From 62cf1a9557bb7a558e0fb9dc818c32ee74267d94 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 30 2018 04:57:27 +0000
Subject: import pki-core-10.5.9-6.el7
---
diff --git a/.gitignore b/.gitignore
index 8cd0b17..338cd4c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/pki-core-10.5.1.tar.gz
+SOURCES/pki-core-10.5.9.tar.gz
diff --git a/.pki-core.metadata b/.pki-core.metadata
index a7dde83..3f8ae0b 100644
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@@ -1 +1 @@
-e99a26daf55c6d9318bd7ab15388dbe7cd9900d2 SOURCES/pki-core-10.5.1.tar.gz
+0ff09fabe2616e54a0a6a71d7af7cc09679b2054 SOURCES/pki-core-10.5.9.tar.gz
diff --git a/SOURCES/pki-core-10.5.1-alpha.patch b/SOURCES/pki-core-10.5.1-alpha.patch
deleted file mode 100644
index f2e95d7..0000000
--- a/SOURCES/pki-core-10.5.1-alpha.patch
+++ /dev/null
@@ -1,4270 +0,0 @@
-From 8d109e0b7ca6af60f862c641a6287d93a1dcb01b Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Tue, 7 Nov 2017 11:05:55 -0800
-Subject: Fix #2735 Secure removal of secret data storage (phase 2)
-
-This portion of the fix attempts to take care of the remaining secret data
-storage issues that could be practically taken care of with respect to
-servers and clients.
-
-A new method was placed in CryptoUtil to server the needs of clients.
-Change-Id: I1a14daabcad72e531572d1be8bc255e2e501b70a
-
-(cherry picked from commit f5ec7c2af4a1fb44d5731c74672bf789e9240499)
----
- base/common/src/com/netscape/certsrv/key/Key.java | 6 +
- .../src/com/netscape/cmstools/CMCRequest.java | 23 ++-
- .../src/com/netscape/cmstools/CMCSharedToken.java | 2 +
- .../src/com/netscape/cmstools/PasswordCache.java | 1 +
- .../com/netscape/cmstools/key/KeyRetrieveCLI.java | 162 +++++++++++----------
- .../cms/servlet/tks/SecureChannelProtocol.java | 14 +-
- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 20 +++
- 7 files changed, 139 insertions(+), 89 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/key/Key.java b/base/common/src/com/netscape/certsrv/key/Key.java
-index 1afd54c..69b59f3 100644
---- a/base/common/src/com/netscape/certsrv/key/Key.java
-+++ b/base/common/src/com/netscape/certsrv/key/Key.java
-@@ -6,6 +6,7 @@ import javax.xml.bind.annotation.XmlElement;
- import javax.xml.bind.annotation.XmlRootElement;
-
- import com.netscape.certsrv.request.RequestId;
-+import com.netscape.cmsutil.crypto.CryptoUtil;
- import com.netscape.cmsutil.util.Utils;
-
- /**
-@@ -159,4 +160,9 @@ public class Key {
- public void setPublicKey(String publicKey) {
- this.publicKey = publicKey;
- }
-+
-+ public void clearSensitiveData() {
-+ CryptoUtil.obscureBytes(data, "random");
-+ data = null;
-+ }
- }
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
-index 37752cd..fc58f4e 100644
----
a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -38,13 +38,6 @@ import java.util.Arrays; - import java.util.Date; - import java.util.StringTokenizer; - --import netscape.security.pkcs.PKCS10; --import netscape.security.x509.KeyIdentifier; --import netscape.security.x509.PKIXExtensions; --import netscape.security.x509.SubjectKeyIdentifierExtension; --import netscape.security.x509.X500Name; --import netscape.security.x509.X509CertImpl; -- - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.asn1.ANY; - import org.mozilla.jss.asn1.ASN1Util; -@@ -114,6 +107,13 @@ import com.netscape.cmsutil.util.Cert; - import com.netscape.cmsutil.util.HMACDigest; - import com.netscape.cmsutil.util.Utils; - -+import netscape.security.pkcs.PKCS10; -+import netscape.security.x509.KeyIdentifier; -+import netscape.security.x509.PKIXExtensions; -+import netscape.security.x509.SubjectKeyIdentifierExtension; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertImpl; -+ - /** - * Tool for creating CMC full request - * -@@ -1803,6 +1803,7 @@ public class CMCRequest { - System.exit(1); - } - -+ byte challenge[] = null; - try { - TaggedRequest request = encryptedPop.getRequest(); - AlgorithmIdentifier thePOPAlgID = encryptedPop.getThePOPAlgID(); -@@ -1838,7 +1839,7 @@ public class CMCRequest { - } - System.out.println(method + "symKey unwrapped."); - -- byte challenge[] = CryptoUtil.decryptUsingSymmetricKey( -+ challenge = CryptoUtil.decryptUsingSymmetricKey( - token, - ivps, - encCI.getEncryptedContent().toByteArray(), -@@ -1857,13 +1858,16 @@ public class CMCRequest { - MessageDigest hash = MessageDigest.getInstance(CryptoUtil.getNameFromHashAlgorithm(witnessAlgID)); - byte[] digest = hash.digest(challenge); - boolean witnessChecked = Arrays.equals(digest, witness.toByteArray()); -+ CryptoUtil.obscureBytes(digest,"random"); - if (witnessChecked) { - System.out.println(method 
+ "Yay! witness verified"); - } else { -+ CryptoUtil.obscureBytes(challenge, "random"); - System.out.println(method + "Oops! witness failed to verify. Must abort!"); - System.exit(1); - } - } catch (Exception ex) { -+ CryptoUtil.obscureBytes(challenge, "random"); - System.out.println(method + ex); - System.exit(1); - } -@@ -1877,6 +1881,7 @@ public class CMCRequest { - hmacDigest.update(ASN1Util.encode(request)); - popProofValue = hmacDigest.digest(); - } catch (Exception ex) { -+ CryptoUtil.obscureBytes(challenge, "random"); - System.out.println(method + "calculating POP Proof Value failed: " + ex); - System.exit(1); - } -@@ -1912,6 +1917,8 @@ public class CMCRequest { - } catch (Exception e) { - System.out.println(method + e); - System.exit(1); -+ } finally { -+ CryptoUtil.obscureBytes(challenge, "random"); - } - - System.out.println(method + " completes."); -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -index a0a7651..d16dd0c 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -@@ -299,6 +299,8 @@ public class CMCSharedToken { - - String ver_spassphrase = new String(ver_passphrase, "UTF-8"); - -+ CryptoUtil.obscureBytes(ver_passphrase, "random"); -+ - System.out.println("ver_passphrase String = " + ver_spassphrase); - System.out.println("ver_passphrase UTF-8 bytes = "); - System.out.println(Arrays.toString(ver_spassphrase.getBytes("UTF-8"))); -diff --git a/base/java-tools/src/com/netscape/cmstools/PasswordCache.java b/base/java-tools/src/com/netscape/cmstools/PasswordCache.java -index 7f17c8f..859eda3 100644 ---- a/base/java-tools/src/com/netscape/cmstools/PasswordCache.java -+++ b/base/java-tools/src/com/netscape/cmstools/PasswordCache.java -@@ -554,6 +554,7 @@ class PWsdrCache { - byte[] dcryptb = sdr.decrypt(bos.toByteArray()); - - dcrypts = new String(dcryptb, "UTF-8"); -+ 
CryptoUtil.obscureBytes(dcryptb, "random"); - } catch (TokenException e) { - System.out.println("password cache decrypto failed " + e.toString()); - e.printStackTrace(); -diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java -index 736c6e6..8339218 100644 ---- a/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/key/KeyRetrieveCLI.java -@@ -87,106 +87,116 @@ public class KeyRetrieveCLI extends CLI { - throw new Exception("Incorrect number of parameters provided."); - } - -- String keyId = cmd.getOptionValue("keyID"); -- String passphrase = cmd.getOptionValue("passphrase"); -- String requestId = cmd.getOptionValue("requestID"); -- String outputFilePath = cmd.getOptionValue("output"); -- String outputDataFile = cmd.getOptionValue("output-data"); -- String requestFile = cmd.getOptionValue("input"); -- String transportNickname = cmd.getOptionValue("transport"); -- -- KeyClient keyClient = keyCLI.getKeyClient(transportNickname); - Key keyData = null; - -- if (requestFile != null) { -- JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class); -- Unmarshaller unmarshaller = context.createUnmarshaller(); -- FileInputStream fis = new FileInputStream(requestFile); -- KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis); -- -- if (req.getKeyId() == null) { -- throw new Exception("Key ID must be specified in the request file."); -- } -- -- if (req.getCertificate() != null) { -- keyData = keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(), -- req.getPassphrase()); -+ try { -+ String keyId = cmd.getOptionValue("keyID"); -+ String passphrase = cmd.getOptionValue("passphrase"); -+ String requestId = cmd.getOptionValue("requestID"); -+ String outputFilePath = cmd.getOptionValue("output"); -+ String outputDataFile = cmd.getOptionValue("output-data"); -+ String requestFile = 
cmd.getOptionValue("input"); -+ String transportNickname = cmd.getOptionValue("transport"); -+ -+ KeyClient keyClient = keyCLI.getKeyClient(transportNickname); -+ -+ if (requestFile != null) { -+ JAXBContext context = JAXBContext.newInstance(KeyRecoveryRequest.class); -+ Unmarshaller unmarshaller = context.createUnmarshaller(); -+ FileInputStream fis = new FileInputStream(requestFile); -+ KeyRecoveryRequest req = (KeyRecoveryRequest) unmarshaller.unmarshal(fis); -+ -+ if (req.getKeyId() == null) { -+ throw new Exception("Key ID must be specified in the request file."); -+ } - -- } else if (req.getPassphrase() != null) { -- keyData = keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase()); -+ if (req.getCertificate() != null) { -+ keyData = keyClient.retrieveKeyByPKCS12(req.getKeyId(), req.getCertificate(), -+ req.getPassphrase()); - -- } else if (req.getSessionWrappedPassphrase() != null) { -- keyData = keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(), -- Utils.base64decode(req.getTransWrappedSessionKey()), -- Utils.base64decode(req.getSessionWrappedPassphrase()), -- Utils.base64decode(req.getNonceData())); -+ } else if (req.getPassphrase() != null) { -+ keyData = keyClient.retrieveKeyByPassphrase(req.getKeyId(), req.getPassphrase()); - -- } else if (req.getTransWrappedSessionKey() != null) { -- keyData = keyClient.retrieveKey(req.getKeyId(), -- Utils.base64decode(req.getTransWrappedSessionKey())); -+ } else if (req.getSessionWrappedPassphrase() != null) { -+ keyData = keyClient.retrieveKeyUsingWrappedPassphrase(req.getKeyId(), -+ Utils.base64decode(req.getTransWrappedSessionKey()), -+ Utils.base64decode(req.getSessionWrappedPassphrase()), -+ Utils.base64decode(req.getNonceData())); - -- } else { -- keyData = keyClient.retrieveKey(req.getKeyId()); -- } -+ } else if (req.getTransWrappedSessionKey() != null) { -+ keyData = keyClient.retrieveKey(req.getKeyId(), -+ Utils.base64decode(req.getTransWrappedSessionKey())); - -- } else { -- // Using 
command line options. -- if (requestId == null && keyId == null) { -- throw new Exception("Either requestID or keyID must be specified"); -- } -- -- if (passphrase != null) { -- if (requestId != null) { -- keyData = keyClient.retrieveKeyByRequestWithPassphrase( -- new RequestId(requestId), passphrase); - } else { -- keyData = keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase); -+ keyData = keyClient.retrieveKey(req.getKeyId()); - } - - } else { -- if (requestId != null) { -- keyData = keyClient.retrieveKeyByRequest(new RequestId(requestId)); -- } else { -- keyData = keyClient.retrieveKey(new KeyId(keyId)); -+ // Using command line options. -+ if (requestId == null && keyId == null) { -+ throw new Exception("Either requestID or keyID must be specified"); - } - -- clientEncryption = false; -+ if (passphrase != null) { -+ if (requestId != null) { -+ keyData = keyClient.retrieveKeyByRequestWithPassphrase( -+ new RequestId(requestId), passphrase); -+ } else { -+ keyData = keyClient.retrieveKeyByPassphrase(new KeyId(keyId), passphrase); -+ } -+ -+ } else { -+ if (requestId != null) { -+ keyData = keyClient.retrieveKeyByRequest(new RequestId(requestId)); -+ } else { -+ keyData = keyClient.retrieveKey(new KeyId(keyId)); -+ } -+ -+ clientEncryption = false; - -- // No need to return the encrypted data since encryption -- // is done locally. -- keyData.setEncryptedData(null); -+ // No need to return the encrypted data since encryption -+ // is done locally. 
