index b64e99b..53296fc 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1165,8 +1165,8 @@ class PKIConfigParser:
                     "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \
                     "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
-                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
-                    "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
                     "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
@@ -1178,9 +1178,9 @@ class PKIConfigParser:
                     "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
-                    "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
                     "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
-                    "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
+                    "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
                     "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
                     "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
                     "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
index b3e74d3..44c6e4b 100644
--- a/base/server/share/conf/ciphers.info
+++ b/base/server/share/conf/ciphers.info
@@ -98,6 +98,10 @@
 #                +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
 #                +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
 #                +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+#                +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+#                +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+#                +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+#                +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 #                +TLS_RSA_WITH_AES_128_CBC_SHA256,
 #                +TLS_RSA_WITH_AES_256_CBC_SHA256,
 #                +TLS_RSA_WITH_AES_128_CBC_SHA,
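Review bot: Two of the four suites added to the RSA default list, `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`, are CBC suites with a SHA-1 HMAC, and a third is CBC with SHA-256; only `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` is AEAD. FIPS permits them, but this comment block is where an administrator reads what the default enables. If the CBC suites are there for client compatibility, I would say so, for example `# CBC suites are enabled for client compatibility; prefer the GCM suites where clients support them`. The same four suites are flipped from `-` to `+` by hand in the two pkiparser.py hunks and in the `sslRangeCiphers` value further down, so the three lists have to be kept in step on every change.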
@@ -119,7 +123,7 @@
 #
 ##
 # For RSA servers:
-           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
+           sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
 #
 #
 # For ECC servers:
-- 
1.8.3.1


From 2ba512b4bc7fddc8c279733dd35c8105dd134224 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Mon, 26 Feb 2018 13:16:01 -0800
Subject: [PATCH 12/20] Ticket #2940 [MAN] Missing Man pages for tools
 CMCRequest, CMCResponse, CMCSharedToken, and CMCRevoke

This patch adds man pages for CMCRequest, CMCResponse, and CMCSharedToken.
In addition, the usage in CMCResponse has been enhanced to include a
verbose mode which will output certs in Base64 encoding individually.
A "note" has been added to CMCRevoke --help to direct users to CMCRequest
for better usability. The man page for CMCRevoke is intentionally left out
for this reason.

The URL in CMCRequest.1 is a placeholder for the follow-up patch.  It will
be replaced once the examples are complete.

This patch addresses https://pagure.io/dogtagpki/issue/2940

Change-Id: Id1df31a29207a0d12d50b7a3b959a3abcd9748d0
(cherry picked from commit 1597b5bc09b39f7ee248e9f7ef5da55c8846a1c0)
(cherry picked from commit 08ac412c0a724b88817038e89563f928cc522357)
---
 base/java-tools/man/man1/CMCEnroll.1               |   3 +
 base/java-tools/man/man1/CMCRequest.1              | 188 +++++++++++++++++++++
 base/java-tools/man/man1/CMCResponse.1             |  63 +++++++
 base/java-tools/man/man1/CMCSharedToken.1          |  79 +++++++++
 .../src/com/netscape/cmstools/CMCResponse.java     |  25 ++-
 .../src/com/netscape/cmstools/CMCRevoke.java       |   1 +
 6 files changed, 356 insertions(+), 3 deletions(-)
 create mode 100644 base/java-tools/man/man1/CMCRequest.1
 create mode 100644 base/java-tools/man/man1/CMCResponse.1
 create mode 100644 base/java-tools/man/man1/CMCSharedToken.1

diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1
index 4cc861f..9700307 100644
--- a/base/java-tools/man/man1/CMCEnroll.1
+++ b/base/java-tools/man/man1/CMCEnroll.1
@@ -16,6 +16,9 @@
 .\" for man page specific macros, see man(7)
 .SH NAME
 CMCEnroll \- Used to sign a certificate request with an agent's certificate.
+.PP
+\fBNote:\fP
+This tool has not yet been updated to work with the latest improvement in the CA to conform to RFC 5272.  Please use \fBCMCRequest\fP instead.
 
 .SH SYNOPSIS
 .PP
diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1
new file mode 100644
index 0000000..f647ef7
--- /dev/null
+++ b/base/java-tools/man/man1/CMCRequest.1
@@ -0,0 +1,188 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CMCRequest 1 "March 14, 2018" "version 10.5" "PKI CMC Request Generation Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+CMCRequest \- Used to generate a CMC certificate issuance or revocation request.
+
+.SH SYNOPSIS
+.PP
+\fBCMCRequest <CMCRequest configuration filename>\fP
+
+.SH DESCRIPTION
+.PP
+The Certificate Management over Cryptographic Message Syntax (CMC) Request Generation utility, \fBCMCRequest\fP, provides a command-line utility used to generate a CMC certificate issuance or revocation request.  For issuance request, it requires either a PKCS#10 or CRMF request as input. The resulting CMC request can be sent to the CA via tool such as \fBHttpClient\fP.
+.PP
+\fBCMCRequest\fP takes a configuration file where various configuration parametrs are supported. 
+
+.SH CONFIGURATION PARAMETERS
+.PP
+The following are supported configuration parameters for the configuration file.  Each parameter is in the format of <name>=<value> (e.g. format=pkcs10).
+.PP
+.TP
+.B numRequests
+Total number of PKCS10 or CRMF requests. (note: lately the CA has only been tested to work with one)
+
+.TP
+.B input
+full path for PKCS #10 or CRMF certificate request in PEM.
+
+For example if \fBPKCS10Client\fP or \fBCRMFPopClient\fP are used to generate the PKCS#10 or CRMF requests respectively, this value should be the value of the \fB"-o"\fP option of those command line tools.
+
+.TP
+.B format
+request format.  Either \fBpkcs10\fP or \fBcrmf\fP.
+
+.TP
+.B output
+full path for the resulting CMC request in ASN.1 DER encoded format.
+
+Note that this would be the \fBinput\fP in the \fBHttpClient\fP configuration file if it is used to submit the CMC request.
+
+.TP
+.B dbdir
+directory for NSS database: cert8.db, key3.db and secmod.db
+
+.TP
+.B tokenname
+name of crypto token where user signing certificate key can be found (default is internal)
+
+.TP
+.B nickname
+The nickname of the user certificate that corresponds to the private key that is used to sign the request.
+
+This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true.
+
+.TP
+.B password
+password to the crypto token where the signing user's certificate and keys are stored.
+
+.TP
+.B identification[.enable]
+RFC 5272 allows the CA to require inclusion of the \fBidentification\fP control to accompany the \fBidentityProofV2\fP control in a CMC request.
+
+In Dogtag, CA employs the \fBidentification\fP control to assist in locating the shared secret required for verification of the shared secret computed in the \fBidentityProofV2\fP.
+
+In addition, the \fBidentification\fP control is also required for \fBpopLinkWitnessV2\fP for locating the shared secret.
+
+When \fBidentification.eanble\fP is true, \fBidentification\fP should contain a user id known by the CA.
+
+.TP
+.B witness.sharedSecret
+The \fBwitness.sharedSecret\fP should contain a passphrase that is known by the CA. One usually obtains it from the CA administrator.
+
+This parameter is required by the following options: \fBidentityProofV2\fP, and \fBpopLinkWitnessV2\fP.
+
+See man pages for \fBCMCSharedToken\fP for information on usage.
+
+.TP
+.B identityProofV2.[enable, hashAlg, macAlg]
+Identity Proof V2 allows one to provide proof of identity without a signing certificate.  It does so by embedding a "witness" value that's calculated from a shared secret (see \fBwitness.sharedSecret\fP) known by the CA.
+
+The \fBidentityProofV2\fP parameter set allows a user to specify the hashing algorithm as well as MAC (Message Authentication Code) algorithm used to compute the value of the witness value.
+
+Supported \fBidentityProofV2.hashAlg\fP are: \fBSHA-256, SHA-384, and SHA-512\fP
+
+Supported \fBidentityProofV2.macAlg\fP are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP
+
+When \fBidentityProofV2.eanble\fP is true, these parameters must be accompanied by the \fBidentification\fP as well as the \fBwitness.sharedSecret\fP parameters.
+
+These parameters could be accompanied by the \fBpopLinkWitnessV2\fP parameter set if required by the CA.
+
+.TP
+.B popLinkWitnessV2.[enable, keyGenAlg, macAlg]
+The POPLinkWitnessV2 control is a mechanim that links the POP (Proof of Possession) to the identity, which adds more credibility to the otherwise distinct POP and Proof of Identity mechanisms. It does so by employing calculation of a random value with a shared secret (see \fBwitness.sharedSecret\fP) known by the CA.
+
+The POP Link Witness V2 value must be baked into the PKCS#10 or CRMF requests.  It is therefore crutial that the caller that employs this option has access to the private key of the certificate request.
+
+If \fBpopLinkWitnessV2\fP is used, then \fBidentification\fP and \fBwitness.sharedSecret\fP must be supplied, and the \fBidentityProofV2\fP parameter set is in general used.
+
+Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP
+
+Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP
+
+.TP
+.B request.selfSign
+\fBtrue\fP or \fBfalse\fP.  If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored.
+
+\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means.
+
+In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters.  And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism.
+
+The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation.
+
+By default, if unspecified, \fBselfSign\fP is false.
+
+\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option)
+
+If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified.
+It is crutial that the caller that employs this option has access to the private key of the certificate request.
+
+.TP
+.B request.privKeyId
+The \fBrequest.privKeyId\fP parameter is required in the following cases:
+
+\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP
+
+.TP
+.B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile
+In case when the enrolling key is an encryption-only key, the traditional POP (Proof of Possession) that employs signing of the request is not possible, CMC provides the EncryptedPOP/DecryptedPOP  mechanism to allow the CA to challenge the client. This mechanism requires two trips.  Frist trip (a CMC request without POP) would trigger the CA to generate a challenge and encrypt the challenge with the request public key in the certificate response (one should find the EncryptedPOP control as well as status with "failedInfo=POP required" in the CMCResponse); while second trip from the client would contain proof that the client has decrypted the challenge and thereby proving ownership of the private key to the enrollment request.
+When preparing for the second trip, the following parameters must be present:
+
+\fBdecryptedPop.enable\fP - set to true; default is false;
+
+\fBencryptedPopResponseFile\fP - the input file that contains the CMCResponse from first trip; It should contains the CMC EncryptedPop control.
+
+\fBdecryptedPopRequestFile\fP - the output file for the CMC request which should contain the CMC DecryptedPOP control.
+
+\fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key.
+
+Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing.
+
+.TP
+.B revRequest.[enable, serial, reason, comment, issuer, sharedSecret]
+Revocation can be done either by signing with user's own valid signing certificate, or by authenticating with user's shared secret (see \fBwitness.sharedSecret\fP) known by the CA.
+
+For revocation request signed with user's own valid signing certificate, the \fBnicname\fP parameter should be a valid user signing certificate that belongs to the same user subject as that of the certificate to be revoked (but not necessarily the same certificate); Also, \fBrevRequest.issuer\fP and \fBrevRequest.sharedSecret\fP are ignored, while \fBrevRequest.serial\fP and \fBrevRequest.reason\fP must contain valid values.
+
+For revocation by authenticating with user's shared secret, the following parameters are required: \fBrevRequest.serial\fP, \fBrevRequest.reason\fP, \fBrevRequest.issuer\fP, \fBrevRequest.sharedSecret\fP, while \fBnickname\fP will be ignored.
+
+\fBrevRequest.reason\fP can have one of the following values: \fBunspecified\fP, \fBkeyCompromise\fP, \fBcaCompromise\fP, \fBaffiliationChanged\fP, \fBsuperseded\fP, \fBcessationOfOperation\fP, \fBcertificateHold\fP, \fBremoveFromCRL\fP.
+
+\fBrevRequest.serial\fP is in Decimal.
+
+\fBrevRequest.issuer\fP is issuer subject DN.
+
+\fBrevRequest.invalidityDatePresent\fP is optional.  \fBtrue\fP or \fBfalse\fP. When true, the invalidityDate of the RevokeRequest will be set to the current time when this tool is being run.
+
+\fBrevRequest.comment\fP is optional.
+
+.SH EXAMPLES
+.PP
+CMC requests must be submitted to the CA to be processed. Tool supported by Dogtag for submitting these requests is \fBHttpClient\fP.
+.PP
+\fBNote:\fP For examples on how to use this tool, please see
+http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples.
+
+.SH AUTHORS
+Christina Fu <cfu@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR CMCResponse(1), CMCSharedToken(1), CMCRevoke(1), pki(1)
diff --git a/base/java-tools/man/man1/CMCResponse.1 b/base/java-tools/man/man1/CMCResponse.1
new file mode 100644
index 0000000..3d5703e
--- /dev/null
+++ b/base/java-tools/man/man1/CMCResponse.1
@@ -0,0 +1,63 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CMCResponse 1 "March 14, 2018" "version 10.5" "PKI CMC Response Parsing Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+CMCResponse \- Used to parse CMC responses returned from CMC issuance or revocation requests.
+
+.SH SYNOPSIS
+.PP
+\fBCMCResponse [OPTIONS]\fP
+
+.SH DESCRIPTION
+.PP
+The Certificate Management over Cryptographic Message Syntax (CMC) Response parsing utility, \fBCMCResponse\fP, provides a command-line utility used to parse and present CMC responses from CMC issuance or revocation requests.
+.PP
+It takes the CMC response returned from the CA as input, parses, and shows the content of the response along with CMC status in a human-readable format. In addition, it can optionally output the response in PKCS#7 PEM format for further processing by other tools.
+
+.SH OPTIONS
+.PP
+The following are supported options.
+.PP
+.TP
+.B -d <path>
+Path of directory to the NSS database. This option is required.
+
+.TP
+.B -i <path>
+Name of file (could include path) for the CMC issuance or revocation response. This option is required.
+
+.TP
+.B -o <path>
+Name of file (could include path) to store the certificate chain in PKCS#7 PEM. This is optional.
+
+.TP
+.B -v
+If specified, will run in verbose mode, which would entail all certs in the chain being displayed individually in Base64 encoding format. It is false by default.
+
+.SH EXAMPLE
+.PP
+CMCResponse -d . -i cmc.role_p10-ec3.resp -o cmc.role_p10-ec3.resp.PEM
+
+.SH AUTHORS
+Christina Fu <cfu@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR CMCRequest(1)
diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1
new file mode 100644
index 0000000..e4a26f0
--- /dev/null
+++ b/base/java-tools/man/man1/CMCSharedToken.1
@@ -0,0 +1,79 @@
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CMCSharedToken 1 "March 14, 2018" "version 10.5" "PKI CMC Shared Secret Generation Tool" Dogtag Team
+.\" Please adjust this date whenever revising the man page.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh        disable hyphenation
+.\" .hy        enable hyphenation
+.\" .ad l      left justify
+.\" .ad b      justify to both left and right margins
+.\" .nf        disable filling
+.\" .fi        enable filling
+.\" .br        insert line break
+.\" .sp <n>    insert n+1 empty lines
+.\" for man page specific macros, see man(7)
+.SH NAME
+CMCSharedToken \- Used to process a user passphrase and create shared token to be stored by the CA to allow Shared Secret-based proof of origin in cases such as CMC certificate issuance and revocation.
+
+.SH SYNOPSIS
+.PP
+\fBCMCSharedToken [OPTIONS]\fP
+
+.SH DESCRIPTION
+.PP
+The Certificate Management over Cryptographic Message Syntax (CMC) shared secret generation tool, \fBCMCSharedToken\fP, provides a command-line utility used to process a user passphrase to be shared with the CA.
+.PP
+It takes a passphrase provided by the user, encrypts it with an issuance protection certificate, and outputs the encrypted blob which could be stored on the CA for subsequent enrollment or revocation activities by the user.
+.PP
+This tool can be run either by the user or by the administrator.  If run by the user, the output (encrypted passphrase, i.e. shared token) needs to be sent to the CA administrator to store on the CA; if run by the CA administrator, the passphrase itself needs to be passed to the intended user.  It is outside of the scope of this software to state how such communication takes place. It is up to the site policy to decide which way best suits the deployment site.
+.PP
+For information on how the administrator would store the shared tokens on the CA, see Red Hat Certificate System Administrator's Guide.
+
+.SH OPTIONS
+.PP
+The following are supported options.
+.PP
+.TP
+.B -d <database>
+Path of directory to the NSS database. This option is required.
+
+.TP
+.B -h <token>
+Security token name (default: internal)
+
+.TP
+.B -p <password>
+Security token password.
+
+.TP
+.B -p <passphrase>
+CMC enrollment passphrase (shared secret) (put in "" if containing spaces)
+
+.TP
+.B -b <issuance protection cert>
+PEM issuance protection certificate. Note: only one of the -b or -n options should be used.
+
+.TP
+.B -n <issuance protection cer nicknamet>
+PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used.
+
+.TP
+.B -v
+Run in verbose mode.
+
+.SH EXAMPLE
+.PP
+CMCSharedToken -d . -p myNSSPassword -s "just another good day"  -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat"
+
+.SH AUTHORS
+Christina Fu <cfu@redhat.com>.
+
+.SH COPYRIGHT
+Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public
+License, version 2 (GPLv2). A copy of this license is available at
+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+
+.SH SEE ALSO
+.BR CMCRequest(1)
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
index 6d84a19..945f09f 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
@@ -18,6 +18,7 @@
 package com.netscape.cmstools;
 
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.math.BigInteger;
@@ -53,6 +54,7 @@ import org.mozilla.jss.pkix.cms.ContentInfo;
 import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo;
 import org.mozilla.jss.pkix.cms.SignedData;
 
+import com.netscape.cmsutil.util.Utils;
 import netscape.security.pkcs.PKCS7;
 import netscape.security.util.CertPrettyPrint;
 import netscape.security.x509.X509CertImpl;
@@ -124,7 +126,7 @@ public class CMCResponse {
         return list;
     }
 
-    public void printContent() {
+    public void printContent(boolean printCerts) {
         try {
             SignedData cmcFullResp = (SignedData) contentInfo.getInterpretedContent();
 
@@ -137,6 +139,18 @@ public class CMCResponse {
                 for (int i = 0; i < numCerts; i++) {
                     Certificate cert = (Certificate) certs.elementAt(i);
                     X509CertImpl certImpl = new X509CertImpl(ASN1Util.encode(cert));
+
+                    if (printCerts) {
+                        System.out.println("Cert:" + i );
+                        ByteArrayOutputStream fos = new ByteArrayOutputStream();
+                        certImpl.encode(fos);
+                        fos.close();
+                        byte[] certBytes = fos.toByteArray();
+                        String certB64 = Utils.base64encode(certBytes, true);
+                        System.out.println(certB64);
+                        System.out.println("===");
+                    }
+
                     CertPrettyPrint print = new CertPrettyPrint(certImpl);
                     content.append(print.toString(Locale.getDefault()));
                 }
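Review bot: The `printCerts` block re-encodes the certificate through a `ByteArrayOutputStream`, although the DER bytes were already produced by `ASN1Util.encode(cert)` two lines earlier. Assuming `X509CertImpl.encode` emits that same encoding, the stream can go: keep the bytes in a local with `byte[] certBytes = ASN1Util.encode(cert);`, build `new X509CertImpl(certBytes)` from it, and print `Utils.base64encode(certBytes, true)`. If the stream stays, name it something other than `fos`, since it is not a file stream. `printContent` starts and ends outside this hunk.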
@@ -320,10 +334,12 @@ public class CMCResponse {
         option.setArgName("path");
         options.addOption(option);
 
-        option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format");
+        option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format; also prints out cert base 64 encoding individually");
         option.setArgName("path");
         options.addOption(option);
 
+        options.addOption("v", "verbose", false, "Run in verbose mode. Base64 encoding of certs in response will be printed individually");
+
         options.addOption(null, "help", false, "Show help message.");
 
         CommandLine cmd = parser.parse(options, args, true);
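Review bot: The new `-o` help text says the certs are also printed individually in Base64, but in this patch that output depends only on `-v` (`boolean printCerts = cmd.hasOption("v");` in the next hunk), so `-o` alone never prints them. Keep the `-o` description as it was, `"Output file to store certificate chain in PKCS #7 PEM format"`, and leave the Base64 wording on `-v`. The CMCResponse.1 page added in the same commit already describes the two options that way. The enclosing method starts and ends outside the hunk.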
@@ -333,6 +349,7 @@ public class CMCResponse {
 
         String input = cmd.getOptionValue("i");
         String output = cmd.getOptionValue("o");
+        boolean printCerts = cmd.hasOption("v");
 
         if (cmd.hasOption("help")) {
             printUsage();
@@ -341,6 +358,7 @@ public class CMCResponse {
 
         if (input == null) {
             System.err.println("ERROR: Missing input CMC response");
+            System.err.println("Try 'CMCResponse --help' for more information.");
             System.exit(1);
         }
 
@@ -349,7 +367,7 @@ public class CMCResponse {
 
         // display CMC response
         CMCResponse response = new CMCResponse(data);
-        response.printContent();
+        response.printContent(printCerts);
 
         // terminate if any of the statuses is not a SUCCESS
         Collection<CMCStatusInfoV2> statusInfos = response.getStatusInfos();
@@ -379,6 +397,7 @@ public class CMCResponse {
             try (FileWriter fw = new FileWriter(output)) {
                 fw.write(pkcs7.toPEMString());
             }
+            System.out.println("\nPKCS#7 now stored in file: " + output);
         }
     }
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
index d041cd3..203bc02 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java
@@ -115,6 +115,7 @@ public class CMCRevoke {
                     "-p<password to db> " +
                     "-h<tokenname> " +
                     "-c<comment> ");
+            System.out.println("\nNOTE: You can alternatively use CMCRequest instead for better usability.");
             for (int i = 0; i < s.length; i++) {
                 System.out.println(i + ":" + s[i]);
             }
-- 
1.8.3.1


From e6881a52e9998bd328a0021600b82d26534ff912 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 8 Mar 2018 18:46:16 +1100
Subject: [PATCH 13/20] Move parseACL to ACL.java

The parseACL function currently lives in CMSEngine, which is an
awkward place for it.  Move it into the ACL class as a static
method.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I2a22618a8e295864e218e067fadf4255ceada9b3

(cherry picked from commit 80577d3480c8f5aa917db86f962b8acf6f750c55)
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 120 ++++++++++++++++++++
 base/common/src/com/netscape/certsrv/apps/CMS.java |  18 ---
 .../src/com/netscape/certsrv/apps/ICMSEngine.java  |  16 ---
 .../com/netscape/cms/authorization/AAclAuthz.java  |   4 +-
 .../src/com/netscape/cmscore/apps/CMSEngine.java   | 121 ---------------------
 .../netscape/cmscore/app/CMSEngineDefaultStub.java |   6 -
 6 files changed, 122 insertions(+), 163 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 8672081..fc031e4 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -20,9 +20,12 @@ package com.netscape.certsrv.acls;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
+import java.util.StringTokenizer;
 import java.util.TreeSet;
 import java.util.Vector;
 
+import com.netscape.certsrv.apps.CMS;
+
 /**
  * A class represents an access control list (ACL). An ACL
  * is associated with an protected resources. The policy
@@ -194,4 +197,121 @@ public class ACL implements IACL, java.io.Serializable {
     public Enumeration<String> rights() {
         return Collections.enumeration(rights);
     }
+
+    /**
+     * Parse ACL resource attributes
+     *
+     * @param resACLs same format as the resourceACLs attribute:
+     *
+     * <PRE>
+     *     <resource name>:<permission1,permission2,...permissionn>:
+     *     <allow|deny> (<subset of the permission set>) <evaluator expression>
+     * </PRE>
+     *
+     * @exception EACLsException ACL related parsing errors for resACLs
+     * @return an ACL instance built from the parsed resACLs
+     */
+    public static ACL parseACL(String resACLs) throws EACLsException {
+        if (resACLs == null) {
+            throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs"));
+        }
+
+        ACL acl = null;
+        Vector<String> rights = null;
+        int idx1 = resACLs.indexOf(":");
+
+        if (idx1 <= 0) {
+            acl = new ACL(resACLs, rights, resACLs);
+        } else {
+            // getting resource id
+            String resource = resACLs.substring(0, idx1);
+
+            if (resource == null) {
+                String infoMsg = "resource not specified in resourceACLS attribute:" +
+                        resACLs;
+
+                String[] params = new String[2];
+
+                params[0] = resACLs;
+                params[1] = infoMsg;
+                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
+            }
+
+            // getting list of applicable rights
+            String st = resACLs.substring(idx1 + 1);
+            int idx2 = st.indexOf(":");
+            String rightsString = null;
+
+            if (idx2 != -1)
+                rightsString = st.substring(0, idx2);
+            else {
+                String infoMsg =
+                        "rights not specified in resourceACLS attribute:" + resACLs;
+                String[] params = new String[2];
+
+                params[0] = resACLs;
+                params[1] = infoMsg;
+                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
+            }
+
+            if (rightsString != null) {
+                rights = new Vector<String>();
+                StringTokenizer rtok = new StringTokenizer(rightsString, ",");
+
+                while (rtok.hasMoreTokens()) {
+                    rights.addElement(rtok.nextToken());
+                }
+            }
+
+            acl = new ACL(resource, rights, resACLs);
+
+            // search *backwards* for final instance of ':', to handle case
+            // where acl expressions contain colon, e.g. in a group name.
+            String stx = st.substring(idx2 + 1);
+            int idx3 = stx.lastIndexOf(":");
+            String aclStr = stx.substring(0, idx3);
+
+            // getting list of acl entries
+            if (aclStr != null) {
+                StringTokenizer atok = new StringTokenizer(aclStr, ";");
+
+                while (atok.hasMoreTokens()) {
+                    String acs = atok.nextToken();
+
+                    // construct ACL entry
+                    ACLEntry entry = ACLEntry.parseACLEntry(acl, acs);
+
+                    if (entry == null) {
+                        String infoMsg = "parseACLEntry() call failed";
+                        String[] params = new String[2];
+
+                        params[0] = "ACLEntry = " + acs;
+                        params[1] = infoMsg;
+                        throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
+                    }
+
+                    entry.setACLEntryString(acs);
+                    acl.addEntry(entry);
+                }
+            } else {
+                // fine
+                String infoMsg = "acls not specified in resourceACLS attribute:" +
+
+                resACLs;
+
+                String[] params = new String[2];
+
+                params[0] = resACLs;
+                params[1] = infoMsg;
+                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
+            }
+
+            // getting description
+            String desc = stx.substring(idx3 + 1);
+
+            acl.setDescription(desc);
+        }
+
+        return (acl);
+    }
 }
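Review bot: In `parseACL`, `stx.lastIndexOf(":")` returns -1 when the text after the rights list has no further colon, and `stx.substring(0, idx3)` then throws an unchecked StringIndexOutOfBoundsException instead of the declared EACLsException. The `aclStr != null` test that follows can never fail because `substring` does not return null, so the "acls not specified" branch is dead code; the same applies to `resource == null` and `rightsString != null` earlier in the method. Check `idx3` before slicing and raise the parsing error there, so a malformed resourceACLs value fails through the ACL error path rather than a runtime exception. The body is moved here unchanged by this commit, but the move is a good point to fix it.

```java
            String stx = st.substring(idx2 + 1);
            int idx3 = stx.lastIndexOf(":");

            if (idx3 == -1) {
                // no ':' separates the ACL entries from the description
                String infoMsg = "acls not specified in resourceACLS attribute:" + resACLs;
                String[] params = new String[] { resACLs, infoMsg };
                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
            }

            String aclStr = stx.substring(0, idx3);
            StringTokenizer atok = new StringTokenizer(aclStr, ";");
            // … unchanged: loop that parses and adds each ACLEntry …
            // … unchanged: description taken from stx.substring(idx3 + 1) …
```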
diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index a6cd582..d04223f 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig;
 import org.mozilla.jss.CryptoManager.CertificateUsage;
 import org.mozilla.jss.util.PasswordCallback;
 
-import com.netscape.certsrv.acls.EACLsException;
-import com.netscape.certsrv.acls.IACL;
 import com.netscape.certsrv.authentication.IAuthSubsystem;
 import com.netscape.certsrv.authentication.ISharedToken;
 import com.netscape.certsrv.authority.IAuthority;
@@ -316,22 +314,6 @@ public final class CMS {
     }
 
     /**
-     * Parse ACL resource attributes
-     *
-     * @param resACLs same format as the resourceACLs attribute:
-     *
-     *            <PRE>
-     *     <resource name>:<permission1,permission2,...permissionn>:
-     *     <allow|deny> (<subset of the permission set>) <evaluator expression>
-     * </PRE>
-     * @exception EACLsException ACL related parsing errors for resACLs
-     * @return an ACL instance built from the parsed resACLs
-     */
-    public static IACL parseACL(String resACLs) throws EACLsException {
-        return _engine.parseACL(resACLs);
-    }
-
-    /**
      * Creates an issuing poing record.
      *
      * @return issuing record
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index f861b95..d996d90 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig;
 import org.mozilla.jss.CryptoManager.CertificateUsage;
 import org.mozilla.jss.util.PasswordCallback;
 
-import com.netscape.certsrv.acls.EACLsException;
-import com.netscape.certsrv.acls.IACL;
 import com.netscape.certsrv.authentication.ISharedToken;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.base.EBaseException;
@@ -468,20 +466,6 @@ public interface ICMSEngine extends ISubsystem {
             String p7, String p8, String p9, String p10);
 
     /**
-     * Parse ACL resource attributes
-     *
-     * @param resACLs same format as the resourceACLs attribute:
-     *
-     *            <PRE>
-     *     <resource name>:<permission1,permission2,...permissionn>:
-     *     <allow|deny> (<subset of the permission set>) <evaluator expression>
-     * </PRE>
-     * @exception EACLsException ACL related parsing errors for resACLs
-     * @return an ACL instance built from the parsed resACLs
-     */
-    public IACL parseACL(String resACLs) throws EACLsException;
-
-    /**
      * Creates an issuing poing record.
      *
      * @return issuing record
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 4e864fd..2d4a94f 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -180,7 +180,7 @@ public abstract class AAclAuthz implements IAuthzManager {
      * @throws EBaseException parsing error from <code>parseACL</code>
      */
     public void addACLs(String resACLs) throws EBaseException {
-        ACL acl = (ACL) CMS.parseACL(resACLs);
+        ACL acl = ACL.parseACL(resACLs);
 
         if (acl != null) {
             ACL curACL = mACLs.get(acl.getName());
@@ -791,7 +791,7 @@ public abstract class AAclAuthz implements IAuthzManager {
         ACL ac = null;
 
         try {
-            ac = (ACL) CMS.parseACL(resourceACLs);
+            ac = ACL.parseACL(resourceACLs);
         } catch (EBaseException ex) {
             throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0"));
         }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index b1df429..eaf57fa 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -38,7 +38,6 @@ import java.util.Hashtable;
 import java.util.List;
 import java.util.Locale;
 import java.util.ResourceBundle;
-import java.util.StringTokenizer;
 import java.util.Timer;
 import java.util.Vector;
 
@@ -62,10 +61,6 @@ import org.mozilla.jss.util.PasswordCallback;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
 
-import com.netscape.certsrv.acls.ACL;
-import com.netscape.certsrv.acls.ACLEntry;
-import com.netscape.certsrv.acls.EACLsException;
-import com.netscape.certsrv.acls.IACL;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.apps.ICMSEngine;
 import com.netscape.certsrv.apps.ICommandQueue;
@@ -618,122 +613,6 @@ public class CMSEngine implements ICMSEngine {
     }
 
     /**
-     * Parse ACL resource attributes
-     *
-     * @param resACLs same format as the resourceACLs attribute:
-     *
-     *            <PRE>
-     *     <resource name>:<permission1,permission2,...permissionn>:
-     *     <allow|deny> (<subset of the permission set>) <evaluator expression>
-     * </PRE>
-     * @exception EACLsException ACL related parsing errors for resACLs
-     * @return an ACL instance built from the parsed resACLs
-     */
-    public IACL parseACL(String resACLs) throws EACLsException {
-        if (resACLs == null) {
-            throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs"));
-        }
-
-        ACL acl = null;
-        Vector<String> rights = null;
-        int idx1 = resACLs.indexOf(":");
-
-        if (idx1 <= 0) {
-            acl = new ACL(resACLs, rights, resACLs);
-        } else {
-            // getting resource id
-            String resource = resACLs.substring(0, idx1);
-
-            if (resource == null) {
-                String infoMsg = "resource not specified in resourceACLS attribute:" +
-                        resACLs;
-
-                String[] params = new String[2];
-
-                params[0] = resACLs;
-                params[1] = infoMsg;
-                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
-            }
-
-            // getting list of applicable rights
-            String st = resACLs.substring(idx1 + 1);
-            int idx2 = st.indexOf(":");
-            String rightsString = null;
-
-            if (idx2 != -1)
-                rightsString = st.substring(0, idx2);
-            else {
-                String infoMsg =
-                        "rights not specified in resourceACLS attribute:" + resACLs;
-                String[] params = new String[2];
-
-                params[0] = resACLs;
-                params[1] = infoMsg;
-                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
-            }
-
-            if (rightsString != null) {
-                rights = new Vector<String>();
-                StringTokenizer rtok = new StringTokenizer(rightsString, ",");
-
-                while (rtok.hasMoreTokens()) {
-                    rights.addElement(rtok.nextToken());
-                }
-            }
-
-            acl = new ACL(resource, rights, resACLs);
-
-            // search *backwards* for final instance of ':', to handle case
-            // where acl expressions contain colon, e.g. in a group name.
-            String stx = st.substring(idx2 + 1);
-            int idx3 = stx.lastIndexOf(":");
-            String aclStr = stx.substring(0, idx3);
-
-            // getting list of acl entries
-            if (aclStr != null) {
-                StringTokenizer atok = new StringTokenizer(aclStr, ";");
-
-                while (atok.hasMoreTokens()) {
-                    String acs = atok.nextToken();
-
-                    // construct ACL entry
-                    ACLEntry entry = ACLEntry.parseACLEntry(acl, acs);
-
-                    if (entry == null) {
-                        String infoMsg = "parseACLEntry() call failed";
-                        String[] params = new String[2];
-
-                        params[0] = "ACLEntry = " + acs;
-                        params[1] = infoMsg;
-                        throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
-                    }
-
-                    entry.setACLEntryString(acs);
-                    acl.addEntry(entry);
-                }
-            } else {
-                // fine
-                String infoMsg = "acls not specified in resourceACLS attribute:" +
-
-                resACLs;
-
-                String[] params = new String[2];
-
-                params[0] = resACLs;
-                params[1] = infoMsg;
-                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
-            }
-
-            // getting description
-            String desc = stx.substring(idx3 + 1);
-
-            acl.setDescription(desc);
-        }
-
-        return (acl);
-    }
-
-    /**
      * Parse server.xml to get the ports and IPs
      * @throws EBaseException
      */
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index b314dac..b65dae1 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -19,8 +19,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig;
 import org.mozilla.jss.CryptoManager.CertificateUsage;
 import org.mozilla.jss.util.PasswordCallback;
 
-import com.netscape.certsrv.acls.EACLsException;
-import com.netscape.certsrv.acls.IACL;
 import com.netscape.certsrv.apps.ICMSEngine;
 import com.netscape.certsrv.apps.ICommandQueue;
 import com.netscape.certsrv.authentication.ISharedToken;
@@ -260,10 +258,6 @@ public class CMSEngineDefaultStub implements ICMSEngine {
         return null;
     }
 
-    public IACL parseACL(String resACLs) throws EACLsException {
-        return null;
-    }
-
     public ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize,
             Date thisUpdate, Date nextUpdate) {
         return null;
-- 
1.8.3.1


From 973c83b316272319ccb958ff6f391dfccb0c4e76 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 10:39:33 +1100
Subject: [PATCH 14/20] ACL.java: Remove unused constructor

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Id8eee2d31538e2c95debb03a6102e0a7fdb0bd60

(cherry picked from commit 8748541f70e1c753589b37f76331a7cadc684253)
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index fc031e4..0e3c28e 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -51,11 +51,6 @@ public class ACL implements IACL, java.io.Serializable {
     protected String name = null; // resource name
     protected String description = null; // resource description
 
-    /**
-     * Class constructor.
-     */
-    public ACL() {
-    }
 
     /**
      * Class constructor.
-- 
1.8.3.1


From aa1c01265acd8e92a7cf8880d594ab554dc5efbc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 10:58:21 +1100
Subject: [PATCH 15/20] ACL.java: Make constructor private and add sanity check

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I5b15695df8692941646151b92ddaa893b3f93468

(cherry picked from commit fcacf3d579a2562b764e0caed2cab81d73aa053f)
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index 0e3c28e..d1560ab 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -66,8 +66,10 @@ public class ACL implements IACL, java.io.Serializable {
      *            Allow administrators to read and modify log
      *            configuration"
      */
-    public ACL(String name, Collection<String> rights, String resourceACLs) {
-        setName(name);
+    private ACL(String name, Collection<String> rights, String resourceACLs) {
+        if (name == null)
+            throw new IllegalArgumentException("ACL name cannot be null");
+        this.name = name;
         if (rights != null) {
             this.rights = new TreeSet<>(rights);
         } else {
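Review bot: The constructor now throws IllegalArgumentException for a null `name`, but the Javadoc directly above the signature is untouched by this commit, so the new failure mode is undocumented; add `@throws IllegalArgumentException if name is null` there. The check accepts an empty string, and the `idx1 <= 0` branch of parseACL (shown elsewhere in this series) passes the raw input as the name, so an ACL with an empty name can still be built. If an empty resource name is not meaningful, reject it as well with `if (name == null || name.isEmpty())`. The constructor body continues outside the hunk.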
-- 
1.8.3.1


From fd7dc5e953fccd966f940b4060e35935ef4a3146 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 11:12:41 +1100
Subject: [PATCH 16/20] ACL.java: retain all resourceACLs strings when merging

When writing a merged ACL back to the database, only the first
resourceACLs string is written, and the other resourceACLs strings
are lost.

Retain all the original resourceACLs strings when merging ACLs and
write them all back to the database when saving.

This commit also performs some minor refactors.  Extract the merging
routine into ACL.merge().  Remove the now-unused addRight(),
addEntry() and setName() methods.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: Ica36f1ed1517b4d13f13fd78259b6bb78ef1f22c

(cherry picked from commit 414a6a63d4833cfe0e575a682378fb9515ad59a6)
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 47 ++++++++--------------
 .../com/netscape/cms/authorization/AAclAuthz.java  |  9 +----
 .../netscape/cms/authorization/DirAclAuthz.java    |  6 +--
 3 files changed, 20 insertions(+), 42 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index d1560ab..cce41a8 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -47,10 +47,11 @@ public class ACL implements IACL, java.io.Serializable {
 
     protected Vector<ACLEntry> entries = new Vector<ACLEntry>(); // ACL entries
     protected TreeSet<String> rights = null; // possible rights entries
-    protected String resourceACLs = null; // exact resourceACLs string on ldap server
     protected String name = null; // resource name
     protected String description = null; // resource description
 
+    // exact resourceACLs strings on ldap server
+    protected TreeSet<String> resourceACLs = new TreeSet<>();
 
     /**
      * Class constructor.
@@ -75,18 +76,20 @@ public class ACL implements IACL, java.io.Serializable {
         } else {
             this.rights = new TreeSet<>();
         }
-        this.resourceACLs = resourceACLs;
-
+        this.resourceACLs.add(resourceACLs);
     }
 
-    /**
-     * Sets the name of the resource governed by this
-     * access control.
+    /** Merge the rules of the other ACL into this one.
      *
-     * @param name name of the resource
+     * @throws IllegalArgumentException if the ACLs do not have the same name.
      */
-    public void setName(String name) {
-        this.name = name;
+    public void merge(ACL other) {
+        if (!this.name.equals(other.name))
+            throw new IllegalArgumentException("Cannot merge ACLs; names do not match.");
+
+        this.rights.addAll(other.rights);
+        this.entries.addAll(other.entries);
+        this.resourceACLs.addAll(other.resourceACLs);
     }
 
     /**
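Review bot: `merge` dereferences `other` in `this.name.equals(other.name)` without a null check, so a null argument fails with NullPointerException while the Javadoc documents only IllegalArgumentException. Add `@param other the ACL whose rights, entries and resourceACLs strings are added to this one; must not be null` to the Javadoc, or reject null explicitly at the top of the method. The Javadoc should also say that `entries` is a Vector and is appended to, so merging the same rules twice keeps duplicate entries, whereas `rights` and `resourceACLs` are TreeSets and collapse duplicates.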
@@ -100,11 +103,11 @@ public class ACL implements IACL, java.io.Serializable {
     }
 
     /**
-     * Retrieves the exact string of the resourceACLs
+     * Retrieve an iterable of strings that were used to produce this ACL.
      *
-     * @return resource's acl
+     * @return Iterable of formatted ACLs
      */
-    public String getResourceACLs() {
+    public Iterable<String> getResourceACLs() {
         return resourceACLs;
     }
 
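Review bot: `getResourceACLs()` returns the internal `TreeSet` itself, only typed as `Iterable<String>`, so a caller can still remove elements through the iterator or downcast and modify the set. A caller iterating it while `merge` runs can also hit ConcurrentModificationException. Since the series is removing ways to mutate an ACL from outside, return a read-only view instead, e.g. `return Collections.unmodifiableSet(resourceACLs);` (this needs `java.util.Collections`, and the import block is not in view). Changing the return type of a public method from `String` to `Iterable<String>` also breaks any caller not updated in this patch; only the DirAclAuthz caller is visible here.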
@@ -129,15 +132,6 @@ public class ACL implements IACL, java.io.Serializable {
     }
 
     /**
-     * Adds an ACL entry to this list.
-     *
-     * @param entry the <code>ACLEntry</code> to be added to this resource
-     */
-    public void addEntry(ACLEntry entry) {
-        entries.addElement(entry);
-    }
-
-    /**
      * Returns ACL entries.
      *
      * @return enumeration for the <code>ACLEntry</code> vector
@@ -168,15 +162,6 @@ public class ACL implements IACL, java.io.Serializable {
     }
 
     /**
-     * Adds an rights entry to this list.
-     *
-     * @param right The right to be added for this ACL
-     */
-    public void addRight(String right) {
-        rights.add(right);
-    }
-
-    /**
      * Tells if the permission is one of the defined "rights"
      *
      * @param permission permission to be checked
@@ -288,7 +273,7 @@ public class ACL implements IACL, java.io.Serializable {
                     }
 
                     entry.setACLEntryString(acs);
-                    acl.addEntry(entry);
+                    acl.entries.add(entry);
                 }
             } else {
                 // fine
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
index 2d4a94f..7b69ec4 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
@@ -187,14 +187,7 @@ public abstract class AAclAuthz implements IAuthzManager {
             if (curACL == null) {
                 mACLs.put(acl.getName(), acl);
             } else {
-                for (Enumeration<ACLEntry> entries = acl.entries() ;
-                        entries.hasMoreElements() ; ) {
-                    curACL.addEntry(entries.nextElement());
-                }
-                for (Enumeration<String> rights = acl.rights() ;
-                        rights.hasMoreElements() ; ) {
-                    curACL.addRight(rights.nextElement());
-                }
+                curACL.merge(acl);
             }
         } else {
             log(ILogger.LL_FAILURE, "parseACL failed");
diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index 3e2a1b3..13360ef 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -231,9 +231,9 @@ public class DirAclAuthz extends AAclAuthz
             if (en.hasMoreElements() == true) {
                 while (en.hasMoreElements()) {
                     ACL a = en.nextElement();
-                    String resAclString = a.getResourceACLs();
-
-                    attrs.addValue(resAclString);
+                    for (String s : a.getResourceACLs()) {
+                        attrs.addValue(s);
+                    }
                 }
 
                 mod.add(LDAPModification.REPLACE, attrs);
-- 
1.8.3.1


From 5cf81863d7813259a526af38e32d504ca5cc59bb Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 15:14:06 +1100
Subject: [PATCH 17/20] ACL.java: remove setDescription method

The only place setDescription was used was in parseACL() which is
now part of this class, so we can replace that method with a new
constructor argument and avoid another way to unreasonably mutate
an ACL.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I8cff0cbb5cb47b80b7b0e6dc37702e16ec2a85e0

(cherry picked from commit 5e36d86d2c5ab2264768e64fe8029e428ce01b92)
---
 base/common/src/com/netscape/certsrv/acls/ACL.java | 29 ++++++++--------------
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java
index cce41a8..09a4b2b 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACL.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java
@@ -67,7 +67,11 @@ public class ACL implements IACL, java.io.Serializable {
      *            Allow administrators to read and modify log
      *            configuration"
      */
-    private ACL(String name, Collection<String> rights, String resourceACLs) {
+    private ACL(
+            String name,
+            Collection<String> rights,
+            String desc,
+            String resourceACLs) {
         if (name == null)
             throw new IllegalArgumentException("ACL name cannot be null");
         this.name = name;
@@ -77,6 +81,7 @@ public class ACL implements IACL, java.io.Serializable {
             this.rights = new TreeSet<>();
         }
         this.resourceACLs.add(resourceACLs);
+        this.description = desc;
     }
 
     /** Merge the rules of the other ACL into this one.
@@ -112,16 +117,6 @@ public class ACL implements IACL, java.io.Serializable {
     }
 
     /**
-     * Sets the description of the resource governed by this
-     * access control.
-     *
-     * @param description Description of the protected resource
-     */
-    public void setDescription(String description) {
-        this.description = description;
-    }
-
-    /**
      * Retrieves the description of the resource governed by
      * this access control.
      *
@@ -203,7 +198,7 @@ public class ACL implements IACL, java.io.Serializable {
         int idx1 = resACLs.indexOf(":");
 
         if (idx1 <= 0) {
-            acl = new ACL(resACLs, rights, resACLs);
+            acl = new ACL(resACLs, rights, null /* desc */, resACLs);
         } else {
             // getting resource id
             String resource = resACLs.substring(0, idx1);
@@ -245,13 +240,14 @@ public class ACL implements IACL, java.io.Serializable {
                 }
             }
 
-            acl = new ACL(resource, rights, resACLs);
-
             // search *backwards* for final instance of ':', to handle case
             // where acl expressions contain colon, e.g. in a group name.
             String stx = st.substring(idx2 + 1);
             int idx3 = stx.lastIndexOf(":");
             String aclStr = stx.substring(0, idx3);
+            String desc = stx.substring(idx3 + 1);
+
+            acl = new ACL(resource, rights, desc, resACLs);
 
             // getting list of acl entries
             if (aclStr != null) {
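Review bot: `idx3` is used unchecked: when the text after the rights list contains no `:`, `stx.lastIndexOf(":")` returns -1 and `stx.substring(0, idx3)` throws StringIndexOutOfBoundsException before the ACL is built. That is an unchecked exception, so callers such as AAclAuthz, which catch only EBaseException around `ACL.parseACL`, will not handle a malformed resourceACLs value as a parse error. Check `idx3` first and raise EACLsException the way the neighbouring branches do. The `if (aclStr != null)` test that follows can never be false, because `substring` does not return null, so its `else` branch is dead code. parseACL starts and ends outside this hunk.

```java
            String stx = st.substring(idx2 + 1);
            int idx3 = stx.lastIndexOf(":");
            if (idx3 == -1) {
                // no ':' separating the acl entries from the description:
                // report it like the other parse errors in this method
                String[] params = new String[2];

                params[0] = resACLs;
                params[1] = "description not specified in resourceACLS attribute:" + resACLs;
                throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
            }
            // … unchanged: aclStr and desc extraction, ACL construction …
```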
@@ -287,11 +283,6 @@ public class ACL implements IACL, java.io.Serializable {
                 params[1] = infoMsg;
                 throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params));
             }
-
-            // getting description
-            String desc = stx.substring(idx3 + 1);
-
-            acl.setDescription(desc);
         }
 
         return (acl);
-- 
1.8.3.1


From 987c3e042b0419aaa75f11e936effd52bc9da6d5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 16:39:20 +1100
Subject: [PATCH 18/20] ACLEntry.java: return null on parse error

If an ACL entry has an empty permission expression a
StringIndexOutOfBoundsException is thrown because an expected space
character cannot be found.  Detect this condition and return null.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: I1518f53f68e106e877d24d7dce8a5756ca5aedbd

(cherry picked from commit 682fcf270f6b49ff5a6e7133f022982445a74422)
---
 base/common/src/com/netscape/certsrv/acls/ACLEntry.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java
index 23f8596..5cca230 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java
@@ -203,6 +203,11 @@ public class ACLEntry implements IACLEntry, java.io.Serializable {
         }
         // locate the second space
         i = suffix.indexOf(' ');
+        if (i <= 0) {
+            // second space not found, or is at start of string
+            return null;
+        }
+
         // this prefix should be rights list, delimited by ","
         prefix = suffix.substring(1, i - 1);
         // the suffix is the rest, which is the "expressions"
-- 
1.8.3.1


From 5a918d21aba41516054f232141752dd5a708cf77 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 9 Mar 2018 17:58:39 +1100
Subject: [PATCH 19/20] DirAclAuthz.updateACLs: re-throw ACL exception

Currently DirAclAuthz catches EACLsException when attempting to
update an ACL, logs the error, and then throws a new EACLsException,
discarding the info about where the original exception occurred.
There is no need to throw a new exception of the same type, so
re-throw the caught exception.

Part of: https://pagure.io/dogtagpki/issue/2957
Change-Id: If6e38e2217b8884b54b7daf07a7b79e23b8175d7

(cherry picked from commit 021ebec5d54a85d8de56478fb4762c4b15ee0a3a)
---
 base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
index 13360ef..e2c1229 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java
@@ -211,7 +211,7 @@ public class DirAclAuthz extends AAclAuthz
 
             log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString()));
 
-            throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL"));
+            throw ex;
         }
     }
 
-- 
1.8.3.1


From 65a1edc262a2abb4b3bbcf7a46d775dbaffa4937 Mon Sep 17 00:00:00 2001
From: Amol Kahat <akahat@redhat.com>
Date: Tue, 27 Feb 2018 19:56:31 +0530
Subject: [PATCH 20/20] Fixed BZ 1549632: Not able to generate certificate
 request with ECC using pki client-cert-request

Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409
Signed-off-by: Amol Kahat <akahat@redhat.com>
(cherry picked from commit 69434ec08442b92cab8c304caef98200ff71e8e2)
(cherry picked from commit 15911c8e65eb1543776a64f567ca3e281091e750)
---
 .../cmstools/client/ClientCertRequestCLI.java      | 45 ++++++++++++++--------
 1 file changed, 29 insertions(+), 16 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 54acd65..b440fc6 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -123,7 +123,8 @@ public class ClientCertRequestCLI extends CLI {
         option.setArgName("path");
         options.addOption(option);
 
-        option = new Option(null, "profile", true, "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)");
+        option = new Option(null, "profile", true,
+                "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)");
         option.setArgName("profile");
         options.addOption(option);
 
@@ -242,7 +243,7 @@ public class ClientCertRequestCLI extends CLI {
             throw new Exception("--issuer-id and --issuer-dn options are mutually exclusive");
         }
 
-        MainCLI mainCLI = (MainCLI)parent.getParent();
+        MainCLI mainCLI = (MainCLI) parent.getParent();
         File certDatabase = mainCLI.certDatabase;
 
         String password = mainCLI.config.getCertPassword();
@@ -253,13 +254,21 @@ public class ClientCertRequestCLI extends CLI {
         String csr;
         PKIClient client;
         if ("pkcs10".equals(requestType)) {
-            csr = generatePkcs10Request(certDatabase, password, algorithm, length, subjectDN);
+            if ("rsa".equals(algorithm)) {
+                csr = generatePkcs10Request(certDatabase, password, algorithm,
+                        Integer.toString(length), subjectDN);
+            }
+
+            else if ("ec".equals(algorithm)) {
+                csr = generatePkcs10Request(certDatabase, password, algorithm, curve, subjectDN);
+            } else {
+                throw new Exception("Error: Unknown algorithm: " + algorithm);
+            }
 
             // initialize database after PKCS10Client to avoid conflict
             mainCLI.init();
             client = getClient();
 
-
         } else if ("crmf".equals(requestType)) {
 
             // initialize database before CRMFPopClient to load transport certificate
@@ -325,8 +334,8 @@ public class ClientCertRequestCLI extends CLI {
         Vector<?> rdns = dn.getRDNs();
 
         Map<String, String> subjectAttributes = new HashMap<String, String>();
-        for (int i=0; i< rdns.size(); i++) {
-            RDN rdn = (RDN)rdns.elementAt(i);
+        for (int i = 0; i < rdns.size(); i++) {
+            RDN rdn = (RDN) rdns.elementAt(i);
             String type = rdn.getTypes()[0].toLowerCase();
             String value = rdn.getValues()[0];
             subjectAttributes.put(type, value);
@@ -334,7 +343,8 @@ public class ClientCertRequestCLI extends CLI {
 
         ProfileInput sn = request.getInput("Subject Name");
         if (sn != null) {
-            if (verbose) System.out.println("Subject Name:");
+            if (verbose)
+                System.out.println("Subject Name:");
 
             for (ProfileAttribute attribute : sn.getAttributes()) {
                 String name = attribute.getName();
@@ -350,13 +360,16 @@ public class ClientCertRequestCLI extends CLI {
 
                 } else {
                     // unknown attribute, ignore
-                    if (verbose) System.out.println(" - " + name);
+                    if (verbose)
+                        System.out.println(" - " + name);
                     continue;
                 }
 
-                if (value == null) continue;
+                if (value == null)
+                    continue;
 
-                if (verbose) System.out.println(" - " + name + ": " + value);
+                if (verbose)
+                    System.out.println(" - " + name + ": " + value);
                 attribute.setValue(value);
             }
         }
@@ -385,19 +398,20 @@ public class ClientCertRequestCLI extends CLI {
             File certDatabase,
             String password,
             String algorithm,
-            int length,
-            String subjectDN
-            ) throws Exception {
+            String length,
+            String subjectDN) throws Exception {
 
         File csrFile = File.createTempFile("pki-client-cert-request-", ".csr", certDatabase);
         csrFile.deleteOnExit();
 
+        String lenOrCurve = "ec".equals(algorithm) ? "-c" : "-l";
+
         String[] commands = {
                 "/usr/bin/PKCS10Client",
                 "-d", certDatabase.getAbsolutePath(),
                 "-p", password,
                 "-a", algorithm,
-                "-l", "" + length,
+                lenOrCurve, "" + length,
                 "-o", csrFile.getAbsolutePath(),
                 "-n", subjectDN
         };
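Review bot: The argument vector still carries the NSS database password as `"-p", password`, so the secret is typically readable by other local users in the process list while PKCS10Client runs. If the tool can take the password from a file or standard input, pass it that way instead; this page does not show which options it supports. In the lines this commit changes, the parameter `length` now holds either a key size or a curve name, so a name like `String sizeOrCurve` would describe it better. `"" + length` can also be just the variable now that it is already a String. The method body continues past the hunk.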
@@ -427,8 +441,7 @@ public class ClientCertRequestCLI extends CLI {
             int sensitive,
             int extractable,
             boolean withPop,
-            KeyWrapAlgorithm keyWrapAlgorithm
-            ) throws Exception {
+            KeyWrapAlgorithm keyWrapAlgorithm) throws Exception {
 
         CryptoManager manager = CryptoManager.getInstance();
         CryptoToken token = manager.getThreadToken();
-- 
1.8.3.1