From 5348b8e50dcd3166d8a0d3ebb953b0e835662629 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 29 2019 15:24:36 +0000 Subject: import pki-core-10.5.9-10.el7_6 --- diff --git a/SOURCES/pki-core-10.5.9-batch-1.0.patch b/SOURCES/pki-core-10.5.9-batch-1.0.patch new file mode 100644 index 0000000..d17d9e5 --- /dev/null +++ b/SOURCES/pki-core-10.5.9-batch-1.0.patch 
@@ -0,0 +1,3161 @@ +From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001 +From: John Magne +Date: Fri, 19 Oct 2018 19:23:37 -0400 +Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of + pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely. + +--- + .../netscape/cms/servlet/csadmin/GetStatus.java | 48 ++++++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java +index 1d2d0e6..338e26b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java +@@ -18,6 +18,7 @@ + package com.netscape.cms.servlet.csadmin; + + import java.io.IOException; ++import java.io.FileInputStream; + import java.util.Locale; + + import javax.servlet.ServletConfig; +@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet; + import com.netscape.cms.servlet.base.UserInfo; + import com.netscape.cms.servlet.common.CMSRequest; + import com.netscape.cmsutil.xml.XMLObject; ++import org.apache.commons.io.IOUtils; ++import org.apache.commons.lang.StringUtils; + + public class GetStatus extends CMSServlet { + +@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet { + * + */ + private static final long serialVersionUID = -2852842030221659847L; ++ // File below will be a member of a pki theme package. ++ private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION"; + + public GetStatus() { + super(); +@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet { + xmlObj.addItemToContainer(root, "Type", type); + xmlObj.addItemToContainer(root, "Status", status); + xmlObj.addItemToContainer(root, "Version", version); ++ // File below will be a member of a pki theme package. 
++ String productVersion = getProductVersion(productVersionFILE); ++ ++ if(!StringUtils.isEmpty(productVersion)) { ++ xmlObj.addItemToContainer(root,"ProductVersion", productVersion); ++ } ++ + byte[] cb = xmlObj.toByteArray(); + + outputResult(httpResp, "application/xml", cb); +@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet { + return locale; + } + ++ /** ++ * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION ++ * exists. ++ * ++ * Caller only cares if there is a string or not, exceptions handled here. ++ */ ++ private String getProductVersion(String versionFilePathName) { ++ String version = null; ++ FileInputStream inputStream = null; ++ ++ if(StringUtils.isEmpty(versionFilePathName)) { ++ CMS.debug("Missing product version file path!"); ++ return null; ++ } ++ ++ try { ++ inputStream = new FileInputStream(versionFilePathName); ++ String contents = IOUtils.toString(inputStream); ++ ++ if(contents != null) { ++ CMS.debug("Returning product version: " + version); ++ version = contents.trim(); ++ } ++ } catch (Exception e) { ++ CMS.debug("Failed to read product version String. 
" + e); ++ } ++ finally { ++ if(inputStream != null) { ++ try { ++ inputStream.close(); ++ } catch (IOException e) { ++ } ++ } ++ } ++ return version; ++ } + } +-- +1.8.3.1 + + +From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Fri, 14 Sep 2018 19:19:23 -0600 +Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder + overridden by CSR encoding + +https://pagure.io/dogtagpki/issue/2865 coverity fixes +(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72) +--- + .../netscape/cms/profile/def/UserSubjectNameDefault.java | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +index 636b045..459735e 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault { + * keep the old name so that the attribute + * encodings are preserved. */ + X500Name oldX500name = oldName.getX500Name(); +- if (x500name.toString().equals(oldX500name.toString())) { ++ if (x500name == null) { ++ CMS.debug( method ++ + "new Subject DN is null; " ++ + "retaining current value." ++ ); ++ x500name = oldX500name; ++ } else if (x500name.toString().equals(oldX500name.toString())) { + CMS.debug( method + + "new Subject DN has same string representation " + + "as current value; retaining current value." 
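Review bot: In getProductVersion the line `CMS.debug("Returning product version: " + version)` executes before `version = contents.trim()`, so the debug output always prints `null`; swap the two statements, `version = contents.trim(); CMS.debug("Returning product version: " + version);`. `IOUtils.toString(inputStream)` with no charset argument decodes the file with the platform default encoding, so pass one explicitly, `IOUtils.toString(inputStream, "UTF-8")`, to keep the value independent of the service's locale. The empty `catch (IOException e) { }` around `close()` swallows the error silently; if the project's Java level permits it, a try-with-resources on the FileInputStream removes the finally block and the swallowed exception together.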
+@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault { + // to the certinfo + CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName( + IEnrollProfile.REQUEST_SUBJECT_NAME); ++ if (req_sbj == null) { ++ // failed to retrieve subject name ++ CMS.debug("UserSubjectNameDefault: populate req_sbj is null"); ++ throw new EProfileException(CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND")); ++ } + try { + info.set(X509CertInfo.SUBJECT, req_sbj); + +-- +1.8.3.1 + + +From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 22 Aug 2018 18:12:06 -0700 +Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client + +This patch provides code for ticket 2879, adding audit events for CS when + acting as a TLS client. + +For a running CS system, there are two cases when this happens: +1. When one CS subsystem is talking to another CS subsystem + In this case: HttpClient is used +2. 
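Review bot: The new null guard for `req_sbj` throws with the user-message key `CMS_PROFILE_SUBJECT_NAME_NOT_FOUND`, but this patch touches only UserSubjectNameDefault.java, so whether that key exists in the message bundle cannot be confirmed from here; if it is absent, callers receive the raw key instead of a localized message. The debug line `CMS.debug("UserSubjectNameDefault: populate req_sbj is null")` also departs from the `method + "..."` prefix style used in the first hunk of this file; if the enclosing method (apparently `populate`, per the debug text) defines a `method` string, `CMS.debug(method + "req_sbj is null")` keeps the two consistent. The enclosing method starts and ends outside the hunk.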
When a CS subsystem is talking to an ldap syste + In this case: PKISocketFactory is used + +Events added are: + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS + - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED + +https://pagure.io/dogtagpki/issue/2879 + +Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8 +(cherry picked from commit add6813cb15673d604f05173585101a6e56745ca) +--- + base/ca/shared/conf/CS.cfg | 4 +- + .../event/ClientAccessSessionEstablishEvent.java | 74 +++++++ + .../event/ClientAccessSessionTerminatedEvent.java | 53 +++++ + base/kra/shared/conf/CS.cfg | 4 +- + base/ocsp/shared/conf/CS.cfg | 4 +- + .../cms/publish/publishers/OCSPPublisher.java | 4 + + .../dogtagpki/server/PKIClientSocketListener.java | 230 +++++++++++++++++++++ + base/server/cmsbundle/src/LogMessages.properties | 20 ++ + .../cmscore/connector/HttpConnFactory.java | 6 + + .../netscape/cmscore/connector/HttpConnection.java | 42 ++++ + .../netscape/cmscore/connector/HttpConnector.java | 10 + + .../com/netscape/cmscore/connector/Resender.java | 8 +- + .../cmscore/ldapconn/PKISocketFactory.java | 9 +- + base/tks/shared/conf/CS.cfg | 4 +- + .../src/com/netscape/cmsutil/http/HttpClient.java | 14 ++ + .../netscape/cmsutil/http/JssSSLSocketFactory.java | 8 + + 16 files changed, 484 insertions(+), 10 deletions(-) + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java + create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java + create mode 100644 base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 92504ff..4cef240 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + 
log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION ++log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG 
++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG + log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java +new file mode 100644 +index 0000000..f54641a +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java +@@ -0,0 +1,74 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. 
++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. ++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class ClientAccessSessionEstablishEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"; ++ ++ public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"; ++ ++ public ClientAccessSessionEstablishEvent(String messageID) { ++ super(messageID); ++ } ++ ++ public static ClientAccessSessionEstablishEvent createSuccessEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID) { ++ ++ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( ++ CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ ++ return event; ++ } ++ ++ public static ClientAccessSessionEstablishEvent createFailureEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID, ++ String info) { ++ ++ ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent( ++ CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", 
serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.FAILURE); ++ event.setAttribute("Info", info); ++ ++ return event; ++ } ++} +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java +new file mode 100644 +index 0000000..cad0c97 +--- /dev/null ++++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java +@@ -0,0 +1,53 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
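Review bot: ClientAccessSessionEstablishEvent has no Javadoc on its public constructor or on `createSuccessEvent`/`createFailureEvent`, and the audit event class is the natural place to document what each attribute carries: a class comment naming the two message IDs it emits and a note on `createFailureEvent` that `info` holds the failure reason (the callers are not in this hunk, so the exact content should be confirmed there) would let audit reviewers interpret the fields without reading the callers. The modifier order `public final static String` is legal but reversed from the conventional `public static final`; the same ordering appears in ClientAccessSessionTerminatedEvent in the next hunk.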
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.certsrv.logging.event; ++ ++import com.netscape.certsrv.logging.ILogger; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++ ++public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent { ++ ++ private static final long serialVersionUID = 1L; ++ ++ public final static String CLIENT_ACCESS_SESSION_TERMINATED = ++ "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED"; ++ ++ public ClientAccessSessionTerminatedEvent(String messageID) { ++ super(messageID); ++ } ++ ++ public static ClientAccessSessionTerminatedEvent createEvent( ++ String clientHost, ++ String serverHost, ++ String serverPort, ++ String subjectID, ++ String info) { ++ ++ ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent( ++ CLIENT_ACCESS_SESSION_TERMINATED); ++ ++ event.setAttribute("ClientHost", clientHost); ++ event.setAttribute("ServerHost", serverHost); ++ event.setAttribute("ServerPort", serverPort); ++ event.setAttribute("SubjectID", subjectID); ++ event.setAttribute("Outcome", ILogger.SUCCESS); ++ event.setAttribute("Info", info); ++ ++ return event; ++ } ++} +diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg +index 878e5f8..6108576 100644 +--- a/base/kra/shared/conf/CS.cfg ++++ b/base/kra/shared/conf/CS.cfg +@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
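Review bot: In `createEvent` the `Outcome` attribute is hardcoded to `ILogger.SUCCESS` while `info` is passed through from the caller, so a termination triggered by a fatal TLS alert is recorded with the same Success outcome as a clean close; if that is intentional (the event records that the session ended, not why), a one-line comment such as `// Outcome is always Success: the event records the termination itself; the cause is in Info` would stop it being read as a bug. The class also lacks Javadoc on its public constructor and factory method, as noted for the sibling ClientAccessSessionEstablishEvent.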
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL + log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) + log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) + log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) +diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg +index b412e5e..d2e5256 100644 +--- a/base/ocsp/shared/conf/CS.cfg ++++ b/base/ocsp/shared/conf/CS.cfg +@@ -216,11 +216,11 @@ 
log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 +diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java +index 11d44b8..d15523e 100644 +--- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java ++++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java +@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import com.netscape.cmsutil.util.Utils; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + import netscape.ldap.LDAPConnection; + + /** +@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo { + + Socket socket = null; + JssSSLSocketFactory factory; ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); + + if (mClientAuthEnabled) { + factory = new JssSSLSocketFactory(mNickname); + } else { + factory = new 
JssSSLSocketFactory(); + } ++ factory.addSocketListener(sockListener); + + if (mHost != null && mHost.indexOf(' ') != -1) { + // support failover hosts configuration +diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java +new file mode 100644 +index 0000000..dc49908 +--- /dev/null ++++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java +@@ -0,0 +1,230 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2017 Red Hat, Inc. ++// All rights reserved. 
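Review bot: A new `PKIClientSocketListener` is constructed as a local on every call of the enclosing publish method, whose start and end lie outside the hunk, so each call registers a fresh listener on its factory; from the listener class added later in this patch it looks like the listener keeps only a per-instance socket-info map and no per-call state, so a single field-level listener would suffice, though that is inferred from a partial view and worth confirming. The `org.dogtagpki.server.PKIClientSocketListener` import in the first hunk of this file is inserted between the `com.netscape` group and `netscape.ldap` rather than with the other non-`com.netscape` imports, which does not match the grouping of the surrounding import block.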
++// --- END COPYRIGHT BLOCK --- ++package org.dogtagpki.server; ++ ++import java.lang.Integer; ++import java.net.InetAddress; ++import java.security.Principal; ++import java.util.HashMap; ++import java.util.Map; ++import java.util.WeakHashMap; ++ ++import org.mozilla.jss.crypto.X509Certificate; ++import org.mozilla.jss.ssl.SSLAlertDescription; ++import org.mozilla.jss.ssl.SSLAlertEvent; ++import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent; ++import org.mozilla.jss.ssl.SSLSecurityStatus; ++import org.mozilla.jss.ssl.SSLSocket; ++import org.mozilla.jss.ssl.SSLSocketListener; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ ++import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; ++import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent; ++import com.netscape.cms.logging.SignedAuditLogger; ++import com.netscape.certsrv.apps.CMS; ++ ++public class PKIClientSocketListener implements SSLSocketListener { ++ ++ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); ++ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); ++ ++ /** ++ * The socketInfos map is a storage for socket information that may not be available ++ * after the socket has been closed such as client IP address and subject ID. The ++ * WeakHashMap is used here to allow the map key (i.e. the socket object) to be ++ * garbage-collected since there is no guarantee that socket will be closed with an ++ * SSL alert for a proper map entry removal. 
++ */ ++ Map> socketInfos = new WeakHashMap<>(); ++ ++ @Override ++ public void alertReceived(SSLAlertEvent event) { ++ String method = "PKIClientSocketListener.alertReceived: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ String serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ String subjectID = subjectDN == null ? "" : subjectDN.toString(); ++*/ ++String subjectID = "SYSTEM"; ++ ++ int description = event.getDescription(); ++ String reason = SSLAlertDescription.valueOf(description).toString(); ++ ++ logger.debug("SSL alert received:"); ++ logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ ++ signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason)); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ @Override ++ public void alertSent(SSLAlertEvent event) { ++ String method = "PKIClientSocketListener.alertSent: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ int description = event.getDescription(); ++CMS.debug(method + "got description:"+ description); ++ String reason = 
SSLAlertDescription.valueOf(description).toString(); ++CMS.debug(method + "got reason:"+ reason); ++ ++ SignedAuditEvent auditEvent; ++ String clientIP; ++ String serverIP; ++ String serverPort; ++ String subjectID; ++ ++ if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) { ++ ++ // get socket info from socketInfos map since socket has been closed ++ Map info = socketInfos.get(socket); ++ clientIP = (String)info.get("clientIP"); ++ serverIP = (String)info.get("serverIP"); ++ serverPort = (String)info.get("serverPort"); ++ subjectID = (String)info.get("subjectID"); ++ ++ auditEvent = ClientAccessSessionTerminatedEvent.createEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED"); ++ CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason); ++ ++ } else { ++ ++ // get socket info from the socket itself ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ ++ clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ subjectID = subjectDN == null ? 
"" : subjectDN.toString(); ++*/ ++subjectID = "SYSTEM"; ++ ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID, ++ reason); ++ ++ } ++ ++ logger.debug("SSL alert sent:"); ++ logger.debug(" - reason: " + reason); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ signedAuditLogger.log(auditEvent); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++ ++ @Override ++ public void handshakeCompleted(SSLHandshakeCompletedEvent event) { ++ String method = "PKIClientSocketListener.handshakeCompleted: "; ++CMS.debug(method + "begins"); ++ try { ++ SSLSocket socket = event.getSocket(); ++ ++ InetAddress serverAddress = socket.getInetAddress(); ++ InetAddress clientAddress = socket.getLocalAddress(); ++ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress(); ++ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress(); ++ String serverPort = Integer.toString(socket.getPort()); ++ ++ SSLSecurityStatus status = socket.getStatus(); ++/* ++ X509Certificate peerCertificate = status.getPeerCertificate(); ++ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN(); ++ String subjectID = subjectDN == null ? 
"" : subjectDN.toString(); ++*/ ++String subjectID = "SYSTEM"; ++ ++ logger.debug("Handshake completed:"); ++ logger.debug(" - client: " + clientIP); ++ logger.debug(" - server: " + serverIP); ++ logger.debug(" - subject: " + subjectID); ++ ++ // store socket info in socketInfos map ++ Map info = new HashMap<>(); ++ info.put("clientIP", clientIP); ++ info.put("serverIP", serverIP); ++ info.put("serverPort", serverPort); ++ info.put("subjectID", subjectID); ++ socketInfos.put(socket, info); ++ ++ signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent( ++ clientIP, ++ serverIP, ++ serverPort, ++ subjectID)); ++ ++ CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS"); ++CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort); ++ ++ } catch (Exception e) { ++ logger.error(e.getMessage(), e); ++ } ++ } ++} +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index d534506..a8a8deb 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ + LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\ + :[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated + ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE ++# access session failed to establish when Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS ++# - used when access session was established successfully when ++# Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session 
establish successfully when Certificate System acts as client ++# ++# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED ++# - used when access session was terminated when Certificate System acts as client ++# ++LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\ ++:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client ++ + + ########################### + #Unselectable signedAudit Events +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java +index 47f5e61..e4f92b4 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java +@@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import com.netscape.cmsutil.net.ISocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + /** + * Factory for getting HTTP Connections to a HTTPO server + */ +@@ -127,6 +129,10 @@ public class HttpConnFactory { + + try { + ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers); ++ PKIClientSocketListener sockListener = new PKIClientSocketListener() ++; ++ JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory; ++ factory.addSocketListener(sockListener); + + if (mTimeout == 0) { + retConn = CMS.getHttpConnection(mDest, tFactory); +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +index fbd3268..649fa80 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java +@@ -18,7 +18,10 @@ + package com.netscape.cmscore.connector; + + import java.io.IOException; ++import 
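Review bot: The listener registration added inside the `try` in HttpConnFactory is awkwardly written — the `new PKIClientSocketListener()` statement has its `;` on a line of its own, and `tFactory` is declared as `ISocketFactory` only to be cast straight back to `JssSSLSocketFactory` two lines later. Declaring the concrete type removes the cast: `JssSSLSocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);` followed by `tFactory.addSocketListener(new PKIClientSocketListener());`. `CMS.getHttpConnection(mDest, tFactory)` still compiles, since JssSSLSocketFactory implements ISocketFactory (visible in that class's hunk in this same patch). The enclosing method continues outside the hunk.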
java.lang.Integer; + import java.net.InetSocketAddress; ++import java.net.InetAddress; ++import java.net.UnknownHostException; + import java.util.ArrayList; + import java.util.List; + +@@ -28,14 +31,24 @@ import com.netscape.certsrv.connector.IHttpConnection; + import com.netscape.certsrv.connector.IPKIMessage; + import com.netscape.certsrv.connector.IRemoteAuthority; + import com.netscape.certsrv.connector.IRequestEncoder; ++import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent; ++import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.cms.logging.SignedAuditLogger; + import com.netscape.cmscore.util.Debug; + import com.netscape.cmsutil.http.HttpClient; + import com.netscape.cmsutil.http.HttpRequest; + import com.netscape.cmsutil.http.HttpResponse; + import com.netscape.cmsutil.net.ISocketFactory; + ++import org.dogtagpki.server.PKIClientSocketListener; ++import org.slf4j.Logger; ++import org.slf4j.LoggerFactory; ++ + public class HttpConnection implements IHttpConnection { + ++ private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class); ++ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger(); ++ + protected IRemoteAuthority mDest = null; + protected HttpRequest mHttpreq = new HttpRequest(); + protected IRequestEncoder mReqEncoder = null; +@@ -43,12 +56,18 @@ public class HttpConnection implements IHttpConnection { + + int timeout = 0; + List targets; ++ String localIP = "localhost"; + + public HttpConnection(IRemoteAuthority dest, ISocketFactory factory, + int timeout // seconds + ) { + + CMS.debug("HttpConnection: Creating HttpConnection with timeout=" + timeout); ++ try { ++ localIP = InetAddress.getLocalHost().getHostAddress(); ++ } catch (UnknownHostException e) { ++ // default to "localhost"; ++ } + + mDest = dest; + mReqEncoder = new HttpRequestEncoder(); +@@ -118,6 +137,7 @@ public class HttpConnection implements IHttpConnection { + void connect() throws 
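Review bot: The new `logger` field in HttpConnection is bound to `PKIClientSocketListener.class`, so anything it emits will be attributed to the listener rather than to HttpConnection — a copy-paste slip that will mislead whoever greps the logs. It should read `private static Logger logger = LoggerFactory.getLogger(HttpConnection.class);`. In the hunks shown the field is never used, so it may simply be removable together with the two slf4j imports.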
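Review bot: `InetAddress.getLocalHost().getHostAddress()` in the constructor records as the audited ClientIP whatever the machine's hostname resolves to — a DNS/hosts lookup, not the local endpoint of the connection — so on a host whose name maps to 127.0.0.1, or on a multi-homed box, the CLIENT_ACCESS_SESSION_ESTABLISH failure record can carry an address that never touched the wire. It is also a blocking lookup performed on every HttpConnection construction. The SSL listener in this patch already uses `socket.getLocalAddress()`; where a socket exists prefer that, and otherwise mark the approximation, e.g. `// best-effort: hostname-resolved address, not necessarily the interface used for this connection`.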
IOException { + + IOException exception = null; ++ SignedAuditEvent auditEvent; + + // try all targets + for (InetSocketAddress target : targets) { +@@ -136,6 +156,14 @@ public class HttpConnection implements IHttpConnection { + } catch (IOException e) { + exception = e; + CMS.debug("HttpConnection: Unable to connect to " + hostname + ":" + port + ": " + e); ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ localIP, ++ hostname, ++ Integer.toString(port), ++ "SYSTEM", ++ "connect:" +e.toString()); ++ signedAuditLogger.log(auditEvent); ++ + // try the next target immediately + } + } +@@ -229,6 +257,13 @@ public class HttpConnection implements IHttpConnection { + + HttpResponse resp = null; + boolean reconnected = false; ++ SignedAuditEvent auditEvent; ++ String localIP = "localhost"; ++ try { ++ localIP = InetAddress.getLocalHost().getHostAddress(); ++ } catch (UnknownHostException e) { ++ // default to "localhost"; ++ } + + if (getRequestURI() == null) { + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", "URI not set in HttpRequest")); +@@ -266,6 +301,13 @@ public class HttpConnection implements IHttpConnection { + resp = mHttpClient.send(mHttpreq); + + } catch (IOException e) { ++ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent( ++ localIP, ++ mHttpClient.getHost(), ++ mHttpClient.getPort(), ++ "SYSTEM", ++ "send:" +e.toString()); ++ signedAuditLogger.log(auditEvent); + + CMS.debug(e); + +diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java +index 398becc..0588bf4 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnector.java +@@ -35,6 +35,8 @@ import com.netscape.cmsutil.http.HttpResponse; + import com.netscape.cmsutil.http.JssSSLSocketFactory; + import 
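Review bot: The `String localIP = "localhost"` block added at the top of the send method shadows the `localIP` field the constructor already filled with the same `InetAddress.getLocalHost()` lookup, so the resolution is repeated on every send and the two values can diverge. Drop the local declaration and its try/catch and let the audit call below read the field. The method continues outside the hunk.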
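Review bot: An IOException from `mHttpClient.send()` is audited as a CLIENT_ACCESS_SESSION_ESTABLISH failure, yet by this point the session has presumably already been set up (and logged as a success by the handshake listener), so the trail will show a spurious failed-establish event for what is a failure of the request exchange. If no better event type exists, make the mapping explicit above the call: `// no dedicated audit event for a failed exchange on an open session; recorded as establish-failure with a "send:" reason`. The catch block continues outside the hunk.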
com.netscape.cmsutil.net.ISocketFactory;
++import org.dogtagpki.server.PKIClientSocketListener;
++
+ public class HttpConnector implements IConnector {
+ protected IAuthority mSource = null;
+ protected IRemoteAuthority mDest = null;
+@@ -55,8 +57,12 @@ public class HttpConnector implements IConnector {
+ mTimeout = 0;
+ mSource = source;
+ mDest = dest;
++ PKIClientSocketListener sockListener = new PKIClientSocketListener();
+ mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
+ 
++ JssSSLSocketFactory factory = (JssSSLSocketFactory)mFactory;
++ factory.addSocketListener(sockListener);
++
+ int minConns = config.getInteger("minHttpConns", 1);
+ int maxConns = config.getInteger("maxHttpConns", 15);
+ 
+@@ -82,8 +88,12 @@ public class HttpConnector implements IConnector {
+ mSource = source;
+ mDest = dest;
+ mTimeout = timeout;
++ PKIClientSocketListener sockListener = new PKIClientSocketListener();
+ mFactory = new JssSSLSocketFactory(nickName, clientCiphers);
+ 
++ JssSSLSocketFactory factory = (JssSSLSocketFactory) mFactory;
++ factory.addSocketListener(sockListener);
++
+ int minConns = config.getInteger("minHttpConns", 1);
+ int maxConns = config.getInteger("maxHttpConns", 15);
+ 
+diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
+index e6d9ced..cc73077 100644
+--- a/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
++++ b/base/server/cmscore/src/com/netscape/cmscore/connector/Resender.java
+@@ -39,6 +39,8 @@ import com.netscape.certsrv.request.RequestStatus;
+ import com.netscape.cmscore.util.Debug;
+ import com.netscape.cmsutil.http.JssSSLSocketFactory;
+ 
++import org.dogtagpki.server.PKIClientSocketListener;
++
+ /**
+ * Resend requests at intervals to the server to check if it's been completed.
+ * Default interval is 5 minutes.
+@@ -127,7 +129,11 @@ public class Resender implements IResender {
+ 
+ if (!
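Review bot: Both HttpConnector constructors now carry the same four-line listener setup, and each assigns `mFactory` and then casts it back to `JssSSLSocketFactory` on the following line. Building the concrete factory first removes the cast and the duplication: `JssSSLSocketFactory factory = new JssSSLSocketFactory(nickName, clientCiphers);` / `factory.addSocketListener(new PKIClientSocketListener());` / `mFactory = factory;`, ideally in one private helper both constructors call. The constructors continue outside the hunks.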
connected) { + CMS.debug("Connecting ..."); +- mConn = new HttpConnection(mDest, new JssSSLSocketFactory(mNickName, mClientCiphers)); ++ PKIClientSocketListener sockListener = new PKIClientSocketListener(); ++ JssSSLSocketFactory factory = new JssSSLSocketFactory(mNickName, mClientCiphers); ++ factory.addSocketListener(sockListener); ++ ++ mConn = new HttpConnection(mDest, factory); + initRequests(); + connected = true; + } +diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java +index d0c23ed..e9f28c9 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java +@@ -35,6 +35,8 @@ import com.netscape.certsrv.base.IConfigStore; + import netscape.ldap.LDAPException; + import netscape.ldap.LDAPSSLSocketFactoryExt; + ++import org.dogtagpki.server.PKIClientSocketListener; ++ + /** + * Uses HCL ssl socket. 
+ * +@@ -46,6 +48,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + private String mClientAuthCertNickname; + private boolean mClientAuth; + private boolean keepAlive; ++ PKIClientSocketListener sockListener = null; + + public PKISocketFactory() { + init(); +@@ -67,6 +70,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + IConfigStore cs = CMS.getConfigStore(); + keepAlive = cs.getBoolean("tcp.keepAlive", true); + CMS.debug("TCP Keep-Alive: " + keepAlive); ++ sockListener = new PKIClientSocketListener(); + + } catch (Exception e) { + CMS.debug(e); +@@ -75,6 +79,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + } + + public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException { ++ String method = "ldapconn/PKISocketFactory.makeSSLSocket: "; ++ CMS.debug(method + "begins"); + + /* + * let inherit TLS range and cipher settings +@@ -100,6 +106,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + s.setUseClientMode(true); + s.enableV2CompatibleHello(false); + ++ s.addSocketListener(sockListener); ++ + SSLHandshakeCompletedListener listener = null; + + listener = new ClientHandshakeCB(this); +@@ -119,7 +127,6 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt { + } + + public Socket makeSocket(String host, int port) throws LDAPException { +- + Socket s = null; + + try { +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index e9bf03e..60a3355 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -208,11 +208,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging + log.instance.SignedAudit._002=## + log.instance.SignedAudit._003=## + log.instance.SignedAudit._004=## Available Audit events: +-log.instance.SignedAudit._005=## 
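Review bot: `s.addSocketListener(sockListener)` in makeSSLSocket can pass null: `sockListener` is assigned at the end of `init()`'s try block, after `CMS.getConfigStore()` and the keepAlive read, and the catch only logs, so a failure there leaves the field at its `null` initializer. The JssSSLSocketFactory hunk in this same patch guards the identical call with `if (this.sockListener != null)`; mirror that here, `if (sockListener != null) s.addSocketListener(sockListener);`, or construct the listener before the try since it does not appear to depend on the config store. makeSSLSocket continues outside the hunk.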
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION ++log.instance.SignedAudit._005=## 
AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL ++log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 +diff --git a/base/util/src/com/netscape/cmsutil/http/HttpClient.java b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +index db042a7..2204e19 100644 +--- a/base/util/src/com/netscape/cmsutil/http/HttpClient.java ++++ b/base/util/src/com/netscape/cmsutil/http/HttpClient.java +@@ -46,6 +46,9 @@ public class HttpClient { + protected BufferedReader mBufferedReader = null; + protected SSLCertificateApprovalCallback mCertApprovalCallback = null; + protected boolean mConnected = false; ++ // for auditing purposes ++ protected String mHost; ++ protected String mPort; + + public HttpClient() { + } +@@ -63,6 +66,9 @@ public class HttpClient { + int timeout // milliseconds + ) throws IOException { + ++ mHost = host; ++ mPort = Integer.toString(port); ++ + if (mFactory != null) { + if (mCertApprovalCallback == null) { + mSocket = mFactory.makeSocket(host, port, timeout); +@@ -149,6 +155,14 @@ public class HttpClient { + return mSocket; + } + ++ public String getHost() { ++ return mHost; ++ } ++ ++ public String getPort() { ++ return mPort; ++ } ++ + /** + * unit test + */ +diff --git a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java 
b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+index eaed821..0d176ad 100644
+--- a/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
++++ b/base/util/src/com/netscape/cmsutil/http/JssSSLSocketFactory.java
+@@ -27,6 +27,7 @@ import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
+ import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
+ import org.mozilla.jss.ssl.SSLHandshakeCompletedListener;
+ import org.mozilla.jss.ssl.SSLSocket;
++import org.mozilla.jss.ssl.SSLSocketListener;
+ 
+ import com.netscape.cmsutil.net.ISocketFactory;
+ import com.netscape.cmsutil.crypto.CryptoUtil;
+@@ -40,6 +41,7 @@ public class JssSSLSocketFactory implements ISocketFactory {
+ private String mClientAuthCertNickname = null;
+ private String mClientCiphers = null;
+ private SSLSocket s = null;
++ private SSLSocketListener sockListener = null;
+ 
+ public JssSSLSocketFactory() {
+ }
+@@ -83,6 +85,8 @@ public class JssSSLSocketFactory implements ISocketFactory {
+ 
+ listener = new ClientHandshakeCB(this);
+ s.addHandshakeCompletedListener(listener);
++ if (this.sockListener != null)
++ s.addSocketListener(this.sockListener);
+ 
+ if (mClientAuthCertNickname != null) {
+ // 052799 setClientCertNickname does not
+@@ -131,6 +135,10 @@ public class JssSSLSocketFactory implements ISocketFactory {
+ return s;
+ }
+ 
++ public void addSocketListener(SSLSocketListener sl) {
++ this.sockListener = sl;
++ }
++
+ public void log(int level, String msg) {
+ }
+ 
+-- 
+1.8.3.1
+
+
+From 44030bf381dc868e64c0e80d112bce72a626e8fb Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Fri, 31 Aug 2018 08:52:22 -0700
+Subject: [PATCH 09/19] Ticket2960 add SHA384 ciphers and cleanup profiles
+
+Note: this is a 2nd attempt as the first attempt was reverted due to
+"breakage" of post-checkin-enablement of the IPA CI, which is
+speculated to have used a server cert as a client cert which violated
+one of the very essence of the "profile cleanup" part of the original
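Review bot: `addSocketListener` is a setter in disguise — it overwrites the single `sockListener` field, so a second registration silently discards the first, which the `add` name does not suggest. Every caller in this patch registers exactly one PKIClientSocketListener, so nothing breaks today, but the API invites a silent loss of audit coverage later. Either rename it `setSocketListener` or hold a list and register each listener in makeSocket, as sketched below (needs `java.util.List` and `java.util.ArrayList` imports); the null guard then moves into the add method.
```java
private final List<SSLSocketListener> sockListeners = new ArrayList<>();
// … unchanged: constructors and the start of makeSocket() …
s.addHandshakeCompletedListener(listener);
for (SSLSocketListener sl : sockListeners) {
    s.addSocketListener(sl);
}
// … unchanged: client-auth nickname handling through return s …
public void addSocketListener(SSLSocketListener sl) {
    if (sl != null) {
        sockListeners.add(sl);
    }
}
```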
+patch; As a compromise, the clientAuth bit was added back to all +non-CMC *server* profiles so the patch will pass the IPA CI. +The revised patch has been adquately tested in addition to passing +the IPA CI. + +This patch adds SHA384 ciphers to the cipher lists (RSA & EC) + +CryptoUtil.java contains changes to clientECCiphers: + - RSA ciphers comemented out + - SHA384 ciphers are added but RSA ones commented out + +Also added SHA384withRSA to ca.profiles.defaultSigningAlgsAllowed. + +In addition, a few cleanups are done: +- all MD2, MD5 from allowed signing key algs from profiles +- server profiles: + * removed clientAuth oid 1.3.6.1.5.5.7.3.2 from cmc server profiles + * fixed a couple KU's (RSA vs EC) that had true/false flipped +- caCMCkraStorageCert.cfg + * removed EKU (funny it had clientAuth) +- caCMCkraTransportCert.cfg + * removed EKU (funny it had clientAuth) +- base/ca/shared/conf/eccServerCert.profile + * added the missing CommonNameToSANDefault + +Tested with the following: +- installation of an RSA CA and a KRA (strip down to only SHA384 ciphers) + * performed successful agent access + * tested key archival +- installation of an EC CA (strip down to only SHA384 ciphers) + * performed successful agent access + * tested an agent-signed CMC request and submitted/issued successfully + using HttpClient + +The above tests showed: +- The SHA384 ciphers work out of box +- The TLS server and client profiles changes did not break any TLS connections. +- The KRA storage and transport profile changes did not break anything. 
+
+fixes https://pagure.io/dogtagpki/issue/2960
+
+Change-Id: Ia41dfbcec972cb18752b50056f29edf61cb3ce61
+(cherry picked from commit 97e290663f29d5b2c5afab18e4a7c90af05c874c)
+---
+ base/ca/shared/conf/CS.cfg | 2 +-
+ base/ca/shared/conf/eccAdminCert.profile | 2 +-
+ base/ca/shared/conf/eccServerCert.profile | 4 +++-
+ base/ca/shared/conf/rsaAdminCert.profile | 2 +-
+ base/ca/shared/profiles/ca/AdminCert.cfg | 6 +++---
+ base/ca/shared/profiles/ca/ECAdminCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caAdminCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caAgentFileSigning.cfg | 2 +-
+ base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caCMCUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 8 +-------
+ base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 8 +-------
+ base/ca/shared/profiles/ca/caCMCserverCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caCrossSignedCACert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caDirBasedDualCert.cfg | 8 ++++----
+ base/ca/shared/profiles/ca/caDirPinUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caDualCert.cfg | 6 +++---
+ base/ca/shared/profiles/ca/caDualRAuserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caECAdminCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECDirUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECDualCert.cfg | 3 +--
+ base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caECUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caEncUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caIPAserviceCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caInstallCACert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caJarSigningCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caOtherCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caRACert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caRARouterCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caRAagentCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caRAserverCert.cfg | 12 ++++++++----
+ base/ca/shared/profiles/ca/caRouterCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caSigningUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 4 ++--
+ base/ca/shared/profiles/ca/caStorageCert.cfg | 10 ++--------
+ base/ca/shared/profiles/ca/caTPSCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caUserCert.cfg | 2 +-
+ base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg | 2 +-
+ .../netscape/cms/profile/common/CACertCAEnrollProfile.java | 2 +-
+ .../src/com/netscape/cms/profile/def/SigningAlgDefault.java | 2 +-
+ base/server/python/pki/server/deployment/pkiparser.py | 10 ++++++++--
+ base/server/share/conf/ciphers.info | 4 ++--
+ base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 12 ++++++++++--
+ 56 files changed, 103 insertions(+), 102 deletions(-)
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 6b39b0a..4cef240 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
+ ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
+ ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
+ ca.ocsp_signing.tokenname=internal
+-ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
++ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
+ ca.publish.createOwnDNEntry=false
+ ca.publish.queue.enable=true
+ ca.publish.queue.maxNumberOfThreads=3
+diff --git a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
+index 46d157a..219944a 100644
+--- a/base/ca/shared/conf/eccAdminCert.profile
++++ b/base/ca/shared/conf/eccAdminCert.profile
+@@ -26,7 +26,7 @@ list=2,4,5,6,7
+ 6.default.params.keyUsageCritical=true
+ 6.default.params.keyUsageDigitalSignature=true
+ 6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageDataEncipherment=false
+ 6.default.params.keyUsageKeyEncipherment=false
+ 6.default.params.keyUsageKeyAgreement=true
+ 6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
+index 8c679f7..d990e77 100644
+--- a/base/ca/shared/conf/eccServerCert.profile
++++ b/base/ca/shared/conf/eccServerCert.profile
+@@ -6,7 +6,7 @@ name=All Purpose SSL server cert with ECC keys Profile
+ description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
+ profileIDMapping=caECServerCert
+ profileSetIDMapping=serverCertSet
+-list=2,4,5,6,7
++list=2,4,5,6,7,8
+ 2.default.class=com.netscape.cms.profile.def.ValidityDefault
+ 2.default.name=Validity Default
+ 2.default.params.range=720
+@@ -37,3 +37,5 @@ list=2,4,5,6,7
+ 7.default.name=Extended Key Usage Extension Default
+ 7.default.params.exKeyUsageCritical=false
+ 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
++8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
++8.default.name=copy CN to SAN Default
+diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
+index 5e84d74..7b3668c 100644
+--- a/base/ca/shared/conf/rsaAdminCert.profile
++++ b/base/ca/shared/conf/rsaAdminCert.profile
+@@ -26,7 +26,7 @@ list=2,4,5,6,7
+ 6.default.params.keyUsageCritical=true
+ 6.default.params.keyUsageDigitalSignature=true
+ 6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageDataEncipherment=false
+ 6.default.params.keyUsageKeyEncipherment=true
+ 6.default.params.keyUsageKeyAgreement=false
+ 6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg
+index 7879614..18cbc2f 100644
+--- a/base/ca/shared/profiles/ca/AdminCert.cfg
++++ b/base/ca/shared/profiles/ca/AdminCert.cfg
+@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
+ policyset.adminCertSet.6.default.params.keyUsageCritical=true
+ policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false
+ policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false
+@@ -80,7 +80,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.adminCertSet.8.constraint.name=No Constraint
+-policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.adminCertSet.8.default.name=Signing Alg
+ policyset.adminCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+index e00022e..38562a6 100644
+--- a/base/ca/shared/profiles/ca/ECAdminCert.cfg
++++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg
+@@ -53,7 +53,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.adminCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -65,7 +65,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default
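Review bot: The new `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed` value in the `@@ -80,7 +80,7 @@` hunk of AdminCert.cfg still permits SHA1withRSA, SHA1withDSA and SHA1withEC; the commit removes MD5withRSA and MD2withRSA but leaves SHA-1 signature generation allowed for newly issued admin certificates, which NIST SP 800-131A and the CA/Browser Forum Baseline Requirements no longer accept. Unless a documented compatibility need requires SHA-1 here, the constraint could be aligned with the SHA-2-only default this same patch sets in CS.cfg: `policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC`. The same point applies to the signingAlgsAllowed hunks in caAgentFileSigning.cfg, caCrossSignedCACert.cfg, caDirBasedDualCert.cfg, caDirPinUserCert.cfg, caDirUserCert.cfg, caDualCert.cfg, caDualRAuserCert.cfg and caECDualCert.cfg, whereas the caCMCserverCert.cfg, caCMCkraStorageCert.cfg and caCMCkraTransportCert.cfg profiles in this patch already carry a SHA-2-only list. If SHA-1 is kept on purpose, a one-line comment above the property stating the compatibility reason and the planned removal would help the next reviewer.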
policyset.adminCertSet.6.default.params.keyUsageCritical=true + policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg +index 86a3b11..6598677 100644 +--- a/base/ca/shared/profiles/ca/caAdminCert.cfg ++++ b/base/ca/shared/profiles/ca/caAdminCert.cfg +@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.adminCertSet.6.constraint.params.keyUsageCritical=true + policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=true + policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=false + policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default + policyset.adminCertSet.6.default.params.keyUsageCritical=true + policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=true + 
policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=false + policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg +index 5608373..cc65afc 100644 +--- a/base/ca/shared/profiles/ca/caAgentFileSigning.cfg ++++ b/base/ca/shared/profiles/ca/caAgentFileSigning.cfg +@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false + policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.3 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint +-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl + policyset.serverCertSet.8.default.name=Signing Alg + policyset.serverCertSet.8.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +index b7b4881..226c05c 100644 +--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false + 
policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg +index 53b0c4d..68c59fb 100644 +--- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg +@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint + policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl + policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default + policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint + policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +index 
df47758..657b98e 100644 +--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +@@ -52,7 +52,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true + policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false + policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -64,7 +64,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default + policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true + policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true + policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false + policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +index 1c2630d..908f584 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg +@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=drmStorageCertSet +-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9 ++policyset.drmStorageCertSet.list=1,2,3,4,5,6,9 + 
policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint + policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.* +@@ -71,12 +71,6 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false + policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false + policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false + policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false +-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl +-policyset.drmStorageCertSet.7.constraint.name=No Constraint +-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default +-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false +-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.drmStorageCertSet.9.constraint.name=No Constraint + policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +index 3d00408..628253d 100644 +--- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg +@@ -10,7 +10,7 @@ input.i1.class_id=cmcCertReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=transportCertSet +-policyset.transportCertSet.list=1,2,3,4,5,6,7,8 ++policyset.transportCertSet.list=1,2,3,4,5,6,8 + policyset.transportCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.transportCertSet.1.constraint.name=Subject Name Constraint + policyset.transportCertSet.1.constraint.params.pattern=CN=.* +@@ -71,12 +71,6 @@ 
policyset.transportCertSet.6.default.params.keyUsageKeyCertSign=false + policyset.transportCertSet.6.default.params.keyUsageCrlSign=false + policyset.transportCertSet.6.default.params.keyUsageEncipherOnly=false + policyset.transportCertSet.6.default.params.keyUsageDecipherOnly=false +-policyset.transportCertSet.7.constraint.class_id=noConstraintImpl +-policyset.transportCertSet.7.constraint.name=No Constraint +-policyset.transportCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl +-policyset.transportCertSet.7.default.name=Extended Key Usage Extension Default +-policyset.transportCertSet.7.default.params.exKeyUsageCritical=false +-policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 + policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.transportCertSet.8.constraint.name=No Constraint + policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg +index 9ad9fac..628fc50 100644 +--- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg +@@ -76,7 +76,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint + policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl + policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default + policyset.serverCertSet.7.default.params.exKeyUsageCritical=false +-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 ++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 + policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl + policyset.serverCertSet.8.constraint.name=No Constraint + 
policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg +index 8fafbdf..efc35a3 100644 +--- a/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg ++++ b/base/ca/shared/profiles/ca/caCrossSignedCACert.cfg +@@ -76,7 +76,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default + policyset.caCertSet.8.default.params.critical=false + policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.caCertSet.9.constraint.name=No Constraint +-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.caCertSet.9.default.name=Signing Alg + policyset.caCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg +index 3f34684..ac761c9 100644 +--- a/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg ++++ b/base/ca/shared/profiles/ca/caDirBasedDualCert.cfg +@@ -1,6 +1,6 @@ + desc=This certificate profile is for enrolling dual user certificates. It works only with Netscape 7.0 or later. 
+ visible=true +-enable=true ++enable=false + enableBy=admin + name=Directory-authenticated User Signing & Encryption Certificates Enrollment + auth.instance_id=UserDirEnrollment +@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.encryptionCertSet.9.constraint.name=No Constraint +-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC ++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC + policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.encryptionCertSet.9.default.name=Signing Alg + policyset.encryptionCertSet.9.default.params.signingAlg=- +@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.signingCertSet.9.constraint.name=No Constraint +-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC + policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.signingCertSet.9.default.name=Signing Alg + policyset.signingCertSet.9.default.params.signingAlg=- 
+-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg +index af2b5e5..f9e24b9 100644 +--- a/base/ca/shared/profiles/ca/caDirPinUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caDirPinUserCert.cfg +@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint +-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg +index 0b7f6b7..2e90d97 100644 +--- a/base/ca/shared/profiles/ca/caDirUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg +@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint 
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caDualCert.cfg b/base/ca/shared/profiles/ca/caDualCert.cfg +index 87036d1..c5cf168 100644 +--- a/base/ca/shared/profiles/ca/caDualCert.cfg ++++ b/base/ca/shared/profiles/ca/caDualCert.cfg +@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.encryptionCertSet.9.constraint.name=No Constraint +-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.encryptionCertSet.9.default.name=Signing Alg + policyset.encryptionCertSet.9.default.params.signingAlg=- +@@ -161,8 +161,8 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.signingCertSet.9.constraint.name=No Constraint 
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.signingCertSet.9.default.name=Signing Alg + policyset.signingCertSet.9.default.params.signingAlg=- +-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg +index 7d61b36..e25b4bb 100644 +--- a/base/ca/shared/profiles/ca/caDualRAuserCert.cfg ++++ b/base/ca/shared/profiles/ca/caDualRAuserCert.cfg +@@ -88,7 +88,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint +-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- 
+diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg +index d57bae1..84cab82 100644 +--- a/base/ca/shared/profiles/ca/caECAdminCert.cfg ++++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg +@@ -54,7 +54,7 @@ policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.adminCertSet.6.constraint.params.keyUsageCritical=true + policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false + policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true + policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -66,7 +66,7 @@ policyset.adminCertSet.6.default.name=Key Usage Default + policyset.adminCertSet.6.default.params.keyUsageCritical=true + policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg +index 4143102..7b33de6 100644 +--- a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg +@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.userCertSet.6.constraint.params.keyUsageCritical=true + 
policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default + policyset.userCertSet.6.default.params.keyUsageCritical=true + policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg +index b65999e..11eafa7 100644 +--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg +@@ -57,7 +57,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint + policyset.userCertSet.6.constraint.params.keyUsageCritical=true + policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true + 
policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false +@@ -69,7 +69,7 @@ policyset.userCertSet.6.default.name=Key Usage Default + policyset.userCertSet.6.default.params.keyUsageCritical=true + policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true + policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true +-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true ++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false + policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true + policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false +diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg +index 0a56caf..663aa13 100644 +--- a/base/ca/shared/profiles/ca/caECDualCert.cfg ++++ b/base/ca/shared/profiles/ca/caECDualCert.cfg +@@ -161,8 +161,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.signingCertSet.9.constraint.name=No Constraint +-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.signingCertSet.9.default.name=Signing Alg + policyset.signingCertSet.9.default.params.signingAlg=- +-policyset.signingCertSet.9.default.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC +diff --git 
a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+index 48e6499..b3cc471 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+@@ -48,7 +48,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -60,7 +60,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+index b24cb03..822e96b 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
+@@ -51,7 +51,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -63,7 +63,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+index e7b60ee..5a817df 100644
+--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
+@@ -59,7 +59,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -71,7 +71,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+index 8580544..24d61ca 100644
+--- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
++++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
+@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
+ policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+ policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+index 8df3576..3d072a2 100644
+--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
+@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg
+index a6bf04a..dda7282 100644
+--- a/base/ca/shared/profiles/ca/caECUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECUserCert.cfg
+@@ -59,7 +59,7 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.userCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
+@@ -71,7 +71,7 @@ policyset.userCertSet.6.default.name=Key Usage Default
+ policyset.userCertSet.6.default.params.keyUsageCritical=true
+ policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
+ policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
+ policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
+diff --git a/base/ca/shared/profiles/ca/caEncUserCert.cfg b/base/ca/shared/profiles/ca/caEncUserCert.cfg
+index 07e78f9..c166b28 100644
+--- a/base/ca/shared/profiles/ca/caEncUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caEncUserCert.cfg
+@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.encryptionCertSet.9.constraint.name=No Constraint
+-policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.encryptionCertSet.9.default.name=Signing Alg
+ policyset.encryptionCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+index 9603758..42d802e 100644
+--- a/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
++++ b/base/ca/shared/profiles/ca/caIPAserviceCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInstallCACert.cfg b/base/ca/shared/profiles/ca/caInstallCACert.cfg
+index 7bdb180..ba942d7 100644
+--- a/base/ca/shared/profiles/ca/caInstallCACert.cfg
++++ b/base/ca/shared/profiles/ca/caInstallCACert.cfg
+@@ -80,7 +80,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default
+ policyset.caCertSet.8.default.params.critical=false
+ policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.caCertSet.9.constraint.name=No Constraint
+-policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.caCertSet.9.default.name=Signing Alg
+ policyset.caCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+index 5acc174..60d560d 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg
+@@ -80,7 +80,7 @@ policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.drmStorageCertSet.9.constraint.name=No Constraint
+-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.drmStorageCertSet.9.default.name=Signing Alg
+ policyset.drmStorageCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+index 8788f94..982c868 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
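Review bot: The new `signingAlgsAllowed` line in the caInstallCACert.cfg hunk still permits `SHA1withRSA,SHA1withDSA,SHA1withEC`; the same holds for every signingAlgsAllowed hunk in this patch, which only removes MD2 and MD5. SHA-1 has practical chosen-prefix collisions, and CA-certificate issuance is the case where that matters most, so a constraint being tightened here should either drop the SHA-1 entries or carry a comment above the line stating that they are kept deliberately, e.g. `# SHA1with* retained only for legacy chains; remove when no longer required`. The `default.params.signingAlg=-` line below presumably defers to the CA's own signing algorithm, so the constraint list is what bounds any algorithm a requester asks for, which makes the remaining SHA-1 entries the effective policy.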
++++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg
+@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
+ policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
+ policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.ocspCertSet.9.constraint.name=No Constraint
+-policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.ocspCertSet.9.default.name=Signing Alg
+ policyset.ocspCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+index de3c2a5..25538e7 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
+@@ -78,7 +78,7 @@ policyset.serverCertSet.7.constraint.name=No Constraint
+ policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+ policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+index 9f7680a..bdc69bc 100644
+--- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
++++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg
+@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.transportCertSet.8.constraint.name=No Constraint
+-policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.transportCertSet.8.default.name=Signing Alg
+ policyset.transportCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caJarSigningCert.cfg b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+index f5f5e62..8aea48d 100644
+--- a/base/ca/shared/profiles/ca/caJarSigningCert.cfg
++++ b/base/ca/shared/profiles/ca/caJarSigningCert.cfg
+@@ -80,7 +80,7 @@ policyset.caJarSigningSet.5.default.params.nsCertSSLClient=false
+ policyset.caJarSigningSet.5.default.params.nsCertSSLServer=false
+ policyset.caJarSigningSet.6.constraint.class_id=signingAlgConstraintImpl
+ policyset.caJarSigningSet.6.constraint.name=No Constraint
+-policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.caJarSigningSet.6.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.caJarSigningSet.6.default.class_id=signingAlgDefaultImpl
+ policyset.caJarSigningSet.6.default.name=Signing Alg
+ policyset.caJarSigningSet.6.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caOtherCert.cfg b/base/ca/shared/profiles/ca/caOtherCert.cfg
+index e5cf627..5b8f50e 100644
+--- a/base/ca/shared/profiles/ca/caOtherCert.cfg
++++ b/base/ca/shared/profiles/ca/caOtherCert.cfg
+@@ -79,7 +79,7 @@ policyset.otherCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.otherCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+ policyset.otherCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.otherCertSet.8.constraint.name=No Constraint
+-policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.otherCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.otherCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.otherCertSet.8.default.name=Signing Alg
+ policyset.otherCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRACert.cfg b/base/ca/shared/profiles/ca/caRACert.cfg
+index 9774566..fb1199e 100644
+--- a/base/ca/shared/profiles/ca/caRACert.cfg
++++ b/base/ca/shared/profiles/ca/caRACert.cfg
+@@ -79,7 +79,7 @@ policyset.raCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.raCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.raCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.raCertSet.8.constraint.name=No Constraint
+-policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.raCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.raCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.raCertSet.8.default.name=Signing Alg
+ policyset.raCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRARouterCert.cfg b/base/ca/shared/profiles/ca/caRARouterCert.cfg
+index 05b3a72..c504285 100644
+--- a/base/ca/shared/profiles/ca/caRARouterCert.cfg
++++ b/base/ca/shared/profiles/ca/caRARouterCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRAagentCert.cfg b/base/ca/shared/profiles/ca/caRAagentCert.cfg
+index 2199b26..db22f90 100644
+--- a/base/ca/shared/profiles/ca/caRAagentCert.cfg
++++ b/base/ca/shared/profiles/ca/caRAagentCert.cfg
+@@ -89,7 +89,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.userCertSet.9.default.name=Signing Alg
+ policyset.userCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caRAserverCert.cfg b/base/ca/shared/profiles/ca/caRAserverCert.cfg
+index 3a6cefa..e2406b4 100644
+--- a/base/ca/shared/profiles/ca/caRAserverCert.cfg
++++ b/base/ca/shared/profiles/ca/caRAserverCert.cfg
+@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=serverCertSet
+-policyset.serverCertSet.list=1,2,3,4,5,6,7,8
++policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9
+ policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+ policyset.serverCertSet.1.constraint.params.pattern=CN=.*
+@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.serverCertSet.6.default.name=Key Usage Default
+ policyset.serverCertSet.6.default.params.keyUsageCritical=true
+ policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
+ policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+ policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+@@ -79,7 +79,11 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
++policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
++policyset.serverCertSet.9.constraint.name=No Constraint
++policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl
++policyset.serverCertSet.9.default.name=copy CN to SAN Default
+diff --git a/base/ca/shared/profiles/ca/caRouterCert.cfg
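Review bot: The added policy 9 (`commonNameToSANDefaultImpl`, "copy CN to SAN Default") promotes whatever the subject CN holds into the subjectAltName, yet the subject-name constraint of this same profile, visible in the first caRAserverCert.cfg hunk, is `policyset.serverCertSet.1.constraint.params.pattern=CN=.*`, which accepts any string. Nothing in the profile checks that the CN is a host name before it is copied (presumably as a dNSName), so a request carrying an arbitrary CN yields a certificate asserting that value in SAN; that is acceptable only if the profile is agent-approved or otherwise authenticated, which this patch does not show. Either tighten the pattern to a hostname shape or record the reliance explicitly next to the new lines, e.g. `# policy 9 copies the CN into SAN unchecked; the CN must be verified by the approving agent`. The flip of `keyUsageNonRepudiation` to false in the earlier hunks is consistent with the TLS-server EKU `1.3.6.1.5.5.7.3.1` shown in this hunk.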
b/base/ca/shared/profiles/ca/caRouterCert.cfg
+index 3364675..b306102 100644
+--- a/base/ca/shared/profiles/ca/caRouterCert.cfg
++++ b/base/ca/shared/profiles/ca/caRouterCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caSigningUserCert.cfg b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+index f197ffa..7fac691 100644
+--- a/base/ca/shared/profiles/ca/caSigningUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caSigningUserCert.cfg
+@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
+ policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
+ policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.signingCertSet.9.constraint.name=No Constraint
+-policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.signingCertSet.9.default.name=Signing Alg
+ policyset.signingCertSet.9.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+index a55873f..6987061 100644
+--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
+@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+ policyset.cmcUserCertSet.6.default.name=Key Usage Default
+ policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+ policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+ policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+diff --git a/base/ca/shared/profiles/ca/caStorageCert.cfg b/base/ca/shared/profiles/ca/caStorageCert.cfg
+index c8e7205..62d6968 100644
+--- a/base/ca/shared/profiles/ca/caStorageCert.cfg
++++ b/base/ca/shared/profiles/ca/caStorageCert.cfg
+@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
+ output.list=o1
+ output.o1.class_id=certOutputImpl
+ policyset.list=drmStorageCertSet
+-policyset.drmStorageCertSet.list=1,2,3,4,5,6,7,9
++policyset.drmStorageCertSet.list=1,2,3,4,5,6,9
+ policyset.drmStorageCertSet.1.constraint.class_id=subjectNameConstraintImpl
+ policyset.drmStorageCertSet.1.constraint.name=Subject Name Constraint
+ policyset.drmStorageCertSet.1.constraint.params.pattern=CN=.*
+@@ -71,15 +71,9 @@ policyset.drmStorageCertSet.6.default.params.keyUsageKeyCertSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageCrlSign=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageEncipherOnly=false
+ policyset.drmStorageCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.drmStorageCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.drmStorageCertSet.7.constraint.name=No Constraint
+-policyset.drmStorageCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.drmStorageCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+ policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.drmStorageCertSet.9.constraint.name=No Constraint
+-policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl
+ policyset.drmStorageCertSet.9.default.name=Signing Alg
+ policyset.drmStorageCertSet.9.default.params.signingAlg=-
+diff --git
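Review bot: Policy 7 (extendedKeyUsage with clientAuth `1.3.6.1.5.5.7.3.2`) is removed from caStorageCert.cfg and `policyset.drmStorageCertSet.list` is trimmed to `1,2,3,4,5,6,9`, but the sibling caInternalAuthDRMstorageCert.cfg, patched earlier in this same series, keeps `policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2` as untouched context. A KRA storage certificate is presumably used only to wrap archived keys, so a TLS client EKU is no more appropriate in the internal-auth variant than here; either apply the same removal there or add a line in this file explaining the difference, e.g. `# no EKU policy: the storage cert is used for key wrapping only, never for TLS`. Leaving the gap at id 7 instead of renumbering is fine as long as the `.list` key is what the loader consults, which the first hunk suggests.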
a/base/ca/shared/profiles/ca/caTPSCert.cfg b/base/ca/shared/profiles/ca/caTPSCert.cfg
+index 82a217a..4f98512 100644
+--- a/base/ca/shared/profiles/ca/caTPSCert.cfg
++++ b/base/ca/shared/profiles/ca/caTPSCert.cfg
+@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+ policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+ policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+ policyset.serverCertSet.8.constraint.name=No Constraint
+-policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+ policyset.serverCertSet.8.default.name=Signing Alg
+ policyset.serverCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+index 43caf26..ef8ab5f 100644
+--- a/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
++++ b/base/ca/shared/profiles/ca/caUUIDdeviceCert.cfg
+@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtSource_1=UUID4
+ policyset.userCertSet.8.default.params.subjAltNameNumGNs=2
+ policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
+ policyset.userCertSet.9.constraint.name=No Constraint
+-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+ 
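Review bot: The context line `policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4` in the caTPSCert.cfg hunk keeps emailProtection (`1.3.6.1.5.5.7.3.4`) on a subsystem server certificate, while this same series strips that OID from caInternalAuthServerCert.cfg and caECInternalAuthServerCert.cfg. Unless the TPS certificate is genuinely used for S/MIME, which nothing here suggests, the hunk should also change that line to `policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2`, or a comment above it should state why TPS differs from the other server profiles. The new signingAlgsAllowed line below it still admits the three SHA-1 variants, as in every other profile in the patch.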
policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg +index 9164dac..62bc40c 100644 +--- a/base/ca/shared/profiles/ca/caUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caUserCert.cfg +@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint +-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg +index 43b6e85..81fc027 100644 +--- a/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg ++++ b/base/ca/shared/profiles/ca/caUserSMIMEcapCert.cfg +@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true + policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 + policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.userCertSet.9.constraint.name=No Constraint +-policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
++policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.userCertSet.9.default.name=Signing Alg + policyset.userCertSet.9.default.params.signingAlg=- +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java +index 1ae2f08..c4f2d6b 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/CACertCAEnrollProfile.java +@@ -76,7 +76,7 @@ public class CACertCAEnrollProfile extends CAEnrollProfile + IConfigStore defConfig4 = def4.getConfigStore(); + defConfig4.putString("params.signingAlg", "-"); + defConfig4.putString("params.signingAlgsAllowed", +- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); ++ "SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC"); + + // extensions + IProfilePolicy policy5 = +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java +index 81ad58c..97f221e 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/SigningAlgDefault.java +@@ -46,7 +46,7 @@ public class SigningAlgDefault extends EnrollDefault { + + public static final String VAL_ALGORITHM = "signingAlg"; + public static final String DEF_CONFIG_ALGORITHMS = +- "-,MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA"; ++ "-,SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA"; + + public SigningAlgDefault() { + super(); +diff --git a/base/server/python/pki/server/deployment/pkiparser.py 
b/base/server/python/pki/server/deployment/pkiparser.py +index 53296fc..3e0c9d2 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1152,7 +1152,9 @@ class PKIConfigParser: + "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ +- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ++ "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384," + \ ++ "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" + else: + self.mdict['TOMCAT_SSL_RANGE_CIPHERS_SLOT'] = \ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ +@@ -1186,7 +1188,11 @@ class PKIConfigParser: + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA" ++ "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ ++ "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ ++ "-TLS_RSA_WITH_AES_256_GCM_SHA384" + + if self.deployer.architecture == 64: + self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index 44c6e4b..e51bffd 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -123,8 +123,8 @@ + # + ## + # For RSA servers: +- 
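Review bot: Both hunks have to rewrite the previous final literal only to append a trailing comma (`"-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"` becomes `"-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"`), and a forgotten comma in this concatenation style silently fuses two cipher names into one token that the consumer would presumably treat as a single unknown suite instead of reporting an error. Building the value as `",".join((...))` with every element on its own line and every line ending in a comma would make future additions one-line changes and keep the order reviewable. The enclosing method starts and ends outside the hunk, and the same default list is maintained by hand a second time in ciphers.info in the next hunk, so each edit currently has to be made twice.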
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" + # + # + # For ECC servers: +- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" +diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +index d3036f3..c1688e4 100644 +--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java ++++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java +@@ -188,13 +188,21 @@ public class CryptoUtil { + public static final int LINE_COUNT = 76; + + static public final Integer[] clientECCiphers = { ++/* + SSLSocket.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, ++*/ + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +- SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, +- 
SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++// SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, ++/* ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ++ SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ++*/ + }; + static public List clientECCipherList = new ArrayList(Arrays.asList(clientECCiphers)); + +-- +1.8.3.1 + + +From 992d97189bbcfff3427b1dcc752f6588da25e496 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 31 Aug 2018 17:08:30 -0700 +Subject: [PATCH 10/19] Ticket3027 Disable TLS_RSA_* ciphers for HSM in FIPS + mode + +This patch disables the TLS_RSA_* ciphers by default because they do not work +with HSMs in FIPS mode. +ciphers.info is also updated to reflect the changes. + +fixes https://pagure.io/dogtagpki/issue/3027 + +Change-Id: Id720b8697976bb344d6dd8e4471a1bb5403af172 +(cherry picked from commit 908514da63dd9364df0f17810d9d41bfb5c596d5) +--- + .../python/pki/server/deployment/pkiparser.py | 12 ++-- + base/server/share/conf/ciphers.info | 70 ++++++++-------------- + 2 files changed, 31 insertions(+), 51 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 3e0c9d2..2397f43 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -1130,7 +1130,7 @@ class PKIConfigParser: + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ +@@ -1146,7 +1146,7 @@ class PKIConfigParser: + "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \ + 
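Review bot: The new side leaves the excluded RSA suites as commented-out code inside the `clientECCiphers` initializer (a `/* … */` block around the two `TLS_ECDH_RSA_*` entries, a `//` before `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`, and a second `/* … */` block at the end); commented-out entries in an array initializer are easy to re-enable by accident and give the reader no reason, so delete them and keep one comment stating the intent, e.g. `// RSA-keyed suites intentionally omitted: this list is used with ECC client certificates and should track the ECC server defaults in pkiparser.py — confirm before re-adding`. The array and `clientECCipherList` (a raw `ArrayList`) remain public mutable statics, so any code in the process can alter the cipher set offered at runtime; exposing `Collections.unmodifiableList(...)` with a typed `List<Integer>` would make the default tamper-resistant. The commit message for this patch is not in view, so whether the removed suites are expected to return cannot be judged here.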
"-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ + "+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ +@@ -1183,12 +1183,12 @@ class PKIConfigParser: + "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ + "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ + "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \ + "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ + "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ +- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_128_CBC_SHA," + \ ++ "-TLS_RSA_WITH_AES_256_CBC_SHA," + \ + "+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384," + \ + "+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + \ +diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info +index e51bffd..bbb3cf1 100644 +--- a/base/server/share/conf/ciphers.info ++++ b/base/server/share/conf/ciphers.info +@@ -26,17 +26,6 @@ + # suited for the type of the server installed. Changes can be made to + # suit each site's needs. + # +-# Although TLS1.2 ciphers (SHA256) are preferred, many older clients +-# do not support them. For example, the following "preferred modern" +-# ciphers are on by default, and by simply limiting the +-# sslVersionRange* parameters, they can be turned off. 
+-# +-# TLS_RSA_WITH_AES_128_CBC_SHA256, +-# TLS_RSA_WITH_AES_256_CBC_SHA256, +-# TLS_RSA_WITH_AES_128_GCM_SHA256, +-# TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +-# TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +-# + # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy, + # which, while provide added security to the already secure and adequate + # TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions. +@@ -62,25 +51,6 @@ + # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + # +-# The following somewhat weaker ciphers (in CBC mode), though +-# adequate for the CS operations, can be turned off if so desired: +-# +-# TLS_RSA_WITH_AES_128_CBC_SHA, +-# TLS_RSA_WITH_AES_256_CBC_SHA, +-# +-# Note: In an EC CS server setup, you will see by default that the +-# following RSA ciphers are left on. Those are used for +-# installation where the actual systems certs have not yet been +-# created, and a temporary RSA ssl server cert is at play. +-# +-# Those can be turned off manually by sites. +-# +-# TLS_RSA_WITH_AES_256_CBC_SHA256, +-# TLS_RSA_WITH_AES_128_GCM_SHA256 +-# +-# These ciphers might be removed by the installation script in +-# some future release. 
+-# + # For RHEL 7.5 or greater: + # + # * all '3DES' ciphers have been disabled, +@@ -98,33 +68,43 @@ + # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, ++# +TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, + # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + # +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + # +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +-# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +-# +TLS_RSA_WITH_AES_128_CBC_SHA256, +-# +TLS_RSA_WITH_AES_256_CBC_SHA256, +-# +TLS_RSA_WITH_AES_128_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA +-# +-# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA, +-# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain +-# enabled in order to talk to the LDAP server +-# during pkispawn installation/configuration. ++# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, ++# +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + # + # Default ciphers enabled for ECC servers: + # + # +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA, + # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +-# +TLS_RSA_WITH_AES_256_CBC_SHA256, + # +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +-# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ++# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++# +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ++# ++# For RHEL 7.6 or greater: ++# ++# The following ciphers do not work with HSM in FIPS mode, and ++# are therefore disabled by default. 
++# ++# TLS_RSA_WITH_AES_256_CBC_SHA, ++# TLS_RSA_WITH_AES_128_CBC_SHA, ++# TLS_RSA_WITH_AES_128_CBC_SHA256, ++# TLS_RSA_WITH_AES_256_CBC_SHA256, ++# TLS_RSA_WITH_AES_128_GCM_SHA256, ++# TLS_RSA_WITH_AES_256_GCM_SHA384 ++# ++# note: ++# * They are currently not preferred in TLS 1.2 ++# * They are deprecated in TLS 1.3 + # + ## + # For RSA servers: +- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384" + # + # + # For ECC servers: +- 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" ++ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" +-- +1.8.3.1 + + +From 5385791f72c5fab901aa38cbc31fd2fd9af269bf Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 18 Sep 2018 16:13:29 -0700 +Subject: [PATCH 11/19] Bug1628410 CMC: add config to allow non-clientAuth + +This patch adds a new parameter, cmc.bypassClientAuth, in the CS.cfg +to allow agents to bypass clientAuth requirement in CMCAuth. +Default value for cmc.bypassClientAuth is false. + +In addition, CMC enrollment profile caCMCUserCert "visible" value is +set to false. 
+ +fixes https://bugzilla.redhat.com/show_bug.cgi?id=1628410 + +Change-Id: Ie3efda321472c1e1b27ac4c5ecf63db753ce70fc +(cherry picked from commit 19120d14941b5964a728ab06b0406be3ddeff5d4) +--- + base/ca/shared/profiles/ca/caCMCUserCert.cfg | 2 +- + .../com/netscape/cms/authentication/CMCAuth.java | 50 +++++++++++++--------- + 2 files changed, 30 insertions(+), 22 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +index 657b98e..1f990f2 100644 +--- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. +-visible=true ++visible=false + enable=true + enableBy=admin + auth.instance_id=CMCAuth +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 9b6a819..98d5e29 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -127,6 +127,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + /* authentication plug-in configuration store */ + private IConfigStore mConfig; ++ private boolean mBypassClientAuth = false; + private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----"; + private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----"; + public static final String TOKEN_CERT_SERIAL = "certSerialToRevoke"; +@@ -213,6 +214,8 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + mName = name; + mImplName = implName; + mConfig = config; ++ mBypassClientAuth = ++ CMS.getConfigStore().getBoolean("cmc.bypassClientAuth", false); + + log(ILogger.LL_INFO, "Initialization complete!"); + } +@@ -882,28 +885,33 @@ public class CMCAuth implements 
IAuthManager, IExtendedPluginInfo, + X509Certificate clientCert = + (X509Certificate) auditContext.get(SessionContext.SSL_CLIENT_CERT); + if (clientCert == null) { +- // createAuditSubjectFromCert(auditContext, x509Certs[0]); +- msg = "missing SSL client authentication certificate;"; +- CMS.debug(method + msg); +- s.close(); +- throw new EMissingCredential( +- CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); +- } +- netscape.security.x509.X500Name clientPrincipal = +- (X500Name) clientCert.getSubjectDN(); +- +- netscape.security.x509.X500Name cmcPrincipal = +- (X500Name) x509Certs[0].getSubjectDN(); +- +- // check ssl client cert against cmc signer +- if (!clientPrincipal.equals(cmcPrincipal)) { +- msg = "SSL client authentication certificate and CMC signer do not match"; +- CMS.debug(method + msg); +- s.close(); +- throw new EInvalidCredentials( +- CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); ++ if (mBypassClientAuth) { ++ msg = "missing SSL client authentication certificate; allowed"; ++ CMS.debug(method + msg); ++ } else { ++ msg = "missing SSL client authentication certificate;"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EMissingCredential( ++ CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT")); ++ } + } else { +- CMS.debug(method + "ssl client cert principal and cmc signer principal match"); ++ netscape.security.x509.X500Name clientPrincipal = ++ (X500Name) clientCert.getSubjectDN(); ++ ++ netscape.security.x509.X500Name cmcPrincipal = ++ (X500Name) x509Certs[0].getSubjectDN(); ++ ++ // check ssl client cert against cmc signer ++ if (!clientPrincipal.equals(cmcPrincipal)) { ++ msg = "SSL client authentication certificate and CMC signer do not match"; ++ CMS.debug(method + msg); ++ s.close(); ++ throw new EInvalidCredentials( ++ CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); ++ } else { ++ CMS.debug(method + "ssl client cert principal and cmc signer principal match"); ++ } + } + + PublicKey 
signKey = cert.getPublicKey(); +-- +1.8.3.1 + + +From b53d4f5f135432d6bc25b4bc0def1ea4b44705a4 Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Mon, 1 Oct 2018 16:25:08 -0400 +Subject: [PATCH 12/19] Fixes password leak of Auth plugins to Audit Logs (#57) + +* Auth plugin adds `(sensitive)` instead of plain passwords +to AuditLogs +* Added generic `isSensitive()` to identify Passwords before logging + +Signed-off-by: Dinesh Prasanth M K + +(cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1) +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 30 ++++++++++++++++++++++ + .../netscape/cms/servlet/admin/AdminServlet.java | 18 ++----------- + .../com/netscape/cms/servlet/base/CMSServlet.java | 21 +-------------- + .../netscape/cms/servlet/csadmin/BaseServlet.java | 15 +---------- + .../cms/servlet/processors/CAProcessor.java | 16 +----------- + .../servlet/profile/ProfileSubmitCMCServlet.java | 17 ++---------- + 6 files changed, 37 insertions(+), 80 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index d04223f..0bf186e 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -1672,6 +1672,36 @@ public final class CMS { + } + + /** ++ * Check whether the string is contains password ++ * ++ * @param name key string ++ * @return whether key is a password or not ++ */ ++ public static boolean isSensitive(String name) { ++ return (name.startsWith("__") || ++ name.endsWith("password") || ++ name.endsWith("passwd") || ++ name.endsWith("pwd") || ++ name.equalsIgnoreCase("admin_password_again") || ++ name.equalsIgnoreCase("directoryManagerPwd") || ++ name.equalsIgnoreCase("bindpassword") || ++ name.equalsIgnoreCase("bindpwd") || ++ name.equalsIgnoreCase("passwd") || ++ name.equalsIgnoreCase("password") || ++ name.equalsIgnoreCase("pin") || ++ name.equalsIgnoreCase("pwd") || ++ 
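Review bot: The bypass branch in the `@@ -882` hunk records the skipped SSL-client/CMC-signer binding only through `CMS.debug`, which is not an audit record; because this check is what ties the TLS session identity to the CMC signer, taking the bypass should be visible to auditors, e.g. `log(ILogger.LL_WARN, method + msg);` beside the debug call (the class already uses `log(ILogger.LL_INFO, …)` in `init`), or better an AuthEvent that carries the signer DN. The flag is read in `init` from `CMS.getConfigStore()` rather than from the plugin's own `mConfig`, so it is a server-wide switch for every CMCAuth instance; a comment on the field, `// server-wide CS.cfg setting (default false); only applies when no SSL client cert was presented — a presented but mismatching cert still fails`, would document both the scope and the fact that the mismatch path is unchanged. The enclosing method starts and ends outside the hunk.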
name.equalsIgnoreCase("pwdagain") || ++ name.equalsIgnoreCase("uPasswd") || ++ name.equalsIgnoreCase("PASSWORD_CACHE_ADD") || ++ name.startsWith("p12Password") || ++ name.equalsIgnoreCase("host_challenge") || ++ name.equalsIgnoreCase("card_challenge") || ++ name.equalsIgnoreCase("card_cryptogram") || ++ name.equalsIgnoreCase("drm_trans_desKey") || ++ name.equalsIgnoreCase("cert_request")); ++ } ++ ++ /** + * Main driver to start CMS. + */ + public static void main(String[] args) { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +index 2b8cec7..ed5393b 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java +@@ -203,21 +203,7 @@ public class AdminServlet extends HttpServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.equalsIgnoreCase("uPasswd") || +- pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("AdminServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +@@ -992,7 +978,7 @@ public class AdminServlet extends HttpServlet { + if (name.equals(Constants.RS_ID)) continue; + + String value = null; +- if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD")) ++ if (CMS.isSensitive(name)) + value = "(sensitive)"; + 
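Review bot: `isSensitive` in the `@@ -1672` hunk mixes case-sensitive `endsWith("password")`/`endsWith("passwd")`/`endsWith("pwd")` with `equalsIgnoreCase` for the exact names, so a parameter such as `ldapPassword` or `tokenPwd` is not masked and its value still reaches the debug/audit output; normalising once with `String n = name.toLowerCase(Locale.ROOT);` and comparing `n` against lower-case literals (including `n.startsWith("p12password")`) closes that gap (needs a `java.util.Locale` import). The method also dereferences `name` unconditionally; if any caller can pass a null parameter name, `if (name == null) return false;` at the top keeps a logging statement from failing the whole request with a NullPointerException. The Javadoc reads `Check whether the string is contains password`; suggest `Returns true when the parameter name denotes a secret whose value must never be logged (passwords, PINs, challenge/cryptogram material, raw certificate requests).` Consolidating the six hand-maintained copies into one helper is the right move, and it widens the masked set for AdminServlet, BaseServlet and CAProcessor (e.g. `host_challenge`, `cert_request`), which is the safe direction.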
else + value = req.getParameter(name); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +index f18db1a..0c65702 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java +@@ -403,26 +403,7 @@ public abstract class CMSServlet extends HttpServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.startsWith("p12Password") || +- pn.equalsIgnoreCase("uPasswd") || +- pn.equalsIgnoreCase("host_challenge") || +- pn.equalsIgnoreCase("card_challenge") || +- pn.equalsIgnoreCase("card_cryptogram") || +- pn.equalsIgnoreCase("drm_trans_desKey") || +- pn.equalsIgnoreCase("cert_request")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("CMSServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java +index 3b3ae40..70922dc 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/BaseServlet.java +@@ -70,20 +70,7 @@ public class BaseServlet extends VelocityServlet { + // __ (double underscores); however, in the event that + // a security parameter 
slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (pn.startsWith("__") || +- pn.endsWith("password") || +- pn.endsWith("passwd") || +- pn.endsWith("pwd") || +- pn.equalsIgnoreCase("admin_password_again") || +- pn.equalsIgnoreCase("directoryManagerPwd") || +- pn.equalsIgnoreCase("bindpassword") || +- pn.equalsIgnoreCase("bindpwd") || +- pn.equalsIgnoreCase("passwd") || +- pn.equalsIgnoreCase("password") || +- pn.equalsIgnoreCase("pin") || +- pn.equalsIgnoreCase("pwd") || +- pn.equalsIgnoreCase("pwdagain") || +- pn.equalsIgnoreCase("uPasswd")) { ++ if (CMS.isSensitive(pn)) { + CMS.debug("BaseServlet::service() param name='" + pn + + "' value='(sensitive)'"); + } else { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +index 62b4242..f732c4d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +@@ -258,21 +258,7 @@ public class CAProcessor extends Processor { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (paramName.startsWith("__") || +- paramName.endsWith("password") || +- paramName.endsWith("passwd") || +- paramName.endsWith("pwd") || +- paramName.equalsIgnoreCase("admin_password_again") || +- paramName.equalsIgnoreCase("directoryManagerPwd") || +- paramName.equalsIgnoreCase("bindpassword") || +- paramName.equalsIgnoreCase("bindpwd") || +- paramName.equalsIgnoreCase("passwd") || +- paramName.equalsIgnoreCase("password") || +- paramName.equalsIgnoreCase("pin") || +- paramName.equalsIgnoreCase("pwd") || +- paramName.equalsIgnoreCase("pwdagain") || +- paramName.equalsIgnoreCase("uPasswd") || +- paramName.equalsIgnoreCase("cert_request")) { ++ if 
(CMS.isSensitive(paramName)) { + CMS.debug("CAProcessor: - " + paramName + ": (sensitive)"); + } else { + CMS.debug("CAProcessor: - " + paramName + ": " + entry.getValue()); +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 03e94a8..81a2f2a 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -47,9 +47,9 @@ import com.netscape.certsrv.authorization.AuthzToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.SessionContext; + import com.netscape.certsrv.logging.AuditEvent; ++import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.AuthEvent; + import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; +-import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.profile.ECMCBadIdentityException; + import com.netscape.certsrv.profile.ECMCBadMessageCheckException; + import com.netscape.certsrv.profile.ECMCBadRequestException; +@@ -306,20 +306,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + // __ (double underscores); however, in the event that + // a security parameter slips through, we perform multiple + // additional checks to insure that it is NOT displayed +- if (paramName.startsWith("__") || +- paramName.endsWith("password") || +- paramName.endsWith("passwd") || +- paramName.endsWith("pwd") || +- paramName.equalsIgnoreCase("admin_password_again") || +- paramName.equalsIgnoreCase("directoryManagerPwd") || +- paramName.equalsIgnoreCase("bindpassword") || +- paramName.equalsIgnoreCase("bindpwd") || +- paramName.equalsIgnoreCase("passwd") || +- paramName.equalsIgnoreCase("password") || +- paramName.equalsIgnoreCase("pin") || +- paramName.equalsIgnoreCase("pwd") || +- 
paramName.equalsIgnoreCase("pwdagain") || +- paramName.equalsIgnoreCase("uPasswd")) { ++ if (CMS.isSensitive(paramName)) { + CMS.debug("ProfileSubmitCMCServlet Input Parameter " + + paramName + "='(sensitive)'"); + } else { +-- +1.8.3.1 + + +From 4041f30e683307eb96140c8b81e48e62c2e7c34a Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 28 Aug 2018 23:08:13 +0200 +Subject: [PATCH 13/19] Fixed CA signing cert importation + +The pki_ca_signing_cert_path param has been modified to have +an empty value by default. + +The import_ca_signing_cert() has been modified such that if +the param is not specified, it will return silently. If the +param contains an invalid path, the method will fail. If the +param contains a valid path to the CA signing cert, the cert +will be imported into the NSS database. + +https://pagure.io/dogtagpki/issue/3040 + +Change-Id: Idde1850744391162495599067c840c47ef47de69 +(cherry picked from commit a4f5b17ee96adf79391f9def6e04bb239a779cbe) +--- + base/server/etc/default.cfg | 2 +- + base/server/man/man5/pki_default.cfg.5 | 2 +- + .../pki/server/deployment/scriptlets/configuration.py | 19 ++++++++++--------- + 3 files changed, 12 insertions(+), 11 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 0f348ee..b92cca7 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -94,7 +94,7 @@ pki_ca_port=%(pki_security_domain_https_port)s + pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA + + # DEPRECATED: Use 'pki_ca_signing_cert_path' instead. 
+-pki_external_ca_cert_path=%(pki_instance_configuration_path)s/external_ca.cert ++pki_external_ca_cert_path= + pki_ca_signing_cert_path=%(pki_external_ca_cert_path)s + + pki_client_admin_cert_p12=%(pki_client_dir)s/%(pki_subsystem_type)s_admin_cert.p12 +diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 +index fe3cdc7..afdcbfb 100644 +--- a/base/server/man/man5/pki_default.cfg.5 ++++ b/base/server/man/man5/pki_default.cfg.5 +@@ -413,7 +413,7 @@ Required for the second step of a stand-alone PKI process. This is the location + .PP + .B pki_ca_signing_cert_path + .IP +-Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/external_ca_chain.cert'. ++Required for the second step of a stand-alone PKI process. This is the location of the file containing the external CA's certificate chain (as issued by the external CA). Defaults to empty. 
+ .PP + .B pki_external_admin_cert_path + .IP +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index fd043a8..1b62445 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -395,15 +395,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + self.import_system_cert_request(deployer, subsystem, 'subsystem') + self.import_system_cert_request(deployer, subsystem, 'sslserver') + +- def import_ca_signing_cert(self, deployer, nssdb, subsystem): ++ def import_ca_signing_cert(self, deployer, nssdb): + + param = 'pki_ca_signing_cert_path' + cert_file = deployer.mdict.get(param) +- if not cert_file or not os.path.exists(cert_file): +- if subsystem.name == 'ca': +- raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) +- else: +- return ++ ++ if not cert_file: ++ return ++ ++ if not os.path.exists(cert_file): ++ raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) + + nickname = deployer.mdict['pki_ca_signing_nickname'] + +@@ -593,14 +594,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + def import_system_certs(self, deployer, nssdb, subsystem): + + if subsystem.name == 'ca': +- self.import_ca_signing_cert(deployer, nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, nssdb) + self.import_ca_ocsp_signing_cert(deployer, nssdb) + + if subsystem.name == 'kra': + # Always import cert chain into internal token. + internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, internal_nssdb) + finally: + internal_nssdb.close() + +@@ -612,7 +613,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # Always import cert chain into internal token. 
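Review bot: Removing the `subsystem.name == 'ca'` branch turns an empty `pki_ca_signing_cert_path` into a silent no-op for the CA itself, while the man page changed in this same patch still describes the parameter as required for the second step of a stand-alone/external-CA installation; a step-two CA deployed with the parameter unset now passes this point without its signing certificate in the NSS database and fails later with a far less obvious error. The deployer's external-CA flags are not visible from here, but if they are in `deployer.mdict` the early return should depend on them rather than being unconditional, roughly `if not cert_file:` / `    if external_step_two: raise Exception('%s is required for the second step of an external CA installation' % param)` / `    return`. At minimum a comment should record that the silent return is intended only for non-CA subsystems and first-step installs, e.g. `# empty path is legitimate for KRA/OCSP/TKS/TPS and for a fresh CA; step-two CA installs must supply it`.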
+ internal_nssdb = subsystem.instance.open_nssdb() + try: +- self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) ++ self.import_ca_signing_cert(deployer, internal_nssdb) + finally: + internal_nssdb.close() + +-- +1.8.3.1 + + +From 6fbffb076caea906381e47bc1b6cae9da9892ae4 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 23 Oct 2018 03:31:33 +0200 +Subject: [PATCH 14/19] Fixed password prompt in pki CLI + +The pki CLI has been modified not to throw an exception when the +user specifies a username without any password. The CLI will then +prompt for a password. + +https://pagure.io/dogtagpki/issue/2840 +(cherry picked from commit b1bda0a1e7baca575561c08e78d93ae7c7160738) +--- + base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +index 711625a..50e5b75 100644 +--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java +@@ -378,9 +378,6 @@ public class MainCLI extends CLI { + + if (passwordFile != null && password != null) { + throw new Exception("The '-W' and '-w' options are mutually exclusive."); +- +- } else if (passwordFile == null && password == null) { +- throw new Exception("Missing user password."); + } + } + +-- +1.8.3.1 + + +From 60ad482668db175f297e55a947f55021871ce348 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:21:52 +0200 +Subject: [PATCH 16/19] Added CMSEngine.disableSubsystem() + +The code that calls pki-server subsystem-disable in +SelfTestSubsystem has been moved into CMSEngine.disableSubsystem(). 
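Review bot: Deleting the "Missing user password" check makes the later prompt the only thing standing between a username-only invocation and an authentication attempt with no credential, but that prompt is not in this hunk, so I cannot confirm it exists on every path that reaches here. Wherever it lives it should read via `System.console().readPassword(...)` so the password is not echoed, and when `System.console()` returns null (scripts, cron, CI) it should fail with the old "Missing user password" message instead of blocking on stdin. A one-line comment at the removal site would make the new contract explicit: `// no -w/-W given: the password is prompted for later (must not echo; must fail, not hang, without a console)`. The enclosing method starts and ends outside the hunk.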
+ +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit d5b119cdf3693680d5d1518b4b21b436d442708b) +--- + base/common/src/com/netscape/certsrv/apps/CMS.java | 4 ++++ + .../src/com/netscape/cmscore/apps/CMSEngine.java | 24 +++++++++++++++++++++ + .../cmscore/selftests/SelfTestSubsystem.java | 25 +++++----------------- + 3 files changed, 33 insertions(+), 20 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java +index 0bf186e..b6b74e6 100644 +--- a/base/common/src/com/netscape/certsrv/apps/CMS.java ++++ b/base/common/src/com/netscape/certsrv/apps/CMS.java +@@ -145,6 +145,10 @@ public final class CMS { + _engine = engine; + } + ++ public static ICMSEngine getCMSEngine() { ++ return _engine; ++ } ++ + /** + * This method is used for unit tests. It allows the underlying _engine + * to be stubbed out. +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index eaf57fa..2c953cc 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -2042,6 +2042,30 @@ public class CMSEngine implements ICMSEngine { + + } + ++ public void disableSubsystem() { ++ ++ String name = mConfig.get("cs.type"); ++ String subsystemID = name.toLowerCase(); ++ ++ CMS.debug("CMSEngine: Disabling " + name + " subsystem"); ++ ++ try { ++ ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceId, subsystemID); ++ CMS.debug("Command: " + String.join(" ", pb.command())); ++ ++ Process process = pb.inheritIO().start(); ++ int rc = process.waitFor(); ++ ++ if (rc != 0) { ++ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem. 
RC: " + rc); ++ } ++ ++ } catch (Exception e) { ++ CMS.debug("CMSEngine: Unable to disable " + name + " subsystem: " + e.getMessage()); ++ CMS.debug(e); ++ } ++ } ++ + /** + * shuts down a subsystem list in reverse order. + */ +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 98b53c7..9ed4f8a 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -50,6 +50,7 @@ import com.netscape.certsrv.selftests.ISelfTest; + import com.netscape.certsrv.selftests.ISelfTestSubsystem; + import com.netscape.cms.logging.Logger; + import com.netscape.cms.logging.SignedAuditLogger; ++import com.netscape.cmscore.apps.CMSEngine; + + ////////////////////// + // class definition // +@@ -1832,29 +1833,13 @@ public class SelfTestSubsystem + + audit(auditMessage); + +- CMS.debug("SelfTestSubsystem.startup(): shutdown server"); ++ CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); ++ CMS.debug(e); + +- // shutdown the system gracefully + CMS.shutdown(); + +- IConfigStore cs = CMS.getConfigStore(); +- String instanceID = cs.get("instanceId"); +- String subsystemID = cs.get("cs.type").toLowerCase(); +- +- System.out.println("SelfTestSubsystem: Disabling \"" + subsystemID + "\" subsystem due to selftest failure."); +- +- try { +- ProcessBuilder pb = new ProcessBuilder("pki-server", "subsystem-disable", "-i", instanceID, subsystemID); +- Process process = pb.inheritIO().start(); +- int rc = process.waitFor(); +- +- if (rc != 0) { +- System.out.println("SelfTestSubsystem: Unable to disable \"" + subsystemID + "\". 
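Review bot: `disableSubsystem()` becomes the sole fail-safe for selftest and signed-audit failures in the later patches of this series, yet a non-zero exit code or an exception from `pki-server` is only written to the debug log, so if the command is absent from the service's PATH, fails, or is killed, the subsystem keeps serving requests it cannot audit — fail-open where the `CMS.forceShutdown()` it replaces was fail-closed. Both the `rc != 0` branch and the `catch` should escalate rather than return, e.g. `CMS.debug("CMSEngine: disable failed, forcing shutdown"); CMS.forceShutdown();`, and callers would benefit from a boolean return so they can tell the two outcomes apart. Two smaller points: `mConfig.get("cs.type")` is dereferenced before the `try`, so a missing `cs.type` turns the fail-safe itself into an NPE, and invoking `pki-server` by bare name relies on the Tomcat process's PATH; an absolute path (or at least a guard that the executable resolves) is the usual practice for a security-critical child process. The ProcessBuilder list form is correctly used, so the config-derived arguments are not shell-interpreted.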
RC: " + rc); +- } +- +- } catch (Exception e2) { +- e.printStackTrace(); +- } ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + } + } + +-- +1.8.3.1 + + +From 83e911b75bb887bc4f3bf36fc9709401e54b7443 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:22:24 +0200 +Subject: [PATCH 17/19] Fixed subsystem shutdown on selftest failures + +The code that handles selftest failures have been modified +to call CMSEngine.disableSubsystem() to undeploy the web +application. Once undeployed, the web application will no +longer accept client requests, then Tomcat will execute +CMSStartServlet.destroy() which will eventually shutdown +the subsystem. + +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 7c3711c786ba90fe29b7450530dd8372d5839fcd) +--- + .../cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java | 7 ++++--- + .../src/com/netscape/cmscore/selftests/SelfTestSubsystem.java | 9 ++++----- + 2 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +index 59a5d62..633b13d 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java +@@ -73,6 +73,7 @@ import com.netscape.certsrv.selftests.ESelfTestException; + import com.netscape.certsrv.selftests.ISelfTest; + import com.netscape.certsrv.selftests.ISelfTestSubsystem; + import com.netscape.certsrv.tks.ITKSAuthority; ++import com.netscape.cmscore.apps.CMSEngine; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; + import com.netscape.cmsutil.util.Utils; +@@ -3194,10 +3195,10 @@ public final class CMSAdminServlet extends AdminServlet { + + "\n"; + sendResponse(ERROR, content, null, resp); + +- CMS.debug("CMSAdminServlet.runSelfTestsOnDemand(): shutdown 
server"); ++ CMS.debug("CMSAdminServlet: Disabling subsystem due to selftest failure: " + e.getMessage()); + +- // shutdown the system gracefully +- CMS.shutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + + return; + } else { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +index 9ed4f8a..8ce9a58 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java +@@ -537,10 +537,11 @@ public class SelfTestSubsystem + "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED", + instanceFullName)); + +- CMS.debug("SelfTestSubsystem.runSelfTestsOnDemand(): shutdown server"); ++ CMS.debug("SelfTestSubsystem: Disabling subsystem due to selftest failure: " + e.getMessage()); ++ CMS.debug(e); + +- // shutdown the system gracefully +- CMS.shutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + + return; + } +@@ -1836,8 +1837,6 @@ public class SelfTestSubsystem + CMS.debug("SelfTestSubsystem: Shutting down server due to selftest failure: " + e.getMessage()); + CMS.debug(e); + +- CMS.shutdown(); +- + CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); + engine.disableSubsystem(); + } +-- +1.8.3.1 + + +From 81710f32fb9c269f2795b3272b3765a542299eb6 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 17 Oct 2018 18:23:09 +0200 +Subject: [PATCH 18/19] Fixed signed audit logging failure handling + +The code that handles signed audit logging failures has been +modified to call CMSEngine.disableSubsystem() to undeploy the +web application. Once undeployed, the web application will no +longer accept client requests, then Tomcat will execute +CMSStartServlet.destroy() which will eventually shutdown the +subsystem. 
+ +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 5e7d7b972f14d65781909f6dfee4ad1e7ecb801a) +--- + .../cms/src/com/netscape/cms/logging/LogFile.java | 17 ++++------------- + 1 file changed, 4 insertions(+), 13 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index b04f70d..a4a691b 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -79,6 +79,7 @@ import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.LogSource; + import com.netscape.certsrv.logging.SignedAuditEvent; + import com.netscape.certsrv.logging.SystemEvent; ++import com.netscape.cmscore.apps.CMSEngine; + import com.netscape.cmsutil.util.Utils; + + import netscape.ldap.client.JDAPAVA; +@@ -422,20 +423,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + // synchronized. We just want to avoid an infinite loop. + mInSignedAuditLogFailureMode = true; + +- // Block all new incoming requests +- if (CMS.areRequestsDisabled() == false) { +- // XXX is this a race condition? +- CMS.disableRequests(); +- } +- +- // Terminate all requests in process +- CMS.terminateRequests(); +- +- // Call graceful shutdown of the CMS server +- // Call force shutdown to get added functionality of +- // making sure to kill the web server. ++ CMS.debug("LogFile: Disabling subsystem due to signed logging failure"); + +- CMS.forceShutdown(); ++ CMSEngine engine = (CMSEngine) CMS.getCMSEngine(); ++ engine.disableSubsystem(); + } + } + +-- +1.8.3.1 + + +From bd2b3117334ce0e638bf309a591a0eeb6390253f Mon Sep 17 00:00:00 2001 +From: "Endi S. 
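Review bot: The removed code blocked new requests (`CMS.disableRequests()`) and terminated in-flight ones (`CMS.terminateRequests()`) before shutting the server down; the replacement only asks Tomcat to undeploy the web application, so operations already executing when the audit write failed run to completion with no signed audit record, and `disableSubsystem()` (patch 16) merely logs when `pki-server` fails. An audit-failure handler should stay fail-closed: keep the two calls ahead of the undeploy, `if (!CMS.areRequestsDisabled()) CMS.disableRequests();` / `CMS.terminateRequests();` / `engine.disableSubsystem();`, and fall back to the old forced shutdown if the disable is reported as unsuccessful (which needs `disableSubsystem()` to expose a result — it currently returns void). I cannot see from this hunk whether undeploy alone interrupts running request threads; if it does not, the gap between audit failure and undeploy is exactly the window the old code closed. The enclosing method starts outside the hunk.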
Dewata" +Date: Sat, 20 Oct 2018 04:03:49 +0200 +Subject: [PATCH 19/19] Added doc on signed audit logging failures + +https://pagure.io/dogtagpki/issue/3070 +(cherry picked from commit 54c1b9b04625de6f3493e5d28979a740b31e63b3) +--- + docs/admin/Signed_Audit_Logging_Failures.md | 88 +++++++++++++++++++++++++++++ + 1 file changed, 88 insertions(+) + create mode 100644 docs/admin/Signed_Audit_Logging_Failures.md + +diff --git a/docs/admin/Signed_Audit_Logging_Failures.md b/docs/admin/Signed_Audit_Logging_Failures.md +new file mode 100644 +index 0000000..17cc3bd +--- /dev/null ++++ b/docs/admin/Signed_Audit_Logging_Failures.md +@@ -0,0 +1,88 @@ ++Signed Audit Logging Failures ++============================= ++ ++## Overview ++ ++If a PKI subsystem is unable to write signed audit log to disk, ++the subsystem will automatically shutdown to prevent it from ++receiving and executing additional operations that cannot be ++logged. ++ ++This situation may happen when the disk is full. In that case ++the admin will need to provide additional disk space, then restart ++the subsystem. ++ ++Note: auto-shutdown will only work if audit signing is enabled. 
++ ++## Verifying Auto-Shutdown ++ ++To verify auto-shutdown on a CA instance, prepare a small ++partition and assign the proper permissions: ++ ++``` ++$ mkdir -p /tmp/audit ++$ mount -t tmpfs -o size=2M,mode=0755 tmpfs /tmp/audit ++$ chown pkiuser:pkiuser /tmp/audit ++$ semanage fcontext -a -t pki_tomcat_log_t /tmp/audit ++$ restorecon -vR /tmp/audit ++``` ++ ++Edit /etc/pki/pki-tomcat/ca/CS.cfg to enable audit signing ++and configure it to store the logs in the above partition: ++ ++``` ++log.instance.SignedAudit.logSigning=true ++log.instance.SignedAudit.fileName=/tmp/audit/ca_audit ++``` ++ ++Restart the server: ++ ++``` ++$ systemctl restart pki-tomcatd@pki-tomcat.service ++``` ++ ++Create a big file to fill up the partition: ++ ++``` ++$ dd if=/dev/zero of=/tmp/audit/bigfile bs=1M count=2 ++``` ++ ++Execute some operations to generate audit logs, for example: ++ ++``` ++$ pki ca-cert-find ++``` ++ ++When the partition becomes full, the server will no longer able ++to write the signed audit log into the partition, so it will ++generate the following message in console or systemd journal ++(assuming the journal is stored in a different partition that ++is not full): ++ ++``` ++Failed to flush log "/tmp/audit/ca_audit", error: No space left on device ++``` ++ ++Then the CA subsystem will shutdown automatically. The server itself ++will still be running and accepting connections, but all requests ++going to the CA subsystem will fail. ++ ++To resolve the issue, create more space in the partition by ++removing the big file: ++ ++``` ++$ rm -f /tmp/audit/bigfile ++``` ++ ++Then re-enable the CA subsystem with the following command: ++ ++``` ++$ pki-server subsystem-enable -i pki-tomcat ca ++``` ++ ++or by restarting the server: ++ ++``` ++$ systemctl restart pki-tomcatd@pki-tomcat.service ++``` ++ +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.9-batch-2.0.patch b/SOURCES/pki-core-10.5.9-batch-2.0.patch new file mode 100644 index 0000000..31837d3 --- /dev/null 
+++ b/SOURCES/pki-core-10.5.9-batch-2.0.patch 
@@ -0,0 +1,3528 @@ +From 9c24a655511c911c8acc724a45f79b3ea4986b9f Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 16:29:11 -0400 +Subject: [PATCH 01/13] Add --force flag to pki-destroy + +Resolves: Bug 1372056 +Ticket: https://pagure.io/dogtagpki/issue/1172 + +List of changes with this commit: +- Adds new flag `--force` to pkidestroy to force remove a subsystem +- Use `os.path.join()` instead of appending '/' between path names +- Remove the `pki_database_path` dir instead of removing contents of the dir + - This is moved to `security_database.py` instead of `configuration.py` +- pkidestroy and pkispawn logs are owned by `root` instead of configured pkiuser + +Signed-off-by: Dinesh Prasanth M K +(cherry picked from commit 926c26e10db1b3fde8f24802d7a77419d0f2f28d) +--- + .../python/pki/server/deployment/pkihelper.py | 6 +- + .../server/deployment/scriptlets/configuration.py | 7 +- + .../server/deployment/scriptlets/finalization.py | 5 +- + .../server/deployment/scriptlets/initialization.py | 92 ++++++++++++---------- + .../deployment/scriptlets/security_databases.py | 8 +- + .../deployment/scriptlets/webapp_deployment.py | 2 +- + base/server/sbin/pkidestroy | 44 ++++++++--- + 7 files changed, 96 insertions(+), 68 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 79f1e57..e1b9a02 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -947,8 +947,10 @@ class Instance: + rv = [] + try: + for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: +- path = self.mdict['pki_instance_path'] + \ +- "/" + subsystem.lower() ++ path = os.path.join( ++ self.mdict['pki_instance_path'], ++ subsystem.lower() ++ ) + if os.path.exists(path) and os.path.isdir(path): + rv.append(subsystem) + except OSError as exc: +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py 
b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 1b62445..7bc0023 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -1274,9 +1274,4 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise RuntimeError("server failed to restart") + + def destroy(self, deployer): +- +- config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, +- extra=config.PKI_INDENTATION_LEVEL_1) +- if len(deployer.instance.tomcat_instance_subsystems()) == 1: +- if deployer.directory.exists(deployer.mdict['pki_client_dir']): +- deployer.directory.delete(deployer.mdict['pki_client_dir']) ++ pass +diff --git a/base/server/python/pki/server/deployment/scriptlets/finalization.py b/base/server/python/pki/server/deployment/scriptlets/finalization.py +index e62051f..3c7e118 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/finalization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/finalization.py +@@ -68,19 +68,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_subsystem'], + deployer.mdict['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) +- deployer.file.modify(deployer.mdict['pki_spawn_log'], silent=True) + + def destroy(self, deployer): + + config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) +- deployer.file.modify(deployer.mdict['pki_destroy_log'], silent=True) + # If this is the last remaining PKI instance, ALWAYS remove the + # link to start configured PKI instances upon system reboot + if deployer.mdict['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + deployer.instance.pki_instance_subsystems() == 0: + deployer.systemd.disable() +- # Start this Tomcat PKI Process ++ ++ # Start this Tomcat PKI Process back if there are any subsystems still existing + if len(deployer.instance.tomcat_instance_subsystems()) >= 1: + 
deployer.systemd.start() + config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index 9528ec5..efd1536 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -86,45 +86,53 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.configuration_file.verify_ds_secure_connection_data() + + def destroy(self, deployer): +- +- # begin official logging +- config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, +- deployer.mdict['pki_subsystem'], +- deployer.mdict['pki_instance_name'], +- extra=config.PKI_INDENTATION_LEVEL_0) +- config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, +- extra=config.PKI_INDENTATION_LEVEL_1) +- # verify that this type of "subsystem" currently EXISTS +- # for this "instance" +- deployer.instance.verify_subsystem_exists() +- # verify that the command-line parameters match the values +- # that are present in the corresponding configuration file +- deployer.configuration_file.verify_command_matches_configuration_file() +- # establish 'uid' and 'gid' +- deployer.identity.set_uid(deployer.mdict['pki_user']) +- deployer.identity.set_gid(deployer.mdict['pki_group']) +- # get ports to remove selinux context +- deployer.configuration_file.populate_non_default_ports() +- +- # remove kra connector from CA if this is a KRA +- deployer.kra_connector.deregister() +- +- # remove tps connector from TKS if this is a TPS +- deployer.tps_connector.deregister() +- +- # de-register instance from its Security Domain +- # +- # NOTE: Since the security domain of an instance must be up +- # and running in order to be de-registered, this step +- # must be done PRIOR to instance shutdown because this +- # instance's security domain may be a part of a +- # tightly-coupled shared instance. 
+- # +- +- # Previously we obtained the token through a command line interface +- # no longer supported. Thus we assume no token and the deregister op will +- # take place without the token using an alternate method. +- +- deployer.security_domain.deregister(None) +- # ALWAYS Stop this Tomcat PKI Process +- deployer.systemd.stop() ++ try: ++ # begin official logging ++ config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, ++ deployer.mdict['pki_subsystem'], ++ deployer.mdict['pki_instance_name'], ++ extra=config.PKI_INDENTATION_LEVEL_0) ++ config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, ++ extra=config.PKI_INDENTATION_LEVEL_1) ++ # verify that this type of "subsystem" currently EXISTS ++ # for this "instance" ++ deployer.instance.verify_subsystem_exists() ++ # verify that the command-line parameters match the values ++ # that are present in the corresponding configuration file ++ deployer.configuration_file.verify_command_matches_configuration_file() ++ # establish 'uid' and 'gid' ++ deployer.identity.set_uid(deployer.mdict['pki_user']) ++ deployer.identity.set_gid(deployer.mdict['pki_group']) ++ # get ports to remove selinux context ++ deployer.configuration_file.populate_non_default_ports() ++ ++ # remove kra connector from CA if this is a KRA ++ deployer.kra_connector.deregister() ++ ++ # remove tps connector from TKS if this is a TPS ++ deployer.tps_connector.deregister() ++ ++ # de-register instance from its Security Domain ++ # ++ # NOTE: Since the security domain of an instance must be up ++ # and running in order to be de-registered, this step ++ # must be done PRIOR to instance shutdown because this ++ # instance's security domain may be a part of a ++ # tightly-coupled shared instance. ++ # ++ ++ # Previously we obtained the token through a command line interface ++ # no longer supported. Thus we assume no token and the deregister op will ++ # take place without the token using an alternate method. 
++ ++ deployer.security_domain.deregister(None) ++ ++ except Exception as e: # pylint: disable=broad-except ++ config.pki_log.error(str(e)) ++ # If it is a normal destroy, pass any exception ++ if not deployer.mdict['pki_force_destroy']: ++ raise ++ ++ finally: ++ # ALWAYS Stop this Tomcat PKI Process ++ deployer.systemd.stop() +diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +index b8550ad..02f4713 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py ++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +@@ -259,7 +259,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if len(deployer.instance.tomcat_instance_subsystems()) == 0: +- deployer.file.delete(deployer.mdict['pki_cert_database']) +- deployer.file.delete(deployer.mdict['pki_key_database']) +- deployer.file.delete(deployer.mdict['pki_secmod_database']) ++ ++ if deployer.directory.exists(deployer.mdict['pki_client_dir']): ++ deployer.directory.delete(deployer.mdict['pki_client_dir']) ++ ++ deployer.directory.delete(deployer.mdict['pki_database_path']) + deployer.file.delete(deployer.mdict['pki_shared_password_conf']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py +index bfa3c32..8957d9d 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py ++++ b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py +@@ -70,7 +70,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + +- # Delete /conf/Catalina/localhost/.xml ++ # Delete 
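Review bot: Under `--force`, a failure anywhere in the `try` block — including `security_domain.deregister(None)` and the KRA/TPS connector deregistrations — is reduced to one `error(str(e))` and the destroy proceeds, so an instance can be wiped while the security domain still lists it as a trusted host and the CA still holds its KRA connector, and nothing tells the operator to clean that up; `str(e)` also discards the traceback. Log it with context and say what may be left behind, e.g. `config.pki_log.error('force destroy: continuing despite failure: %s', e, exc_info=True)` followed by `config.pki_log.warning('security domain and connector deregistration may not have completed; remove stale entries manually')`. Note also that a failure early in the block (e.g. `verify_subsystem_exists()`) skips `set_uid`/`set_gid` and `populate_non_default_ports()` as well — I cannot see from here how later scriptlets behave when identity is unset, so that should be checked before relying on `--force` for half-deployed instances.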
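Review bot: `deployer.directory.delete(deployer.mdict['pki_database_path'])` replaces three targeted file deletions with a recursive removal of whatever directory the master dictionary names, and with `--force` (pkidestroy change in this same patch) that dictionary may be built from defaults because the deployment config file is allowed to be absent. If `pki_database_path` is empty, relative, or has been pointed at a shared NSS database, this wipes it. A cheap guard before the recursive delete: `db = deployer.mdict['pki_database_path']` / `if not db or not os.path.realpath(db).startswith(os.path.realpath(deployer.mdict['pki_instance_path']) + os.sep): raise Exception('refusing to remove NSS database outside the instance: %s' % db)`. I cannot see whether `directory.delete` already applies a similar containment check; if it does, a comment saying so here would be enough.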
/Catalina/localhost/.xml + deployer.file.delete( + os.path.join( + deployer.mdict['pki_instance_configuration_path'], +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 58f0541..4692e36 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -95,6 +95,13 @@ def main(argv): + nargs=1, metavar='', + help='security domain password file path') + ++ parser.optional.add_argument( ++ '--force', ++ dest='pki_force_destroy', ++ action='store_true', ++ help='force removal of subsystem' ++ ) ++ + args = parser.process_command_line_arguments() + + interactive = False +@@ -155,20 +162,26 @@ def main(argv): + pwd_file: + config.pki_secdomain_pass = pwd_file.readline().strip('\n') + ++ # '--force' ++ force_destroy = args.pki_force_destroy ++ + # verify that previously deployed instance exists +- deployed_pki_instance_path = \ +- config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT + "/" + \ +- config.pki_deployed_instance_name +- if not os.path.exists(deployed_pki_instance_path): ++ deployed_pki_instance_path = os.path.join( ++ config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name ++ ) ++ ++ if not os.path.exists(deployed_pki_instance_path) and not force_destroy: + print("ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 % + deployed_pki_instance_path) + print() + parser.arg_parser.exit(-1) + + # verify that previously deployed subsystem for this instance exists +- deployed_pki_subsystem_path = \ +- deployed_pki_instance_path + "/" + deployer.subsystem_name.lower() +- if not os.path.exists(deployed_pki_subsystem_path): ++ deployed_pki_subsystem_path = os.path.join( ++ deployed_pki_instance_path, deployer.subsystem_name.lower() ++ ) ++ ++ if not os.path.exists(deployed_pki_subsystem_path) and not force_destroy: + print("ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 % + (deployer.subsystem_name, deployed_pki_instance_path)) + print() +@@ -178,11 +191,16 @@ def main(argv): + 
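Review bot: The rewritten `deployed_pki_instance_path` drops `config.pki_root_prefix`, which the removed expression prepended to `PKI_DEPLOYMENT_BASE_ROOT`, so a deployment that relies on a non-empty root prefix is now checked (and later destroyed) at the wrong path; `os.path.join(config.pki_root_prefix + config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name)` keeps the old behaviour. Note also that `os.path.join` discards the base entirely when `pki_deployed_instance_name` is absolute, and a name containing `..` or `/` escapes the deployment root; the name comes from the command line and pkidestroy runs as root and recursively removes directories derived from it, so unless it is validated elsewhere (not visible here) I would reject names containing `os.sep` before this point. Skipping both existence checks under `--force` is the intent, but a `print("WARNING: ...")` in that case, matching the `print("ERROR: ...")` style of the branches, would tell the operator the path was never found.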
config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # establish complete path to previously deployed configuration file +- config.user_deployment_cfg =\ +- deployed_pki_subsystem_path + "/" +\ +- "registry" + "/" +\ +- deployer.subsystem_name.lower() + "/" +\ ++ config.user_deployment_cfg = os.path.join( ++ deployed_pki_subsystem_path, ++ "registry", ++ deployer.subsystem_name.lower(), + config.USER_DEPLOYMENT_CONFIGURATION ++ ) ++ ++ if force_destroy and not os.path.exists(config.user_deployment_cfg): ++ # During force destroy, try to load the file. If file doesn't exist, we ignore it ++ config.user_deployment_cfg = None + + parser.validate() + parser.init_config() +@@ -213,6 +231,10 @@ def main(argv): + parser.compose_pki_master_dictionary() + parser.mdict['pki_destroy_log'] = \ + config.pki_log_dir + "/" + config.pki_log_name ++ ++ # Add force_destroy to master dictionary ++ parser.mdict['pki_force_destroy'] = force_destroy ++ + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), +-- +1.8.3.1 + + +From 7f0af3958605c9826c5bb71fcb43cfccb3056d90 Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 16:43:36 -0400 +Subject: [PATCH 02/13] Add --remove-logs flag to pki-destroy + +Partially resolves: Bug 1372056 + +List of changes by this commit: + +- Logs are preserved by default (comment #1 in BZ) +- Add `--remove-flags` flag to pkidestroy to remove logs + +Signed-off-by: Dinesh Prasanth M K +(cherry picked from commit 9e2cdb0b2f5df552ef50ba7883b4c686adec41b3) +--- + .../server/deployment/scriptlets/instance_layout.py | 7 +++++-- + .../server/deployment/scriptlets/subsystem_layout.py | 19 +++++++++++-------- + base/server/sbin/pkidestroy | 13 +++++++++++++ + 3 files changed, 29 insertions(+), 10 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py 
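Review bot: Under `--force`, setting `config.user_deployment_cfg = None` when the deployed configuration is missing means `parser.validate()` and `parser.init_config()` run without the instance's own settings; whether they accept `None` is not visible here, and if they do, the master dictionary that the destroy scriptlets later use for security-domain deregistration and connector removal comes from default.cfg alone, so non-default ports, users or the security-domain host of the vanished instance are lost. I would make that visible, e.g. `print("WARNING: deployment configuration '%s' not found; continuing with defaults" % config.user_deployment_cfg)` placed before the assignment, so a forced destroy that silently leaves a stale registration behind is traceable. The `main` function continues outside the hunk.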
b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 2095212..568c0a0 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -199,8 +199,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + # remove Tomcat instance base + deployer.directory.delete(deployer.mdict['pki_instance_path']) +- # remove Tomcat instance logs +- deployer.directory.delete(deployer.mdict['pki_instance_log_path']) ++ ++ # remove Tomcat instance logs only if --remove-logs is specified ++ if deployer.mdict['pki_remove_logs']: ++ deployer.directory.delete(deployer.mdict['pki_instance_log_path']) ++ + # remove shared NSS security database path for this instance + deployer.directory.delete(deployer.mdict['pki_database_path']) + # remove Tomcat instance configuration +diff --git a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +index a0e4658..fb9f754 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/subsystem_layout.py +@@ -124,15 +124,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.delete( + deployer.mdict['pki_subsystem_profiles_path']) + deployer.directory.delete(deployer.mdict['pki_subsystem_path']) +- # remove instance-based subsystem logs +- if deployer.mdict['pki_subsystem'] in \ +- config.PKI_SIGNED_AUDIT_SUBSYSTEMS: ++ ++ # remove instance-based subsystem logs only if --remove-logs flag is specified ++ if deployer.mdict['pki_remove_logs']: ++ if deployer.mdict['pki_subsystem'] in \ ++ config.PKI_SIGNED_AUDIT_SUBSYSTEMS: ++ deployer.directory.delete( ++ deployer.mdict['pki_subsystem_signed_audit_log_path']) + deployer.directory.delete( +- deployer.mdict['pki_subsystem_signed_audit_log_path']) +- 
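Review bot: Preserving `pki_instance_log_path` is now silent: nothing in the hunk tells the operator that the log tree still exists after the instance is gone. In keeping with the surrounding `config.pki_log.info` style I would add an `else:` branch with `config.pki_log.info("preserving instance logs in '%s'", deployer.mdict['pki_instance_log_path'], extra=config.PKI_INDENTATION_LEVEL_2)` (or a pkimessages constant). Worth confirming, since it is not visible here, that the preserved directory's ownership remains meaningful once the instance user is removed, so that a later account reusing the UID does not inherit writable audit material. The enclosing `destroy` method starts and ends outside the hunk.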
deployer.directory.delete( +- deployer.mdict['pki_subsystem_archive_log_path']) +- deployer.directory.delete( +- deployer.mdict['pki_subsystem_log_path']) ++ deployer.mdict['pki_subsystem_archive_log_path']) ++ deployer.directory.delete( ++ deployer.mdict['pki_subsystem_log_path']) ++ + # remove instance-based subsystem configuration + deployer.directory.delete( + deployer.mdict['pki_subsystem_configuration_path']) +diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy +index 4692e36..4095d13 100755 +--- a/base/server/sbin/pkidestroy ++++ b/base/server/sbin/pkidestroy +@@ -102,6 +102,13 @@ def main(argv): + help='force removal of subsystem' + ) + ++ parser.optional.add_argument( ++ '--remove-logs', ++ dest='pki_remove_logs', ++ action='store_true', ++ help='remove subsystem logs' ++ ) ++ + args = parser.process_command_line_arguments() + + interactive = False +@@ -165,6 +172,9 @@ def main(argv): + # '--force' + force_destroy = args.pki_force_destroy + ++ # '--remove-logs' ++ remove_logs = args.pki_remove_logs ++ + # verify that previously deployed instance exists + deployed_pki_instance_path = os.path.join( + config.PKI_DEPLOYMENT_BASE_ROOT, config.pki_deployed_instance_name +@@ -235,6 +245,9 @@ def main(argv): + # Add force_destroy to master dictionary + parser.mdict['pki_force_destroy'] = force_destroy + ++ # Add remove logs to master dictionary ++ parser.mdict['pki_remove_logs'] = remove_logs ++ + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), +-- +1.8.3.1 + + +From 24405fac463e59250ccf42507bba7fb811e3a2fb Mon Sep 17 00:00:00 2001 +From: Dinesh Prasanth M K +Date: Thu, 1 Nov 2018 17:02:03 -0400 +Subject: [PATCH 03/13] Reuse same instance log dirs (if exists) + +Resolves: Bug 1644769 +Ticket: https://pagure.io/dogtagpki/issue/3077 + +- `pkidestroy` behaviour was chagned to preserve the logs by default. 
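Review bot: The `--remove-logs` help text `'remove subsystem logs'` understates what the flag does: the subsystem_layout change in this same patch deletes `pki_subsystem_signed_audit_log_path` under the same flag, and signed audit logs are the evidence that CC-evaluated deployments are expected to retain. I would make the help text say so, `help='remove subsystem logs, including signed audit logs (irreversible)'`, and mirror it in the man page if one is maintained (not visible here). The later `parser.mdict['pki_remove_logs'] = remove_logs` hunk is fine as is.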
+ When `pkispawn` is run, it throws a name space collision error. +- This patch reuses the log dir and appends logs to the same log dir + structure (if exists) and logs it accordingly. + +`Signed-off-by: Dinesh Prasanth M K ` + +(cherry picked from commit c6c6757b4c566d10d25fe220fa9f59539c7a55ee) +--- + base/server/python/pki/server/deployment/pkihelper.py | 12 +++++------- + base/server/python/pki/server/deployment/pkimessages.py | 2 ++ + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index e1b9a02..3b55f78 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -345,18 +345,16 @@ class Namespace: + log.PKIHELPER_NAMESPACE_COLLISION_2 % ( + self.mdict['pki_instance_name'], + self.mdict['pki_cgroup_cpu_systemd_service_path'])) ++ + if os.path.exists(self.mdict['pki_instance_log_path']) and\ + os.path.exists(self.mdict['pki_subsystem_log_path']): +- # Top-Level PKI log path collision +- config.pki_log.error( +- log.PKIHELPER_NAMESPACE_COLLISION_2, ++ # Check if logs already exist. If so, append to it. 
Log it as info ++ config.pki_log.info( ++ log.PKIHELPER_LOG_REUSE, + self.mdict['pki_instance_name'], + self.mdict['pki_instance_log_path'], + extra=config.PKI_INDENTATION_LEVEL_2) +- raise Exception( +- log.PKIHELPER_NAMESPACE_COLLISION_2 % ( +- self.mdict['pki_instance_name'], +- self.mdict['pki_instance_log_path'])) ++ + if os.path.exists(self.mdict['pki_instance_configuration_path']) and\ + os.path.exists(self.mdict['pki_subsystem_configuration_path']): + # Top-Level PKI configuration path collision +diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py +index 7bb79ca..6539295 100644 +--- a/base/server/python/pki/server/deployment/pkimessages.py ++++ b/base/server/python/pki/server/deployment/pkimessages.py +@@ -277,6 +277,8 @@ PKIHELPER_NAMESPACE_COLLISION_2 = \ + "PKI instance '%s' would produce a namespace collision with '%s'!" + PKIHELPER_NAMESPACE_RESERVED_NAME_2 = \ + "PKI instance '%s' is already a reserved name under '%s'!" ++PKIHELPER_LOG_REUSE = \ ++ "previous logs of PKI instance '%s' already exist. Appending logs to '%s'" + PKIHELPER_NCIPHER_RESTART_1 = "executing '%s'" + PKIHELPER_NOISE_FILE_2 = \ + "generating noise file called '%s' and filling it with '%d' random bytes" +-- +1.8.3.1 + + +From 2a0d9c8c8ee7333198a8f5cb09c988eeeb3d528f Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Wed, 22 Aug 2018 00:02:03 +0200 +Subject: [PATCH 04/13] Updated pki.nssdb to support multiple CSR delimiters + types + +The pki.nssdb module has been modified to support both standard +and legacy CSR delimiters as defined in RFC 7468. 
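Review bot: Reusing an existing log directory now proceeds with only an info message, but the ownership and mode of `pki_instance_log_path` are not checked in this hunk; if the earlier instance ran under a different `pki_user`/`pki_group`, the new instance either cannot write its logs or appends audit records into a tree writable by another account. If the identity scriptlet re-chowns the tree later (not visible here), a comment saying so next to the `config.pki_log.info` call would do; otherwise an `os.stat` check against the configured uid/gid belongs here before continuing. The enclosing method starts and ends outside the hunk.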
+ +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: I609d640a66357f5293ff3a565027c1a395a47db7 +(cherry picked from commit 8bf25507886c446594fa1bd82e3040ab79b271b3) +--- + base/common/python/pki/nssdb.py | 46 ++++++++++++++++++++++++++++++++++------- + 1 file changed, 39 insertions(+), 7 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index f350255..d4ae804 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -34,8 +34,11 @@ from cryptography.hazmat.backends import default_backend + + import pki + +-CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----' +-CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----' ++CSR_HEADER = '-----BEGIN CERTIFICATE REQUEST-----' ++CSR_FOOTER = '-----END CERTIFICATE REQUEST-----' ++ ++LEGACY_CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----' ++LEGACY_CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----' + + CERT_HEADER = '-----BEGIN CERTIFICATE-----' + CERT_FOOTER = '-----END CERTIFICATE-----' +@@ -51,10 +54,18 @@ logger = logging.LoggerAdapter( + extra={'indent': ''}) + + +-def convert_data(data, input_format, output_format, header=None, footer=None): ++def convert_data(data, input_format, output_format, ++ header=None, footer=None, ++ headers=None, footers=None): ++ ''' ++ This method converts a PEM file to base-64 and vice versa. ++ It supports CSR, certificate, and PKCS #7 certificate chain. 
++ ''' ++ + if input_format == output_format: + return data + ++ # converting from base-64 to PEM + if input_format == 'base64' and output_format == 'pem': + + # join base-64 data into a single line +@@ -66,16 +77,30 @@ def convert_data(data, input_format, output_format, header=None, footer=None): + # add header and footer + return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer) + ++ # converting from PEM to base-64 + if input_format == 'pem' and output_format == 'base64': + ++ # initialize list of headers if not provided ++ if not headers: ++ headers = [header] ++ ++ # initialize list of footers if not provided ++ if not footers: ++ footers = [footer] ++ + # join multiple lines into a single line + lines = [] + for line in data.splitlines(): + line = line.rstrip('\r\n') +- if line == header: ++ ++ # if the line is a header, skip ++ if line in headers: + continue +- if line == footer: ++ ++ # if the line is a footer, skip ++ if line in footers: + continue ++ + lines.append(line) + + return ''.join(lines) +@@ -86,7 +111,9 @@ def convert_data(data, input_format, output_format, header=None, footer=None): + + def convert_csr(csr_data, input_format, output_format): + return convert_data(csr_data, input_format, output_format, +- CSR_HEADER, CSR_FOOTER) ++ CSR_HEADER, CSR_FOOTER, ++ headers=[CSR_HEADER, LEGACY_CSR_HEADER], ++ footers=[CSR_FOOTER, LEGACY_CSR_FOOTER]) + + + def convert_cert(cert_data, input_format, output_format): +@@ -100,10 +127,15 @@ def convert_pkcs7(pkcs7_data, input_format, output_format): + + + def get_file_type(filename): ++ ''' ++ This method detects the content of a PEM file. It supports ++ CSR, certificate, PKCS #7 certificate chain. 
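Review bot: The header/footer skip in the PEM-to-base64 branch is an exact-line match after `rstrip('\r\n')`, so a delimiter line with trailing spaces or tabs, or one indented by a copy-paste, is not skipped and its text is concatenated into the returned base64 string, which then fails (or decodes to garbage) only at the consumer. `line = line.strip()` followed by `if not line: continue` before the header/footer tests is enough and also drops blank lines. Nothing verifies that a header was seen at all, so armour-less input is returned joined as-is; that may be intentional for raw base64 input but deserves a comment on the branch.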
++ ''' ++ + with open(filename, 'r') as f: + data = f.read() + +- if data.startswith(CSR_HEADER): ++ if data.startswith(CSR_HEADER) or data.startswith(LEGACY_CSR_HEADER): + return 'csr' + + if data.startswith(CERT_HEADER): +-- +1.8.3.1 + + +From b9867142f4971a98b6c79ba16788db8829dfd79d Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Mon, 20 Aug 2018 23:14:25 +0200 +Subject: [PATCH 05/13] Removed default CSR paths + +The default.cfg has been modified to remove default CSR paths. + +The verify_predefined_configuration_file_data() has been modified +to no longer require CSR path parameters in the first step of +external CA scenario. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Idef6849b8bd7ee00d13151e0de10357a1f1d9ef2 +(cherry picked from commit f3dc6c79370d8b57362272c40bd9f67aaf791710) +--- + base/server/etc/default.cfg | 24 ++++++++-------- + .../python/pki/server/deployment/pkihelper.py | 32 +--------------------- + 2 files changed, 13 insertions(+), 43 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index b92cca7..2c0430a 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -330,7 +330,7 @@ pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=% + pki_ca_signing_token= + + # DEPRECATED: Use 'pki_ca_signing_csr_path' instead. +-pki_external_csr_path=%(pki_instance_configuration_path)s/external_ca.csr ++pki_external_csr_path= + pki_ca_signing_csr_path=%(pki_external_csr_path)s + + pki_ocsp_signing_csr_path= +@@ -442,12 +442,12 @@ pki_kra_ephemeral_requests=False + + # DEPRECATED + # Use 'pki_*_csr_path' instead. 
+-pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +-pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +-pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +-pki_external_storage_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_storage.csr +-pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr +-pki_external_transport_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_transport.csr ++pki_external_admin_csr_path= ++pki_external_audit_signing_csr_path= ++pki_external_sslserver_csr_path= ++pki_external_storage_csr_path= ++pki_external_subsystem_csr_path= ++pki_external_transport_csr_path= + + pki_admin_csr_path=%(pki_external_admin_csr_path)s + pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s +@@ -527,11 +527,11 @@ pki_standalone=False + + # DEPRECATED + # Use 'pki_*_csr_path' instead. 
+-pki_external_admin_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_admin.csr +-pki_external_audit_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_audit_signing.csr +-pki_external_signing_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_signing.csr +-pki_external_sslserver_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_sslserver.csr +-pki_external_subsystem_csr_path=%(pki_instance_configuration_path)s/%(pki_subsystem_type)s_subsystem.csr ++pki_external_admin_csr_path= ++pki_external_audit_signing_csr_path= ++pki_external_signing_csr_path= ++pki_external_sslserver_csr_path= ++pki_external_subsystem_csr_path= + + pki_admin_csr_path=%(pki_external_admin_csr_path)s + pki_audit_signing_csr_path=%(pki_external_audit_signing_csr_path)s +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index 3b55f78..b3c3ccb 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -712,39 +712,9 @@ class ConfigurationFile: + # pki_ca_signing_cert_path are optional. 
+ pass + elif not self.skip_configuration and self.standalone: +- if not self.external_step_two: +- +- # Stand-alone PKI Admin CSR (Step 1) +- self.confirm_data_exists("pki_admin_csr_path") +- +- # Stand-alone PKI Audit Signing CSR (Step 1) +- self.confirm_data_exists( +- "pki_audit_signing_csr_path") + +- # Stand-alone PKI SSL Server CSR (Step 1) +- self.confirm_data_exists("pki_sslserver_csr_path") ++ if self.external_step_two: + +- # Stand-alone PKI Subsystem CSR (Step 1) +- self.confirm_data_exists("pki_subsystem_csr_path") +- +- # Stand-alone PKI KRA CSRs +- if self.subsystem == "KRA": +- +- # Stand-alone PKI KRA Storage CSR (Step 1) +- self.confirm_data_exists( +- "pki_storage_csr_path") +- +- # Stand-alone PKI KRA Transport CSR (Step 1) +- self.confirm_data_exists( +- "pki_transport_csr_path") +- +- # Stand-alone PKI OCSP CSRs +- if self.subsystem == "OCSP": +- # Stand-alone PKI OCSP OCSP Signing CSR (Step 1) +- self.confirm_data_exists( +- "pki_ocsp_signing_csr_path") +- +- else: + # Stand-alone PKI External CA Certificate (Step 2) + # The pki_ca_signing_cert_path is optional. + +-- +1.8.3.1 + + +From e2563b186203e5e89d281ff5c39ca182f62cfefa Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 21 Aug 2018 01:03:11 +0200 +Subject: [PATCH 06/13] Added support for installation with custom CSRs + +The installation code has been modified to import custom +CSRs for KRA and OCSP system certicates if provided. The +CA installation already supports this functionality. 
+ +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Ic6a7a462bf07f2ca07275a01fc04b8d194005188 +(cherry picked from commit 88271a9b3d829669fb997ee6158081da18faed97) +--- + .../netscape/cms/servlet/csadmin/ConfigurationUtils.java | 11 +++-------- + .../pki/server/deployment/scriptlets/configuration.py | 16 ++++++++++++---- + 2 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +index d8b4965..7398891 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +@@ -2986,14 +2986,9 @@ public class ConfigurationUtils { + + CMS.debug("ConfigurationUtils.loadCertRequest(" + tag + ")"); + +- try { +- String certreq = config.getString(subsystem + "." + tag + ".certreq"); +- return CryptoUtil.base64Decode(certreq); +- +- } catch (EPropertyNotFound e) { +- // The CSR is optional for existing CA case. +- return null; +- } ++ // the CSR must exist in the second step of external CA scenario ++ String certreq = config.getString(subsystem + "." 
+ tag + ".certreq"); ++ return CryptoUtil.base64Decode(certreq); + } + + public static void generateCertRequest(IConfigStore config, String certTag, Cert cert) throws Exception { +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index 7bc0023..cf02205 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -368,7 +368,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + csr_data = f.read() + + b64_csr = pki.nssdb.convert_csr(csr_data, 'pem', 'base64') +- subsystem.config['ca.%s.certreq' % tag] = b64_csr ++ subsystem.config['%s.%s.certreq' % (subsystem.name, tag)] = b64_csr + + def import_ca_signing_csr(self, deployer, subsystem): + +@@ -391,9 +391,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if subsystem.name == 'ca': + self.import_ca_signing_csr(deployer, subsystem) + self.import_system_cert_request(deployer, subsystem, 'ocsp_signing') +- self.import_system_cert_request(deployer, subsystem, 'audit_signing') +- self.import_system_cert_request(deployer, subsystem, 'subsystem') +- self.import_system_cert_request(deployer, subsystem, 'sslserver') ++ ++ if subsystem.name == 'kra': ++ self.import_system_cert_request(deployer, subsystem, 'storage') ++ self.import_system_cert_request(deployer, subsystem, 'transport') ++ ++ if subsystem.name == 'ocsp': ++ self.import_system_cert_request(deployer, subsystem, 'signing') ++ ++ self.import_system_cert_request(deployer, subsystem, 'audit_signing') ++ self.import_system_cert_request(deployer, subsystem, 'subsystem') ++ self.import_system_cert_request(deployer, subsystem, 'sslserver') + + def import_ca_signing_cert(self, deployer, nssdb): + +-- +1.8.3.1 + + +From e3b8099fb20b6806020bab1a1687340da643eacf Mon Sep 17 00:00:00 2001 +From: "Endi S. 
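Review bot: Removing the `EPropertyNotFound` catch changes `loadCertRequest` from returning `null` to throwing when `<subsystem>.<tag>.certreq` is absent, and the removed comment documented that the existing-CA case relied on that `null`; unless every caller on that path was also changed (not visible in this hunk), a tolerated absence becomes a configuration failure. If the stricter contract is intended, record it in the method's Javadoc with `@throws EPropertyNotFound if no CSR was provided for the tag (required in step two of the external CA scenario)`, and check whether the `EPropertyNotFound` import is now unused. The method's signature is outside the hunk.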
Dewata" +Date: Tue, 21 Aug 2018 20:01:30 +0200 +Subject: [PATCH 07/13] Fixed messages for installation with custom keys + +The pkispawn has been modified to display the proper message +for installation with custom keys where the CSRs will not be +generated. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Ibd0ae62c88c2b10520231de3e485e305c715218c +(cherry picked from commit e50f3b0b6034c2c18a0775f2e91fd2e5ea21678f) +--- + base/server/sbin/pkispawn | 81 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 65 insertions(+), 16 deletions(-) + +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index ab94b8b..64c7a67 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -760,9 +760,17 @@ def print_external_ca_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" A CSR for the CA certificate has been generated at:\n" +- " %s" +- % mdict['pki_ca_signing_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ signing_csr = mdict['pki_ca_signing_csr_path'] ++ ++ if signing_csr: ++ print(" A CSR for the CA signing certificate has been generated in:") ++ print(" %s" % mdict['pki_ca_signing_csr_path']) ++ else: ++ print(" No CSR has been generated for CA signing certificate.") ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +@@ -773,13 +781,35 @@ def print_kra_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." 
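Review bot: In `print_external_ca_step_one_information` the new code reads `mdict['pki_ca_signing_csr_path']` into `signing_csr`, tests it, and then prints the dictionary lookup again instead of the local; `print("  %s" % signing_csr)` keeps the two in step and matches how the KRA and OCSP variants below print their locals. Minor, but it is the only place in the three functions where the local is not used.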
% + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" The CSRs for KRA certificates have been generated in:") +- print(" storage: %s" % mdict['pki_storage_csr_path']) +- print(" transport: %s" % mdict['pki_transport_csr_path']) +- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) +- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) +- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) +- print(" admin: %s" % mdict['pki_admin_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ storage_csr = mdict['pki_storage_csr_path'] ++ transport_csr = mdict['pki_transport_csr_path'] ++ subsystem_csr = mdict['pki_subsystem_csr_path'] ++ sslserver_csr = mdict['pki_sslserver_csr_path'] ++ audit_csr = mdict['pki_audit_signing_csr_path'] ++ admin_csr = mdict['pki_admin_csr_path'] ++ ++ if storage_csr or transport_csr or subsystem_csr or sslserver_csr \ ++ or audit_csr or admin_csr: ++ print(" The CSRs for KRA certificates have been generated in:") ++ else: ++ print(" No CSRs have been generated for KRA certificates.") ++ ++ if storage_csr: ++ print(" storage: %s" % storage_csr) ++ if transport_csr: ++ print(" transport: %s" % transport_csr) ++ if subsystem_csr: ++ print(" subsystem: %s" % subsystem_csr) ++ if sslserver_csr: ++ print(" SSL server: %s" % sslserver_csr) ++ if audit_csr: ++ print(" audit signing: %s" % audit_csr) ++ if admin_csr: ++ print(" admin: %s" % admin_csr) ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +@@ -790,12 +820,31 @@ def print_ocsp_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." 
% + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" The CSRs for OCSP certificates have been generated in:") +- print(" OCSP signing: %s" % mdict['pki_ocsp_signing_csr_path']) +- print(" subsystem: %s" % mdict['pki_subsystem_csr_path']) +- print(" SSL server: %s" % mdict['pki_sslserver_csr_path']) +- print(" audit signing: %s" % mdict['pki_audit_signing_csr_path']) +- print(" admin: %s" % mdict['pki_admin_csr_path']) ++ print(" NSS database: %s" % mdict['pki_database_path']) ++ print() ++ ++ signing_csr = mdict['pki_ocsp_signing_csr_path'] ++ subsystem_csr = mdict['pki_subsystem_csr_path'] ++ sslserver_csr = mdict['pki_sslserver_csr_path'] ++ audit_csr = mdict['pki_audit_signing_csr_path'] ++ admin_csr = mdict['pki_admin_csr_path'] ++ ++ if signing_csr or subsystem_csr or sslserver_csr or audit_csr or admin_csr: ++ print(" The CSRs for OCSP certificates have been generated in:") ++ else: ++ print(" No CSRs have been generated for OCSP certificates.") ++ ++ if signing_csr: ++ print(" OCSP signing: %s" % signing_csr) ++ if subsystem_csr: ++ print(" subsystem: %s" % subsystem_csr) ++ if sslserver_csr: ++ print(" SSL server: %s" % sslserver_csr) ++ if audit_csr: ++ print(" audit signing: %s" % audit_csr) ++ if admin_csr: ++ print(" admin: %s" % admin_csr) ++ + print(log.PKI_RUN_INSTALLATION_STEP_TWO) + print(log.PKI_SPAWN_INFORMATION_FOOTER) + +-- +1.8.3.1 + + +From 6c7079adf8878a2c799cd716c3df9ec75816accd Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Thu, 23 Aug 2018 06:10:44 +0200 +Subject: [PATCH 08/13] Fixed pki client-cert-import to accept PKCS #7 CA cert + chain + +The NSSDatabase.add_cert() has been modified to accept both single +certificates and PKCS #7 certificate chains in PEM format. + +The pki client-cert-import has been modified to support importing +CA cert chain in PKCS #7 format. + +The Cert.parseCertificate() has been modified to parse PKCS #7 +cert chain properly. 
+ +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: Ibeffcfa4915638df7b13a0cb6deb8c4afc775ca1 +(cherry picked from commit 9cef57869f01e89653331c0e22c9d3bacf7744ce) +--- + base/common/python/pki/nssdb.py | 2 ++ + .../com/netscape/cmstools/client/ClientCertImportCLI.java | 14 +++++++++++--- + base/util/src/com/netscape/cmsutil/util/Cert.java | 12 +++++++++--- + 3 files changed, 22 insertions(+), 6 deletions(-) + +diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py +index d4ae804..05d2c62 100644 +--- a/base/common/python/pki/nssdb.py ++++ b/base/common/python/pki/nssdb.py +@@ -223,6 +223,7 @@ class NSSDatabase(object): + '-P', self.token, + '-f', self.password_file, + '-n', nickname, ++ '-a', + '-i', cert_file, + '-t', '' + ] +@@ -242,6 +243,7 @@ class NSSDatabase(object): + '-d', self.directory, + '-f', self.internal_password_file, + '-n', nickname, ++ '-a', + '-i', cert_file, + '-t', trust_attributes + ] +diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +index 99b215e..62fd4d6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java ++++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java +@@ -19,7 +19,6 @@ + package com.netscape.cmstools.client; + + import java.io.File; +-import java.io.FileOutputStream; + import java.io.FileWriter; + import java.io.PrintWriter; + import java.net.URI; +@@ -45,6 +44,7 @@ import com.netscape.cmstools.cli.CLI; + import com.netscape.cmstools.cli.MainCLI; + import com.netscape.cmsutil.crypto.CryptoUtil; + import com.netscape.cmsutil.util.Cert; ++import com.netscape.cmsutil.util.Utils; + + import netscape.security.pkcs.PKCS12; + import netscape.security.pkcs.PKCS7; +@@ -250,8 +250,11 @@ public class ClientCertImportCLI extends CLI { + File certFile = File.createTempFile("pki-client-cert-import-", ".crt"); + certFile.deleteOnExit(); + +- try 
(FileOutputStream out = new FileOutputStream(certFile)) { +- out.write(bytes); ++ try (FileWriter fw = new FileWriter(certFile); ++ PrintWriter out = new PrintWriter(fw)) { ++ out.println(PKCS7.HEADER); ++ out.print(Utils.base64encode(bytes, true)); ++ out.println(PKCS7.FOOTER); + } + + if (trustAttributes == null) +@@ -338,6 +341,9 @@ public class ClientCertImportCLI extends CLI { + command.add(dbPasswordFile.getAbsolutePath()); + } + ++ // accept PEM or PKCS #7 certificate ++ command.add("-a"); ++ + command.add("-i"); + command.add(certFile); + command.add("-n"); +@@ -362,10 +368,12 @@ public class ClientCertImportCLI extends CLI { + String trustAttributes) throws Exception { + + if (nickname != null) { ++ // import a single CA certificate with the provided nickname + importCert(dbPath, dbPasswordFile, certFile, nickname, trustAttributes); + return; + } + ++ // import CA certificate chain with auto-generated nicknames + String pemCert = new String(Files.readAllBytes(Paths.get(certFile))).trim(); + byte[] binCert = Cert.parseCertificate(pemCert); + +diff --git a/base/util/src/com/netscape/cmsutil/util/Cert.java b/base/util/src/com/netscape/cmsutil/util/Cert.java +index f084395..e6f2460 100644 +--- a/base/util/src/com/netscape/cmsutil/util/Cert.java ++++ b/base/util/src/com/netscape/cmsutil/util/Cert.java +@@ -33,6 +33,9 @@ public class Cert { + public static final String HEADER = "-----BEGIN CERTIFICATE-----"; + public static final String FOOTER = "-----END CERTIFICATE-----"; + ++ public static final String PKCS7_HEADER = "-----BEGIN PKCS7-----"; ++ public static final String PKCS7_FOOTER = "-----END PKCS7-----"; ++ + // From https://www.rfc-editor.org/rfc/rfc7468.txt + public static final String REQUEST_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"; + public static final String REQUEST_FOOTER = "-----END CERTIFICATE REQUEST-----"; +@@ -68,9 +71,12 @@ public class Cert { + return s; + } + +- if ((s.startsWith(HEADER)) && +- (s.endsWith(FOOTER))) { +- return 
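Review bot: The temporary file is now written with `PKCS7.HEADER`/`PKCS7.FOOTER`, while the same commit introduces `Cert.PKCS7_HEADER`/`Cert.PKCS7_FOOTER` (`-----BEGIN PKCS7-----`) for parsing; if `PKCS7.HEADER` (defined outside this hunk) does not spell the same string, files written here are not recognised on the parsing side, so one constant should serve both, or a comment should state that they must match. `FileWriter` uses the platform default charset; base64 is ASCII so the output is portable in practice, but `Files.newBufferedWriter(certFile.toPath(), StandardCharsets.US_ASCII)` would make that explicit. The temp file holds only certificates, so default `createTempFile` permissions are acceptable, but that is worth a comment since `deleteOnExit` fires only on normal JVM exit.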
(s.substring(27, (s.length() - 25))); ++ if (s.startsWith(HEADER) && s.endsWith(FOOTER)) { ++ return s.substring(HEADER.length(), s.length() - FOOTER.length()); ++ } ++ ++ if (s.startsWith(PKCS7_HEADER) && s.endsWith(PKCS7_FOOTER)) { ++ return s.substring(PKCS7_HEADER.length(), s.length() - PKCS7_FOOTER.length()); + } + + // To support Thawte's header and footer +-- +1.8.3.1 + + +From ea9b582909d10d8f6c485860615319b6f6c31741 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 31 Aug 2018 00:32:44 +0200 +Subject: [PATCH 09/13] Renamed server NSS database parameters + +The following parameters have been renamed for consistency: +* pki_database_path -> pki_server_database_path +* pki_pin -> pki_server_database_password + +The old parameters are still usable but they have been +deprecated. + +The pki_client_pin is redundant so it has been removed. + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: I243a01b360f573a16a160e9a415f786e38681603 +(cherry picked from commit 80defb1b7602eb59f5ee817a76acac86490ce853) +--- + base/server/etc/default.cfg | 10 ++++++- + .../python/pki/server/deployment/pkihelper.py | 10 +++---- + .../python/pki/server/deployment/pkiparser.py | 34 +++++++++++++--------- + .../server/deployment/scriptlets/configuration.py | 4 +-- + .../deployment/scriptlets/instance_layout.py | 6 ++-- + .../deployment/scriptlets/security_databases.py | 21 ++++++------- + .../server/deployment/scriptlets/selinux_setup.py | 8 ++--- + base/server/sbin/pkispawn | 6 ++-- + 8 files changed, 57 insertions(+), 42 deletions(-) + +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index 2c0430a..0ae0764 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -31,6 +31,7 @@ sensitive_parameters= + pki_pin + pki_replication_password + pki_security_domain_password ++ pki_server_database_password + pki_server_pkcs12_password + pki_token_password + +@@ -173,6 +174,14 @@ 
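Review bot: The helper this hunk extends (signature above the hunk; it returns the string `s`) now also strips the PKCS #7 armour, so for such input its result is the base64 of a PKCS #7 structure rather than of a single certificate, yet the commit message and the `byte[] binCert = Cert.parseCertificate(pemCert)` call in ClientCertImportCLI still read as if a certificate comes back. I would say so in the method's Javadoc: that it returns the body between whichever recognised armour pair is present, that a PKCS #7 body must be parsed as such by the caller, and that the newlines around the body are left in the returned string unless normalised elsewhere (not visible here). The method continues past the hunk with the Thawte header case.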
pki_cert_chain_path=%(pki_external_ca_cert_chain_path)s + pki_external_ca_cert_chain_nickname=caSigningCert External CA + pki_cert_chain_nickname=%(pki_external_ca_cert_chain_nickname)s + ++# DEPRECATED: Use 'pki_server_database_path' instead. ++pki_database_path=%(pki_instance_configuration_path)s/alias ++pki_server_database_path=%(pki_database_path)s ++ ++# DEPRECATED: Use 'pki_server_database_password' instead. ++pki_pin= ++pki_server_database_password= ++ + pki_pkcs12_path= + pki_pkcs12_password= + +@@ -201,7 +210,6 @@ pki_registry_path=%(pki_root_prefix)s/etc/sysconfig/pki + pki_instance_path=%(pki_path)s/%(pki_instance_name)s + pki_instance_log_path=%(pki_log_path)s/%(pki_instance_name)s + pki_instance_configuration_path=%(pki_configuration_path)s/%(pki_instance_name)s +-pki_database_path=%(pki_instance_configuration_path)s/alias + pki_instance_database_link=%(pki_instance_path)s/alias + pki_instance_conf_link=%(pki_instance_path)s/conf + pki_instance_logs_link=%(pki_instance_path)s/logs +diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py +index b3c3ccb..77594ec 100644 +--- a/base/server/python/pki/server/deployment/pkihelper.py ++++ b/base/server/python/pki/server/deployment/pkihelper.py +@@ -3092,7 +3092,7 @@ class KRAConnector: + "-h", cahost, + "-n", subsystemnick, + "-P", "https", +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-c", token_pwd, + "ca-kraconnector-del", + "--host", krahost, +@@ -3125,7 +3125,7 @@ class KRAConnector: + command = ["/usr/bin/sslget", + "-n", subsystemnick, + "-p", token_pwd, +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", update_url, cahost + ":" + str(caport)] +@@ -3236,7 +3236,7 @@ class TPSConnector: + "-h", tkshost, + "-n", subsystemnick, + "-P", "https", +- "-d", self.mdict['pki_database_path'], ++ "-d", 
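Review bot: The two deprecated aliases are wired differently and the file does not say so: `pki_server_database_path` falls back to `pki_database_path` through `%(pki_database_path)s` interpolation right here, while `pki_server_database_password` is left empty and the fallback to `pki_pin` happens only in the Python deployer (the selection logic in pkiparser.py later in this series, which also generates a random password when both are empty). A reader of default.cfg would reasonably expect `pki_server_database_password=%(pki_pin)s` and may conclude the pin is ignored. Suggest a comment on the password line, `# Left empty on purpose: the deployer falls back to pki_pin, and then to a generated password, when this is unset.`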
self.mdict['pki_server_database_path'], + "-c", token_pwd, + "-t", "tks", + "tks-tpsconnector-del", +@@ -3336,7 +3336,7 @@ class SecurityDomain: + admin_update_url = "/ca/admin/ca/updateDomainXML" + command = ["/usr/bin/sslget", + "-p", str(123456), +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", admin_update_url, +@@ -3451,7 +3451,7 @@ class SecurityDomain: + command = ["/usr/bin/sslget", + "-n", subsystemnick, + "-p", token_pwd, +- "-d", self.mdict['pki_database_path'], ++ "-d", self.mdict['pki_server_database_path'], + "-e", params, + "-v", + "-r", update_url, sechost + ":" + str(secagentport)] +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 2397f43..5b8cdd3 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -84,7 +84,11 @@ class PKIConfigParser: + (None, 'pki_ssl_server_subject_dn', + None, 'pki_sslserver_subject_dn'), + (None, 'pki_ssl_server_token', +- None, 'pki_sslserver_token') ++ None, 'pki_sslserver_token'), ++ (None, 'pki_database_path', ++ None, 'pki_server_database_path'), ++ (None, 'pki_pin', ++ None, 'pki_server_database_password'), + ] + + DEPRECATED_CA_PARAMS = [ +@@ -490,6 +494,7 @@ class PKIConfigParser: + 'pki_pin', + 'pki_replication_password', + 'pki_security_domain_password', ++ 'pki_server_database_password', + 'pki_server_pkcs12_password', + 'pki_token_password') + +@@ -766,17 +771,23 @@ class PKIConfigParser: + + # if instance already exists and has password, reuse the password + if internal_token in instance.passwords: +- self.mdict['pki_pin'] = instance.passwords.get(internal_token) ++ self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) + + # otherwise, use user-provided password if specified +- elif 'pki_pin' in self.mdict: ++ elif 
self.mdict['pki_server_database_password']: + pass + ++ # otherwise, use user-provided pin if specified ++ elif self.mdict['pki_pin']: ++ self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] ++ + # otherwise, generate a random password + else: +- self.mdict['pki_pin'] = pki.generate_password() ++ self.mdict['pki_server_database_password'] = pki.generate_password() + +- self.mdict['pki_client_pin'] = pki.generate_password() ++ # generate random password for client database if not specified ++ if not self.mdict['pki_client_database_password']: ++ self.mdict['pki_client_database_password'] = pki.generate_password() + + pkilogging.sensitive_parameters = \ + self.mdict['sensitive_parameters'].split() +@@ -1231,13 +1242,13 @@ class PKIConfigParser: + self.mdict['pki_instance_configuration_path'], + "password.conf") + self.mdict['pki_cert_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "cert8.db") + self.mdict['pki_key_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "key3.db") + self.mdict['pki_secmod_database'] = \ +- os.path.join(self.mdict['pki_database_path'], ++ os.path.join(self.mdict['pki_server_database_path'], + "secmod.db") + self.mdict['pki_self_signed_nickname'] = \ + self.mdict['pki_sslserver_nickname'] +@@ -1262,11 +1273,6 @@ class PKIConfigParser: + self.mdict['pki_subsystem_configuration_path'], + "password.conf") + +- if not len(self.mdict['pki_client_database_password']): +- # use randomly generated client 'pin' +- self.mdict['pki_client_database_password'] = \ +- str(self.mdict['pki_client_pin']) +- + # Configuration scriptlet + # 'Security Domain' Configuration name/value pairs + # 'Subsystem Name' Configuration name/value pairs +@@ -1393,7 +1399,7 @@ class PKIConfigParser: + # NOTE: ALWAYS store the PKCS #12 backup keys file + # in with the NSS "server" security databases + 
self.mdict['pki_backup_keys_p12'] = \ +- self.mdict['pki_database_path'] + "/" + \ ++ self.mdict['pki_server_database_path'] + "/" + \ + self.mdict['pki_subsystem'].lower() + "_" + \ + "backup" + "_" + "keys" + "." + "p12" + +diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py +index cf02205..f085e80 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py ++++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py +@@ -865,7 +865,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + deployer.password.create_password_conf( + deployer.mdict['pki_shared_pfile'], +- deployer.mdict['pki_pin'], pin_sans_token=True) ++ deployer.mdict['pki_server_database_password'], pin_sans_token=True) + + # only create a self signed cert for a new instance + # +@@ -884,7 +884,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + f.write("not_so_random_data") + + deployer.certutil.generate_self_signed_certificate( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +index 568c0a0..e5ce820 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py ++++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py +@@ -162,10 +162,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.systemd.daemon_reload() + + # establish shared NSS security databases for this instance +- deployer.directory.create(deployer.mdict['pki_database_path']) ++ deployer.directory.create(deployer.mdict['pki_server_database_path']) + # establish instance convenience symbolic links + 
deployer.symlink.create( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_instance_database_link']) + deployer.symlink.create( + deployer.mdict['pki_instance_configuration_path'], +@@ -205,7 +205,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.directory.delete(deployer.mdict['pki_instance_log_path']) + + # remove shared NSS security database path for this instance +- deployer.directory.delete(deployer.mdict['pki_database_path']) ++ deployer.directory.delete(deployer.mdict['pki_server_database_path']) + # remove Tomcat instance configuration + deployer.directory.delete( + deployer.mdict['pki_instance_configuration_path']) +diff --git a/base/server/python/pki/server/deployment/scriptlets/security_databases.py b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +index 02f4713..7ce32a8 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/security_databases.py ++++ b/base/server/python/pki/server/deployment/scriptlets/security_databases.py +@@ -54,12 +54,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + if config.str2bool(deployer.mdict['pki_hsm_enable']): + deployer.password.create_hsm_password_conf( + deployer.mdict['pki_shared_password_conf'], +- deployer.mdict['pki_pin'], ++ deployer.mdict['pki_server_database_password'], + deployer.mdict['pki_token_password']) + else: + deployer.password.create_password_conf( + deployer.mdict['pki_shared_password_conf'], +- deployer.mdict['pki_pin']) ++ deployer.mdict['pki_server_database_password']) + + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' +@@ -67,11 +67,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # allowing 'certutil' to generate the security databases + deployer.password.create_password_conf( + deployer.mdict['pki_shared_pfile'], +- deployer.mdict['pki_pin'], pin_sans_token=True) 
++ deployer.mdict['pki_server_database_password'], pin_sans_token=True) + deployer.file.modify(deployer.mdict['pki_shared_password_conf']) + + deployer.certutil.create_security_databases( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +@@ -79,7 +79,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + if config.str2bool(deployer.mdict['pki_hsm_enable']): + deployer.modutil.register_security_module( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_hsm_modulename'], + deployer.mdict['pki_hsm_libfile']) + deployer.file.modify( +@@ -103,7 +103,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise Exception('Missing pki_server_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( +- directory=deployer.mdict['pki_database_path'], ++ directory=deployer.mdict['pki_server_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + try: +@@ -129,7 +129,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + raise Exception('Missing pki_clone_pkcs12_password property.') + + nssdb = pki.nssdb.NSSDatabase( +- directory=deployer.mdict['pki_database_path'], ++ directory=deployer.mdict['pki_server_database_path'], + password_file=deployer.mdict['pki_shared_pfile']) + + try: +@@ -162,7 +162,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + nickname=deployer.mdict['pki_audit_signing_nickname'], + trust_attributes='u,u,Pu') + +- print('Imported certificates in %s:' % deployer.mdict['pki_database_path']) ++ print('Imported certificates into %s:' % ++ deployer.mdict['pki_server_database_path']) + + nssdb.show_certs() + +@@ -180,7 +181,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + # the instance will utilize 'softokn' or an HSM + # + rv = 
deployer.certutil.verify_certificate_exists( +- deployer.mdict['pki_database_path'], ++ deployer.mdict['pki_server_database_path'], + deployer.mdict['pki_cert_database'], + deployer.mdict['pki_key_database'], + deployer.mdict['pki_secmod_database'], +@@ -195,7 +196,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + 'pki_ds_secure_connection_ca_trustargs'], + deployer.mdict['pki_ds_secure_connection_ca_pem_file'], + password_file=deployer.mdict['pki_shared_pfile'], +- path=deployer.mdict['pki_database_path'], ++ path=deployer.mdict['pki_server_database_path'], + token=deployer.mdict['pki_self_signed_token']) + + # Always delete the temporary 'pfile' +diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +index d5e4b0c..7d324d4 100644 +--- a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py ++++ b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py +@@ -115,10 +115,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + config.pki_log.info( + "adding selinux fcontext \"%s\"", +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add( +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + + port_records = seobject.portRecords(trans) +@@ -206,10 +206,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + config.pki_log.info( + "deleting selinux fcontext \"%s\"", +- deployer.mdict['pki_database_path'] + self.suffix, ++ deployer.mdict['pki_server_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete( +- deployer.mdict['pki_database_path'] + ++ deployer.mdict['pki_server_database_path'] + + self.suffix, "") + + port_records = 
seobject.portRecords(trans) +diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn +index 64c7a67..867a381 100755 +--- a/base/server/sbin/pkispawn ++++ b/base/server/sbin/pkispawn +@@ -760,7 +760,7 @@ def print_external_ca_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + signing_csr = mdict['pki_ca_signing_csr_path'] +@@ -781,7 +781,7 @@ def print_kra_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + storage_csr = mdict['pki_storage_csr_path'] +@@ -820,7 +820,7 @@ def print_ocsp_step_one_information(mdict): + print(" The %s subsystem of the '%s' instance is still incomplete." % + (deployer.subsystem_name, mdict['pki_instance_name'])) + print() +- print(" NSS database: %s" % mdict['pki_database_path']) ++ print(" NSS database: %s" % mdict['pki_server_database_path']) + print() + + signing_csr = mdict['pki_ocsp_signing_csr_path'] +-- +1.8.3.1 + + +From a3d27ed43b9c119cfaff100573d89c2caa08e3b7 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 7 Sep 2018 16:32:47 +0200 +Subject: [PATCH 10/13] Fixed password generation in pkispawn + +Previously the NSS database passwords were generated in +pkiparser.py. Under certain scenarios the password may be +overwritten by a subsequent code in pkispawn. To avoid the +problem the code that generates the NSS database passwords +has been moved into the initialization scriptlet. 
+ +https://pagure.io/dogtagpki/issue/3061 + +Change-Id: Ieabfaea7465b615f214820d2ed877f4da589dadb +(cherry picked from commit 9a984ee0a709645fe9b6044367ed28076692ee86) +--- + .../python/pki/server/deployment/pkiparser.py | 25 -------------------- + .../server/deployment/scriptlets/initialization.py | 27 ++++++++++++++++++++++ + 2 files changed, 27 insertions(+), 25 deletions(-) + +diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py +index 5b8cdd3..2ea7319 100644 +--- a/base/server/python/pki/server/deployment/pkiparser.py ++++ b/base/server/python/pki/server/deployment/pkiparser.py +@@ -764,31 +764,6 @@ class PKIConfigParser: + + self.deployer.flatten_master_dict() + +- instance = pki.server.PKIInstance(self.mdict['pki_instance_name']) +- instance.load() +- +- internal_token = self.mdict['pki_self_signed_token'] +- +- # if instance already exists and has password, reuse the password +- if internal_token in instance.passwords: +- self.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) +- +- # otherwise, use user-provided password if specified +- elif self.mdict['pki_server_database_password']: +- pass +- +- # otherwise, use user-provided pin if specified +- elif self.mdict['pki_pin']: +- self.mdict['pki_server_database_password'] = self.mdict['pki_pin'] +- +- # otherwise, generate a random password +- else: +- self.mdict['pki_server_database_password'] = pki.generate_password() +- +- # generate random password for client database if not specified +- if not self.mdict['pki_client_database_password']: +- self.mdict['pki_client_database_password'] = pki.generate_password() +- + pkilogging.sensitive_parameters = \ + self.mdict['sensitive_parameters'].split() + +diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py +index efd1536..4515b55 100644 +--- 
a/base/server/python/pki/server/deployment/scriptlets/initialization.py ++++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py +@@ -19,6 +19,7 @@ + # + + from __future__ import absolute_import ++import pki + + # PKI Deployment Imports + from .. import pkiconfig as config +@@ -36,6 +37,32 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + deployer.mdict['pki_subsystem'], + deployer.mdict['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) ++ ++ instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name']) ++ instance.load() ++ ++ internal_token = deployer.mdict['pki_self_signed_token'] ++ ++ # if instance already exists and has password, reuse the password ++ if internal_token in instance.passwords: ++ deployer.mdict['pki_server_database_password'] = instance.passwords.get(internal_token) ++ ++ # otherwise, use user-provided password if specified ++ elif deployer.mdict['pki_server_database_password']: ++ pass ++ ++ # otherwise, use user-provided pin if specified ++ elif deployer.mdict['pki_pin']: ++ deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin'] ++ ++ # otherwise, generate a random password ++ else: ++ deployer.mdict['pki_server_database_password'] = pki.generate_password() ++ ++ # generate random password for client database if not specified ++ if not deployer.mdict['pki_client_database_password']: ++ deployer.mdict['pki_client_database_password'] = pki.generate_password() ++ + # ALWAYS initialize 'uid' and 'gid' + deployer.identity.add_uid_and_gid(deployer.mdict['pki_user'], + deployer.mdict['pki_group']) +-- +1.8.3.1 + + +From 4886a7f4fa3678cd26c7c38c5140784dc53b76b5 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 2 Oct 2018 18:11:43 +0200 +Subject: [PATCH 11/13] Updated pki-server subsystem-cert-validate output + +The pki-server subsystem-cert-validate CLI has been modified to +show the actual message generated by NSS if the validation fails. 
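Review bot: When the instance already has a password for the internal token, the moved block silently replaces whatever the administrator put in `pki_server_database_password` or `pki_pin` with the stored one, so a mismatch in the deployment file is only discovered when that password is later needed; the deprecated `pki_pin` branch is likewise accepted without any deprecation notice even though this series documents it as deprecated. Both cases deserve a warning (never logging the password value itself), as sketched below, assuming `config.pki_log` is a standard logger as the `.info` calls elsewhere in the series suggest. A smaller point of style: `import pki` followed by `pki.server.PKIInstance` works only because `pki.server` is already loaded by the time this scriptlet is imported; `import pki.server` states the dependency explicitly. The enclosing method's `def` line is outside the hunk.
```python
        # … unchanged: instance load and internal_token lookup …
        if internal_token in instance.passwords:
            existing = instance.passwords.get(internal_token)
            supplied = deployer.mdict['pki_server_database_password'] or deployer.mdict['pki_pin']
            if supplied and supplied != existing:
                config.pki_log.warning(
                    'Ignoring configured NSS database password: reusing existing password for token %s',
                    internal_token,
                    extra=config.PKI_INDENTATION_LEVEL_0)
            deployer.mdict['pki_server_database_password'] = existing

        elif deployer.mdict['pki_server_database_password']:
            pass

        elif deployer.mdict['pki_pin']:
            config.pki_log.warning(
                'pki_pin is deprecated, use pki_server_database_password instead',
                extra=config.PKI_INDENTATION_LEVEL_0)
            deployer.mdict['pki_server_database_password'] = deployer.mdict['pki_pin']

        # … unchanged: generated fallback and client database password …
```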
+ +(cherry picked from commit eb8baf8b51e3c897caddbc16df2fd226308a0876) +--- + base/server/python/pki/server/cli/subsystem.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py +index 57093d4..068d1db 100644 +--- a/base/server/python/pki/server/cli/subsystem.py ++++ b/base/server/python/pki/server/cli/subsystem.py +@@ -1038,10 +1038,11 @@ class SubsystemCertValidateCLI(pki.cli.CLI): + return True + + except subprocess.CalledProcessError as e: +- if e.returncode == 1: +- print(' Status: INVALID') ++ if e.output: ++ status = e.output.decode('utf-8') + else: +- print(' Status: ERROR: %s' % e.output) ++ status = 'ERROR' ++ print(' Status: %s' % status) + return False + + finally: +-- +1.8.3.1 + + +From 0115c05727962dac2bdb3865388144315719a0b0 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 24 Aug 2018 03:36:15 +0200 +Subject: [PATCH 12/13] Added docs for installation with custom keys + +https://pagure.io/dogtagpki/issue/3053 + +Change-Id: I8f8fdbb7cc1888092bd7ba686a626137113ed2d5 +(cherry picked from commit a8405a1f8bd4c3fd10213725a32da0419e622252) +--- + .../Installing_CA_with_Custom_CA_Signing_Key.md | 169 ++++++++++++++++++ + .../Installing_KRA_with_Custom_Keys.md | 190 +++++++++++++++++++++ + .../Installing_OCSP_with_Custom_Keys.md | 183 ++++++++++++++++++++ + 3 files changed, 542 insertions(+) + create mode 100644 docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md + create mode 100644 docs/installation/Installing_KRA_with_Custom_Keys.md + create mode 100644 docs/installation/Installing_OCSP_with_Custom_Keys.md + +diff --git a/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md +new file mode 100644 +index 0000000..5cdf786 +--- /dev/null ++++ b/docs/installation/Installing_CA_with_Custom_CA_Signing_Key.md +@@ -0,0 +1,169 @@ ++Installing CA with 
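Review bot: The rewritten except branch no longer distinguishes a validation failure from a tool failure: before, exit code 1 printed INVALID and anything else ERROR, whereas now any non-zero exit prints whatever `e.output` holds, so an NSS problem such as an unreadable database reads like a validated-invalid certificate both to a human and to any script parsing this report. `e.output.decode('utf-8')` can also raise UnicodeDecodeError on non-UTF-8 bytes, which would escape the handler (the `finally` still runs, but the function would not return False as intended). Suggest `status = e.output.decode('utf-8', errors='replace').strip() if e.output else 'ERROR'` and keeping the exit code visible, `print(' Status: %s (exit code %d)' % (status, e.returncode))`; whether `e.output` contains stderr depends on how the subprocess is invoked above the hunk, which is not visible. The enclosing method starts outside the hunk.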
Custom CA Signing Key ++======================================== ++ ++Overview ++-------- ++ ++This page describes the process to install a CA subsystem with a custom CA signing key, CSR, and certificate. ++ ++Starting CA Subsystem Installation ++---------------------------------- ++ ++Prepare a file (e.g. ca-step1.cfg) that contains the deployment configuration step 1, for example: ++ ++``` ++[DEFAULT] ++pki_server_database_password=Secret.123 ++ ++[CA] ++pki_admin_email=caadmin@example.com ++pki_admin_name=caadmin ++pki_admin_nickname=caadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=caadmin ++ ++pki_client_database_password=Secret.123 ++pki_client_database_purge=False ++pki_client_pkcs12_password=Secret.123 ++ ++pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com ++pki_ds_database=ca ++pki_ds_password=Secret.123 ++ ++pki_security_domain_name=EXAMPLE ++ ++pki_ca_signing_nickname=ca_signing ++pki_ocsp_signing_nickname=ca_ocsp_signing ++pki_audit_signing_nickname=ca_audit_signing ++pki_sslserver_nickname=sslserver ++pki_subsystem_nickname=subsystem ++ ++pki_external=True ++pki_external_step_two=False ++``` ++ ++Then execute the following command: ++ ++``` ++$ pkispawn -f ca-step1.cfg -s CA ++``` ++ ++It will install CA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: ++* server NSS database: /etc/pki/pki-tomcat/alias ++* admin NSS database: ~/.dogtag/pki-tomcat/ca/alias ++ ++Since there is no CSR path parameter specified, it will not generate the CA signing key by default. ++ ++Generating CA Signing Key, CSR, and Certificate ++----------------------------------------------- ++ ++Generate a custom CA signing key in the server NSS database, then generate a CSR and store it in a file (e.g. ca_signing.csr). 
++ ++Use the CSR to issue the CA signing certificate: ++* for root CA installation, generate a self-signed CA signing certificate ++* for subordinate CA installation, submit the CSR to an external CA to issue the CA signing certificate ++ ++Store the CA signing certificate in a file (e.g. ca_signing.crt). The CA signing certificate can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. ++ ++If the CA signing certificate was issued by an external CA, store the external CA certificate chain in a file (e.g. external.crt). The certificate chain can be specified as a single certificate or a PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the CA signing certificate, but it should not include the CA signing certificate itself. ++ ++See also: ++* [Generating CA Signing Certificate](http://www.dogtagpki.org/wiki/Generating_CA_Signing_Certificate) ++ ++Finishing CA Subsystem Installation ++----------------------------------- ++ ++Prepare another file (e.g. ca-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ca-step1.cfg) with additional changes below. 
++ ++Specify step 2 with the following parameter: ++ ++``` ++pki_external_step_two=True ++``` ++ ++Specify the custom CA signing CSR with the following parameter: ++ ++``` ++pki_ca_signing_csr_path=ca_signing.csr ++``` ++ ++Specify the custom CA signing certificate with the following parameter: ++ ++``` ++pki_ca_signing_cert_path=ca_signing.crt ++``` ++ ++If the CA signing certificate was issued by an external CA, specify the external CA certificate chain with the following parameters: ++ ++``` ++pki_cert_chain_nickname=external ++pki_cert_chain_path=external.crt ++``` ++ ++Finally, execute the following command: ++ ++``` ++$ pkispawn -f ca-step2.cfg -s CA ++``` ++ ++Verifying System Certificates ++----------------------------- ++ ++Verify that the server NSS database contains the following certificates: ++ ++``` ++$ certutil -L -d /etc/pki/pki-tomcat/alias ++ ++Certificate Nickname Trust Attributes ++ SSL,S/MIME,JAR/XPI ++ ++external CT,C,C ++ca_signing CTu,Cu,Cu ++ca_ocsp_signing u,u,u ++subsystem u,u,u ++ca_audit_signing u,u,Pu ++sslserver u,u,u ++``` ++ ++Verifying Admin Certificate ++--------------------------- ++ ++Prepare a client NSS database (e.g. 
~/.dogtag/nssdb): ++ ++``` ++$ pki -c Secret.123 client-init ++``` ++ ++Import the external CA certificate chain: ++ ++``` ++$ pki -c Secret.123 client-cert-import --ca-cert external.crt ++``` ++ ++Import the CA signing certificate: ++ ++``` ++$ pki -c Secret.123 client-cert-import ca_signing --ca-cert ca_signing.crt ++``` ++ ++Import admin key and certificate: ++ ++``` ++$ pki -c Secret.123 client-cert-import \ ++ --pkcs12 ~/.dogtag/pki-tomcat/ca_admin_cert.p12 \ ++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf ++``` ++ ++Verify that the admin certificate can be used to access the CA subsystem by executing the following command: ++ ++``` ++$ pki -c Secret.123 -n caadmin ca-user-show caadmin ++-------------- ++User "caadmin" ++-------------- ++ User ID: caadmin ++ Full name: caadmin ++ Email: caadmin@example.com ++ Type: adminType ++ State: 1 ++``` +diff --git a/docs/installation/Installing_KRA_with_Custom_Keys.md b/docs/installation/Installing_KRA_with_Custom_Keys.md +new file mode 100644 +index 0000000..e555363 +--- /dev/null ++++ b/docs/installation/Installing_KRA_with_Custom_Keys.md +@@ -0,0 +1,190 @@ ++Installing KRA with Custom Keys ++=============================== ++ ++Overview ++-------- ++ ++This page describes the process to install a KRA subsystem with custom KRA system and admin keys, CSRs, and certificates. ++ ++Starting KRA Subsystem Installation ++----------------------------------- ++ ++Prepare a file (e.g. 
kra-step1.cfg) that contains the deployment configuration step 1, for example: ++ ++``` ++[DEFAULT] ++pki_server_database_password=Secret.123 ++ ++[KRA] ++pki_admin_email=kraadmin@example.com ++pki_admin_name=kraadmin ++pki_admin_nickname=kraadmin ++pki_admin_password=Secret.123 ++pki_admin_uid=kraadmin ++ ++pki_client_database_password=Secret.123 ++pki_client_database_purge=False ++pki_client_pkcs12_password=Secret.123 ++ ++pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com ++pki_ds_database=kra ++pki_ds_password=Secret.123 ++ ++pki_security_domain_name=EXAMPLE ++pki_security_domain_user=caadmin ++pki_security_domain_password=Secret.123 ++ ++pki_storage_nickname=kra_storage ++pki_transport_nickname=kra_transport ++pki_subsystem_nickname=subsystem ++pki_sslserver_nickname=sslserver ++pki_audit_signing_nickname=kra_audit_signing ++ ++pki_external=True ++pki_external_step_two=False ++``` ++ ++Then execute the following command: ++ ++``` ++$ pkispawn -f kra-step1.cfg -s KRA ++``` ++ ++It will install KRA subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases: ++* server NSS database: /etc/pki/pki-tomcat/alias ++* admin NSS database: ~/dogtag/pki-tomcat/kra/alias ++ ++Since there are no CSR path parameters specified, it will not generate KRA system and admin keys. 
++ ++Generating KRA Keys, CSRs, and Certificates ++------------------------------------------- ++ ++Generate custom KRA system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example: ++* kra_storage.csr ++* kra_transport.csr ++* subsystem.csr ++* sslserver.csr ++* kra_audit_signing.csr ++* kra_admin.csr ++ ++Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example: ++* kra_storage.crt ++* kra_transport.crt ++* subsystem.crt ++* sslserver.crt ++* kra_audit_signing.crt ++* kra_admin.crt ++ ++The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format. ++ ++Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the KRA system and admin certificates. ++ ++See also: ++* [Generating KRA Storage Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Storage_Certificate) ++* [Generating KRA Transport Certificate](http://www.dogtagpki.org/wiki/Generating_KRA_Transport_Certificate) ++* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate) ++* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate) ++* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate) ++* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate) ++ ++Finishing KRA Subsystem Installation ++------------------------------------ ++ ++Prepare another file (e.g. kra-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. kra-step1.cfg) with additional changes below. 
++
++Specify step 2 with the following parameter:
++
++```
++pki_external_step_two=True
++```
++
++Specify the custom CSRs with the following parameters:
++
++```
++pki_storage_csr_path=kra_storage.csr
++pki_transport_csr_path=kra_transport.csr
++pki_subsystem_csr_path=subsystem.csr
++pki_sslserver_csr_path=sslserver.csr
++pki_audit_signing_csr_path=kra_audit_signing.csr
++pki_admin_csr_path=kra_admin.csr
++```
++
++Specify the custom certificates with the following parameters:
++
++```
++pki_storage_cert_path=kra_storage.crt
++pki_transport_cert_path=kra_transport.crt
++pki_subsystem_cert_path=subsystem.crt
++pki_sslserver_cert_path=sslserver.crt
++pki_audit_signing_cert_path=kra_audit_signing.crt
++pki_admin_cert_path=kra_admin.crt
++```
++
++Specify the external CA certificate chain with the following parameters:
++
++```
++pki_cert_chain_nickname=ca_signing
++pki_cert_chain_path=ca_signing.crt
++```
++
++Finally, execute the following command:
++
++```
++$ pkispawn -f kra-step2.cfg -s KRA
++```
++
++Verifying System Certificates
++-----------------------------
++
++Verify that the server NSS database contains the following certificates:
++
++```
++$ certutil -L -d /etc/pki/pki-tomcat/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++ca_signing CT,C,C
++kra_storage CTu,Cu,Cu
++kra_transport u,u,u
++subsystem u,u,u
++kra_audit_signing u,u,Pu
++sslserver u,u,u
++```
++
++Verifying Admin Certificate
++---------------------------
++
++Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
++
++```
++$ pki -c Secret.123 client-init
++```
++
++Import the external CA certificate chain:
++
++```
++$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt
++```
++
++Import the admin key and certificate:
++
++```
++$ pki -c Secret.123 client-cert-import \
++ --pkcs12 ~/.dogtag/pki-tomcat/kra_admin_cert.p12 \
++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
++```
++
++Verify that the admin certificate can be used to access KRA by executing the following command:
++
++```
++$ pki -c Secret.123 -n kraadmin kra-user-show kraadmin
++---------------
++User "kraadmin"
++---------------
++ User ID: kraadmin
++ Full name: kraadmin
++ Email: kraadmin@example.com
++ Type: adminType
++ State: 1
++```
+diff --git a/docs/installation/Installing_OCSP_with_Custom_Keys.md b/docs/installation/Installing_OCSP_with_Custom_Keys.md
+new file mode 100644
+index 0000000..dca4f79
+--- /dev/null
++++ b/docs/installation/Installing_OCSP_with_Custom_Keys.md
+@@ -0,0 +1,183 @@
++Installing OCSP with Custom Keys
++================================
++
++Overview
++--------
++
++This page describes the process to install a OCSP subsystem with custom OCSP system and admin keys, CSRs, and certificates.
++
++Starting OCSP Subsystem Installation
++------------------------------------
++
++Prepare a file (e.g. ocsp-step1.cfg) that contains the deployment configuration step 1, for example:
++
++```
++[DEFAULT]
++pki_server_database_password=Secret.123
++
++[OCSP]
++pki_admin_email=ocspadmin@example.com
++pki_admin_name=ocspadmin
++pki_admin_nickname=ocspadmin
++pki_admin_password=Secret.123
++pki_admin_uid=ocspadmin
++
++pki_client_database_password=Secret.123
++pki_client_database_purge=False
++pki_client_pkcs12_password=Secret.123
++
++pki_ds_base_dn=dc=ocsp,dc=pki,dc=example,dc=com
++pki_ds_database=ocsp
++pki_ds_password=Secret.123
++
++pki_security_domain_name=EXAMPLE
++pki_security_domain_user=caadmin
++pki_security_domain_password=Secret.123
++
++pki_ocsp_signing_nickname=ocsp_signing
++pki_subsystem_nickname=subsystem
++pki_sslserver_nickname=sslserver
++pki_audit_signing_nickname=ocsp_audit_signing
++
++pki_external=True
++pki_external_step_two=False
++```
++
++Then execute the following command:
++
++```
++$ pkispawn -f ocsp-step1.cfg -s OCSP
++```
++
++It will install OCSP subsystem in a Tomcat instance (default is pki-tomcat) and create the following NSS databases:
++* server NSS database: /etc/pki/pki-tomcat/alias
++* admin NSS database: ~/.dogtag/pki-tomcat/ocsp/alias
++
++Since there are no CSR path parameters specified, it will not generate the OCSP system and admin keys.
++
++Generating OCSP Keys, CSRs, and Certificates
++--------------------------------------------
++
++Generate custom OCSP system keys in the server NSS database and admin key in the admin NSS database, then generate the CSRs and store them in files, for example:
++* ocsp_signing.csr
++* subsystem.csr
++* sslserver.csr
++* ocsp_audit_signing.csr
++* ocsp_admin.csr
++
++Submit the CSRs to an external CA to issue the certificates, then store the certificates in files, for example:
++* ocsp_signing.crt
++* subsystem.crt
++* sslserver.crt
++* ocsp_audit_signing.crt
++* ocsp_admin.crt
++
++The certificates can be specified as single certificates or PKCS #7 certificate chains in PEM format.
++
++Store the external CA certificate chain in a file (e.g. ca_signing.crt). The certificate chain can be specified as a single certificate or PKCS #7 certificate chain in PEM format. The certificate chain should include all CA certificates from the root CA to the external CA that issued the OCSP system and admin certificates.
++
++See also:
++* [Generating OCSP Signing Certificate](http://www.dogtagpki.org/wiki/Generating_OCSP_Signing_Certificate)
++* [Generating Subsystem Certificate](http://www.dogtagpki.org/wiki/Generating_Subsystem_Certificate)
++* [Generating SSL Server Certificate](http://www.dogtagpki.org/wiki/Generating_SSL_Server_Certificate)
++* [Generating Audit Signing Certificate](http://www.dogtagpki.org/wiki/Generating_Audit_Signing_Certificate)
++* [Generating Admin Certificate](http://www.dogtagpki.org/wiki/Generating_Admin_Certificate)
++
++Finishing OCSP Subsystem Installation
++-------------------------------------
++
++Prepare another file (e.g. ocsp-step2.cfg) that contains the deployment configuration step 2. The file can be copied from step 1 (i.e. ocsp-step1.cfg) with additional changes below.
++
++Specify step 2 with the following parameter:
++
++```
++pki_external_step_two=True
++```
++
++Specify the custom CSRs with the following parameters:
++
++```
++pki_ocsp_signing_csr_path=ocsp_signing.csr
++pki_subsystem_csr_path=subsystem.csr
++pki_sslserver_csr_path=sslserver.csr
++pki_audit_signing_csr_path=ocsp_audit_signing.csr
++pki_admin_csr_path=ocsp_admin.csr
++```
++
++Specify the custom certificates with the following parameters:
++
++```
++pki_ocsp_signing_cert_path=ocsp_signing.crt
++pki_subsystem_cert_path=subsystem.crt
++pki_sslserver_cert_path=sslserver.crt
++pki_audit_signing_cert_path=ocsp_audit_signing.crt
++pki_admin_cert_path=ocsp_admin.crt
++```
++
++Specify the external CA certificate chain with the following parameters:
++
++```
++pki_cert_chain_nickname=ca_signing
++pki_cert_chain_path=ca_signing.crt
++```
++
++Finally, execute the following command:
++
++```
++$ pkispawn -f ocsp-step2.cfg -s OCSP
++```
++
++Verifying System Certificates
++-----------------------------
++
++Verify that the server NSS database contains the following certificates:
++
++```
++$ certutil -L -d /etc/pki/pki-tomcat/alias
++
++Certificate Nickname Trust Attributes
++ SSL,S/MIME,JAR/XPI
++
++ca_signing CT,C,C
++ocsp_signing CTu,Cu,Cu
++subsystem u,u,u
++ocsp_audit_signing u,u,Pu
++sslserver u,u,u
++```
++
++Verifying Admin Certificate
++---------------------------
++
++Prepare a client NSS database (e.g. ~/.dogtag/nssdb):
++
++```
++$ pki -c Secret.123 client-init
++```
++
++Import the external CA certificate chain:
++
++```
++$ pki -c Secret.123 client-cert-import --ca-cert ca_signing.crt
++```
++
++Import the admin key and certificate:
++
++```
++$ pki -c Secret.123 client-cert-import \
++ --pkcs12 ~/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \
++ --pkcs12-password-file ~/.dogtag/pki-tomcat/ca/pkcs12_password.conf
++```
++
++Verify that the admin certificate can be used to access the OCSP subsystem by executing the following command:
++
++```
++$ pki -c Secret.123 -n ocspadmin ocsp-user-show ocspadmin
++----------------
++User "ocspadmin"
++----------------
++ User ID: ocspadmin
++ Full name: ocspadmin
++ Email: ocspadmin@example.com
++ Type: adminType
++ State: 1
++```
+--
+1.8.3.1
+
+
+From 253f16813de60b1951b769a437c92322e36647bf Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Fri, 9 Nov 2018 11:06:57 -0800
+Subject: [PATCH 13/13] bug 1653863 tools supporting CMC requests output keyID
+ needs to be captured in file
+
+This patch adds code in both CRMFPopClient and PKCS10Client to automatically
+write the private key id into a file named .keyId so that
+they can be featched later for CMCRequest
+is the name of the file specified with the "-o" option.
+
+This patch also changed all references from "CMC self-test" to
+"CMC shared secret" instead.
+
+A test feature is also added to CMCRequest.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1655951
+
+Change-Id: Iaf2772be54f9937da456655cdec688f13f6e8b71
+(cherry picked from commit cb99e112b9421f6fe98b4ac5ab5885c28ee958c3)
+---
+ base/ca/shared/conf/CS.cfg | 10 +-
+ base/ca/shared/conf/registry.cfg | 8 +-
+ .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 82 --------
+ .../profiles/ca/caECFullCMCSharedTokenCert.cfg | 82 ++++++++
+ .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 82 --------
+ .../profiles/ca/caFullCMCSharedTokenCert.cfg | 82 ++++++++
+ base/java-tools/man/man1/CMCRequest.1 | 22 +-
+ base/java-tools/man/man1/PKCS10Client.1 | 3 +-
+ .../src/com/netscape/cmstools/CMCRequest.java | 227 ++++++++++++++++-----
+ .../src/com/netscape/cmstools/CRMFPopClient.java | 22 +-
+ .../src/com/netscape/cmstools/PKCS10Client.java | 24 ++-
+ .../CMCSelfSignedSubjectNameConstraint.java | 129 ------------
+ .../CMCSharedTokenSubjectNameConstraint.java | 130 ++++++++++++
+ 13 files changed, 526 insertions(+), 377 deletions(-)
+ delete mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+ delete mode 100644 base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+ create mode 100644 base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
+ delete mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java
+ create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java
+
+diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
+index 4cef240..29d4fd4 100644
+--- a/base/ca/shared/conf/CS.cfg
++++ b/base/ca/shared/conf/CS.cfg
+@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
+ oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
+ oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
+ os.userid=nobody
+-profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment 
++profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSharedTokenCert,caECFullCMCSharedTokenCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment + profile.caUUIDdeviceCert.class_id=caEnrollImpl + profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg + profile.caManualRenewal.class_id=caEnrollImpl +@@ -1050,10 +1050,10 @@ profile.caFullCMCUserSignedCert.class_id=caEnrollImpl + 
profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
+ profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl
+ profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg
+-profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
+-profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
+-profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl
+-profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg
++profile.caFullCMCSharedTokenCert.class_id=caEnrollImpl
++profile.caFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSharedTokenCert.cfg
++profile.caECFullCMCSharedTokenCert.class_id=caEnrollImpl
++profile.caECFullCMCSharedTokenCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSharedTokenCert.cfg
+ profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
+ profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
+ profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg
+index 4fe6e93..a78af86 100644
+--- a/base/ca/shared/conf/registry.cfg
++++ b/base/ca/shared/conf/registry.cfg
+@@ -1,5 +1,5 @@
+ types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater
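Review bot: The profile ids caFullCMCSelfSignedCert and caECFullCMCSelfSignedCert are dropped from profile.list and from the profile.*.class_id/config entries without any compatibility entry, and the registry.cfg hunks that follow do the same for the constraint id cmcSelfSignedSubjectNameConstraintImpl while the diffstat shows CMCSelfSignedSubjectNameConstraint.java being deleted. CS.cfg and registry.cfg here are the shipped templates, so an instance deployed before this change presumably keeps its own copies that still name the old profiles and the old constraint id, and after the package update those would point at a profile file and a constraint class that no longer exist; an upgrade script that rewrites the entries, or keeping the old ids registered as deprecated aliases of the new class, would avoid profiles failing to load, and at minimum the rename deserves a line in the commit message. While this line is being edited, the new profile.list also carries caCMCcaCert twice (once after caCMCauditSigningCert and again after caCACert), which predates the change but is worth deduplicating.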
+-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSharedTokenSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl
+ constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint
+ constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint
+ constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint
+@@ -36,9 +36,9 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr
+ constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint
+ constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint
+ constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint
+-constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSharedTokenSubjectNameConstraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.desc=CMC Shared Token request User Subject Name Constraint
++constraintPolicy.cmcSharedTokenSubjectNameConstraintImpl.name=CMC Shared Token request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint
+ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
+deleted file mode 100644
+index b3cc471..0000000
+--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
++++ /dev/null
+@@ -1,82 +0,0 @@
+-desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
+-enable=false
+-enableBy=admin
+-name=Self-Signed CMC User Certificate Enrollment
+-visible=false
+-auth.instance_id=CMCUserSignedAuth
+-input.list=i1
+-input.i1.class_id=cmcCertReqInputImpl
+-output.list=o1
+-output.o1.class_id=certOutputImpl
+-policyset.list=cmcUserCertSet
+-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint
+-policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+-policyset.cmcUserCertSet.1.default.name=Subject Name Default
+-policyset.cmcUserCertSet.1.default.params.name=
+-policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+-policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+-policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.range=365
+-policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+-policyset.cmcUserCertSet.2.default.name=Validity Default
+-policyset.cmcUserCertSet.2.default.params.range=180
+-policyset.cmcUserCertSet.2.default.params.startTime=0
+-policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+-policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
+-policyset.cmcUserCertSet.3.constraint.params.keyType=EC
+-policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+-policyset.cmcUserCertSet.3.default.name=Key Default
+-policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.4.constraint.name=No Constraint
+-policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+-policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+-policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.5.constraint.name=No Constraint
+-policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+-policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+-policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+-policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.6.default.name=Key Usage Default
+-policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+-policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+-policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+-policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+-policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+-policyset.cmcUserCertSet.8.default.name=Signing Alg
+-policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+new file mode 100644
+index 0000000..ffdccb1
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caECFullCMCSharedTokenCert.cfg
+@@ -0,0 +1,82 @@
++desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC Shared Token certificate request
++enable=false
++enableBy=admin
++name=CMC Shared Token User Certificate Enrollment
++visible=false
++auth.instance_id=CMCUserSignedAuth
++input.list=i1
++input.i1.class_id=cmcCertReqInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
++policyset.cmcUserCertSet.3.constraint.params.keyType=EC
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
+deleted file mode 100644
+index 538b16a..0000000
+--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg
++++ /dev/null
+@@ -1,82 +0,0 @@
+-desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request
+-enable=false
+-enableBy=admin
+-name=Self-Signed CMC User Certificate Enrollment
+-visible=false
+-auth.instance_id=CMCUserSignedAuth
+-input.list=i1
+-input.i1.class_id=cmcCertReqInputImpl
+-output.list=o1
+-output.o1.class_id=certOutputImpl
+-policyset.list=cmcUserCertSet
+-policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
+-policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl
+-policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint
+-policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
+-policyset.cmcUserCertSet.1.default.name=Subject Name Default
+-policyset.cmcUserCertSet.1.default.params.name=
+-policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
+-policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
+-policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
+-policyset.cmcUserCertSet.2.constraint.params.range=365
+-policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
+-policyset.cmcUserCertSet.2.default.name=Validity Default
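Review bot: `policyset.cmcUserCertSet.8.constraint.name=No Constraint` labels the entry whose class_id is signingAlgConstraintImpl, so the display name contradicts the allow-list of signing algorithms that the entry actually enforces; since this is a new file, the carried-over label can be corrected to `policyset.cmcUserCertSet.8.constraint.name=Signing Algorithm Constraint`, matching the registry entry constraintPolicy.signingAlgConstraintImpl.name. The name is what an administrator sees when reviewing which constraints a profile applies, so "No Constraint" on the signing-algorithm policy is the kind of label that gets a misconfiguration overlooked. The RSA counterpart caFullCMCSharedTokenCert.cfg presumably carries the same line (the deleted caFullCMCSelfSignedCert.cfg did), but its hunk runs past the end of this chunk. The profile is named for the Shared Token flow while auth.instance_id stays CMCUserSignedAuth; if that plugin is indeed what verifies the shared-token identity proof, a comment such as `# CMCUserSignedAuth also authenticates Shared Token requests` next to it would spare the next reader a lookup.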
+-policyset.cmcUserCertSet.2.default.params.range=180
+-policyset.cmcUserCertSet.2.default.params.startTime=0
+-policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
+-policyset.cmcUserCertSet.3.constraint.name=Key Constraint
+-policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+-policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
+-policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
+-policyset.cmcUserCertSet.3.default.name=Key Default
+-policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.4.constraint.name=No Constraint
+-policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+-policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
+-policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.5.constraint.name=No Constraint
+-policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+-policyset.cmcUserCertSet.5.default.name=AIA Extension Default
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
+-policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
+-policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+-policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+-policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.6.default.name=Key Usage Default
+-policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
+-policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
+-policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
+-policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
+-policyset.cmcUserCertSet.7.constraint.name=No Constraint
+-policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+-policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
+-policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+-policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
+-policyset.cmcUserCertSet.8.constraint.name=No Constraint
+-policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
+-policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
+-policyset.cmcUserCertSet.8.default.name=Signing Alg
+-policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
+new file mode 100644
+index 0000000..5ef8004
+--- /dev/null
++++ b/base/ca/shared/profiles/ca/caFullCMCSharedTokenCert.cfg
+@@ -0,0 +1,82 @@
++desc=This certificate profile is for enrolling user certificates by using the CMC Shared Token certificate request
++enable=false
++enableBy=admin
++name=CMC Shared Token User Certificate Enrollment
++visible=false
++auth.instance_id=CMCUserSignedAuth
++input.list=i1
++input.i1.class_id=cmcCertReqInputImpl
++output.list=o1
++output.o1.class_id=certOutputImpl
++policyset.list=cmcUserCertSet
++policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
++policyset.cmcUserCertSet.1.constraint.class_id=cmcSharedTokenSubjectNameConstraintImpl
++policyset.cmcUserCertSet.1.constraint.name=CMC Shared Token Subject Name Constraint
++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl
++policyset.cmcUserCertSet.1.default.name=Subject Name Default
++policyset.cmcUserCertSet.1.default.params.name=
++policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
++policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
++policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
++policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
++policyset.cmcUserCertSet.2.constraint.params.range=365
++policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
++policyset.cmcUserCertSet.2.default.name=Validity Default
++policyset.cmcUserCertSet.2.default.params.range=180
++policyset.cmcUserCertSet.2.default.params.startTime=0
++policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
++policyset.cmcUserCertSet.3.constraint.name=Key Constraint
++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
++policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
++policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
++policyset.cmcUserCertSet.3.default.name=Key Default
++policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.4.constraint.name=No Constraint
++policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
++policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
++policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.5.constraint.name=No Constraint
++policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
++policyset.cmcUserCertSet.5.default.name=AIA Extension Default
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
++policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
++policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
++policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
++policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
++policyset.cmcUserCertSet.6.default.name=Key Usage Default
++policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
++policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
++policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
++policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true
++policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
++policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
++policyset.cmcUserCertSet.7.constraint.name=No Constraint
++policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
++policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
++policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
++policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
++policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
++policyset.cmcUserCertSet.8.constraint.name=No Constraint
++policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
++policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
++policyset.cmcUserCertSet.8.default.name=Signing Alg
++policyset.cmcUserCertSet.8.default.params.signingAlg=-
+diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1
+index 8c67fc0..18f5e50 100644
+--- a/base/java-tools/man/man1/CMCRequest.1
++++ b/base/java-tools/man/man1/CMCRequest.1
+@@ -63,7 +63,7 @@ name of crypto token where user signing certificate key can be found (default is
+ .B nickname
+ The nickname of the user certificate that corresponds to the private key that is used to sign the request.
+ 
+-This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true.
++This parameter is ignored if \fBuseSharedSecret\fP or \fBidentityProofV2.enable\fP is true.
+ 
+ .TP
+ .B password
+@@ -114,27 +114,27 @@ Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP
+ Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP
+ 
+ .TP
+-.B request.selfSign
+-\fBtrue\fP or \fBfalse\fP. If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored.
++.B request.useSharedSecret
++\fBtrue\fP or \fBfalse\fP. If \fBuseSharedSecret\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored.
+ 
+-\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means.
++\fBrequest.useSharedSecret\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means.
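Review bot: The new profile's key constraint, `++policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096`, still admits 1024-bit RSA keys, so a Shared Token enrollment through this profile can be issued for a key size that current guidance (NIST SP 800-131A) no longer permits. Since this is a fresh profile rather than a preserved one, it is the right moment to drop the legacy size: `policyset.cmcUserCertSet.3.constraint.params.keyParameters=2048,3072,4096`. The allowance is inherited from the deleted caFullCMCSelfSignedCert.cfg, which carried the same list, and the profile ships with `enable=false`, so only deployments that enable it are affected.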
+ 
+-In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism.
++In Dogtag, if \fBrequest.useSharedSecret\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism.
+ 
+-The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation.
++The \fBrequest.useSharedSecret\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation.
+ 
+-By default, if unspecified, \fBselfSign\fP is false.
++By default, if unspecified, \fBrequest.useSharedSecret\fP is false.
+ 
+-\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option)
++\fBNote\fP: to employ the \fBrequest.useSharedSecret\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option)
+ 
+-If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified.
++If \fBrequest.useSharedSecret\fP is true, \fBrequest.privKeyId\fP must be specified.
+ It is crutial that the caller that employs this option has access to the private key of the certificate request.
+ 
+ .TP
+ .B request.privKeyId
+ The \fBrequest.privKeyId\fP parameter is required in the following cases:
+ 
+-\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP
++\fBrequest.useSharedSecret\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP
+ 
+ .TP
+ .B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile
+@@ -149,7 +149,7 @@ When preparing for the second trip, the following parameters must be present:
+ 
+ \fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key.
+ 
+-Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing.
++Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBrequest.useSharedSecret\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing.
+ 
+ .TP
+ .B revRequest.[enable, serial, reason, comment, issuer, sharedSecret]
+diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1
+index e85c833..122680c 100644
+--- a/base/java-tools/man/man1/PKCS10Client.1
++++ b/base/java-tools/man/man1/PKCS10Client.1
+@@ -84,7 +84,8 @@ Gives the subject DN of the certificate.
+ .B -x
+ 
+ .TP
+-.B -y
++.B -y
++To be used with "request.useSharedSecret=true" when running CMCRequest.
+ 
+ .SH AUTHORS
+ Amol Kahat .
+diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +index 4e40143..1070a93 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java +@@ -268,13 +268,19 @@ public class CMCRequest { + } + + /* +- * signData self-signs the PKIData using the private key that matches +- * the public key in the request ++ * signData self-signs (for Shared Token) the PKIData using the private key ++ * that matches the public key in the request + */ + static SignedData signData( + java.security.PrivateKey privKey, + PKIData pkidata) { +- String method = "signData for selfSign: "; ++ return signData(privKey, pkidata, null); ++ } ++ static SignedData signData( ++ java.security.PrivateKey privKey, ++ PKIData pkidata, ++ SignerIdentifier test_cmc_si /*for TEST_CMC use_shared_secret case only*/) { ++ String method = "signData for useSharedSecret begins: "; + System.out.println(method + "begins: "); + SignedData req = null; + +@@ -286,10 +292,15 @@ public class CMCRequest { + + KeyIdentifier keyIdObj = null; + try { +- keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); +- SignerIdentifier si = new SignerIdentifier( ++ SignerIdentifier si = null; ++ if (test_cmc_si == null) { ++ keyIdObj = (KeyIdentifier) skiExtn.get(SubjectKeyIdentifierExtension.KEY_ID); ++ si = new SignerIdentifier( + SignerIdentifier.SUBJECT_KEY_IDENTIFIER, + null, new OCTET_STRING(keyIdObj.getIdentifier())); ++ } else //TEST_CMC use_shared_secret case ++ si = test_cmc_si; ++ + req = createSignedData(privKey, si, null /*certChain*/, pkidata); + } catch (Exception e) { + e.printStackTrace(); +@@ -430,7 +441,7 @@ public class CMCRequest { + * @return request in PKIData + */ + static PKIData createPKIData( +- String selfSign, ++ String useSharedSecret, + String[] rValue, String format, String transactionMgtEnable, + String transactionMgtId, + 
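Review bot: The three-argument signData introduced in hunk @@ -268 sets `String method = "signData for useSharedSecret begins: ";` while the unchanged next line still prints `method + "begins: "`, so every trace now reads "signData for useSharedSecret begins: begins: "; keep the word in one place only, `String method = "signData for useSharedSecret: ";`. The new `test_cmc_si` parameter is explained solely by its trailing inline comment; a short Javadoc on the overload saying that it is the TEST_CMC re-signing hook and that a null value selects the SubjectKeyIdentifier-based signer would make the two-argument delegate self-explanatory. The body of signData continues past the end of this hunk.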
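Review bot: In hunk @@ -286 the branch `else //TEST_CMC use_shared_secret case` followed by `si = test_cmc_si;` is an unbraced else with a trailing comment, so a later edit that adds a second statement there would silently fall outside the branch while still looking indented into it; brace it as `} else { // TEST_CMC use_shared_secret case` / `si = test_cmc_si;` / `}`. The enclosing try block of signData starts and ends outside this hunk.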
String identificationEnable, String identification, +@@ -495,16 +506,16 @@ public class CMCRequest { + + CertRequest certReq = certReqMsg.getCertReq(); + CertTemplate certTemplate = certReq.getCertTemplate(); +- if (selfSign.equals("true")) { ++ if (useSharedSecret.equals("true")) { + skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromCertTemplate( + certTemplate, + PKIXExtensions.SubjectKey_Id); + if (skiExtn != null) { + System.out.println(method + +- " SubjectKeyIdentifier extension found in self-signed request"); ++ " SubjectKeyIdentifier extension found in self-signed Shared Token request"); + } else { + System.out.println(method + +- " SubjectKeyIdentifier extension missing in self-signed request"); ++ " SubjectKeyIdentifier extension missing in self-signed Shared Token request"); + System.exit(1); + } + } +@@ -569,7 +580,7 @@ public class CMCRequest { + System.exit(1); + } + +- if (selfSign.equals("true")) { ++ if (useSharedSecret.equals("true")) { + try { + skiExtn = (SubjectKeyIdentifierExtension) CryptoUtil.getExtensionFromPKCS10( + pkcs, "SubjectKeyIdentifier"); +@@ -798,13 +809,13 @@ public class CMCRequest { + System.out.println("#nickname: nickname for user certificate which will be used"); + System.out.println("#to sign the CMC full request (enrollment or revocation)."); + System.out.println(""); +- System.out.println("#selfSign: if selfSign is true, the CMC request will be"); ++ System.out.println("#request.useSharedSecret: if request.useSharedSecret is true, the CMC request will be"); + System.out.println("#signed with the pairing private key of the enrollment request;"); + System.out.println("#and in which case the nickname will be ignored"); + System.out.println("#If revRequest.sharedSecret is specified, then nickname will also be ignored."); + System.out.println("nickname=CMS User Signing Certificate"); + System.out.println(""); +- System.out.println("selfSign=false"); ++ System.out.println("request.useSharedSecret=false"); + 
System.out.println(""); + System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); + System.out.println("dbdir=./"); +@@ -1219,7 +1230,7 @@ public class CMCRequest { + * Constructing OtherMsg to include the SignerInfo makes no sense here + * as the outer layer SignedData would have SignerInfo. + * It is possibly done because the original code assumed a self-signed +- * revocation request that is subsequently signed by an agent... ++ * Shared Token revocation request that is subsequently signed by an agent... + * which is not conforming to the RFC. + + EncapsulatedContentInfo revokeContent = new EncapsulatedContentInfo( +@@ -1881,6 +1892,7 @@ public class CMCRequest { + HMACDigest hmacDigest = new HMACDigest(SHA2Digest, challenge); + hmacDigest.update(ASN1Util.encode(request)); + popProofValue = hmacDigest.digest(); ++ System.out.println(method + "popProofValue length = " + popProofValue.length); + } catch (Exception ex) { + CryptoUtil.obscureBytes(challenge, "random"); + System.out.println(method + "calculating POP Proof Value failed: " + ex); +@@ -1926,6 +1938,137 @@ public class CMCRequest { + return pkidata; + } + ++ static void outputContentInfo(ContentInfo cmcblob, String ofilename) { ++ try (FileOutputStream os = new FileOutputStream(ofilename)){ ++ cmcblob.encode(os); ++ System.out.println(""); ++ System.out.println(""); ++ System.out.println("The CMC enrollment request in binary format is stored in " + ++ ofilename); ++ } catch (IOException e) { ++ System.out.println("CMCRequest: unable to open file " + ofilename + ++ " for writing:\n" + e); ++ } ++ } ++ ++ ++ /* ++ * processResignCMC ++ * ++ * This is for testing only, for the purpose of producing ++ * negative tests consisted of deliberate alteration of ++ * CMC controls to see how CA reacts to these variations. 
++ * ++ * It takes in a blob of the format cmc (with altered fields): ++ * format=test_cmc ++ * which is the same as output format from CMCRequest, ++ * and re-signs it with either signerCert or privKeyID ++ * and spits out to output ++ * Note: if signerCert is not null, then privKeyID is ignored ++ * ++ * @author cfu ++ */ ++ static void processResignCMC(String ifilename, String ofilename, X509Certificate signerCert, String privKeyId, String tokenName, String nickname, CryptoManager cm) { ++ try { ++ if (ifilename == null || ifilename.equals("")) { ++ System.out.println("TEST_CMC: param input needed for test_cmc"); ++ System.exit(1); ++ } ++ if (ofilename == null || ofilename.equals("")) { ++ System.out.println("TEST_CMC: param output needed for test_cmc"); ++ System.exit(1); ++ } ++ ++ PrivateKey privk = null; ++ if (signerCert == null) { ++ if (privKeyId == null) { ++ System.out.println("TEST_CMC: signerCert not supplied, need privKeyId to re-sign."); ++ System.exit(1); ++ } else { ++ System.out.println("TEST_CMC: got re-signing privKeyId: " + privKeyId); ++ ++ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyId); ++ ++ privk = CryptoUtil.findPrivateKeyFromID(keyIDb); ++ ++ if (privk != null) { ++ System.out.println("TEST_CMC: got private key"); ++ } else { ++ System.out.println("TEST_CMC: error getting private key null"); ++ System.exit(1); ++ } ++ } ++ } ++ ++ FileInputStream inputBlob = null; ++ FileOutputStream outputBlob = null; ++ try { ++ inputBlob = new FileInputStream(ifilename); ++ } catch (FileNotFoundException e) { ++ System.out.println("can''t find file " + ++ ifilename + e); ++ System.exit(1); ++ } ++ ++ byte data[] = new byte[inputBlob.available()]; ++ inputBlob.read(data); ++ System.out.println("TEST_CMC: input read"); ++ ContentInfo.Template ci_template = new ContentInfo.Template(); ++ ContentInfo ci = ++ (ContentInfo) ci_template.decode(new ByteArrayInputStream(data)); ++ if (ci != null) ++ System.out.println("TEST_CMC: ContentInfo template 
decoded"); ++ ++ SignedData signedData = (SignedData) ci.getInterpretedContent(); ++ if (signedData != null) ++ System.out.println("TEST_CMC: SignedData retrieved"); ++ ++ EncapsulatedContentInfo eci = signedData.getContentInfo(); ++ if (eci != null) ++ System.out.println("TEST_CMC: EncapsulatedContentInfo retrieved"); ++ OCTET_STRING os = eci.getContent(); //this is the orig data ++ if (os != null) ++ System.out.println("TEST_CMC: orig data retrieved"); ++ byte origData [] = os.toByteArray(); ++ PKIData.Template pkidata_template = new PKIData.Template(); ++ PKIData pkidata = ++ (PKIData) pkidata_template.decode(new ByteArrayInputStream(origData)); ++ if (pkidata != null) ++ System.out.println("TEST_CMC: PKIData decoded"); ++ ++ // now re-sign ++ SignedData newSignedData = null; ++ if (signerCert != null) { ++ System.out.println("TEST_CMC: re-signing using signer cert:" + ++ nickname); ++ newSignedData = signData(signerCert, tokenName, nickname, cm, pkidata); ++ } else { // self-signed Shared Token request ++ System.out.println("TEST_CMC: re-signing using private key: " + ++ privKeyId); ++ SET signInfos = signedData.getSignerInfos(); ++ SignerInfo si = (SignerInfo) (ASN1Util.decode(SignerInfo.getTemplate(), ASN1Util.encode(signInfos.elementAt(0)))); ++ newSignedData = signData(privk, pkidata, si.getSignerIdentifier()); ++ } ++ ++ if (newSignedData == null) { ++ System.out.println("TEST_CMC: PKIData signing returned null"); ++ System.exit(1); ++ } ++ System.out.println("TEST_CMC: PKIData signed"); ++ ContentInfo cmcblob = getCMCBlob(newSignedData, null); ++ if (cmcblob == null) { ++ System.out.println("TEST_CMC: getCMCBlob returned null"); ++ System.exit(1); ++ } ++ ++ outputContentInfo(cmcblob, ofilename); ++ System.out.println("TEST_CMC: completed"); ++ } catch (Exception ex) { ++ System.out.println("TEST_CMC: exception caught: " + ex); ++ System.exit(1); ++ } ++ } ++ + public static void main(String[] s) { + String numRequests = null; + String dbdir = null, 
nickname = null; +@@ -1948,7 +2091,7 @@ public class CMCRequest { + String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256"; + String popLinkWitnessEnable = "false"; + String bodyPartIDs = null, lraPopWitnessEnable = "false"; +- String selfSign = "false"; ++ String useSharedSecret = "false"; + + System.out.println(""); + +@@ -2009,8 +2152,9 @@ public class CMCRequest { + decryptedPopEnable = val; + } else if (name.equals("encryptedPopResponseFile")) { + encryptedPopResponseFile = val; +- } else if (name.equals("request.selfSign")) { +- selfSign = val; ++ } else if (name.equals("request.useSharedSecret") || ++ name.equals("request.selfSign")) { ++ useSharedSecret = val; + } else if (name.equals("request.privKeyId")) { + privKeyId = val; + } else if (name.equals("decryptedPopRequestFile")) { +@@ -2095,12 +2239,13 @@ public class CMCRequest { + printUsage(); + } + +- if ((!selfSign.equals("true") && (revRequestSharedSecret == null)) ++ if ((!useSharedSecret.equals("true") && (revRequestSharedSecret == null)) + && nickname == null) { + System.out.println("Missing nickname."); + printUsage(); + } + ++ + try { + // initialize CryptoManager + if (dbdir == null) +@@ -2142,7 +2287,7 @@ public class CMCRequest { + certname.append(tokenName); + certname.append(":"); + } +- if ((!selfSign.equals("true") || (revRequestSharedSecret == null)) ++ if ((!useSharedSecret.equals("true") || (revRequestSharedSecret == null)) + && nickname != null) { + certname.append(nickname); + signerCert = cm.findCertByNickname(certname.toString()); +@@ -2151,14 +2296,22 @@ public class CMCRequest { + } + } + ++ // TEST_CMC ++ if (format.equals("test_cmc")) { ++ System.out.println("TEST_CMC: request format is test_cmc; re-signing the request"); ++ processResignCMC(ifilename, ofilename, signerCert, privKeyId, ++ tokenName, nickname, cm); ++ System.exit(0); ++ } ++ + ContentInfo cmcblob = null; + PKIData pkidata = null; + PrivateKey privk = null; 
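Review bot: In processResignCMC (hunk @@ -1926) the input is consumed with `byte data[] = new byte[inputBlob.available()]; inputBlob.read(data);`, which sizes the buffer from a hint rather than the file length, discards the count returned by read(), and never closes `inputBlob`; `outputBlob` is declared on the line before and never used. A short read leaves trailing zero bytes in `data` and only surfaces later as a decode failure with no hint of the cause. Reading to end-of-stream inside a try-with-resources block addresses all three (ByteArrayOutputStream lives in java.io; add the import if the file does not already have it); the rest of the method and the enclosing class continue outside this excerpt.
```java
            byte[] data = null;
            try (FileInputStream inputBlob = new FileInputStream(ifilename)) {
                ByteArrayOutputStream buf = new ByteArrayOutputStream();
                byte[] chunk = new byte[4096];
                int n;
                while ((n = inputBlob.read(chunk)) != -1) {
                    buf.write(chunk, 0, n);
                }
                data = buf.toByteArray();
            } catch (FileNotFoundException e) {
                System.out.println("can''t find file " +
                        ifilename + e);
                System.exit(1);
            }
            System.out.println("TEST_CMC: input read");
            // … unchanged: ContentInfo / SignedData / PKIData decoding and re-signing …
```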
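Review bot: The option parser in hunk @@ -2009 now accepts both `request.useSharedSecret` and the old `request.selfSign` spelling, but nothing on the new side records that the second is a compatibility alias, and the CMCRequest.1 hunk earlier in this patch removes every mention of selfSign, so neither a code reader nor a man-page reader can tell whether the old name is still supported or for how long. Add a comment above the branch, `// "request.selfSign" is the pre-rename spelling, kept so existing config files keep working`, and mention the alias in the man page's request.useSharedSecret entry. The surrounding option loop of main starts before this hunk.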
+- if (selfSign.equalsIgnoreCase("true") || ++ if (useSharedSecret.equalsIgnoreCase("true") || + decryptedPopEnable.equalsIgnoreCase("true") || + popLinkWitnessV2Enable.equalsIgnoreCase("true")) { + if (privKeyId == null) { +- System.out.println("selfSign or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); ++ System.out.println("useSharedSecret or ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified."); + printUsage(); + } else { + System.out.println("got request privKeyId: " + privKeyId); +@@ -2353,7 +2506,7 @@ public class CMCRequest { + + // create the request PKIData + pkidata = createPKIData( +- selfSign, ++ useSharedSecret, + requests, + format, transactionMgtEnable, transactionMgtId, + identificationEnable, identification, +@@ -2381,13 +2534,13 @@ public class CMCRequest { + SignedData signedData = null; + + // sign the request +- if (selfSign.equalsIgnoreCase("true")) { +- // selfSign signs with private key +- System.out.println("selfSign is true..."); ++ if (useSharedSecret.equalsIgnoreCase("true")) { ++ // useSharedSecret signs with private key ++ System.out.println("useSharedSecret is true..."); + signedData = signData(privk, pkidata); + } else { +- // none selfSign signs with existing cert +- System.out.println("selfSign is false..."); ++ // none useSharedSecret signs with existing cert ++ System.out.println("useSharedSecret is false..."); + signedData = signData(signerCert, tokenName, nickname, cm, pkidata); + } + if (signedData == null) { +@@ -2404,27 +2557,7 @@ public class CMCRequest { + + // (6) Finally, print the actual CMC blob to the + // specified output file +- FileOutputStream os = null; +- try { +- os = new FileOutputStream(ofilename); +- cmcblob.encode(os); +- System.out.println(""); +- System.out.println(""); +- System.out.println("The CMC enrollment request in binary format is stored in " + +- ofilename); +- } catch (IOException e) { +- System.out.println("CMCRequest: unable to open file " + 
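Review bot: The new `if (format.equals("test_cmc"))` branch in hunk @@ -2151 turns a value that processResignCMC's own comment describes as "for testing only" into a reachable mode of the shipped CLI, yet neither the printUsage hunk (@@ -798) nor the CMCRequest.1 hunk documents it, and the branch runs before the useSharedSecret/privKeyId validation that follows it. If the hook is meant to ship, document it in the usage text as a test facility; otherwise consider gating it. `format.equals(...)` also throws if `format` was never assigned — whether an earlier check guarantees it is set is not visible in this patch — so `"test_cmc".equals(format)` is the safer spelling. main continues on both sides of this hunk.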
ofilename + +- " for writing:\n" + e); +- } +- +- try { +- os.close(); +- } catch (IOException e) { +- System.out.println("CMCRequest: Unexpected error " + +- "encountered while attempting to close() " + +- "\n" + e); +- } +- ++ outputContentInfo(cmcblob, ofilename); + } catch (Exception e) { + e.printStackTrace(); + System.exit(1); +diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +index 747b7d6..dd7a264 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java ++++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java +@@ -190,7 +190,7 @@ public class CRMFPopClient { + option.setArgName("keywrap algorithm"); + options.addOption(option); + +- options.addOption("y", false, "for Self-signed cmc."); ++ options.addOption("y", false, "for cmc SharedSecret requests."); + + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "help", false, "Show help message."); +@@ -210,7 +210,7 @@ public class CRMFPopClient { + System.out.println(" -k Attribute value encoding in subject DN (default: false)"); + System.out.println(" - true: enabled"); + System.out.println(" - false: disabled"); +- System.out.println(" -y Add SubjectKeyIdentifier extension in case of self-signed CMC requests (default: false)"); ++ System.out.println(" -y Add SubjectKeyIdentifier extension in case of CMC SharedSecret requests (default: false); To be used with 'request.useSharedSecret=true' when running CMCRequest."); + System.out.println(" - true: enabled"); + System.out.println(" - false: disabled"); + System.out.println(" -a Key algorithm (default: rsa)"); +@@ -320,7 +320,7 @@ public class CRMFPopClient { + int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1")); + int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1")); + +- boolean self_sign = cmd.hasOption("y"); ++ boolean use_shared_secret = cmd.hasOption("y"); + + // get the 
keywrap algorithm + KeyWrapAlgorithm keyWrapAlgorithm = null; +@@ -335,6 +335,7 @@ public class CRMFPopClient { + } + + String output = cmd.getOptionValue("o"); ++ String output_kid = output + ".keyId"; + + String hostPort = cmd.getOptionValue("m"); + String username = cmd.getOptionValue("u"); +@@ -507,7 +508,7 @@ public class CRMFPopClient { + + if (verbose) System.out.println("Creating certificate request"); + CertRequest certRequest = client.createCertRequest( +- self_sign, ++ use_shared_secret, + token, transportCert, algorithm, keyPair, + subject, keyWrapAlgorithm); + +@@ -558,11 +559,16 @@ public class CRMFPopClient { + requestor); + + } else if (output != null) { +- System.out.println("Storing CRMF requrest into " + output); ++ System.out.println("Storing CRMF request into " + output); + try (FileWriter out = new FileWriter(output)) { + out.write(csr); + } + ++ System.out.println("Storing CRMF request key id into " + output_kid); ++ try (FileWriter out_kid = new FileWriter(output_kid)) { ++ out_kid.write(kid); ++ } ++ + } else { + System.out.println(csr); + } +@@ -655,7 +661,7 @@ public class CRMFPopClient { + } + + public CertRequest createCertRequest( +- boolean self_sign, ++ boolean use_shared_secret, + CryptoToken token, + X509Certificate transportCert, + String algorithm, +@@ -701,8 +707,8 @@ public class CRMFPopClient { + seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr)); + */ + +- if (self_sign) { // per rfc 5272 +- System.out.println("CRMFPopClient: self_sign true. Generating SubjectKeyIdentifier extension."); ++ if (use_shared_secret) { // per rfc 5272 ++ System.out.println("CRMFPopClient: use_shared_secret true. 
Generating SubjectKeyIdentifier extension."); + KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(keyPair); + OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(PKIXExtensions.SubjectKey_Id.toString()); + SEQUENCE extns = new SEQUENCE(); +diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +index 9f39430..137049e 100644 +--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java ++++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java +@@ -18,6 +18,7 @@ + package com.netscape.cmstools; + + import java.io.FileOutputStream; ++import java.io.FileWriter; + import java.io.IOException; + import java.io.PrintStream; + import java.security.KeyPair; +@@ -84,11 +85,11 @@ public class PKCS10Client { + System.out.println( + " available ECC curve names (if provided by the crypto module): nistp256 (secp256r1),nistp384 (secp384r1),nistp521 (secp521r1),nistk163 (sect163k1),sect163r1,nistb163 (sect163r2),sect193r1,sect193r2,nistk233 (sect233k1),nistb233 (sect233r1),sect239k1,nistk283 (sect283k1),nistb283 (sect283r1),nistk409 (sect409k1),nistb409 (sect409r1),nistk571 (sect571k1),nistb571 (sect571r1),secp160k1,secp160r1,secp160r2,secp192k1,nistp192 (secp192r1, prime192v1),secp224k1,nistp224 (secp224r1),secp256k1,prime192v2,prime192v3,prime239v1,prime239v2,prime239v3,c2pnb163v1,c2pnb163v2,c2pnb163v3,c2pnb176v1,c2tnb191v1,c2tnb191v2,c2tnb191v3,c2pnb208w1,c2tnb239v1,c2tnb239v2,c2tnb239v3,c2pnb272w1,c2pnb304w1,c2tnb359w1,c2pnb368w1,c2tnb431r1,secp112r1,secp112r2,secp128r1,secp128r2,sect113r1,sect113r2,sect131r1,sect131r2\n"); + System.out.println( +- "In addition: -y \n"); ++ "In addition: -y To be used with 'request.useSharedSecret=true' when running CMCRequest.\n"); + } + + public static void main(String args[]) throws Exception { +- String dbdir = null, ofilename = null, password = null, subjectName = null, tokenName = null; ++ String dbdir = null, ofilename = null, kid_ofilename = 
null, password = null, subjectName = null, tokenName = null; + + String alg = "rsa"; + String ecc_curve = "nistp256"; +@@ -99,7 +100,7 @@ public class PKCS10Client { + boolean ec_ssl_ecdh = false; + int rsa_keylen = 2048; + +- boolean self_sign = false; ++ boolean use_shared_secret = false; + + if (args.length < 4) { + printUsage(); +@@ -163,6 +164,7 @@ public class PKCS10Client { + rsa_keylen = Integer.parseInt(args[i+1]); + } else if (name.equals("-o")) { + ofilename = args[i+1]; ++ kid_ofilename = ofilename + ".keyId"; + } else if (name.equals("-n")) { + subjectName = args[i+1]; + } else if (name.equals("-h")) { +@@ -170,9 +172,9 @@ public class PKCS10Client { + } else if (name.equals("-y")) { + String temp = args[i+1]; + if (temp.equals("true")) +- self_sign = true; ++ use_shared_secret = true; + else +- self_sign = false; ++ use_shared_secret = false; + } else { + System.out.println("Unrecognized argument(" + i + "): " + + name); +@@ -277,8 +279,8 @@ public class PKCS10Client { + + + Extensions extns = new Extensions(); +- if (self_sign) { // per rfc 5272 +- System.out.println("PKCS10Client: self_sign true. Generating SubjectKeyIdentifier extension."); ++ if (use_shared_secret) { // per rfc 5272 ++ System.out.println("PKCS10Client: use_shared_secret true. Generating SubjectKeyIdentifier extension."); + KeyIdentifier subjKeyId = CryptoUtil.createKeyIdentifier(pair); + SubjectKeyIdentifierExtension extn = new SubjectKeyIdentifierExtension(false, + subjKeyId.getIdentifier()); +@@ -318,7 +320,13 @@ public class PKCS10Client { + ps.println(Cert.REQUEST_FOOTER); + ps.flush(); + ps.close(); +- System.out.println("PKCS10Client: done. Request written to file: "+ ofilename); ++ System.out.println("PKCS10Client: done. 
Certificate request written into "+ ofilename); ++ ++ try (FileWriter out_kid = new FileWriter(kid_ofilename)) { ++ out_kid.write(kid); ++ } ++ System.out.println("PKCS10Client: PKCS#10 request key id written into " + kid_ofilename); ++ + } catch (Exception e) { + System.out.println("PKCS10Client: Exception caught: "+e.toString()); + System.exit(1); +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java +deleted file mode 100644 +index d4554ca..0000000 +--- a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java ++++ /dev/null +@@ -1,129 +0,0 @@ +-// --- BEGIN COPYRIGHT BLOCK --- +-// This program is free software; you can redistribute it and/or modify +-// it under the terms of the GNU General Public License as published by +-// the Free Software Foundation; version 2 of the License. +-// +-// This program is distributed in the hope that it will be useful, +-// but WITHOUT ANY WARRANTY; without even the implied warranty of +-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-// GNU General Public License for more details. +-// +-// You should have received a copy of the GNU General Public License along +-// with this program; if not, write to the Free Software Foundation, Inc., +-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-// +-// (C) 2013 Red Hat, Inc. +-// All rights reserved. 
+-// --- END COPYRIGHT BLOCK --- +-package com.netscape.cms.profile.constraint; +- +-import java.util.Locale; +- +-import com.netscape.certsrv.apps.CMS; +-import com.netscape.certsrv.authentication.IAuthToken; +-import com.netscape.certsrv.authentication.IAuthManager; +-import com.netscape.certsrv.base.IConfigStore; +-import com.netscape.certsrv.profile.EProfileException; +-import com.netscape.certsrv.profile.ERejectException; +-import com.netscape.certsrv.profile.IPolicyDefault; +-import com.netscape.certsrv.profile.IProfile; +-import com.netscape.certsrv.property.IDescriptor; +-import com.netscape.certsrv.request.IRequest; +-import com.netscape.cms.profile.common.EnrollProfile; +-import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; +- +-import netscape.security.x509.CertificateSubjectName; +-import netscape.security.x509.X500Name; +-import netscape.security.x509.X509CertInfo; +- +-/** +- * This class implements the user subject name constraint for self-signed cmc requests. +- * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match +- * +- * @author cfu +- * @version $Revision$, $Date$ +- */ +-public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { +- +- public CMCSelfSignedSubjectNameConstraint() { +- } +- +- public void init(IProfile profile, IConfigStore config) +- throws EProfileException { +- super.init(profile, config); +- } +- +- public IDescriptor getConfigDescriptor(Locale locale, String name) { +- return null; +- } +- +- public String getDefaultConfig(String name) { +- return null; +- } +- +- /** +- * Validates the request. The request is not modified +- * during the validation. User encoded subject name +- * is copied into the certificate template. 
+- */ +- public void validate(IRequest request, X509CertInfo info) +- throws ERejectException { +- String method = "CMCSelfSignedSubjectNameConstraint: "; +- String msg = ""; +- +- CertificateSubjectName infoCertSN = null; +- String authTokenSharedTokenSN = null; +- +- try { +- infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); +- if (infoCertSN == null) { +- msg = method + "infoCertSN null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- CMS.debug(method + "validate user subject ="+ +- infoCertSN.toString()); +- X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); +- if (infoCertName == null) { +- msg = method + "infoCertName null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- +- authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); +- if (authTokenSharedTokenSN == null) { +- msg = method + "authTokenSharedTokenSN null"; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { +- CMS.debug(method + "names matched"); +- } else { +- msg = method + "names do not match; authTokenSharedTokenSN =" + +- authTokenSharedTokenSN; +- CMS.debug(msg); +- throw new Exception(msg); +- } +- +- } catch (Exception e) { +- throw new ERejectException( +- CMS.getUserMessage(getLocale(request), +- "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); +- } +- } +- +- public String getText(Locale locale) { +- return CMS.getUserMessage(locale, +- "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); +- } +- +- public boolean isApplicable(IPolicyDefault def) { +- String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; +- if (def instanceof AuthTokenSubjectNameDefault) { +- CMS.debug(method + "true"); +- return true; +- } +- CMS.debug(method + "false"); +- return false; +- } +-} +diff --git 
a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java +new file mode 100644 +index 0000000..879e1cc +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSharedTokenSubjectNameConstraint.java +@@ -0,0 +1,130 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2013 Red Hat, Inc. ++// All rights reserved. 
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.cms.profile.constraint; ++ ++import java.util.Locale; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthToken; ++import com.netscape.certsrv.authentication.IAuthManager; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.profile.EProfileException; ++import com.netscape.certsrv.profile.ERejectException; ++import com.netscape.certsrv.profile.IPolicyDefault; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++import com.netscape.cms.profile.common.EnrollProfile; ++import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; ++ ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++ ++/** ++ * This class implements the user subject name constraint for cmc requests ++ * authenticated by the SharedSecret ++ * The resulting cert should match that of the authenticating DN ++ * ++ * @author cfu ++ * @version $Revision$, $Date$ ++ */ ++public class CMCSharedTokenSubjectNameConstraint extends EnrollConstraint { ++ ++ public CMCSharedTokenSubjectNameConstraint() { ++ } ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ super.init(profile, config); ++ } ++ ++ public IDescriptor getConfigDescriptor(Locale locale, String name) { ++ return null; ++ } ++ ++ public String getDefaultConfig(String name) { ++ return null; ++ } ++ ++ /** ++ * Validates the request. The request is not modified ++ * during the validation. User encoded subject name ++ * is copied into the certificate template. 
++ */ ++ public void validate(IRequest request, X509CertInfo info) ++ throws ERejectException { ++ String method = "CMCSharedTokenSubjectNameConstraint: "; ++ String msg = ""; ++ ++ CertificateSubjectName infoCertSN = null; ++ String authTokenSharedTokenSN = null; ++ ++ try { ++ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); ++ if (infoCertSN == null) { ++ msg = method + "infoCertSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ CMS.debug(method + "validate user subject ="+ ++ infoCertSN.toString()); ++ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); ++ if (infoCertName == null) { ++ msg = method + "infoCertName null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (authTokenSharedTokenSN == null) { ++ msg = method + "authTokenSharedTokenSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { ++ CMS.debug(method + "names matched"); ++ } else { ++ msg = method + "names do not match; authTokenSharedTokenSN =" + ++ authTokenSharedTokenSN; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ } catch (Exception e) { ++ throw new ERejectException( ++ CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); ++ } ++ } ++ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, ++ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); ++ } ++ ++ public boolean isApplicable(IPolicyDefault def) { ++ String method = "CMCSharedTokenSubjectNameConstraint: isApplicable: "; ++ if (def instanceof AuthTokenSubjectNameDefault) { ++ CMS.debug(method + "true"); ++ return true; ++ } ++ CMS.debug(method + "false"); ++ return false; ++ } ++} +-- +1.8.3.1 + 
diff --git a/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch b/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch
new file mode 100644
index 0000000..5697215
--- /dev/null
+++ b/SOURCES/pki-core-CA-OCSP-SystemCertsVerification.patch
@@ -0,0 +1,258 @@ +From da51b869a4ad3e558689c4dfa054605495c96485 Mon Sep 17 00:00:00 2001 +From: jmagne +Date: Thu, 8 Nov 2018 17:07:40 -0800 +Subject: [PATCH] Resolve: Bug 1641119 - CC: CA/OCSP startup fail on + SystemCertsVerification if enableOCSP is true. (#87) + +The approach taken by this patch is quite simple. The SystemCertsVerification self test has been modified to +optionally act differently when verifying the system certs of both ca and ocsp instances. + +Previously, the test would do a full cert verification , which results in an ocsp check being done at the nss level, if ocsp has been enabled in the server.xml. The past result was to have the server hang on startup , due to the fact that an ocsp check of a given cert would loop back to the ca or ocsp server itself to do the work. In the case of the self test /startup scenario, the server will not be sufficiently ready to field such a request, thus resulting in a hang situation. + +This fix modifies the cert checks for ca and ocsp to ONLY do a validity test for each cert. + +The code has created an optional parameter than can force our of this behaviour if the admin absolutely wants to: + +selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify= true + +IF, the admin wants the test to behave as it did before. This may be the case where we know ocsp is not configured for the ca or ocsp itself. + +The value, is false by default and is false if the line is not present. + +The simple validity test is all that gets done at this point but could be modified to do more in the future. +We already have a validity test for just the CA singing and OCSP signing certs. I felt it was cleaner to just leave those in place unchanged, safely leaving the original wiring in place. 
+ +(cherry picked from commit 3eab287365d83a167fff7ec1287bd70647e93757) +--- + base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 2 +- + .../selftests/common/SystemCertsVerification.java | 17 +++++++- + .../src/com/netscape/cmscore/apps/CMSEngine.java | 2 +- + .../src/com/netscape/cmscore/cert/CertUtils.java | 50 ++++++++++++++++++++-- + base/server/tomcat7/conf/server.xml | 9 +++- + base/server/tomcat8/conf/server.xml | 9 +++- + 6 files changed, 78 insertions(+), 11 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +index 226c05c..c45da2e 100644 +--- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC certificate request with CMC Signature authentication. +-visible=true ++visible=false + enable=true + enableBy=admin + auth.instance_id=CMCAuth +diff --git a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java +index cc52f83..335a940 100644 +--- a/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java ++++ b/base/server/cms/src/com/netscape/cms/selftests/common/SystemCertsVerification.java +@@ -36,6 +36,7 @@ import com.netscape.certsrv.selftests.EMissingSelfTestException; + import com.netscape.certsrv.selftests.ESelfTestException; + import com.netscape.certsrv.selftests.ISelfTestSubsystem; + import com.netscape.cms.selftests.ASelfTest; ++import com.netscape.cmscore.cert.CertUtils; + + ////////////////////// + // class definition // +@@ -60,7 +61,9 @@ public class SystemCertsVerification + + // parameter information + public static final String PROP_SUB_ID = "SubId"; ++ public static final String PROP_FULL_CA_OCSP_VERIFY = "FullCAandOCSPVerify"; + private String mSubId = null; ++ private 
boolean mFullCAandOCSPVerify = false; + + ///////////////////// + // default methods // +@@ -122,6 +125,13 @@ public class SystemCertsVerification + + // retrieve optional parameter(s) + ++ try { ++ mFullCAandOCSPVerify = mConfig.getBoolean(PROP_FULL_CA_OCSP_VERIFY, false); ++ } catch (EBaseException e) { ++ //Since this is fully optional, keep going. ++ mFullCAandOCSPVerify = false; ++ } ++ + return; + } + +@@ -190,7 +200,12 @@ public class SystemCertsVerification + public void runSelfTest(ILogEventListener logger) throws Exception { + + try { +- CMS.verifySystemCerts(); ++ if (("ca".equalsIgnoreCase(mSubId) || "ocsp".equalsIgnoreCase(mSubId)) && !mFullCAandOCSPVerify) { ++ //Perform validity only ++ CertUtils.verifySystemCerts(true); ++ } else { ++ CertUtils.verifySystemCerts(false); ++ } + + String logMessage = CMS.getLogMessage( + "SELFTESTS_COMMON_SYSTEM_CERTS_VERIFICATION_SUCCESS", +diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +index 2c953cc..f1a3b78 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +@@ -1711,7 +1711,7 @@ public class CMSEngine implements ICMSEngine { + } + + public void verifySystemCerts() throws Exception { +- CertUtils.verifySystemCerts(); ++ CertUtils.verifySystemCerts(false); + } + + public void verifySystemCertByTag(String tag) throws Exception { +diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +index 3334b43..6669632 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java +@@ -817,6 +817,30 @@ public class CertUtils { + return tmp.toString(); + } + ++ public static void verifySystemCertValidityByNickname(String nickname) throws Exception { ++ ++ 
String method = "Certutils.verifySystemCertValidityByNickname: "; ++ ++ CMS.debug(method + "(" + nickname + ")"); ++ try { ++ CryptoManager cm = CryptoManager.getInstance(); ++ org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(nickname); ++ ++ X509CertImpl impl = new X509CertImpl(cert.getEncoded()); ++ ++ boolean valid = isValidCert(impl); ++ ++ if (!valid) { ++ throw new Exception(method + " failed: nickname: " + nickname); ++ } ++ } catch (Exception e) { ++ CMS.debug(method + " failed : " + e); ++ throw new Exception(method + " faliled: nickname: "+ nickname + "cause: " + e); ++ } ++ ++ CMS.debug(method + "success"); ++ } ++ + /* + * verify a certificate by its nickname + * @throws Exception if something is wrong +@@ -891,10 +915,18 @@ public class CertUtils { + } + + /* +- * verify a certificate by its tag name ++ * verify a certificate by its tag name, do a full verification + * @throws Exception if something is wrong + */ + public static void verifySystemCertByTag(String tag) throws Exception { ++ verifySystemCertByTag(tag,false); ++ } ++ /* ++ * verify a certificate by its tag name ++ * @throws Exception if something is wrong ++ * perform optional validity check only ++ */ ++ public static void verifySystemCertByTag(String tag,boolean checkValidityOnly) throws Exception { + + CMS.debug("CertUtils: verifySystemCertByTag(" + tag + ")"); + +@@ -934,7 +966,11 @@ public class CertUtils { + // throw new Exception("Missing certificate usage for " + tag + " certificate"); ? 
+ } + +- verifySystemCertByNickname(nickname, certusage); ++ if(!checkValidityOnly) { ++ verifySystemCertByNickname(nickname, certusage); ++ } else { ++ verifySystemCertValidityByNickname(nickname); ++ } + + auditMessage = CMS.getLogMessage( + AuditEvent.CIMC_CERT_VERIFICATION, +@@ -999,8 +1035,9 @@ public class CertUtils { + * goes through all system certs and check to see if they are good + * and audit the result + * @throws Exception if something is wrong ++ * optionally only check certs validity. + */ +- public static void verifySystemCerts() throws Exception { ++ public static void verifySystemCerts(boolean checkValidityOnly) throws Exception { + + String auditMessage = null; + IConfigStore config = CMS.getConfigStore(); +@@ -1051,7 +1088,12 @@ public class CertUtils { + String tag = tokenizer.nextToken(); + tag = tag.trim(); + CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag); +- verifySystemCertByTag(tag); ++ ++ if (!checkValidityOnly) { ++ verifySystemCertByTag(tag); ++ } else { ++ verifySystemCertByTag(tag, true); ++ } + } + + } catch (Exception e) { +diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml +index dae513d..02eb8eb 100644 +--- a/base/server/tomcat7/conf/server.xml ++++ b/base/server/tomcat7/conf/server.xml +@@ -173,6 +173,11 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 ++ ++ If both ocspResponderURL and ocspResponderCertNickname are both unset ++ all OCSP checks will be made using the URL encoded within the AIA extension ++ of each cert being verified. 
++ + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt +@@ -192,8 +197,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" +- ocspMinCacheEntryDuration="60" +- ocspMaxCacheEntryDuration="120" ++ ocspMinCacheEntryDuration="7200" ++ ocspMaxCacheEntryDuration="14400" + ocspTimeout="10" + strictCiphers="true" + clientAuth="[PKI_AGENT_CLIENTAUTH]" +diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml +index d08e3b1..c83ab58 100644 +--- a/base/server/tomcat8/conf/server.xml ++++ b/base/server/tomcat8/conf/server.xml +@@ -193,6 +193,11 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 ++ ++ If both ocspResponderURL and ocspResponderCertNickname are both unset ++ all OCSP checks will be made using the URL encoded within the AIA extension ++ of each cert being verified. ++ + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt +@@ -218,8 +223,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) + ocspResponderURL="http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" +- ocspMinCacheEntryDuration="60" +- ocspMaxCacheEntryDuration="120" ++ ocspMinCacheEntryDuration="7200" ++ ocspMaxCacheEntryDuration="14400" + ocspTimeout="10" + strictCiphers="true" + clientAuth="[PKI_AGENT_CLIENTAUTH]" +-- +1.8.3.1 + 
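Review bot: In CertUtils.verifySystemCertByTag the audit event emitted right after the new if/else (`auditMessage = CMS.getLogMessage(AuditEvent.CIMC_CERT_VERIFICATION, ...`) is identical whether the full verifySystemCertByNickname path or the new validity-only verifySystemCertValidityByNickname path ran, so for ca and ocsp subsystems (where checkValidityOnly is now the default) the audit trail no longer records that chain, trust and signature were not checked at startup; include the checkValidityOnly value in that audit message or log a distinct message in the validity-only branch (the rest of verifySystemCertByTag, including the audit parameters, lies outside the shown hunk lines). verifySystemCertValidityByNickname also needs a header comment stating its limited scope, e.g. `/* Checks only that the cert is within its validity period via isValidCert(); chain, trust and revocation are NOT verified -- use verifySystemCertByNickname for a full check. */` (what isValidCert actually covers is not visible here; confirm before wording it that way). The exception string in its catch block has a typo and a missing separator: `throw new Exception(method + " failed: nickname: " + nickname + " cause: " + e);`. Separately, the two server.xml hunks raise ocspMinCacheEntryDuration/ocspMaxCacheEntryDuration from 60/120 to 7200/14400 seconds, so the cached OCSP status of a TLS client certificate can presumably stay stale for up to four hours after revocation; the commit message does not mention this change, and the explanatory comment block above those attributes should state the trade-off.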
diff --git a/SOURCES/pki-core-Session-Timeout.patch b/SOURCES/pki-core-Session-Timeout.patch
new file mode 100644
index 0000000..4aa0af6
--- /dev/null
+++ b/SOURCES/pki-core-Session-Timeout.patch
@@ -0,0 +1,5141 @@ +From 05ebd730708f4dd6b59c667535fef0808e0e0468 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Tue, 11 Dec 2018 08:17:20 +0100 +Subject: [PATCH] Simplifying Web UI session timeout configuration + +The web.xml files for PKI webapps have been modified to remove +hard-coded parameters. The webapps will now +use the timeout defined in /etc/pki//web.xml. + +Unused web.xml files have been removed as well. + +https://pagure.io/dogtagpki/issue/3084 +(cherry picked from commit 30a47907af087a9d2f7739e8d577d7cdd28de18b) +--- + base/ca/shared/conf/web.xml | 989 ------------------------- + base/ca/shared/webapps/ca/WEB-INF/web.xml | 10 - + base/kra/shared/conf/web.xml | 989 ------------------------- + base/kra/shared/webapps/kra/WEB-INF/web.xml | 10 - + base/ocsp/shared/conf/web.xml | 993 -------------------------- + base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 11 - + base/server/share/webapps/pki/WEB-INF/web.xml | 4 - + base/tks/shared/conf/web.xml | 993 -------------------------- + base/tks/shared/webapps/tks/WEB-INF/web.xml | 10 - + base/tps/shared/conf/web.xml | 993 -------------------------- + base/tps/shared/webapps/tps/WEB-INF/web.xml | 10 - + 11 files changed, 5012 deletions(-) + delete mode 100644 base/ca/shared/conf/web.xml + delete mode 100644 base/kra/shared/conf/web.xml + delete mode 100644 base/ocsp/shared/conf/web.xml + delete mode 100644 base/tks/shared/conf/web.xml + delete mode 100644 base/tps/shared/conf/web.xml + +diff --git a/base/ca/shared/conf/web.xml b/base/ca/shared/conf/web.xml +deleted file mode 100644 +index fb22468..0000000 +--- a/base/ca/shared/conf/web.xml ++++ /dev/null +@@ -1,989 +0,0 @@ +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- org.apache.catalina.servlets.DefaultServlet +- +- debug +- 0 +- +- +- listings +- false +- +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- jsp +- org.apache.jasper.servlet.JspServlet +- +- fork +- false +- +- +- xpoweredBy +- false +- +- 3 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- / +- +- +- +- +- +- +- +- jsp +- *.jsp +- +- +- +- jsp +- *.jspx +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 30 +- +- +- +- +- +- +- +- +- +- +- +- abs +- audio/x-mpeg +- +- +- ai +- application/postscript +- +- +- aif +- audio/x-aiff +- +- +- aifc +- audio/x-aiff +- +- +- aiff +- audio/x-aiff +- +- +- aim +- application/x-aim +- +- +- art +- image/x-jg +- +- +- asf +- video/x-ms-asf +- +- +- asx +- video/x-ms-asf +- +- +- au +- audio/basic +- +- +- avi +- video/x-msvideo +- +- +- avx +- video/x-rad-screenplay +- +- +- bcpio +- application/x-bcpio +- +- +- bin +- application/octet-stream +- +- +- bmp +- image/bmp +- +- +- body +- text/html +- +- +- cdf +- application/x-cdf +- +- +- cer +- application/x-x509-ca-cert +- +- +- class +- application/java +- +- +- cpio +- application/x-cpio +- +- +- csh +- application/x-csh +- +- +- css +- text/css +- +- +- dib +- image/bmp +- +- +- doc +- application/msword +- +- +- dtd +- application/xml-dtd +- +- +- dv +- video/x-dv +- +- +- dvi +- application/x-dvi +- +- +- eps +- application/postscript +- +- +- etx +- text/x-setext +- +- +- exe +- application/octet-stream +- +- +- gif +- image/gif +- +- +- gtar +- application/x-gtar +- +- +- gz +- application/x-gzip +- +- +- hdf +- application/x-hdf +- +- +- hqx +- application/mac-binhex40 +- +- +- htc +- text/x-component +- +- +- htm +- text/html +- +- +- html +- text/html 
+- +- +- hqx +- application/mac-binhex40 +- +- +- ief +- image/ief +- +- +- jad +- text/vnd.sun.j2me.app-descriptor +- +- +- jar +- application/java-archive +- +- +- java +- text/plain +- +- +- jnlp +- application/x-java-jnlp-file +- +- +- jpe +- image/jpeg +- +- +- jpeg +- image/jpeg +- +- +- jpg +- image/jpeg +- +- +- js +- text/javascript +- +- +- jsf +- text/plain +- +- +- jspf +- text/plain +- +- +- kar +- audio/x-midi +- +- +- latex +- application/x-latex +- +- +- m3u +- audio/x-mpegurl +- +- +- mac +- image/x-macpaint +- +- +- man +- application/x-troff-man +- +- +- mathml +- application/mathml+xml +- +- +- me +- application/x-troff-me +- +- +- mid +- audio/x-midi +- +- +- midi +- audio/x-midi +- +- +- mif +- application/x-mif +- +- +- mov +- video/quicktime +- +- +- movie +- video/x-sgi-movie +- +- +- mp1 +- audio/x-mpeg +- +- +- mp2 +- audio/x-mpeg +- +- +- mp3 +- audio/x-mpeg +- +- +- mpa +- audio/x-mpeg +- +- +- mpe +- video/mpeg +- +- +- mpeg +- video/mpeg +- +- +- mpega +- audio/x-mpeg +- +- +- mpg +- video/mpeg +- +- +- mpv2 +- video/mpeg2 +- +- +- ms +- application/x-wais-source +- +- +- nc +- application/x-netcdf +- +- +- oda +- application/oda +- +- +- ogg +- application/ogg +- +- +- pbm +- image/x-portable-bitmap +- +- +- pct +- image/pict +- +- +- pdf +- application/pdf +- +- +- pgm +- image/x-portable-graymap +- +- +- pic +- image/pict +- +- +- pict +- image/pict +- +- +- pls +- audio/x-scpls +- +- +- png +- image/png +- +- +- pnm +- image/x-portable-anymap +- +- +- pnt +- image/x-macpaint +- +- +- ppm +- image/x-portable-pixmap +- +- +- ppt +- application/powerpoint +- +- +- ps +- application/postscript +- +- +- psd +- image/x-photoshop +- +- +- qt +- video/quicktime +- +- +- qti +- image/x-quicktime +- +- +- qtif +- image/x-quicktime +- +- +- ras +- image/x-cmu-raster +- +- +- rdf +- application/rdf+xml +- +- +- rgb +- image/x-rgb +- +- +- rm +- application/vnd.rn-realmedia +- +- +- roff +- application/x-troff +- +- +- rtf +- application/rtf 
+- +- +- rtx +- text/richtext +- +- +- sh +- application/x-sh +- +- +- shar +- application/x-shar +- +- +- smf +- audio/x-midi +- +- +- sit +- application/x-stuffit +- +- +- snd +- audio/basic +- +- +- src +- application/x-wais-source +- +- +- sv4cpio +- application/x-sv4cpio +- +- +- sv4crc +- application/x-sv4crc +- +- +- svg +- image/svg+xml +- +- +- swf +- application/x-shockwave-flash +- +- +- t +- application/x-troff +- +- +- tar +- application/x-tar +- +- +- tcl +- application/x-tcl +- +- +- tex +- application/x-tex +- +- +- texi +- application/x-texinfo +- +- +- texinfo +- application/x-texinfo +- +- +- tif +- image/tiff +- +- +- tiff +- image/tiff +- +- +- tr +- application/x-troff +- +- +- tsv +- text/tab-separated-values +- +- +- txt +- text/plain +- +- +- ulw +- audio/basic +- +- +- ustar +- application/x-ustar +- +- +- vxml +- application/voicexml+xml +- +- +- xbm +- image/x-xbitmap +- +- +- xht +- application/xhtml+xml +- +- +- xhtml +- application/xhtml+xml +- +- +- xml +- application/xml +- +- +- xpm +- image/x-xpixmap +- +- +- xsl +- application/xml +- +- +- xslt +- application/xslt+xml +- +- +- xul +- application/vnd.mozilla.xul+xml +- +- +- xwd +- image/x-xwindowdump +- +- +- wav +- audio/x-wav +- +- +- svg +- image/svg +- +- +- svgz +- image/svg +- +- +- vsd +- application/x-visio +- +- +- +- wbmp +- image/vnd.wap.wbmp +- +- +- +- wml +- text/vnd.wap.wml +- +- +- +- wmlc +- application/vnd.wap.wmlc +- +- +- +- wmls +- text/vnd.wap.wmlscript +- +- +- +- wmlscriptc +- application/vnd.wap.wmlscriptc +- +- +- wrl +- x-world/x-vrml +- +- +- Z +- application/x-compress +- +- +- z +- application/x-compress +- +- +- zip +- application/zip +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- index.html +- index.htm +- index.jsp +- +- +- +- 404 +- /404.html +- +- +- +- 500 +- /500.html +- +- +- +diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml +index 2666049..92d4e6b 100644 +--- 
a/base/ca/shared/webapps/ca/WEB-INF/web.xml ++++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml +@@ -2618,16 +2618,6 @@ + /ee/ca/pkiclient + + +- +- +- +- +- +- +- +- 30 +- +- + + + Account Services +diff --git a/base/kra/shared/conf/web.xml b/base/kra/shared/conf/web.xml +deleted file mode 100644 +index fb22468..0000000 +--- a/base/kra/shared/conf/web.xml ++++ /dev/null +@@ -1,989 +0,0 @@ +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- org.apache.catalina.servlets.DefaultServlet +- +- debug +- 0 +- +- +- listings +- false +- +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- jsp +- org.apache.jasper.servlet.JspServlet +- +- fork +- false +- +- +- xpoweredBy +- false +- +- 3 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- / +- +- +- +- +- +- +- +- jsp +- *.jsp +- +- +- +- jsp +- *.jspx +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 30 +- +- +- +- +- +- +- +- +- +- +- +- abs +- audio/x-mpeg +- +- +- ai +- application/postscript +- +- +- aif +- audio/x-aiff +- +- +- aifc +- audio/x-aiff +- +- +- aiff +- audio/x-aiff +- +- +- aim +- application/x-aim +- +- +- art +- image/x-jg +- +- +- asf +- video/x-ms-asf +- +- +- asx +- video/x-ms-asf +- +- +- au +- audio/basic +- +- +- avi +- video/x-msvideo +- +- +- avx +- video/x-rad-screenplay +- +- +- bcpio +- application/x-bcpio +- +- +- bin +- application/octet-stream +- +- +- bmp +- image/bmp +- +- +- body +- text/html +- +- 
+- cdf +- application/x-cdf +- +- +- cer +- application/x-x509-ca-cert +- +- +- class +- application/java +- +- +- cpio +- application/x-cpio +- +- +- csh +- application/x-csh +- +- +- css +- text/css +- +- +- dib +- image/bmp +- +- +- doc +- application/msword +- +- +- dtd +- application/xml-dtd +- +- +- dv +- video/x-dv +- +- +- dvi +- application/x-dvi +- +- +- eps +- application/postscript +- +- +- etx +- text/x-setext +- +- +- exe +- application/octet-stream +- +- +- gif +- image/gif +- +- +- gtar +- application/x-gtar +- +- +- gz +- application/x-gzip +- +- +- hdf +- application/x-hdf +- +- +- hqx +- application/mac-binhex40 +- +- +- htc +- text/x-component +- +- +- htm +- text/html +- +- +- html +- text/html +- +- +- hqx +- application/mac-binhex40 +- +- +- ief +- image/ief +- +- +- jad +- text/vnd.sun.j2me.app-descriptor +- +- +- jar +- application/java-archive +- +- +- java +- text/plain +- +- +- jnlp +- application/x-java-jnlp-file +- +- +- jpe +- image/jpeg +- +- +- jpeg +- image/jpeg +- +- +- jpg +- image/jpeg +- +- +- js +- text/javascript +- +- +- jsf +- text/plain +- +- +- jspf +- text/plain +- +- +- kar +- audio/x-midi +- +- +- latex +- application/x-latex +- +- +- m3u +- audio/x-mpegurl +- +- +- mac +- image/x-macpaint +- +- +- man +- application/x-troff-man +- +- +- mathml +- application/mathml+xml +- +- +- me +- application/x-troff-me +- +- +- mid +- audio/x-midi +- +- +- midi +- audio/x-midi +- +- +- mif +- application/x-mif +- +- +- mov +- video/quicktime +- +- +- movie +- video/x-sgi-movie +- +- +- mp1 +- audio/x-mpeg +- +- +- mp2 +- audio/x-mpeg +- +- +- mp3 +- audio/x-mpeg +- +- +- mpa +- audio/x-mpeg +- +- +- mpe +- video/mpeg +- +- +- mpeg +- video/mpeg +- +- +- mpega +- audio/x-mpeg +- +- +- mpg +- video/mpeg +- +- +- mpv2 +- video/mpeg2 +- +- +- ms +- application/x-wais-source +- +- +- nc +- application/x-netcdf +- +- +- oda +- application/oda +- +- +- ogg +- application/ogg +- +- +- pbm +- image/x-portable-bitmap +- +- +- pct +- 
image/pict +- +- +- pdf +- application/pdf +- +- +- pgm +- image/x-portable-graymap +- +- +- pic +- image/pict +- +- +- pict +- image/pict +- +- +- pls +- audio/x-scpls +- +- +- png +- image/png +- +- +- pnm +- image/x-portable-anymap +- +- +- pnt +- image/x-macpaint +- +- +- ppm +- image/x-portable-pixmap +- +- +- ppt +- application/powerpoint +- +- +- ps +- application/postscript +- +- +- psd +- image/x-photoshop +- +- +- qt +- video/quicktime +- +- +- qti +- image/x-quicktime +- +- +- qtif +- image/x-quicktime +- +- +- ras +- image/x-cmu-raster +- +- +- rdf +- application/rdf+xml +- +- +- rgb +- image/x-rgb +- +- +- rm +- application/vnd.rn-realmedia +- +- +- roff +- application/x-troff +- +- +- rtf +- application/rtf +- +- +- rtx +- text/richtext +- +- +- sh +- application/x-sh +- +- +- shar +- application/x-shar +- +- +- smf +- audio/x-midi +- +- +- sit +- application/x-stuffit +- +- +- snd +- audio/basic +- +- +- src +- application/x-wais-source +- +- +- sv4cpio +- application/x-sv4cpio +- +- +- sv4crc +- application/x-sv4crc +- +- +- svg +- image/svg+xml +- +- +- swf +- application/x-shockwave-flash +- +- +- t +- application/x-troff +- +- +- tar +- application/x-tar +- +- +- tcl +- application/x-tcl +- +- +- tex +- application/x-tex +- +- +- texi +- application/x-texinfo +- +- +- texinfo +- application/x-texinfo +- +- +- tif +- image/tiff +- +- +- tiff +- image/tiff +- +- +- tr +- application/x-troff +- +- +- tsv +- text/tab-separated-values +- +- +- txt +- text/plain +- +- +- ulw +- audio/basic +- +- +- ustar +- application/x-ustar +- +- +- vxml +- application/voicexml+xml +- +- +- xbm +- image/x-xbitmap +- +- +- xht +- application/xhtml+xml +- +- +- xhtml +- application/xhtml+xml +- +- +- xml +- application/xml +- +- +- xpm +- image/x-xpixmap +- +- +- xsl +- application/xml +- +- +- xslt +- application/xslt+xml +- +- +- xul +- application/vnd.mozilla.xul+xml +- +- +- xwd +- image/x-xwindowdump +- +- +- wav +- audio/x-wav +- +- +- svg +- image/svg +- +- +- 
svgz +- image/svg +- +- +- vsd +- application/x-visio +- +- +- +- wbmp +- image/vnd.wap.wbmp +- +- +- +- wml +- text/vnd.wap.wml +- +- +- +- wmlc +- application/vnd.wap.wmlc +- +- +- +- wmls +- text/vnd.wap.wmlscript +- +- +- +- wmlscriptc +- application/vnd.wap.wmlscriptc +- +- +- wrl +- x-world/x-vrml +- +- +- Z +- application/x-compress +- +- +- z +- application/x-compress +- +- +- zip +- application/zip +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- index.html +- index.htm +- index.jsp +- +- +- +- 404 +- /404.html +- +- +- +- 500 +- /500.html +- +- +- +diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml +index 5b7031a..ffa33f6 100644 +--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml ++++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml +@@ -1055,16 +1055,6 @@ + + [PKI_CLOSE_STANDALONE_COMMENT] + +- +- +- +- +- +- +- +- 30 +- +- + + + Account Services +diff --git a/base/ocsp/shared/conf/web.xml b/base/ocsp/shared/conf/web.xml +deleted file mode 100644 +index 860a9c4..0000000 +--- a/base/ocsp/shared/conf/web.xml ++++ /dev/null +@@ -1,993 +0,0 @@ +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- org.apache.catalina.servlets.DefaultServlet +- +- debug +- 0 +- +- +- listings +- false +- +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- jsp +- org.apache.jasper.servlet.JspServlet +- +- fork +- false +- +- +- xpoweredBy +- false +- +- 3 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 
+- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- / +- +- +- +- +- +- +- +- jsp +- *.jsp +- +- +- +- jsp +- *.jspx +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 30 +- +- +- +- +- +- +- +- +- +- +- +- abs +- audio/x-mpeg +- +- +- ai +- application/postscript +- +- +- aif +- audio/x-aiff +- +- +- aifc +- audio/x-aiff +- +- +- aiff +- audio/x-aiff +- +- +- aim +- application/x-aim +- +- +- art +- image/x-jg +- +- +- asf +- video/x-ms-asf +- +- +- asx +- video/x-ms-asf +- +- +- au +- audio/basic +- +- +- avi +- video/x-msvideo +- +- +- avx +- video/x-rad-screenplay +- +- +- bcpio +- application/x-bcpio +- +- +- bin +- application/octet-stream +- +- +- bmp +- image/bmp +- +- +- body +- text/html +- +- +- cdf +- application/x-cdf +- +- +- cer +- application/x-x509-ca-cert +- +- +- class +- application/java +- +- +- cpio +- application/x-cpio +- +- +- csh +- application/x-csh +- +- +- css +- text/css +- +- +- dib +- image/bmp +- +- +- doc +- application/msword +- +- +- dtd +- application/xml-dtd +- +- +- dv +- video/x-dv +- +- +- dvi +- application/x-dvi +- +- +- eps +- application/postscript +- +- +- etx +- text/x-setext +- +- +- exe +- application/octet-stream +- +- +- gif +- image/gif +- +- +- gtar +- application/x-gtar +- +- +- gz +- application/x-gzip +- +- +- hdf +- application/x-hdf +- +- +- hqx +- application/mac-binhex40 +- +- +- htc +- text/x-component +- +- +- htm +- text/html +- +- +- html +- text/html +- +- +- hqx +- application/mac-binhex40 +- +- +- ief +- image/ief +- +- +- jad +- text/vnd.sun.j2me.app-descriptor +- +- +- jar +- application/java-archive +- +- +- java +- text/plain +- +- +- jnlp +- application/x-java-jnlp-file +- +- +- jpe +- image/jpeg +- +- +- jpeg +- image/jpeg +- +- +- jpg +- image/jpeg +- +- +- js +- text/javascript +- +- +- jsf +- text/plain +- +- +- jspf +- text/plain +- +- +- kar +- audio/x-midi +- +- +- latex +- application/x-latex +- +- +- m3u +- audio/x-mpegurl +- +- +- mac +- image/x-macpaint +- +- +- man 
+- application/x-troff-man +- +- +- mathml +- application/mathml+xml +- +- +- me +- application/x-troff-me +- +- +- mid +- audio/x-midi +- +- +- midi +- audio/x-midi +- +- +- mif +- application/x-mif +- +- +- mov +- video/quicktime +- +- +- movie +- video/x-sgi-movie +- +- +- mp1 +- audio/x-mpeg +- +- +- mp2 +- audio/x-mpeg +- +- +- mp3 +- audio/x-mpeg +- +- +- mpa +- audio/x-mpeg +- +- +- mpe +- video/mpeg +- +- +- mpeg +- video/mpeg +- +- +- mpega +- audio/x-mpeg +- +- +- mpg +- video/mpeg +- +- +- mpv2 +- video/mpeg2 +- +- +- ms +- application/x-wais-source +- +- +- nc +- application/x-netcdf +- +- +- oda +- application/oda +- +- +- ogg +- application/ogg +- +- +- pbm +- image/x-portable-bitmap +- +- +- pct +- image/pict +- +- +- pdf +- application/pdf +- +- +- pgm +- image/x-portable-graymap +- +- +- pic +- image/pict +- +- +- pict +- image/pict +- +- +- pls +- audio/x-scpls +- +- +- png +- image/png +- +- +- pnm +- image/x-portable-anymap +- +- +- pnt +- image/x-macpaint +- +- +- ppm +- image/x-portable-pixmap +- +- +- ppt +- application/powerpoint +- +- +- ps +- application/postscript +- +- +- psd +- image/x-photoshop +- +- +- qt +- video/quicktime +- +- +- qti +- image/x-quicktime +- +- +- qtif +- image/x-quicktime +- +- +- ras +- image/x-cmu-raster +- +- +- rdf +- application/rdf+xml +- +- +- rgb +- image/x-rgb +- +- +- rm +- application/vnd.rn-realmedia +- +- +- roff +- application/x-troff +- +- +- rtf +- application/rtf +- +- +- rtx +- text/richtext +- +- +- sh +- application/x-sh +- +- +- shar +- application/x-shar +- +- +- smf +- audio/x-midi +- +- +- sit +- application/x-stuffit +- +- +- snd +- audio/basic +- +- +- src +- application/x-wais-source +- +- +- sv4cpio +- application/x-sv4cpio +- +- +- sv4crc +- application/x-sv4crc +- +- +- svg +- image/svg+xml +- +- +- swf +- application/x-shockwave-flash +- +- +- t +- application/x-troff +- +- +- tar +- application/x-tar +- +- +- tcl +- application/x-tcl +- +- +- tex +- application/x-tex +- +- +- texi +- 
application/x-texinfo +- +- +- texinfo +- application/x-texinfo +- +- +- tif +- image/tiff +- +- +- tiff +- image/tiff +- +- +- tr +- application/x-troff +- +- +- tsv +- text/tab-separated-values +- +- +- txt +- text/plain +- +- +- ulw +- audio/basic +- +- +- ustar +- application/x-ustar +- +- +- vxml +- application/voicexml+xml +- +- +- xbm +- image/x-xbitmap +- +- +- xht +- application/xhtml+xml +- +- +- xhtml +- application/xhtml+xml +- +- +- xml +- application/xml +- +- +- xpm +- image/x-xpixmap +- +- +- xsl +- application/xml +- +- +- xslt +- application/xslt+xml +- +- +- xul +- application/vnd.mozilla.xul+xml +- +- +- xwd +- image/x-xwindowdump +- +- +- wav +- audio/x-wav +- +- +- svg +- image/svg +- +- +- svgz +- image/svg +- +- +- vsd +- application/x-visio +- +- +- +- wbmp +- image/vnd.wap.wbmp +- +- +- +- wml +- text/vnd.wap.wml +- +- +- +- wmlc +- application/vnd.wap.wmlc +- +- +- +- wmls +- text/vnd.wap.wmlscript +- +- +- +- wmlscriptc +- application/vnd.wap.wmlscriptc +- +- +- wrl +- x-world/x-vrml +- +- +- Z +- application/x-compress +- +- +- z +- application/x-compress +- +- +- zip +- application/zip +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- index.html +- index.htm +- index.jsp +- +- +- +- 404 +- /404.html +- +- +- +- 500 +- /500.html +- +- +- +diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +index e610800..1bdc9cf 100644 +--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml ++++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +@@ -689,17 +689,6 @@ + + [PKI_CLOSE_STANDALONE_COMMENT] + +- +- +- +- +- +- +- +- +- 30 +- +- + + + Account Services +diff --git a/base/server/share/webapps/pki/WEB-INF/web.xml b/base/server/share/webapps/pki/WEB-INF/web.xml +index aacdffa..4f08b16 100644 +--- a/base/server/share/webapps/pki/WEB-INF/web.xml ++++ b/base/server/share/webapps/pki/WEB-INF/web.xml +@@ -45,8 +45,4 @@ + + + +- +- 30 +- +- + +diff --git a/base/tks/shared/conf/web.xml 
b/base/tks/shared/conf/web.xml +deleted file mode 100644 +index 860a9c4..0000000 +--- a/base/tks/shared/conf/web.xml ++++ /dev/null +@@ -1,993 +0,0 @@ +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- org.apache.catalina.servlets.DefaultServlet +- +- debug +- 0 +- +- +- listings +- false +- +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- jsp +- org.apache.jasper.servlet.JspServlet +- +- fork +- false +- +- +- xpoweredBy +- false +- +- 3 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- / +- +- +- +- +- +- +- +- jsp +- *.jsp +- +- +- +- jsp +- *.jspx +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 30 +- +- +- +- +- +- +- +- +- +- +- +- abs +- audio/x-mpeg +- +- +- ai +- application/postscript +- +- +- aif +- audio/x-aiff +- +- +- aifc +- audio/x-aiff +- +- +- aiff +- audio/x-aiff +- +- +- aim +- application/x-aim +- +- +- art +- image/x-jg +- +- +- asf +- video/x-ms-asf +- +- +- asx +- video/x-ms-asf +- +- +- au +- audio/basic +- +- +- avi +- video/x-msvideo +- +- +- avx +- video/x-rad-screenplay +- +- +- bcpio +- application/x-bcpio +- +- +- bin +- application/octet-stream +- +- +- bmp +- image/bmp +- +- +- body +- text/html +- +- +- cdf +- application/x-cdf +- +- +- cer +- application/x-x509-ca-cert +- +- +- class +- application/java +- +- +- cpio +- application/x-cpio +- +- +- csh +- application/x-csh +- +- +- css +- text/css +- +- +- dib +- image/bmp +- +- +- 
doc +- application/msword +- +- +- dtd +- application/xml-dtd +- +- +- dv +- video/x-dv +- +- +- dvi +- application/x-dvi +- +- +- eps +- application/postscript +- +- +- etx +- text/x-setext +- +- +- exe +- application/octet-stream +- +- +- gif +- image/gif +- +- +- gtar +- application/x-gtar +- +- +- gz +- application/x-gzip +- +- +- hdf +- application/x-hdf +- +- +- hqx +- application/mac-binhex40 +- +- +- htc +- text/x-component +- +- +- htm +- text/html +- +- +- html +- text/html +- +- +- hqx +- application/mac-binhex40 +- +- +- ief +- image/ief +- +- +- jad +- text/vnd.sun.j2me.app-descriptor +- +- +- jar +- application/java-archive +- +- +- java +- text/plain +- +- +- jnlp +- application/x-java-jnlp-file +- +- +- jpe +- image/jpeg +- +- +- jpeg +- image/jpeg +- +- +- jpg +- image/jpeg +- +- +- js +- text/javascript +- +- +- jsf +- text/plain +- +- +- jspf +- text/plain +- +- +- kar +- audio/x-midi +- +- +- latex +- application/x-latex +- +- +- m3u +- audio/x-mpegurl +- +- +- mac +- image/x-macpaint +- +- +- man +- application/x-troff-man +- +- +- mathml +- application/mathml+xml +- +- +- me +- application/x-troff-me +- +- +- mid +- audio/x-midi +- +- +- midi +- audio/x-midi +- +- +- mif +- application/x-mif +- +- +- mov +- video/quicktime +- +- +- movie +- video/x-sgi-movie +- +- +- mp1 +- audio/x-mpeg +- +- +- mp2 +- audio/x-mpeg +- +- +- mp3 +- audio/x-mpeg +- +- +- mpa +- audio/x-mpeg +- +- +- mpe +- video/mpeg +- +- +- mpeg +- video/mpeg +- +- +- mpega +- audio/x-mpeg +- +- +- mpg +- video/mpeg +- +- +- mpv2 +- video/mpeg2 +- +- +- ms +- application/x-wais-source +- +- +- nc +- application/x-netcdf +- +- +- oda +- application/oda +- +- +- ogg +- application/ogg +- +- +- pbm +- image/x-portable-bitmap +- +- +- pct +- image/pict +- +- +- pdf +- application/pdf +- +- +- pgm +- image/x-portable-graymap +- +- +- pic +- image/pict +- +- +- pict +- image/pict +- +- +- pls +- audio/x-scpls +- +- +- png +- image/png +- +- +- pnm +- image/x-portable-anymap +- +- +- 
pnt +- image/x-macpaint +- +- +- ppm +- image/x-portable-pixmap +- +- +- ppt +- application/powerpoint +- +- +- ps +- application/postscript +- +- +- psd +- image/x-photoshop +- +- +- qt +- video/quicktime +- +- +- qti +- image/x-quicktime +- +- +- qtif +- image/x-quicktime +- +- +- ras +- image/x-cmu-raster +- +- +- rdf +- application/rdf+xml +- +- +- rgb +- image/x-rgb +- +- +- rm +- application/vnd.rn-realmedia +- +- +- roff +- application/x-troff +- +- +- rtf +- application/rtf +- +- +- rtx +- text/richtext +- +- +- sh +- application/x-sh +- +- +- shar +- application/x-shar +- +- +- smf +- audio/x-midi +- +- +- sit +- application/x-stuffit +- +- +- snd +- audio/basic +- +- +- src +- application/x-wais-source +- +- +- sv4cpio +- application/x-sv4cpio +- +- +- sv4crc +- application/x-sv4crc +- +- +- svg +- image/svg+xml +- +- +- swf +- application/x-shockwave-flash +- +- +- t +- application/x-troff +- +- +- tar +- application/x-tar +- +- +- tcl +- application/x-tcl +- +- +- tex +- application/x-tex +- +- +- texi +- application/x-texinfo +- +- +- texinfo +- application/x-texinfo +- +- +- tif +- image/tiff +- +- +- tiff +- image/tiff +- +- +- tr +- application/x-troff +- +- +- tsv +- text/tab-separated-values +- +- +- txt +- text/plain +- +- +- ulw +- audio/basic +- +- +- ustar +- application/x-ustar +- +- +- vxml +- application/voicexml+xml +- +- +- xbm +- image/x-xbitmap +- +- +- xht +- application/xhtml+xml +- +- +- xhtml +- application/xhtml+xml +- +- +- xml +- application/xml +- +- +- xpm +- image/x-xpixmap +- +- +- xsl +- application/xml +- +- +- xslt +- application/xslt+xml +- +- +- xul +- application/vnd.mozilla.xul+xml +- +- +- xwd +- image/x-xwindowdump +- +- +- wav +- audio/x-wav +- +- +- svg +- image/svg +- +- +- svgz +- image/svg +- +- +- vsd +- application/x-visio +- +- +- +- wbmp +- image/vnd.wap.wbmp +- +- +- +- wml +- text/vnd.wap.wml +- +- +- +- wmlc +- application/vnd.wap.wmlc +- +- +- +- wmls +- text/vnd.wap.wmlscript +- +- +- +- wmlscriptc +- 
application/vnd.wap.wmlscriptc +- +- +- wrl +- x-world/x-vrml +- +- +- Z +- application/x-compress +- +- +- z +- application/x-compress +- +- +- zip +- application/zip +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- index.html +- index.htm +- index.jsp +- +- +- +- 404 +- /404.html +- +- +- +- 500 +- /500.html +- +- +- +diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml +index ddbea88..9c0a0de 100644 +--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml ++++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml +@@ -368,16 +368,6 @@ + /admin/tks/getStatus + + +- +- +- +- +- +- +- +- 30 +- +- + + + Account Services +diff --git a/base/tps/shared/conf/web.xml b/base/tps/shared/conf/web.xml +deleted file mode 100644 +index 8330ecc..0000000 +--- a/base/tps/shared/conf/web.xml ++++ /dev/null +@@ -1,993 +0,0 @@ +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- org.apache.catalina.servlets.DefaultServlet +- +- debug +- 0 +- +- +- listings +- false +- +- 1 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- jsp +- org.apache.jasper.servlet.JspServlet +- +- fork +- false +- +- +- xpoweredBy +- false +- +- 3 +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- default +- / +- +- +- +- +- +- +- +- jsp +- *.jsp +- +- +- +- jsp +- *.jspx +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- 30 +- +- +- +- +- +- +- +- +- +- +- +- abs +- audio/x-mpeg +- +- +- ai +- 
application/postscript +- +- +- aif +- audio/x-aiff +- +- +- aifc +- audio/x-aiff +- +- +- aiff +- audio/x-aiff +- +- +- aim +- application/x-aim +- +- +- art +- image/x-jg +- +- +- asf +- video/x-ms-asf +- +- +- asx +- video/x-ms-asf +- +- +- au +- audio/basic +- +- +- avi +- video/x-msvideo +- +- +- avx +- video/x-rad-screenplay +- +- +- bcpio +- application/x-bcpio +- +- +- bin +- application/octet-stream +- +- +- bmp +- image/bmp +- +- +- body +- text/html +- +- +- cdf +- application/x-cdf +- +- +- cer +- application/x-x509-ca-cert +- +- +- class +- application/java +- +- +- cpio +- application/x-cpio +- +- +- csh +- application/x-csh +- +- +- css +- text/css +- +- +- dib +- image/bmp +- +- +- doc +- application/msword +- +- +- dtd +- application/xml-dtd +- +- +- dv +- video/x-dv +- +- +- dvi +- application/x-dvi +- +- +- eps +- application/postscript +- +- +- etx +- text/x-setext +- +- +- exe +- application/octet-stream +- +- +- gif +- image/gif +- +- +- gtar +- application/x-gtar +- +- +- gz +- application/x-gzip +- +- +- hdf +- application/x-hdf +- +- +- hqx +- application/mac-binhex40 +- +- +- htc +- text/x-component +- +- +- htm +- text/html +- +- +- html +- text/html +- +- +- hqx +- application/mac-binhex40 +- +- +- ief +- image/ief +- +- +- jad +- text/vnd.sun.j2me.app-descriptor +- +- +- jar +- application/java-archive +- +- +- java +- text/plain +- +- +- jnlp +- application/x-java-jnlp-file +- +- +- jpe +- image/jpeg +- +- +- jpeg +- image/jpeg +- +- +- jpg +- image/jpeg +- +- +- js +- text/javascript +- +- +- jsf +- text/plain +- +- +- jspf +- text/plain +- +- +- kar +- audio/x-midi +- +- +- latex +- application/x-latex +- +- +- m3u +- audio/x-mpegurl +- +- +- mac +- image/x-macpaint +- +- +- man +- application/x-troff-man +- +- +- mathml +- application/mathml+xml +- +- +- me +- application/x-troff-me +- +- +- mid +- audio/x-midi +- +- +- midi +- audio/x-midi +- +- +- mif +- application/x-mif +- +- +- mov +- video/quicktime +- +- +- movie +- 
video/x-sgi-movie +- +- +- mp1 +- audio/x-mpeg +- +- +- mp2 +- audio/x-mpeg +- +- +- mp3 +- audio/x-mpeg +- +- +- mpa +- audio/x-mpeg +- +- +- mpe +- video/mpeg +- +- +- mpeg +- video/mpeg +- +- +- mpega +- audio/x-mpeg +- +- +- mpg +- video/mpeg +- +- +- mpv2 +- video/mpeg2 +- +- +- ms +- application/x-wais-source +- +- +- nc +- application/x-netcdf +- +- +- oda +- application/oda +- +- +- ogg +- application/ogg +- +- +- pbm +- image/x-portable-bitmap +- +- +- pct +- image/pict +- +- +- pdf +- application/pdf +- +- +- pgm +- image/x-portable-graymap +- +- +- pic +- image/pict +- +- +- pict +- image/pict +- +- +- pls +- audio/x-scpls +- +- +- png +- image/png +- +- +- pnm +- image/x-portable-anymap +- +- +- pnt +- image/x-macpaint +- +- +- ppm +- image/x-portable-pixmap +- +- +- ppt +- application/powerpoint +- +- +- ps +- application/postscript +- +- +- psd +- image/x-photoshop +- +- +- qt +- video/quicktime +- +- +- qti +- image/x-quicktime +- +- +- qtif +- image/x-quicktime +- +- +- ras +- image/x-cmu-raster +- +- +- rdf +- application/rdf+xml +- +- +- rgb +- image/x-rgb +- +- +- rm +- application/vnd.rn-realmedia +- +- +- roff +- application/x-troff +- +- +- rtf +- application/rtf +- +- +- rtx +- text/richtext +- +- +- sh +- application/x-sh +- +- +- shar +- application/x-shar +- +- +- smf +- audio/x-midi +- +- +- sit +- application/x-stuffit +- +- +- snd +- audio/basic +- +- +- src +- application/x-wais-source +- +- +- sv4cpio +- application/x-sv4cpio +- +- +- sv4crc +- application/x-sv4crc +- +- +- svg +- image/svg+xml +- +- +- swf +- application/x-shockwave-flash +- +- +- t +- application/x-troff +- +- +- tar +- application/x-tar +- +- +- tcl +- application/x-tcl +- +- +- tex +- application/x-tex +- +- +- texi +- application/x-texinfo +- +- +- texinfo +- application/x-texinfo +- +- +- tif +- image/tiff +- +- +- tiff +- image/tiff +- +- +- tr +- application/x-troff +- +- +- tsv +- text/tab-separated-values +- +- +- txt +- text/plain +- +- +- ulw +- 
audio/basic +- +- +- ustar +- application/x-ustar +- +- +- vxml +- application/voicexml+xml +- +- +- xbm +- image/x-xbitmap +- +- +- xht +- application/xhtml+xml +- +- +- xhtml +- application/xhtml+xml +- +- +- xml +- application/xml +- +- +- xpm +- image/x-xpixmap +- +- +- xsl +- application/xml +- +- +- xslt +- application/xslt+xml +- +- +- xul +- application/vnd.mozilla.xul+xml +- +- +- xwd +- image/x-xwindowdump +- +- +- wav +- audio/x-wav +- +- +- svg +- image/svg +- +- +- svgz +- image/svg +- +- +- vsd +- application/x-visio +- +- +- +- wbmp +- image/vnd.wap.wbmp +- +- +- +- wml +- text/vnd.wap.wml +- +- +- +- wmlc +- application/vnd.wap.wmlc +- +- +- +- wmls +- text/vnd.wap.wmlscript +- +- +- +- wmlscriptc +- application/vnd.wap.wmlscriptc +- +- +- wrl +- x-world/x-vrml +- +- +- Z +- application/x-compress +- +- +- z +- application/x-compress +- +- +- zip +- application/zip +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- index.html +- index.htm +- index.jsp +- +- +- +- 404 +- /404.html +- +- +- +- 500 +- /500.html +- +- +- +diff --git a/base/tps/shared/webapps/tps/WEB-INF/web.xml b/base/tps/shared/webapps/tps/WEB-INF/web.xml +index 8506b27..c99c918 100644 +--- a/base/tps/shared/webapps/tps/WEB-INF/web.xml ++++ b/base/tps/shared/webapps/tps/WEB-INF/web.xml +@@ -133,16 +133,6 @@ + /tps + + +- +- +- +- +- +- +- +- 30 +- +- + + + Account Services +-- +1.8.3.1 + diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec index c9837a8..44bb188 100644 --- a/SPECS/pki-core.spec +++ b/SPECS/pki-core.spec 
@@ -66,22 +66,24 @@ Name: pki-core
 %if 0%{?rhel}
 Version: 10.5.9
-%define redhat_release 6
+%define redhat_release 10
 %define redhat_stage 0
 #%define default_release %{redhat_release}.%{redhat_stage}
 %define default_release %{redhat_release}
 %else
-Version: 10.5.12
-%define fedora_release 1
+Version: 10.5.14
+%define fedora_release 3
 %define fedora_stage 0
 #%define default_release %{fedora_release}.%{fedora_stage}
 %define default_release %{fedora_release}
 %endif
 %if 0%{?use_pki_release}
-Release: %{pki_release}%{?dist}
+#Release: %{pki_release}%{?dist}
+Release: %{pki_release}.el7_6
 %else
-Release: %{default_release}%{?dist}
+#Release: %{default_release}%{?dist}
+Release: %{default_release}.el7_6
 %endif
 Summary: Certificate System - PKI Core Components
@@ -169,9 +171,9 @@ BuildRequires: junit
 BuildRequires: jpackage-utils >= 0:1.7.5-10
 BuildRequires: jss >= 4.4.4-3
 %if 0%{?rhel} && 0%{?rhel} <= 7
-BuildRequires: tomcatjss >= 7.2.1-7
+BuildRequires: tomcatjss >= 7.2.1-8
 %else
-BuildRequires: tomcatjss >= 7.2.4-3
+BuildRequires: tomcatjss >= 7.2.4-4
 %endif
 BuildRequires: systemd-units
@@ -211,6 +213,10 @@ Patch0: pki-core-10.5.9-alpha.patch
 Patch1: pki-core-10.5.9-beta.patch
 Patch2: pki-core-nsds5replicaLastInitStatus-format.patch
 Patch3: pki-core-10.5.9-snapshot-1.patch
+Patch4: pki-core-10.5.9-batch-1.0.patch
+Patch5: pki-core-10.5.9-batch-2.0.patch
+Patch6: pki-core-CA-OCSP-SystemCertsVerification.patch
+Patch7: pki-core-Session-Timeout.patch
 # Obtain version phase number (e. g. - used by "alpha", "beta", etc.)
 #
@@ -542,9 +548,9 @@ Requires(preun): systemd-units
 Requires(postun): systemd-units
 Requires(pre): shadow-utils
 %if 0%{?rhel} && 0%{?rhel} <= 7
-Requires: tomcatjss >= 7.2.1-7
+Requires: tomcatjss >= 7.2.1-8
 %else
-Requires: tomcatjss >= 7.2.4-3
+Requires: tomcatjss >= 7.2.4-4
 %endif
 %if 0%{?rhel} && 0%{?rhel} <= 7
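Review bot: The two new `Release:` lines in the first hunk hard-code `.el7_6` where the old lines used `%{?dist}`, so the dist tag no longer follows the build root (which normally supplies `dist`) and a rebuild for any other target would still produce an el7_6 release string. Keeping `Release: %{pki_release}%{?dist}` and `Release: %{default_release}%{?dist}` and supplying the tag at build time (`rpmbuild --define 'dist .el7_6'`) gives the same NVR for this build without pinning it in the spec. The two commented-out `#Release:` lines are dead configuration and should be removed rather than left alongside the replacements. The same point applies to both the `use_pki_release` branch and the default branch.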
@@ -807,6 +813,10 @@ This package is a part of the PKI Core used by the Certificate System.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %clean
 %{__rm} -rf %{buildroot}
@@ -814,7 +824,9 @@ This package is a part of the PKI Core used by the Certificate System.
 %build
 %{__mkdir_p} build
 cd build
-%cmake -DVERSION=%{version}-%{release} \
+%cmake \
+ --no-warn-unused-cli \
+ -DVERSION=%{version}-%{release} \
 -DVAR_INSTALL_DIR:PATH=/var \
 -DBUILD_PKI_CORE:BOOL=ON \
 -DJAVA_HOME=%{java_home} \
@@ -841,13 +853,19 @@ cd build
 -DWITH_JAVADOC:BOOL=OFF \
 %endif
 ..
-%{__make} VERBOSE=1 %{?_smp_mflags} -j 1 all unit-test
-
 %install
-%{__rm} -rf %{buildroot}
+
 cd build
-%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+# Do not use _smp_mflags to preserve build order
+%{__make} \
+ VERBOSE=%{?_verbose} \
+ CMAKE_NO_VERBOSE=1 \
+ DESTDIR=%{buildroot} \
+ INSTALL="install -p" \
+ --no-print-directory \
+ all unit-test install
 # Create symlinks for admin console (TPS does not use admin console)
 for subsystem in ca kra ocsp tks; do
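Review bot: In the `@@ -841,13 +853,19 @@` hunk the compile and the unit tests (`all unit-test`) now run from the single make invocation inside `%install`, and the removed `%{__make} ... all unit-test` line leaves `%build` with only the cmake configure step, so `rpmbuild -bc` no longer produces build artifacts and a test failure surfaces as an install-phase failure. The comment's concern is `_smp_mflags`, i.e. parallelism, which is unaffected by which section runs make; the conventional layout keeps `all` in `%build`, runs `unit-test` from a `%check` section and leaves `install` alone in `%install`, each still without `%{?_smp_mflags}`. `VERBOSE=%{?_verbose}` also expands to an empty assignment when `_verbose` is not defined, which looks intended but deserves a comment such as `# VERBOSE stays empty unless _verbose is defined at build time`.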
@@ -1345,6 +1363,80 @@ fi
 %endif # %{with server}
 %changelog
+* Mon Dec 17 2018 Dogtag Team 10.5.9-10
+- ##########################################################################
+- # RHEL 7.6:
+- ##########################################################################
+- Bugzilla Bug #1659939 - CC: Simplifying Web UI session timeout
+ configuration [rhel-7.6.z] (edewata)
+- ##########################################################################
+- # RHCS 9.4:
+- ##########################################################################
+- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
+ # OCSP, and TKS using browser [RHCS] (mharmsen)
+- # Added Batch Update Information to Product Version (mharmsen)
+
+* Mon Dec 10 2018 Dogtag Team 10.5.9-9
+- ##########################################################################
+- # RHEL 7.6:
+- ##########################################################################
+- Bugzilla Bug #1657922 - CC: CA/OCSP startup fail on SystemCertsVerification
+ if enableOCSP is true [rhel-7.6.z] (jmagne)
+- ##########################################################################
+- # RHCS 9.4:
+- ##########################################################################
+- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
+ # OCSP, and TKS using browser [RHCS] (mharmsen)
+
+* Wed Dec 5 2018 Dogtag Team 10.5.9-8
+- ##########################################################################
+- # RHEL 7.6:
+- ##########################################################################
+- Bugzilla Bug #1645262 - pkidestroy may not remove all files [rhel-7.6.z]
+ (dmoluguw)
+- Bugzilla Bug #1645263 - Auth plugins leave passwords in the access
+ log and audit log using REST [rhel-7.6.z] (dmoluguw)
+- Bugzilla Bug #1645429 - pkispawn fails due to name collision with
+ /var/log/pki/ [rhel-7.6.z] (dmoluguw)
+- Bugzilla Bug #1655951 - CC: tools supporting CMC requests output
+ keyID needs to be captured in file [rhel-7.6.z] (cfu)
+- Bugzilla Bug #1656297 - Unable to install with admin-generated keys
+ [rhel-7.6.z] (edewata)
+- ##########################################################################
+- # RHCS 9.4:
+- ##########################################################################
+- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
+ # OCSP, and TKS using browser [RHCS] (mharmsen)
+
+* Mon Oct 29 2018 Dogtag Team 10.5.9-7
+- Require "tomcatjss >= 7.2.1-8" as a build and runtime requirement
+- ##########################################################################
+- # RHEL 7.6:
+- ##########################################################################
+- Bugzilla Bug #1632116 - CC: missing audit event for CS acting as
+ TLS client [rhel-7.6.z] (cfu)
+- Bugzilla Bug #1632120 - Unsupported RSA_ ciphers should be
+ removed from the default ciphers list [rhel-7.6.z] (cfu)
+- Bugzilla Bug #1632615 - Permit certain SHA384 FIPS ciphers to be
+ enabled by default for RSA and ECC . . . [rhel-7.6.z] (cfu)
+- Bugzilla Bug #1632616 - X500Name.directoryStringEncodingOrder
+ overridden by CSR encoding (coverity changes) [rhel-7.6.z] (mharmsen)
+- Bugzilla Bug #1633104 - CMC: add config to allow non-clientAuth
+ [rhel-7.6.z] (cfu)
+- Bugzilla Bug #1636490 - Installation of CA using an existing CA fails
+ [rhel-7.6.z] (edewata)
+- Bugzilla Bug #1643878 - pki cli command for RHCS doesn't prompt for
+ a password [rhel-7.6.z] (edewata)
+- Bugzilla Bug #1643879 - CC: Identify version/release of pki-ca, pki-kra,
+ pki-ocsp, pki-tks, and pki-tps remotely [RHEL] [rhel-7.6.z] (cfu, jmagne)
+- Bugzilla Bug #1643880 - PKI subsystem process is not shutdown when
+ there is no space on the disk to write logs [rhel-7.6.z] (edewata)
+- ##########################################################################
+- # RHCS 9.4:
+- ##########################################################################
+- # Bugzilla Bug #1639836 - CC: Identify RHCS version of CA, KRA,
+ # OCSP, and TKS using browser [RHCS] (mharmsen)
+
 * Tue Aug 21 2018 Dogtag Team 10.5.9-6
 - Updated nuxwdog dependencies
 - ##########################################################################