-+ keyData.setEncryptedData(null); -+ } - } -- } - -- MainCLI.printMessage("Retrieve Key Information"); -+ MainCLI.printMessage("Retrieve Key Information"); - -- if (outputDataFile != null) { -+ if (outputDataFile != null) { - -- byte[] data; -- if (clientEncryption) { // store encrypted data -- data = keyData.getEncryptedData(); -+ byte[] data; -+ if (clientEncryption) { // store encrypted data -+ data = keyData.getEncryptedData(); - -- } else { // store unencrypted data -- data = keyData.getData(); -- } -+ } else { // store unencrypted data -+ data = keyData.getData(); -+ } - -- Path path = Paths.get(outputDataFile); -- Files.write(path, data); -+ Path path = Paths.get(outputDataFile); -+ Files.write(path, data); - -- printKeyInfo(keyData); -- System.out.println(" Output: " + outputDataFile); -+ printKeyInfo(keyData); -+ System.out.println(" Output: " + outputDataFile); - -- } else if (outputFilePath != null) { -- JAXBContext context = JAXBContext.newInstance(Key.class); -- Marshaller marshaller = context.createMarshaller(); -- marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); -- marshaller.marshal(keyData, new File(outputFilePath)); -+ } else if (outputFilePath != null) { -+ JAXBContext context = JAXBContext.newInstance(Key.class); -+ Marshaller marshaller = context.createMarshaller(); -+ marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); -+ marshaller.marshal(keyData, new File(outputFilePath)); - -- System.out.println(" Output: " + outputFilePath); -+ System.out.println(" Output: " + outputFilePath); - -- } else { -- printKeyInfo(keyData); -- printKeyData(keyData); -+ } else { -+ printKeyInfo(keyData); -+ printKeyData(keyData); -+ } -+ -+ } catch (Exception e) { -+ throw e; -+ } finally { -+ if (keyData != null) { -+ keyData.clearSensitiveData(); -+ } - } - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -index 
c3b3952..1110cc6 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java -@@ -25,12 +25,13 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; - import org.mozilla.jss.crypto.SymmetricKeyDeriver; - import org.mozilla.jss.crypto.TokenException; - --import sun.security.pkcs11.wrapper.PKCS11Constants; -- - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.base.EBaseException; -+import com.netscape.cmscore.security.JssSubsystem; - import com.netscape.cmsutil.crypto.CryptoUtil; - -+import sun.security.pkcs11.wrapper.PKCS11Constants; -+ - public class SecureChannelProtocol { - - static String sharedSecretKeyName = null; -@@ -341,7 +342,8 @@ public class SecureChannelProtocol { - byte[] finalKeyBytes = nistKdf.kdf_AES_CMAC_SCP03(divKey, context, constant, 16); - sessionKey = unwrapAESSymKeyOnToken(token, finalKeyBytes, false); - -- Arrays.fill(finalKeyBytes,(byte) 0); -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ jssSubsystem.obscureBytes(finalKeyBytes); - - //The final session key is AES. 
- }
-@@ -393,7 +395,8 @@ public class SecureChannelProtocol {
- byte[] finalKeyBytes = nistKdf.kdf_AES_CMAC_SCP03(divKey, context, constant, 16);
- sessionKey = unwrapAESSymKeyOnToken(token, finalKeyBytes, false);
-
-- Arrays.fill(finalKeyBytes,(byte) 0);
-+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
-+ jssSubsystem.obscureBytes(finalKeyBytes);
- }
- }
- }
-@@ -908,7 +911,8 @@ public class SecureChannelProtocol {
- finalAESKey = keyUnWrap.unwrapSymmetric(wrappedKey, SymmetricKey.AES, 16);
-
-
-- Arrays.fill(wrappedKey,(byte) 0);
-+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
-+ jssSubsystem.obscureBytes(wrappedKey);
-
- //byte[] finalKeyBytes = finalAESKey.getKeyData();
- //displayByteArray(finalKeyBytes, false);
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 1337803..8a0ea08 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -2176,6 +2176,26 @@ public class CryptoUtil {
-
- }
-
-+ public static void obscureBytes(byte[] memory, String method) {
-+ if (memory == null || memory.length == 0) {
-+ //in case we want to log
-+ return;
-+ }
-+
-+ SecureRandom rnd;
-+ try {
-+ rnd = getRandomNumberGenerator();
-+ } catch (GeneralSecurityException e) {
-+ throw new RuntimeException(e);
-+ }
-+
-+ if ("zeroes".equals(method)) {
-+ Arrays.fill(memory, (byte)0);
-+ } else {
-+ rnd.nextBytes(memory);
-+ }
-+ }
-+
- public static byte[] unwrapUsingPassphrase(byte[] wrappedRecoveredKey, String recoveryPassphrase)
- throws IOException, InvalidBERException, InvalidKeyException, IllegalStateException,
- NoSuchAlgorithmException, InvalidAlgorithmParameterException, NotInitializedException, TokenException,
---
-1.8.3.1
-
-
-From 0cbe30064861a9908475aa95a686e69e3012a841 Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Wed, 8 Nov
2017 20:46:57 +0100
-Subject: Ignore empty key in read_environment_files
-
-Don't set empty key or key '_' (last command) in read_environment_files.
-Fixes "ValueError: illegal environment variable name".
-
-Change-Id: I22d295ebbf0845bcf8aab3019e1b1f5a3a731e10
-Closes: https://pagure.io/dogtagpki/issue/2850
-Signed-off-by: Christian Heimes
-(cherry picked from commit a105341f777354429dfc9f28c7baf5bddd2d5e1f)
----
- base/common/python/pki/util.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
-index 5832f55..871c899 100644
---- a/base/common/python/pki/util.py
-+++ b/base/common/python/pki/util.py
-@@ -272,4 +272,6 @@ def read_environment_files(env_file_list=None):
-
- for env_val in env_vals:
- (key, _, value) = env_val.partition("=")
-+ if not key.strip() or key == u'_':
-+ continue
- os.environ[key] = value
---
-1.8.3.1
-
-
-From 45c07d48a8a5f4acda8ce4ca3be5803c2596901e Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Fri, 10 Nov 2017 15:55:36 -0800
-Subject: ReFix for #2824 TPS new configuration to allow the protocol of the
- to determine applet loaded.
-
-The problem discovered was that in only the external registration case, there was a problem obtaining the protocol
-information for the token being enrolled. This simple fix makes sure the protocol info is obtained correctly for external
-reg and non external reg enrollment cases.
-
-Change-Id: Iccd40adbdafd5e94e04cbb8c391bd2706e483a1f
-(cherry picked from commit e48374cd8a744fad5a03f64e8685ec3b3c465553)
----
- .../src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index 57e5d79..a78db64 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -33,8 +33,6 @@ import java.util.List;
- import java.util.Map;
- import java.util.Set;
-
--import netscape.security.x509.RevocationReason;
--
- import org.dogtagpki.server.tps.TPSSession;
- import org.dogtagpki.server.tps.TPSSubsystem;
- import org.dogtagpki.server.tps.authentication.AuthUIParameter;
-@@ -104,6 +102,8 @@ import com.netscape.cms.servlet.tks.SecureChannelProtocol;
- import com.netscape.cmsutil.crypto.CryptoUtil;
- import com.netscape.symkey.SessionKey;
-
-+import netscape.security.x509.RevocationReason;
-+
- public class TPSProcessor {
-
- private static Logger signedAuditLogger = SignedAuditLogger.getLogger();
-@@ -558,8 +558,10 @@ public class TPSProcessor {
- CMS.debug("TPSProcessor.setupSecureChannel: obtained randomData");
- }
-
-- // We already do this when checking for applet upgrade earlier.
-- //acquireChannelPlatformAndProtocolInfo();
-+ // Do this on behalf of external reg, which needs it
-+ // If already called, the routine will return anyway.
-+
-+ acquireChannelPlatformAndProtocolInfo();
-
- TPSBuffer initUpdateResp = initializeUpdate(keyVersion, keyIndex, randomData);
-
---
-1.8.3.1
-
-
-From 23ce60193a31c070441f93238565a7250cff981b Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Fri, 10 Nov 2017 10:57:36 -0800
-Subject: Fix #2735 Secure removal of secret data storage (phase 3)
-
-Add more secure data removal with respect to passwords.
-Concentrate on the CMC Shared Token area. Done by changing -String based passwords to char[] based password, which then can be cleaned. -Cleaned up a couple of minor review suggestions. - -Change-Id: I898814000353978f403f19f679083474548edc5e -(cherry picked from commit daff3951340246d97a9877d5dde4782c8c675974) ---- - .../certsrv/authentication/ISharedToken.java | 10 +- - .../servlet/test/GeneratePKIArchiveOptions.java | 9 +- - base/kra/src/com/netscape/kra/RecoveryService.java | 30 +- - .../com/netscape/kra/SecurityDataProcessor.java | 8 +- - .../netscape/cms/authentication/SharedSecret.java | 24 +- - .../netscape/cms/profile/common/EnrollProfile.java | 349 ++++++++++++--------- - .../cms/servlet/common/CMCOutputTemplate.java | 19 +- - .../cms/servlet/csadmin/ConfigurationUtils.java | 266 +++++++++------- - .../netscape/cmscore/security/JssSubsystem.java | 8 + - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 65 +++- - 10 files changed, 494 insertions(+), 294 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -index b33ae7b..761c344 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -+++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -@@ -16,24 +16,24 @@ - // All rights reserved. - // --- END COPYRIGHT BLOCK --- - package com.netscape.certsrv.authentication; --import com.netscape.certsrv.base.EBaseException; -- - import java.math.BigInteger; - - import org.mozilla.jss.pkix.cmc.PKIData; - -+import com.netscape.certsrv.base.EBaseException; -+ - /** - * Shared Token interface. 
- */ - public interface ISharedToken { - - // support for id_cmc_identification -- public String getSharedToken(String identification) -+ public char[] getSharedToken(String identification) - throws EBaseException; - -- public String getSharedToken(PKIData cmcData) -+ public char[] getSharedToken(PKIData cmcData) - throws EBaseException; - -- public String getSharedToken(BigInteger serialnum) -+ public char[] getSharedToken(BigInteger serialnum) - throws EBaseException; - } -diff --git a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java -index e1a9816..5ccf7a8 100644 ---- a/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java -+++ b/base/kra/functional/src/com/netscape/cms/servlet/test/GeneratePKIArchiveOptions.java -@@ -213,8 +213,15 @@ public class GeneratePKIArchiveOptions { - new OCTET_STRING(ivps.getIV())); - - if (passphraseMode) { -+ char[] pwdChars = passphrase.toCharArray(); -+ try { - encoded = CryptoUtil.createEncodedPKIArchiveOptions( -- token, transportCert.getPublicKey(), passphrase, params, aid); -+ token, transportCert.getPublicKey(), pwdChars, params, aid); -+ } catch (Exception e) { -+ throw e; -+ } finally { -+ CryptoUtil.obscureChars(pwdChars); -+ } - } else { - encoded = CryptoUtil.createEncodedPKIArchiveOptions( - token, transportCert.getPublicKey(), vek, params, aid); -diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java -index d562c15..96ee73b 100644 ---- a/base/kra/src/com/netscape/kra/RecoveryService.java -+++ b/base/kra/src/com/netscape/kra/RecoveryService.java -@@ -461,6 +461,7 @@ public class RecoveryService implements IService { - public void createPFX(IRequest request, Hashtable params, - PrivateKey priKey, CryptoToken ct) throws EBaseException { - CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=false"); 
-+ org.mozilla.jss.util.Password pass = null; - try { - // create p12 - X509Certificate x509cert = -@@ -493,9 +494,14 @@ public class RecoveryService implements IService { - // add key - mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); - CMS.debug("RecoverService: createPFX() adds key to P12"); -- org.mozilla.jss.util.Password pass = new -+ char[] pwdChar = pwd.toCharArray(); -+ pass = new - org.mozilla.jss.util.Password( -- pwd.toCharArray()); -+ pwdChar); -+ { -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ jssSubsystem.obscureChars(pwdChar); -+ } - - SEQUENCE safeContents = new SEQUENCE(); - PasswordConverter passConverter = new -@@ -580,7 +586,6 @@ public class RecoveryService implements IService { - ByteArrayOutputStream(); - - pfx.encode(fos); -- pass.clear(); - - // put final PKCS12 into volatile request - params.put(ATTR_PKCS12, fos.toByteArray()); -@@ -590,6 +595,10 @@ public class RecoveryService implements IService { - CMS.debug("RecoverService: createPFX() exception caught:"+ - e.toString()); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); -+ } finally { -+ if(pass != null) { -+ pass.clear(); -+ } - } - - // update request -@@ -637,6 +646,7 @@ public class RecoveryService implements IService { - public void createPFX(IRequest request, Hashtable params, - byte priData[]) throws EBaseException { - CMS.debug("RecoverService: createPFX() allowEncDecrypt_recovery=true"); -+ org.mozilla.jss.util.Password pass = null; - try { - // create p12 - X509Certificate x509cert = -@@ -667,9 +677,13 @@ public class RecoveryService implements IService { - - // add key - mKRA.log(ILogger.LL_INFO, "KRA adds key to P12"); -- org.mozilla.jss.util.Password pass = new -- org.mozilla.jss.util.Password( -- pwd.toCharArray()); -+ char[] pwdChars = pwd.toCharArray(); -+ pass = new org.mozilla.jss.util.Password( -+ pwdChars); -+ -+ JssSubsystem jssSubsystem = (JssSubsystem) 
CMS.getSubsystem(JssSubsystem.ID); -+ jssSubsystem.obscureChars(pwdChars); -+ - - SEQUENCE safeContents = new SEQUENCE(); - PrivateKeyInfo pki = (PrivateKeyInfo) -@@ -735,13 +749,15 @@ public class RecoveryService implements IService { - ByteArrayOutputStream(); - - pfx.encode(fos); -- pass.clear(); - - // put final PKCS12 into volatile request - params.put(ATTR_PKCS12, fos.toByteArray()); - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_CONSTRUCT_P12", e.toString())); - throw new EKRAException(CMS.getUserMessage("CMS_KRA_PKCS12_FAILED_1", e.toString())); -+ } finally { -+ if(pass != null) -+ pass.clear(); - } - - // update request -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 71d1233..8de1311 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -487,9 +487,11 @@ public class SecurityDataProcessor { - unwrappedSess, - wrapParams.getPayloadEncryptionAlgorithm()); - -- String passStr = new String(unwrappedPass, "UTF-8"); -- pass = new Password(passStr.toCharArray()); -- passStr = null; -+ char[] passChars = CryptoUtil.bytesToChars(unwrappedPass); -+ pass = new Password(passChars); -+ JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); -+ jssSubsystem.obscureChars(passChars); -+ - - if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) { - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index cf69975..ee7a7d7 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -240,7 +240,7 @@ public class SharedSecret extends DirBasedAuthentication - * Note: caller should clear the memory for the returned token - * after 
each use - */ -- public String getSharedToken(String identification) -+ public char[] getSharedToken(String identification) - throws EBaseException { - String method = "SharedSecret.getSharedToken(String identification): "; - String msg = ""; -@@ -319,7 +319,7 @@ public class SharedSecret extends DirBasedAuthentication - } - CMS.debug(method + " got entryShrTok"); - -- String shrSecret = decryptShrTokData(new String(entryShrTok)); -+ char[] shrSecret = decryptShrTokData(new String(entryShrTok)); - CMS.debug(method + "returning"); - return shrSecret; - } catch (Exception e) { -@@ -338,11 +338,11 @@ public class SharedSecret extends DirBasedAuthentication - * encryptedPrivate OCTET STRING - * } - * @param data_s -- * @return -+ * @return phrase in char array. - */ -- private String decryptShrTokData(String data_s) { -+ private char[] decryptShrTokData(String data_s) { - String method = "SharedSecret.decryptShrTokData: "; -- String msg = ""; -+ byte[] ver_passphrase = null; - try { - byte[] wrapped_secret_data = Utils.base64decode(data_s); - DerValue wrapped_val = new DerValue(wrapped_secret_data); -@@ -357,22 +357,24 @@ public class SharedSecret extends DirBasedAuthentication - - SymmetricKey ver_session = CryptoUtil.unwrap(tmpToken, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, - issuanceProtPrivKey, wrapped_session, wrapAlgorithm); -- byte[] ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), -+ ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), - wrapped_passphrase, - ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); - -- String ver_spassphrase = new String(ver_passphrase, "UTF-8"); -- return ver_spassphrase; -+ char[] ver_spassphraseChars = CryptoUtil.bytesToChars(ver_passphrase); -+ return ver_spassphraseChars; - } catch (Exception e) { - CMS.debug(method + e.toString()); - return null; -+ } finally { -+ CryptoUtil.obscureBytes(ver_passphrase, "random"); - } - } - - /** - * unsupported 
- */ -- public String getSharedToken(PKIData cmcdata) -+ public char[] getSharedToken(PKIData cmcdata) - throws EBaseException { - String method = "SharedSecret.getSharedToken(PKIData cmcdata): "; - String msg = ""; -@@ -389,7 +391,7 @@ public class SharedSecret extends DirBasedAuthentication - * Note: caller should clear the memory for the returned token - * after each use - */ -- public String getSharedToken(BigInteger serial) -+ public char[] getSharedToken(BigInteger serial) - throws EBaseException { - String method = "SharedSecret.getSharedToken(BigInteger serial): "; - String msg = ""; -@@ -417,7 +419,7 @@ public class SharedSecret extends DirBasedAuthentication - throw new EBaseException(method + msg); - } - -- String shrSecret = decryptShrTokData(shrTok_s); -+ char[] shrSecret = decryptShrTokData(shrTok_s); - CMS.debug(method + "returning"); - return shrSecret; - } -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 5f34ec9..9051baf 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -21,6 +21,7 @@ import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; - import java.math.BigInteger; -+import java.nio.ByteBuffer; - import java.security.InvalidKeyException; - import java.security.MessageDigest; - import java.security.NoSuchAlgorithmException; -@@ -1300,7 +1301,7 @@ public abstract class EnrollProfile extends BasicProfile - protected boolean verifyPopLinkWitnessV2( - PopLinkWitnessV2 popLinkWitnessV2, - byte[] randomSeed, -- String sharedSecret, -+ byte[] sharedSecret, - String ident_string) { - String method = "EnrollProfile: verifyPopLinkWitnessV2: "; - -@@ -1326,6 +1327,7 @@ public abstract class EnrollProfile extends BasicProfile - return false; - } - -+ byte[] verifyBytes = null; 
- try { - DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID()); - MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString()); -@@ -1335,17 +1337,41 @@ public abstract class EnrollProfile extends BasicProfile - .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString())); - - byte[] witness_bytes = witness.toByteArray(); -- return verifyDigest( -- (ident_string != null) ? (sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(), -+ -+ ByteBuffer bb = null; -+ -+ if(ident_string != null) { -+ bb = ByteBuffer.allocate(ident_string.getBytes().length + sharedSecret.length); -+ bb.put(sharedSecret); -+ bb.put(ident_string.getBytes()); -+ verifyBytes = bb.array(); -+ } else { -+ verifyBytes = sharedSecret; -+ } -+ -+ boolean result = verifyDigest( -+ verifyBytes, - randomSeed, - witness_bytes, - keyGenMDAlg, macMDAlg); -+ -+ //Check ident_string because, verifyBytes will be = sharedSecret otherwise. -+ //Let caller clear sharedSecret when the time comes. 
-+ if (ident_string != null) { -+ CryptoUtil.obscureBytes(verifyBytes, "random"); -+ } -+ -+ return result; - } catch (NoSuchAlgorithmException e) { - CMS.debug(method + e); - return false; - } catch (Exception e) { - CMS.debug(method + e); - return false; -+ } finally { -+ if (ident_string != null) { -+ CryptoUtil.obscureBytes(verifyBytes, "random"); -+ } - } - } - -@@ -1365,162 +1391,175 @@ public abstract class EnrollProfile extends BasicProfile - - boolean sharedSecretFound = true; - String configName = "SharedToken"; -- String sharedSecret = null; -+ char[] sharedSecret = null; -+ byte[] sharedSecretBytes = null; -+ - try { -- IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); - -- IAuthManager sharedTokenAuth = authSS.getAuthManager(configName); -- if (sharedTokenAuth == null) { -- CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); -- sharedSecretFound = false; -- } -- ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; -+ try { -+ IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH); - -- if (ident_string != null) { -- sharedSecret = tokenClass.getSharedToken(ident_string); -- } else { -- sharedSecret = tokenClass.getSharedToken(mCMCData); -- } -- if (sharedSecret == null) -- sharedSecretFound = false; -+ IAuthManager sharedTokenAuth = authSS.getAuthManager(configName); -+ if (sharedTokenAuth == null) { -+ CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); -+ sharedSecretFound = false; -+ } -+ ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - -- } catch (Exception e) { -- CMS.debug(e); -- return false; -- } -+ if (ident_string != null) { -+ sharedSecret = tokenClass.getSharedToken(ident_string); -+ } else { -+ sharedSecret = tokenClass.getSharedToken(mCMCData); -+ } -+ if (sharedSecret == null) { -+ sharedSecretFound = false; -+ } else { -+ sharedSecretBytes = CryptoUtil.charsToBytes(sharedSecret); -+ } - -- INTEGER reqId = 
null; -- byte[] bv = null; -+ } catch (Exception e) { -+ CMS.debug(e); -+ return false; -+ } - -- if (req.getType().equals(TaggedRequest.PKCS10)) { -- String methodPos = method + "PKCS10: "; -- CMS.debug(methodPos + "begins"); -+ INTEGER reqId = null; -+ byte[] bv = null; - -- TaggedCertificationRequest tcr = req.getTcr(); -- if (!sharedSecretFound) { -- bpids.addElement(tcr.getBodyPartID()); -- context.put("POPLinkWitness", bpids); -- return false; -- } else { -- CertificationRequest creq = tcr.getCertificationRequest(); -- CertificationRequestInfo cinfo = creq.getInfo(); -- SET attrs = cinfo.getAttributes(); -- for (int j = 0; j < attrs.size(); j++) { -- Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); -- if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -- CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -- if (ident_string == null) { -- bpids.addElement(reqId); -- context.put("identification", bpids); -- context.put("POPLinkWitnessV2", bpids); -- String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; -- CMS.debug(methodPos + msg); -- return false; -- } -+ if (req.getType().equals(TaggedRequest.PKCS10)) { -+ String methodPos = method + "PKCS10: "; -+ CMS.debug(methodPos + "begins"); - -- SET witnessVal = pkcs10Attr.getValues(); -- if (witnessVal.size() > 0) { -- try { -- PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0)); -- boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -- randomSeed, -- sharedSecret, -- ident_string); -- if (!valid) { -- bpids.addElement(reqId); -- context.put("POPLinkWitnessV2", bpids); -- return valid; -- } -- return true; -- } catch (Exception ex) { -- CMS.debug(methodPos + ex); -+ TaggedCertificationRequest tcr = req.getTcr(); -+ if (!sharedSecretFound) { -+ bpids.addElement(tcr.getBodyPartID()); -+ context.put("POPLinkWitness", bpids); -+ return false; -+ } else { -+ CertificationRequest creq = 
tcr.getCertificationRequest(); -+ CertificationRequestInfo cinfo = creq.getInfo(); -+ SET attrs = cinfo.getAttributes(); -+ for (int j = 0; j < attrs.size(); j++) { -+ Attribute pkcs10Attr = (Attribute) attrs.elementAt(j); -+ if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -+ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -+ if (ident_string == null) { -+ bpids.addElement(reqId); -+ context.put("identification", bpids); -+ context.put("POPLinkWitnessV2", bpids); -+ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; -+ CMS.debug(methodPos + msg); - return false; - } -- } -- } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -- SET witnessVal = pkcs10Attr.getValues(); -- if (witnessVal.size() > 0) { -- try { -- OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -- ASN1Util.encode(witnessVal.elementAt(0)))); -- bv = str.toByteArray(); -- return verifyDigest(sharedSecret.getBytes(), -- randomSeed, bv); -- } catch (InvalidBERException ex) { -- return false; -+ -+ SET witnessVal = pkcs10Attr.getValues(); -+ if (witnessVal.size() > 0) { -+ try { -+ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control( -+ witnessVal.elementAt(0)); -+ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -+ randomSeed, -+ sharedSecretBytes, -+ ident_string); -+ if (!valid) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitnessV2", bpids); -+ return valid; -+ } -+ return true; -+ } catch (Exception ex) { -+ CMS.debug(methodPos + ex); -+ return false; -+ } -+ } -+ } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -+ SET witnessVal = pkcs10Attr.getValues(); -+ if (witnessVal.size() > 0) { -+ try { -+ OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), -+ ASN1Util.encode(witnessVal.elementAt(0)))); -+ bv = str.toByteArray(); -+ return verifyDigest(sharedSecretBytes, 
-+ randomSeed, bv); -+ } catch (InvalidBERException ex) { -+ return false; -+ } - } - } - } -- } -- -- return false; -- } -- } else if (req.getType().equals(TaggedRequest.CRMF)) { -- String methodPos = method + "CRMF: "; -- CMS.debug(methodPos + "begins"); -- -- CertReqMsg crm = req.getCrm(); -- CertRequest certReq = crm.getCertReq(); -- reqId = certReq.getCertReqId(); -- if (!sharedSecretFound) { -- bpids.addElement(reqId); -- context.put("POPLinkWitness", bpids); -- return false; -- } else { -- for (int i = 0; i < certReq.numControls(); i++) { -- AVA ava = certReq.controlAt(i); - -- if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -- CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -- if (ident_string == null) { -- bpids.addElement(reqId); -- context.put("identification", bpids); -- context.put("POPLinkWitnessV2", bpids); -- String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; -- CMS.debug(methodPos + msg); -- return false; -- } -+ return false; -+ } -+ } else if (req.getType().equals(TaggedRequest.CRMF)) { -+ String methodPos = method + "CRMF: "; -+ CMS.debug(methodPos + "begins"); - -- ASN1Value value = ava.getValue(); -- PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); -+ CertReqMsg crm = req.getCrm(); -+ CertRequest certReq = crm.getCertReq(); -+ reqId = certReq.getCertReqId(); -+ if (!sharedSecretFound) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitness", bpids); -+ return false; -+ } else { -+ for (int i = 0; i < certReq.numControls(); i++) { -+ AVA ava = certReq.controlAt(i); -+ -+ if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) { -+ CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2"); -+ if (ident_string == null) { -+ bpids.addElement(reqId); -+ context.put("identification", bpids); -+ context.put("POPLinkWitnessV2", bpids); -+ String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server"; 
-+ CMS.debug(methodPos + msg); -+ return false; -+ } - -- boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -- randomSeed, -- sharedSecret, -- ident_string); -- if (!valid) { -- bpids.addElement(reqId); -- context.put("POPLinkWitnessV2", bpids); -- return valid; -- } -- } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -- CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); -- ASN1Value value = ava.getValue(); -- ByteArrayInputStream bis = new ByteArrayInputStream( -- ASN1Util.encode(value)); -- OCTET_STRING ostr = null; -- try { -- ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); -- bv = ostr.toByteArray(); -- } catch (Exception e) { -- bpids.addElement(reqId); -- context.put("POPLinkWitness", bpids); -- return false; -- } -+ ASN1Value value = ava.getValue(); -+ PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value); -+ -+ boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2, -+ randomSeed, -+ sharedSecretBytes, -+ ident_string); -+ if (!valid) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitnessV2", bpids); -+ return valid; -+ } -+ } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) { -+ CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness"); -+ ASN1Value value = ava.getValue(); -+ ByteArrayInputStream bis = new ByteArrayInputStream( -+ ASN1Util.encode(value)); -+ OCTET_STRING ostr = null; -+ try { -+ ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis); -+ bv = ostr.toByteArray(); -+ } catch (Exception e) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitness", bpids); -+ return false; -+ } - -- boolean valid = verifyDigest(sharedSecret.getBytes(), -- randomSeed, bv); -- if (!valid) { -- bpids.addElement(reqId); -- context.put("POPLinkWitness", bpids); -- return valid; -+ boolean valid = verifyDigest(sharedSecretBytes, -+ randomSeed, bv); -+ if (!valid) { -+ bpids.addElement(reqId); -+ context.put("POPLinkWitness", bpids); -+ return valid; -+ } 
- } - } - } - } -- } - -- return true; -+ return true; -+ -+ } finally { -+ CryptoUtil.obscureBytes(sharedSecretBytes, "random"); -+ CryptoUtil.obscureChars(sharedSecret); -+ } - } - - private boolean verifyDigest(byte[] sharedSecret, byte[] text, byte[] bv) { -@@ -1664,7 +1703,7 @@ public abstract class EnrollProfile extends BasicProfile - } - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - -- String token = null; -+ char[] token = null; - if (ident_string != null) { - auditAttemptedCred = ident_string; - token = tokenClass.getSharedToken(ident_string); -@@ -1702,14 +1741,36 @@ public abstract class EnrollProfile extends BasicProfile - - byte[] witness_bytes = witness.toByteArray(); - byte[] request_bytes = ASN1Util.encode(reqSeq); // PKIData reqSequence field -+ -+ byte[] verifyBytes = null; -+ ByteBuffer bb = null; -+ -+ byte[] tokenBytes = CryptoUtil.charsToBytes(token); -+ -+ if(ident_string != null) { -+ bb = ByteBuffer.allocate(ident_string.getBytes().length + token.length); -+ bb.put(tokenBytes); -+ bb.put(ident_string.getBytes()); -+ verifyBytes = bb.array(); -+ } else { -+ verifyBytes = tokenBytes; -+ } -+ -+ - verified = verifyDigest( -- (ident_string != null) ? 
(token + ident_string).getBytes() : token.getBytes(), -+ verifyBytes, - request_bytes, - witness_bytes, - hashAlg, macAlg); - - String auditSubjectID = null; - -+ if(ident_string != null) { -+ CryptoUtil.obscureBytes(verifyBytes, "random"); -+ } -+ -+ CryptoUtil.obscureChars(token); -+ - if (verified) { - auditSubjectID = (String) sessionContext.get(SessionContext.USER_ID); - CMS.debug(method + "current auditSubjectID was:" + auditSubjectID); -@@ -1760,13 +1821,14 @@ public abstract class EnrollProfile extends BasicProfile - } - - OCTET_STRING ostr = null; -- String token = null; -+ char[] token = null; - try { - token = tokenClass.getSharedToken(mCMCData); - ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(), - ASN1Util.encode(vals.elementAt(0)))); - } catch (InvalidBERException e) { - CMS.debug(method + "Failed to decode the byte value."); -+ CryptoUtil.obscureChars(token); - return false; - } catch (Exception e) { - CMS.debug(method + "exception: " + e.toString()); -@@ -1775,10 +1837,15 @@ public abstract class EnrollProfile extends BasicProfile - byte[] b = ostr.toByteArray(); - byte[] text = ASN1Util.encode(reqSeq); - -- verified = verifyDigest(token.getBytes(), text, b); -+ byte[] verifyBytes = CryptoUtil.charsToBytes(token); -+ verified = verifyDigest(verifyBytes, text, b); - if (verified) {// update auditSubjectID - //placeholder. 
Should probably just disable this v1 method - } -+ -+ CryptoUtil.obscureBytes(verifyBytes, "random"); -+ CryptoUtil.obscureChars(token); -+ - return verified; - } - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index 1d70b36..6c40d2d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -68,6 +68,7 @@ import org.mozilla.jss.pkix.cms.SignerIdentifier; - import org.mozilla.jss.pkix.cms.SignerInfo; - import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier; - import org.mozilla.jss.pkix.primitive.Name; -+import org.mozilla.jss.util.Password; - - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.IAuthManager; -@@ -1093,7 +1094,7 @@ public class CMCOutputTemplate { - } - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - -- String sharedSecret = tokenClass.getSharedToken(revokeSerial); -+ char[] sharedSecret = tokenClass.getSharedToken(revokeSerial); - - if (sharedSecret == null) { - CMS.debug("CMCOutputTemplate: shared secret not found."); -@@ -1110,11 +1111,21 @@ public class CMCOutputTemplate { - } - - byte[] reqSecretb = reqSecret.toByteArray(); -- String clientSC = new String(reqSecretb); -- if (clientSC.equals(sharedSecret)) { -+ char[] reqSecretbChars = CryptoUtil.bytesToChars(reqSecretb); -+ -+ Password secret1 = new Password(sharedSecret); -+ Password secret2 = new Password(reqSecretbChars); -+ -+ CryptoUtil.obscureChars(sharedSecret); -+ CryptoUtil.obscureChars(reqSecretbChars); -+ CryptoUtil.obscureBytes(reqSecretb, "random"); -+ -+ if(secret1.equals(secret2)) { - CMS.debug(method - + " Client and server shared secret are the same, can go ahead and revoke certificate."); - revoke = true; -+ secret1.clear(); -+ secret2.clear(); - } else { - CMS.debug(method - + " Client and server 
shared secret are not the same, cannot revoke certificate."); -@@ -1137,6 +1148,8 @@ public class CMCOutputTemplate { - auditReasonNum, - auditApprovalStatus)); - -+ secret1.clear(); -+ secret2.clear(); - return bpid; - } - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 0018841..1d37d73 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -217,18 +217,28 @@ public class ConfigurationUtils { - Password password = null; - password = new Password(tokPwd.toCharArray()); - -- if (token.passwordIsInitialized()) { -- CMS.debug("loginToken():token password is initialized"); -- if (!token.isLoggedIn()) { -- CMS.debug("loginToken():Token is not logged in, try it"); -- token.login(password); -+ try { -+ if (token.passwordIsInitialized()) { -+ CMS.debug("loginToken():token password is initialized"); -+ if (!token.isLoggedIn()) { -+ CMS.debug("loginToken():Token is not logged in, try it"); -+ token.login(password); -+ } else { -+ CMS.debug("loginToken():Token has already logged on"); -+ } - } else { -- CMS.debug("loginToken():Token has already logged on"); -+ CMS.debug("loginToken():Token password not initialized"); -+ rv = false; -+ } -+ -+ } catch (TokenException | IncorrectPasswordException e) { -+ throw e; -+ } finally { -+ if (password != null) { -+ password.clear(); - } -- } else { -- CMS.debug("loginToken():Token password not initialized"); -- rv = false; - } -+ - return rv; - } - -@@ -877,117 +887,126 @@ public class ConfigurationUtils { - StringBuffer reason = new StringBuffer(); - Password password = new Password(p12Pass.toCharArray()); - -- PFX pfx = (PFX) (new PFX.Template()).decode(bis); -- boolean verifypfx = pfx.verifyAuthSafes(password, reason); -+ try { - -- if (!verifypfx) { -- throw new IOException("PKCS 
#12 password is incorrect"); -- } -+ PFX pfx = (PFX) (new PFX.Template()).decode(bis); -+ boolean verifypfx = pfx.verifyAuthSafes(password, reason); - -- AuthenticatedSafes safes = pfx.getAuthSafes(); -- Vector> pkeyinfo_collection = new Vector>(); -- Vector> cert_collection = new Vector>(); -+ if (!verifypfx) { -+ throw new IOException("PKCS #12 password is incorrect"); -+ } - -- CMS.debug("Importing PKCS #12 data"); -+ AuthenticatedSafes safes = pfx.getAuthSafes(); -+ Vector> pkeyinfo_collection = new Vector>(); -+ Vector> cert_collection = new Vector>(); - -- for (int i = 0; i < safes.getSize(); i++) { -+ CMS.debug("Importing PKCS #12 data"); - -- CMS.debug("- Safe #" + i + ":"); -- SEQUENCE scontent = safes.getSafeContentsAt(null, i); -+ for (int i = 0; i < safes.getSize(); i++) { - -- for (int j = 0; j < scontent.size(); j++) { -+ CMS.debug("- Safe #" + i + ":"); -+ SEQUENCE scontent = safes.getSafeContentsAt(null, i); - -- SafeBag bag = (SafeBag) scontent.elementAt(j); -- OBJECT_IDENTIFIER oid = bag.getBagType(); -+ for (int j = 0; j < scontent.size(); j++) { - -- if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { -+ SafeBag bag = (SafeBag) scontent.elementAt(j); -+ OBJECT_IDENTIFIER oid = bag.getBagType(); - -- CMS.debug(" - Bag #" + j + ": key"); -- byte[] epki = bag.getBagContent().getEncoded(); -+ if (oid.equals(SafeBag.PKCS8_SHROUDED_KEY_BAG)) { - -- SET bagAttrs = bag.getBagAttributes(); -- String subjectDN = null; -+ CMS.debug(" - Bag #" + j + ": key"); -+ byte[] epki = bag.getBagContent().getEncoded(); - -- for (int k = 0; k < bagAttrs.size(); k++) { -+ SET bagAttrs = bag.getBagAttributes(); -+ String subjectDN = null; - -- Attribute attrs = (Attribute) bagAttrs.elementAt(k); -- OBJECT_IDENTIFIER aoid = attrs.getType(); -+ for (int k = 0; k < bagAttrs.size(); k++) { - -- if (aoid.equals(SafeBag.FRIENDLY_NAME)) { -- SET val = attrs.getValues(); -- ANY ss = (ANY) val.elementAt(0); -+ Attribute attrs = (Attribute) bagAttrs.elementAt(k); -+ 
OBJECT_IDENTIFIER aoid = attrs.getType(); - -- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); -- BMPString sss = (BMPString) new BMPString.Template().decode(bbis); -- subjectDN = sss.toString(); -- CMS.debug(" Subject DN: " + subjectDN); -- break; -+ if (aoid.equals(SafeBag.FRIENDLY_NAME)) { -+ SET val = attrs.getValues(); -+ ANY ss = (ANY) val.elementAt(0); -+ -+ ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); -+ BMPString sss = (BMPString) new BMPString.Template().decode(bbis); -+ subjectDN = sss.toString(); -+ CMS.debug(" Subject DN: " + subjectDN); -+ break; -+ } - } -- } - -- // pkeyinfo_v stores EncryptedPrivateKeyInfo -- // (byte[]) and subject DN (String) -- Vector pkeyinfo_v = new Vector(); -- pkeyinfo_v.addElement(epki); -- if (subjectDN != null) -- pkeyinfo_v.addElement(subjectDN); -+ // pkeyinfo_v stores EncryptedPrivateKeyInfo -+ // (byte[]) and subject DN (String) -+ Vector pkeyinfo_v = new Vector(); -+ pkeyinfo_v.addElement(epki); -+ if (subjectDN != null) -+ pkeyinfo_v.addElement(subjectDN); - -- pkeyinfo_collection.addElement(pkeyinfo_v); -+ pkeyinfo_collection.addElement(pkeyinfo_v); - -- } else if (oid.equals(SafeBag.CERT_BAG)) { -+ } else if (oid.equals(SafeBag.CERT_BAG)) { - -- CMS.debug(" - Bag #" + j + ": certificate"); -- CertBag cbag = (CertBag) bag.getInterpretedBagContent(); -- OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert(); -- byte[] x509cert = str.toByteArray(); -+ CMS.debug(" - Bag #" + j + ": certificate"); -+ CertBag cbag = (CertBag) bag.getInterpretedBagContent(); -+ OCTET_STRING str = (OCTET_STRING) cbag.getInterpretedCert(); -+ byte[] x509cert = str.toByteArray(); - -- SET bagAttrs = bag.getBagAttributes(); -- String nickname = null; -+ SET bagAttrs = bag.getBagAttributes(); -+ String nickname = null; - -- if (bagAttrs != null) { -+ if (bagAttrs != null) { - -- for (int k = 0; k < bagAttrs.size(); k++) { -+ for (int k = 0; k < bagAttrs.size(); k++) { - -- Attribute attrs 
= (Attribute) bagAttrs.elementAt(k); -- OBJECT_IDENTIFIER aoid = attrs.getType(); -+ Attribute attrs = (Attribute) bagAttrs.elementAt(k); -+ OBJECT_IDENTIFIER aoid = attrs.getType(); - -- if (aoid.equals(SafeBag.FRIENDLY_NAME)) { -- SET val = attrs.getValues(); -- ANY ss = (ANY) val.elementAt(0); -+ if (aoid.equals(SafeBag.FRIENDLY_NAME)) { -+ SET val = attrs.getValues(); -+ ANY ss = (ANY) val.elementAt(0); - -- ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); -- BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis); -- nickname = sss.toString(); -- CMS.debug(" Nickname: " + nickname); -- break; -+ ByteArrayInputStream bbis = new ByteArrayInputStream(ss.getEncoded()); -+ BMPString sss = (BMPString) (new BMPString.Template()).decode(bbis); -+ nickname = sss.toString(); -+ CMS.debug(" Nickname: " + nickname); -+ break; -+ } - } - } -- } - -- X509CertImpl certImpl = new X509CertImpl(x509cert); -- CMS.debug(" Serial number: " + certImpl.getSerialNumber()); -+ X509CertImpl certImpl = new X509CertImpl(x509cert); -+ CMS.debug(" Serial number: " + certImpl.getSerialNumber()); - -- try { -- certImpl.checkValidity(); -- CMS.debug(" Status: valid"); -+ try { -+ certImpl.checkValidity(); -+ CMS.debug(" Status: valid"); - -- } catch (CertificateExpiredException | CertificateNotYetValidException e) { -- CMS.debug(" Status: " + e); -- continue; -- } -+ } catch (CertificateExpiredException | CertificateNotYetValidException e) { -+ CMS.debug(" Status: " + e); -+ continue; -+ } - -- // cert_v stores certificate (byte[]) and nickname (String) -- Vector cert_v = new Vector(); -- cert_v.addElement(x509cert); -- if (nickname != null) -- cert_v.addElement(nickname); -+ // cert_v stores certificate (byte[]) and nickname (String) -+ Vector cert_v = new Vector(); -+ cert_v.addElement(x509cert); -+ if (nickname != null) -+ cert_v.addElement(nickname); - -- cert_collection.addElement(cert_v); -+ cert_collection.addElement(cert_v); -+ } - } - } -- } - -- 
importKeyCert(password, pkeyinfo_collection, cert_collection); -+ importKeyCert(password, pkeyinfo_collection, cert_collection); -+ } catch (Exception e) { -+ throw e; -+ } finally { -+ if (password != null) { -+ password.clear(); -+ } -+ } - } - - public static void verifySystemCertificates() throws Exception { -@@ -3248,54 +3267,63 @@ public class ConfigurationUtils { - - Password pass = new org.mozilla.jss.util.Password(pwd.toCharArray()); - -- PKCS12Util util = new PKCS12Util(); -- PKCS12 pkcs12 = new PKCS12(); -+ try { - -- // load system certificate (with key but without chain) -- while (st.hasMoreTokens()) { -+ PKCS12Util util = new PKCS12Util(); -+ PKCS12 pkcs12 = new PKCS12(); - -- String t = st.nextToken(); -- if (t.equals("sslserver")) -- continue; -+ // load system certificate (with key but without chain) -+ while (st.hasMoreTokens()) { - -- String nickname = cs.getString("preop.cert." + t + ".nickname"); -- String modname = cs.getString("preop.module.token"); -+ String t = st.nextToken(); -+ if (t.equals("sslserver")) -+ continue; - -- if (!CryptoUtil.isInternalToken(modname)) -- nickname = modname + ":" + nickname; -+ String nickname = cs.getString("preop.cert." 
+ t + ".nickname"); -+ String modname = cs.getString("preop.module.token"); - -- util.loadCertFromNSS(pkcs12, nickname, true, false); -- } -+ if (!CryptoUtil.isInternalToken(modname)) -+ nickname = modname + ":" + nickname; - -- // load CA certificates (without keys or chains) -- for (X509Certificate caCert : cm.getCACerts()) { -- util.loadCertFromNSS(pkcs12, caCert, false, false); -- } -+ util.loadCertFromNSS(pkcs12, nickname, true, false); -+ } - -- PFX pfx = util.generatePFX(pkcs12, pass); -+ // load CA certificates (without keys or chains) -+ for (X509Certificate caCert : cm.getCACerts()) { -+ util.loadCertFromNSS(pkcs12, caCert, false, false); -+ } - -- ByteArrayOutputStream bos = new ByteArrayOutputStream(); -- pfx.encode(bos); -- byte[] output = bos.toByteArray(); -+ PFX pfx = util.generatePFX(pkcs12, pass); - -- cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); -- pass.clear(); -- cs.commit(false); -+ ByteArrayOutputStream bos = new ByteArrayOutputStream(); -+ pfx.encode(bos); -+ byte[] output = bos.toByteArray(); - -- if (fname != null) { -- FileOutputStream fout = null; -- try { -- fout = new FileOutputStream(fname); -- fout.write(output); -+ cs.putString("preop.pkcs12", CryptoUtil.byte2string(output)); -+ cs.commit(false); - -- } catch (Exception e) { -- throw new IOException("Failed to store keys in backup file " + e, e); -+ if (fname != null) { -+ FileOutputStream fout = null; -+ try { -+ fout = new FileOutputStream(fname); -+ fout.write(output); - -- } finally { -- if (fout != null) { -- fout.close(); -+ } catch (Exception e) { -+ throw new IOException("Failed to store keys in backup file " + e, e); -+ -+ } finally { -+ if (fout != null) { -+ fout.close(); -+ } - } - } -+ -+ } catch (Exception e) { -+ throw e; -+ } finally { -+ if (pass != null) { -+ pass.clear(); -+ } - } - } - -diff --git a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java 
-index be7edd5..a9bb003 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/security/JssSubsystem.java -@@ -409,6 +409,14 @@ public final class JssSubsystem implements ICryptoSubsystem { - } - } - -+ public void obscureChars(char[] memory) { -+ String methodName = "JssSubsystem.obscureBytes: "; -+ if (memory == null || memory.length == 0) -+ return; -+ CMS.debug(methodName + " filling with zeroes, numChars: " + memory.length); -+ Arrays.fill(memory, (char) 0); -+ } -+ - public String getCipherVersion() throws EBaseException { - return "cipherdomestic"; - } -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 8a0ea08..7a68c9b 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -24,6 +24,9 @@ import java.io.IOException; - import java.io.PrintStream; - import java.math.BigInteger; - import java.net.SocketException; -+import java.nio.ByteBuffer; -+import java.nio.CharBuffer; -+import java.nio.charset.Charset; - import java.security.GeneralSecurityException; - import java.security.InvalidAlgorithmParameterException; - import java.security.InvalidKeyException; -@@ -1950,6 +1953,52 @@ public class CryptoUtil { - return bytes; - } - -+ public static char[] bytesToChars(byte[] bytes) { -+ if(bytes == null) -+ return null; -+ -+ Charset charset = Charset.forName("UTF-8"); -+ CharBuffer charBuffer = charset.decode(ByteBuffer.wrap(bytes)); -+ char[] result = Arrays.copyOf(charBuffer.array(), charBuffer.limit()); -+ -+ //Clear up the CharBuffer we just created -+ if (charBuffer.hasArray()) { -+ char[] contentsToBeErased = charBuffer.array(); -+ CryptoUtil.obscureChars(contentsToBeErased); -+ } -+ return result; -+ } -+ -+ public static byte[] charsToBytes(char[] chars) { -+ if(chars == null) -+ return null; -+ -+ Charset 
charset = Charset.forName("UTF-8"); -+ ByteBuffer byteBuffer = charset.encode(CharBuffer.wrap(chars)); -+ byte[] result = Arrays.copyOf(byteBuffer.array(), byteBuffer.limit()); -+ -+ if(byteBuffer.hasArray()) { -+ byte[] contentsToBeErased = byteBuffer.array(); -+ CryptoUtil.obscureBytes(contentsToBeErased, "random"); -+ } -+ return result; -+ } -+ -+ /** -+ * Create a jss Password object from a provided byte array. -+ */ -+ public static Password createPasswordFromBytes(byte[] bytes ) { -+ -+ if(bytes == null) -+ return null; -+ -+ char[] pwdChars = bytesToChars(bytes); -+ Password password = new Password(pwdChars); -+ obscureChars(pwdChars); -+ -+ return password; -+ } -+ - /** - * Retrieves a private key from a unique key ID. - */ -@@ -2176,6 +2225,14 @@ public class CryptoUtil { - - } - -+ public static void obscureChars(char[] memory) { -+ if (memory == null || memory.length == 0) { -+ //in case we want to log -+ return; -+ } -+ Arrays.fill(memory, (char) 0); -+ } -+ - public static void obscureBytes(byte[] memory, String method) { - if (memory == null || memory.length == 0) { - //in case we want to log -@@ -2279,7 +2336,7 @@ public class CryptoUtil { - public static PKIArchiveOptions createPKIArchiveOptions( - CryptoToken token, - PublicKey wrappingKey, -- String data, -+ char[] data, - WrappingParams params, - AlgorithmIdentifier aid) throws Exception { - return createPKIArchiveOptionsInternal( -@@ -2289,7 +2346,7 @@ public class CryptoUtil { - public static byte[] createEncodedPKIArchiveOptions( - CryptoToken token, - PublicKey wrappingKey, -- String data, -+ char []data, - WrappingParams params, - AlgorithmIdentifier aid) throws Exception { - PKIArchiveOptions opts = createPKIArchiveOptionsInternal( -@@ -2300,7 +2357,7 @@ public class CryptoUtil { - private static PKIArchiveOptions createPKIArchiveOptionsInternal( - CryptoToken token, - PublicKey wrappingKey, -- String passphraseData, -+ char[] passphraseData, - PrivateKey privKeyData, - SymmetricKey 
symKeyData,
- WrappingParams params,
-@@ -2315,7 +2372,7 @@ public class CryptoUtil {
-
- if (passphraseData != null) {
-
-- byte[] secret = passphraseData.getBytes("UTF-8");
-+ byte[] secret = CryptoUtil.charsToBytes(passphraseData);
- key_data = encryptSecret(
- token,
- secret,
--- 
-1.8.3.1
-
-
-From 45a098dfbe3bbb951a7cb22d50e13e8e093d03cc Mon Sep 17 00:00:00 2001
-From: Geetika Kapoor
-Date: Mon, 20 Nov 2017 12:13:41 +0530
-Subject: Added ansible playbooks code and documentation for setup
-
-Change-Id: I0e597ec86661d2ccf72e8a04279981471b0590b1
-Signed-off-by: Geetika Kapoor
-(cherry picked from commit 48fbe1e75de5d91699aaa418fd8e34ab3745e25c)
----
- tests/dogtag/pytest-ansible/README.md | 27 ++
- tests/dogtag/pytest-ansible/common-modules/pki.py | 127 +++++++++
- tests/dogtag/pytest-ansible/installation/README.md | 99 +++++++
- tests/dogtag/pytest-ansible/installation/host | 2 +
- tests/dogtag/pytest-ansible/installation/main.yml | 11 +
- .../files/config_templates/ansible_constants.py | 52 ++++
- .../roles/Test_Execution/files/test/script | 79 ++++++
- .../roles/Test_Execution/handlers/main.yml | 3 +
- .../roles/Test_Execution/handlers/pki-core.yml | 54 ++++
- .../roles/Test_Execution/tasks/configure_ca.yml | 18 ++
- .../Test_Execution/tasks/configure_common.yml | 77 +++++
- .../roles/Test_Execution/tasks/configure_kra.yml | 24 ++
- .../roles/Test_Execution/tasks/configure_ldap.yml | 20 ++
- .../roles/Test_Execution/tasks/configure_ocsp.yml | 17 ++
- .../Test_Execution/tasks/configure_shared.yml | 14 +
- .../tasks/configure_sharedsecret.yml | 4 +
- .../roles/Test_Execution/tasks/configure_tks.yml | 30 ++
- .../roles/Test_Execution/tasks/configure_tps.yml | 24 ++
- .../roles/Test_Execution/tasks/main.yml | 19 ++
- .../files/config_templates/ansible_constants.py | 52 ++++
- .../roles/Test_Trigger/files/test/ca.cfg | 38 +++
- .../roles/Test_Trigger/files/test/constants.py | 67 +++++
- .../roles/Test_Trigger/files/test/kra.cfg | 42 +++
- 
.../roles/Test_Trigger/files/test/ldap.cfg | 12 + - .../roles/Test_Trigger/files/test/ocsp.cfg | 36 +++ - .../roles/Test_Trigger/files/test/script | 79 ++++++ - .../roles/Test_Trigger/files/test/tks.cfg | 26 ++ - .../roles/Test_Trigger/files/test/tps.cfg | 34 +++ - .../roles/Test_Trigger/tasks/configure_ca.yml | 25 ++ - .../roles/Test_Trigger/tasks/configure_common.yml | 146 ++++++++++ - .../roles/Test_Trigger/tasks/configure_kra.yml | 27 ++ - .../roles/Test_Trigger/tasks/configure_ldap.yml | 47 ++++ - .../roles/Test_Trigger/tasks/configure_ocsp.yml | 27 ++ - .../roles/Test_Trigger/tasks/configure_tks.yml | 27 ++ - .../roles/Test_Trigger/tasks/configure_tps.yml | 39 +++ - .../installation/roles/Test_Trigger/tasks/main.yml | 15 + - .../dogtag/pytest-ansible/installation/vars/ca.yml | 4 + - .../pytest-ansible/installation/vars/ca_shared.yml | 24 ++ - .../pytest-ansible/installation/vars/kra.yml | 4 + - .../pytest-ansible/installation/vars/ldap.yml | 8 + - .../installation/vars/ldap_shared.yml | 3 + - .../pytest-ansible/installation/vars/ocsp.yml | 4 + - .../pytest-ansible/installation/vars/tks.yml | 4 + - .../pytest-ansible/installation/vars/tps.yml | 4 + - tests/dogtag/pytest-ansible/provision/readme.txt | 0 - tests/dogtag/pytest-ansible/pytest/README.md | 313 +++++++++++++++++++++ - .../pytest/tps-token/ldapUserAdd.yml | 35 +++ - .../pytest/tps-token/test_tps_token_show.py | 106 +++++++ - .../pytest/tps-token/tokenEnroll.yml | 35 +++ - tests/dogtag/pytest-ansible/requirements.txt | 5 + - 50 files changed, 1989 insertions(+) - create mode 100644 tests/dogtag/pytest-ansible/README.md - create mode 100644 tests/dogtag/pytest-ansible/common-modules/pki.py - create mode 100644 tests/dogtag/pytest-ansible/installation/README.md - create mode 100644 tests/dogtag/pytest-ansible/installation/host - create mode 100644 tests/dogtag/pytest-ansible/installation/main.yml - create mode 100644 
tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py - create mode 100755 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg - create mode 100644 
tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg - create mode 100755 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ca.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/kra.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ldap.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/ocsp.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/tks.yml - create mode 100644 tests/dogtag/pytest-ansible/installation/vars/tps.yml - create mode 100644 tests/dogtag/pytest-ansible/provision/readme.txt 
- create mode 100644 tests/dogtag/pytest-ansible/pytest/README.md - create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml - create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py - create mode 100644 tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml - create mode 100644 tests/dogtag/pytest-ansible/requirements.txt - -diff --git a/tests/dogtag/pytest-ansible/README.md b/tests/dogtag/pytest-ansible/README.md -new file mode 100644 -index 0000000..8142f39 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/README.md -@@ -0,0 +1,27 @@ -+# Environment-Setup Instructions -+ -+## Installing pip -+ -+[pip] (https://pip.pypa.io/en/stable/installing/) is needed for ansible & pytest installation. -+ -+## Installing Supporting Packages -+ -+Install the pip and run requirements.txt file -+ -+``` -+pip install -r requirements.txt -+``` -+ -+## Installing CA, KRA, OCSP, TKS & TPS Subsystems -+ -+Refer [README.md] (installation/README.md) -+ -+ -+ -+## Running Pytest-Ansible test cases. -+ -+### Pre-requisite -+ -+1. Run Role user setup for setting up different users for different subsystem for setting up Admin, Agent, Revoked and Expired certificates. -+ -- To-do -+2. Refer [README.md] (pytest/README.md) -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/common-modules/pki.py b/tests/dogtag/pytest-ansible/common-modules/pki.py -new file mode 100644 -index 0000000..4d489e9 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/common-modules/pki.py -@@ -0,0 +1,127 @@ -+#!/usr/bin/python -+# -*- coding: utf-8 -*- -+# (c) 2016, Geetika Kapoor -+# -+# This file is part of Ansible -+# -+# Ansible is free software: you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. 
-+# -+# Ansible is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with Ansible. If not, see . -+ -+ANSIBLE_METADATA = {'metadata_version': '1.0', -+ 'status': ['stableinterface'], -+ 'supported_by': 'core'} -+ -+DOCUMENTATION = ''' -+--- -+module: pki -+short_description: Execute dogtag "pki" commands remotely on any machine. -+Point it to the host where you want them to run. -+This utility supports all the authentication modes as mentioned in -+man pages of pki. Refer 'man pki' for supported options. -+ -+Usage: This can be added as mentioned in the example. -+Authentication types supported: -+1. Connection - Plain URI connection -+2. Basic Authentication: username/password support -+3. Client Authentication: certificate authentication support -+conn_args: Name assigned to variable that has common arguments -+needed for all types of connection. -+auth_args: Name assigned to authentication commands that are run using pki. -+cli_args: Name assigned to sub-cli-commands that are run underneath -+pki command. -+ -+Example: -+- name: Call pki command -+ pki: cli='ca-cert-find' authType='connection' -+ -+''' -+ -+import datetime -+import glob -+import shlex -+import os -+ -+if os.path.isfile('/tmp/test_dir/constants.py'): -+ import sys -+ sys.path.append('/tmp/test_dir') -+ import constants -+else: -+ from pki.testlib.common import constants -+from ansible.module_utils.basic import AnsibleModule -+from ansible.module_utils.six import b -+ -+ -+def main(): -+ -+ # the command module is the one ansible module that does not take key=value args -+ # hence don't copy this one if you are looking to build others! 
-+ module = AnsibleModule( -+ argument_spec=dict( -+ raw_params = dict(default='pki'), -+ port = dict(default=''), -+ cli = dict(default='--help'), -+ extra_args = dict(default=''), -+ certnick = dict(default="'PKI CA Administrator for Example.Org'"), -+ username = dict(default='caadmin'), -+ userpassword = dict(default='Secret123'), -+ userpwdfile = dict(default='Secret123'), -+ dbpassword = dict(default='Secret123'), -+ nssdb = dict(default='/opt/pkitest/certdb'), -+ protocol = dict(default='http'), -+ hostname = dict(default='localhost'), -+ authType = dict(default='clientAuth', choices=['connection', 'basicAuth', 'clientAuth']) -+ ) -+ ) -+ if module.params['port']: -+ port = module.params['port'] -+ else: -+ Subsystem=map(lambda x: {"True" if x in module.params['cli'] else False: x } ,["ca", "kra", "ocsp", "tks", "tps"]) -+ for idx, val in enumerate(Subsystem): -+ for key, value in val.iteritems(): -+ if key == 'True': -+ sub = value -+ port = '_'.join([sub.upper(), module.params['protocol'].upper(), "PORT"]) -+ port = getattr(constants, port) -+ conn_args = [module.params['raw_params'], '-d', module.params['nssdb'], '-P', module.params['protocol'], '-p', '%s' %(port), '-h', module.params['hostname'], '-c', module.params['dbpassword']] -+ cli_args = [module.params['cli'], module.params['extra_args']] -+ -+ if module.params['authType'] == 'clientAuth': -+ auth_args = ['-n', module.params['certnick']] -+ args = ' '.join(conn_args + auth_args + cli_args) -+ -+ if module.params['authType'] == 'basicAuth': -+ auth_args = ['-u', module.params['username'], '-w', module.params['userpassword']] -+ args = ' '.join(conn_args + auth_args + cli_args) -+ -+ if module.params['authType'] == 'connection': -+ args = ' '.join(conn_args) -+ -+ rc, out, err = module.run_command(args) -+ -+ result = dict( -+ cmd = args, -+ stdout = out.rstrip(b("\r\n")), -+ stderr = err.rstrip(b("\r\n")), -+ rc = rc, -+ changed = True, -+ ) -+ -+ if rc != 0: -+ module.fail_json(msg='non-zero return 
code', **result) -+ -+ module.exit_json(**result) -+ -+ -+if __name__ == '__main__': -+ main() -+ -diff --git a/tests/dogtag/pytest-ansible/installation/README.md b/tests/dogtag/pytest-ansible/installation/README.md -new file mode 100644 -index 0000000..6b18ee0 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/README.md -@@ -0,0 +1,99 @@ -+# Project Name - Dogtagpki -+ -+## Subsystem Installation using Ansible -+ -+### About -+ -+This ansible playbook is written to setup all the subsystems(CA, KRA, OCSP, TKS and TPS). -+These playbooks can setup the environment based on the topology specified in the runtime. -+ -+### Requirements: -+ -+1. Pip should be installed. -+2. Pip [requiremets.txt](../Installation/requirements.txt) should be installed -+3. Make sure to check ansible version after installation.This can be quickly done using -+ansible --version. -+If this commands works, Your ansible is installed properly. -+ -+4. Before running the playbooks make sure machines that are going to communicate with each other they have passwordless communication working. -+This can be easily done using: -+ `ssh-copy-id root@` -+ -+This will ask you for one time password after which it will copy keys between machines. -+ -+### Verification Step -+``` -+ ssh root@ -+``` -+This should not prompt for password any more. -+ -+### Packages to Install `Only for RHEL users` -+ -+Configure repo that have below listed packages.It is mandatory to setup repo's -+correctly before triggering ansible playbooks for system installation. 
-+ -+``` -+Required Packages: -+ -+ - redhat-pki -+ - redhat-pki-console-theme -+ - redhat-pki-server-theme -+ - pki-console -+ - 389-ds-base -+ - pki-ca -+ - pki-kra -+ - pki-ocsp -+ - pki-tks -+ - pki-tps -+ - policycoreutils-python -+ - expect -+ - libselinux-python -+``` -+ -+### Usage: -+ -+For Setting up Subsystems on different port, use `topology-02 ` -+``` -+ansible-playbook -i /tmp/test/pki-tests/ci/ansible/host main.yml --extra-vars "topology=topology-02" -v -+``` -+ -+For Setting up Subsystems on default and same port, use `topology-01` -+``` -+ansible-playbook -i /tmp/test/pki-tests/ci/ansible/host main.yml --extra-vars "topology=topology-01" -v -+``` -+ -+where, -+ -+ -i INVENTORY, --inventory-file=INVENTORY -+ specify inventory host path -+ (default=/etc/ansible/hosts) or comma separated host -+ list. -+ -+## Examples of ansible-inventory -+ -+Inventory file consist of the roles and the ip-address.Tests will run for the roles and ip's that are mentioned. -+ -+``` -+[master] -+10.1.2.3 -+10.2.3.4 -+``` -+ -+### Sanity tests -+ -+Once playbook installation is complete, use below command and make certificates are returned. -+``` -+ pki -p 20080 ca-cert-find -+``` -+Incase, you are required to run any other topology let us say "topology-01" for shared instance, replace topology-02 with topology-01. -+ -+ -+### Gathering Subsystems Facts -+ -+Gather configuration files, ports and other environment data from `/tmp/test_dir` on the system under test. -+ -+ -+## References: -+ -+1. http://docs.ansible.com/ansible/intro.html -+2. 
http://docs.ansible.com/ansible/intro_installation.html -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/installation/host b/tests/dogtag/pytest-ansible/installation/host -new file mode 100644 -index 0000000..056033d ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/host -@@ -0,0 +1,2 @@ -+[master] -+10.8.52.99 -diff --git a/tests/dogtag/pytest-ansible/installation/main.yml b/tests/dogtag/pytest-ansible/installation/main.yml -new file mode 100644 -index 0000000..41d4b66 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/main.yml -@@ -0,0 +1,11 @@ -+# Configure cosmos repo and install all pre-requisites on Jenkins slave. -+# Git clone and install ipa-pytests on Jenkins slave. -+- hosts: localhost -+ gather_facts: true -+ roles: -+ - Test_Trigger -+ -+# Git clone and install ipa-pytests on all SUT -+- hosts: master -+ roles: -+ - Test_Execution -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py -new file mode 100644 -index 0000000..ccb19b6 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/config_templates/ansible_constants.py -@@ -0,0 +1,52 @@ -+#common to all subsystems -+CLIENT_PKCS12_PASSWORD = 'Secret123' -+CLIENT_DIR_PASSWORD = 'Secret123' -+BACKUP_PASSWORD = 'Secret123' -+CLIENT_DATABASE_PASSWORD = 'Secret123' -+#CA Instance -+CA_HTTPS_PORT = '20443' -+CA_HTTP_PORT = '20080' -+CA_AJP_PORT = '20009' -+CA_TOMCAT_PORT = '20005' -+CA_CLIENT_DIR = '/opt/topology-CA' -+CA_INSTANCE_NAME = 'topology-CA' -+SECURITY_DOMAIN_PASSWORD = 'Secret123' -+CA_PASSWORD = 'Secret123' -+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org' -+CA_ADMIN_USERNAME = 'caadmin' -+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org' -+#KRA Instance -+KRA_INSTANCE_NAME = 'topology-KRA' -+KRA_HTTPS_PORT = 21443 -+KRA_HTTP_PORT = 
21080 -+KRA_AJP_PORT = 21009 -+KRA_TOMCAT_PORT = 21005 -+KRA_PASSWORD = 'Secret123' -+KRA_CLIENT_DIR = '/opt/topology-KRA' -+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org' -+#OCSP Instance -+OCSP_INSTANCE_NAME = 'topology-OCSP' -+OCSP_HTTPS_PORT = 22443 -+OCSP_HTTP_PORT = 22080 -+OCSP_AJP_PORT = 22009 -+OCSP_TOMCAT_PORT = 22005 -+OCSP_PASSWORD = 'Secret123' -+OCSP_CLIENT_DIR = '/opt/topology-OCSP' -+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org' -+#TKS Instance -+TKS_INSTANCE_NAME = 'topology-TKS' -+TKS_HTTPS_PORT = 23443 -+TKS_HTTP_PORT = 23080 -+TKS_AJP_PORT = 23009 -+TKS_TOMCAT_PORT = 23005 -+TKS_PASSWORD = 'Secret123' -+TKS_CLIENT_DIR = '/opt/topology-TKS' -+#TPS instance -+TPS_INSTANCE_NAME = 'topology-TPS' -+TPS_HTTPS_PORT = '25443' -+TPS_HTTP_PORT = '25080' -+TPS_AJP_PORT = '25009' -+TPS_TOMCAT_PORT = '25005' -+TPS_PASSWORD = 'Secret123' -+TPS_CLIENT_DIR = '/opt/topology-TPS' -+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org' -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script -new file mode 100755 -index 0000000..c98e4ae ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/files/test/script -@@ -0,0 +1,79 @@ -+#!/bin/sh -+#Generate Noise using Openssl -+echo "Defining variables " -+tks_password="/tmp/tkspassword.txt" -+tps_password="/tmp/tpspassword.txt" -+tks_alias="/var/lib/pki/$1-TKS/alias" -+tps_alias="/var/lib/pki/$1-TPS/alias" -+tks_noise="/tmp/tks_noise" -+tks_shared_secret="sharedSecret" -+tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg" -+tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg" -+tps_input_file="/tmp/tps-input.txt" -+tks_secret_output="/tmp/secret" -+tks_input_file="/tmp/tks-input.txt" -+tks_input="proceed\r\n" -+tks_secret_output="/tmp/sharedSecret.out" -+tps_key_import_status="/tmp/sharedSecretImport.out" -+echo "proceed\r\n" > $tks_input_file -+echo "Generate 
Noise using OpenSSL" -+openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise -+cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password -+cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password -+ -+echo "Stopping TKS & TPS instance" -+systemctl stop pki-tomcatd@$1-TKS.service -+systemctl stop pki-tomcatd@$1-TPS.service -+echo "Generating shared secret" -+/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password -+/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file -+/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out -+grep "$tks_shared_secret" /tmp/sharedSecretList1.out -+first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:") -+first_session_tmp2=$(echo $first_session_tmp1 | sed 's/^first session key share://') -+first_session_key=$(echo ${first_session_tmp2%% }) -+first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:") -+first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://') -+first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% }) -+ -+second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:") -+second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://') -+second_session_key=$(echo ${second_session_tmp2%% }) -+second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:") -+second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://') -+second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% }) -+ -+third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:") -+third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://') -+third_session_key=$(echo ${third_session_tmp2%% }) 
-+third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:") -+third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://') -+third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% }) -+ -+sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf -+sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf -+echo "Restart $1-TKS instance" -+systemctl restart pki-tomcatd@$1-TKS.service -+echo "proceed\r\n" > $tps_input_file -+echo "$first_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$first_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "$second_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$second_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "$third_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$third_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+ -+/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status -+/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out -+grep "$tks_shared_secret" /tmp/sharedSecretList2.out -+sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf -+sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf -+echo "Restart $1-TPS instance" -+systemctl restart pki-tomcatd@$1-TPS.service -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml -new file mode 100644 -index 0000000..3342a9a ---- /dev/null -+++ 
b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/main.yml -@@ -0,0 +1,3 @@ -+- name: Inclue pki-core handlers -+ include: pki-core.yml -+ tags: pki-core -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml -new file mode 100644 -index 0000000..ed22477 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/handlers/pki-core.yml -@@ -0,0 +1,54 @@ -+- name: STOPCA -+ service: -+ name: pki-tomcatd@{{ topology }}-CA -+ state: stopped -+ -+- name: STARTCA -+ service: -+ name: pki-tomcatd@{{ topology }}-CA -+ state: started -+ -+- name: STOPKRA -+ service: -+ name: pki-tomcatd@{{ topology }}-KRA -+ state: stopped -+ -+- name: STARTKRA -+ service: -+ name: pki-tomcatd@{{ topology }}-KRA -+ state: started -+ -+- name: STOPOCSP -+ service: -+ name: pki-tomcatd@{{ topology }}-OCSP -+ state: stopped -+ -+- name: STARTOCSP -+ service: -+ name: pki-tomcatd@{{ topology }}-OCSP -+ state: started -+ -+- name: STOPTKS -+ service: -+ name: pki-tomcatd@{{ topology }}-TKS -+ state: stopped -+ -+- name: STARTTKS -+ service: -+ name: pki-tomcatd@{{ topology }}-TKS -+ state: started -+ -+- name: STOPTPS -+ service: -+ name: pki-tomcatd@{{ topology }}-TPS -+ state: stopped -+ -+- name: STARTTPS -+ service: -+ name: pki-tomcatd@{{ topology }}-TPS -+ state: started -+ -+- name: INC_CONSTANTS -+ include_vars: -+ file: /tmp/test_dir/constants.yml -+ name: variable -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml -new file mode 100644 -index 0000000..a1de87d ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ca.yml -@@ -0,0 +1,18 @@ -+- name: Install CA master -+ shell: pkispawn -s CA -f 
/tmp/test_dir/ca.cfg -+ -+- name : Stopping CA Subsystem -+ shell: systemctl stop pki-tomcatd@{{ topology }}-CA.service -+ -+- name: Enable SignedAudit for Subsystem -+ replace: dest=/etc/pki/{{ topology }}-CA/ca/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" -+ -+- name: Getting certificate nickname for CA CS.cfg -+ shell: grep "ca.ocsp_signing.nickname" /etc/pki/{{ topology }}-CA/ca/CS.cfg |awk -F"=" ' { print $2 } ' -+ register: nickname_ocsp -+ -+- name: Importing client certificate for OCSP -+ shell: certutil -L -d /var/lib/pki/{{ topology }}-CA/alias -n "{{ nickname_ocsp.stdout }}" -a > /tmp/test_dir/ocsp_signing.crt -+ -+- name : Starting CA Subsystem -+ shell: systemctl start pki-tomcatd@{{ topology }}-CA.service -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml -new file mode 100644 -index 0000000..ac44bc5 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_common.yml -@@ -0,0 +1,77 @@ -+- name: Disable firewalld before LDAP and Subsystem installation -+ systemd: state=stopped name=firewalld -+ -+- name : Set hostname for machines Bydefault we choose pki1 for master and pki2 for clones. 
-+ hostname: name=pki1.example.com -+ tags: platform-ci -+ -+- name: Install a required package for modify hostname task below -+ dnf: pkg={{item}} state=latest -+ with_items: -+ - libselinux-python -+ when: ansible_distribution == "Fedora" -+ -+- name : Modify hostname for master in /etc/hosts -+ lineinfile: dest=/etc/hosts regexp='.*{{ inventory_hostname }}$' create=yes insertafter=EOF line="{{ inventory_hostname }} {{ansible_fqdn}}" state=present -+ tags: platform-ci -+ -+ -+- name : fetch file in master in /etc/hosts -+ fetch: src=/etc/hosts dest=/etc/ flat=yes validate_checksum=no -+ tags: platform-ci -+ -+- name: Install list of packages for CS Master for Redhat -+ yum : pkg={{item}} state=latest -+ with_items: -+ - redhat-pki -+ - redhat-pki-console-theme -+ - redhat-pki-server-theme -+ - pki-console -+ - 389-ds-base -+ - pki-ca -+ - pki-kra -+ - pki-ocsp -+ - pki-tks -+ - pki-tps -+ - policycoreutils-python -+ - expect -+ - libselinux-python -+ when: ansible_distribution == "RedHat" -+ tags: platform-ci -+ -+- name: Install list of packages for CS Master for Fedora -+ dnf : pkg={{item}} state=latest -+ with_items: -+ - 389-ds-base -+ - dogtag-pki -+ - dogtag-pki-console-theme -+ - dogtag-pki-server-theme -+ - policycoreutils-python -+ - expect -+ when: ansible_distribution == "Fedora" -+ tags: platform-ci -+ -+- name: Check for Removed dependency from mod_revocator and mod_nss.If failes refer BZ 1295276 -+ command: rpm -q {{item}} -+ with_items: -+ - mod_revocator -+ - mod_nss -+ register: rpm_check -+ failed_when: "rpm_check.rc == 0" -+ -+- name: Check for Removed dependency of perl from pki-server.If fails, refer BZ 1305769 -+ command: rpm -qR pki-server | grep perl -+ register: rpm_check -+ failed_when: "rpm_check.rc == 0" -+ -+- name: Copying templates to /tmp folder -+ copy : src=/tmp/test_dir dest=/tmp/ -+ tags: platform-ci -+ -+- name: Making constants.py file compatable for including as vars. 
-+ shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml -+ -+- name: Fetch the file -+ fetch: src=/tmp/test_dir/constants.yml dest=/tmp/test_dir/ flat=yes validate_checksum=no -+ -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml -new file mode 100644 -index 0000000..670fa5e ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_kra.yml -@@ -0,0 +1,24 @@ -+- name: Install KRA master -+ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg -+ -+- name : Stopping KRA Subsystem -+ shell: echo "Stopping Subsystem for enabling Audit logging" -+ notify: -+ - STOPKRA -+ - INC_CONSTANTS -+ -+- meta: flush_handlers -+ -+- name: Enable SignedAudit -+ replace: dest=/etc/pki/{{ topology }}-KRA/kra/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" -+ -+- name: Enable OCSP for KRA -+ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"' -+ -+- name: Pointing KRA to correct OCSP port -+ replace: dest=/etc/pki/{{ topology }}-KRA/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp -+ -+- name: Importing OCSP certificate in kra nssdb -+ shell: certutil -A -d /etc/pki/{{ topology }}-KRA/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -+ notify: -+ - STARTKRA -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml -new file mode 100644 -index 0000000..01d867b ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ldap.yml -@@ -0,0 +1,20 @@ -+ -+- name: Setup DS Service -+ shell: setup-ds.pl --silent 
--file=/tmp/test_dir/ldap.cfg -+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc" -+ -+- name: Setup DS Service -+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_kra.cfg -+ when: topology == "topology-05" -+ -+- name: Setup DS Service -+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_ocsp.cfg -+ when: topology == "topology-05" -+ -+- name: Setup DS Service -+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tks.cfg -+ when: topology == "topology-05" -+ -+- name: Setup DS Service -+ shell: setup-ds.pl --silent --file=/tmp/test_dir/ldap_tps.cfg -+ when: topology == "topology-05" -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml -new file mode 100644 -index 0000000..373a16c ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_ocsp.yml -@@ -0,0 +1,17 @@ -+- name: sleep -+ shell: sleep 5s -+ -+- name: Install OCSP master -+ shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg -+ -+- name : Stopping OCSP Subsystem -+ shell: echo "Stopping Subsystem for enabling Audit logging" -+ notify: -+ - STOPOCSP -+ -+- name: Enable SignedAudit -+ replace: dest=/etc/pki/{{ topology }}-OCSP/ocsp/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" -+ notify: -+ - STARTOCSP -+ -+- meta: flush_handlers -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml -new file mode 100644 -index 0000000..dee083c ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_shared.yml -@@ -0,0 +1,14 @@ -+- name: 
Install CA master -+ shell: pkispawn -s CA -f /tmp/test_dir/ca.cfg -+ -+- name: Install KRA master -+ shell: pkispawn -s KRA -f /tmp/test_dir/kra.cfg -+ -+- name: Install OCSP master -+ shell: pkispawn -s OCSP -f /tmp/test_dir/ocsp.cfg -+ -+- name: Install TKS master -+ shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg -+ -+- name: Install TPS master -+ shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml -new file mode 100644 -index 0000000..f2e4de4 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_sharedsecret.yml -@@ -0,0 +1,4 @@ -+- name: Shared Secret sharing between TPS and TKS -+ script: test/script {{ topology }} -+ when: topology == "topology-02" or topology == "topology-05" -+ tags: platform-ci -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml -new file mode 100644 -index 0000000..78295d1 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tks.yml -@@ -0,0 +1,30 @@ -+- name: Install TKS master -+ shell: pkispawn -s TKS -f /tmp/test_dir/tks.cfg -+ -+- name : Stopping TKS Subsystem -+ shell: echo "Stopping Subsystem for enabling Audit logging" -+ notify: -+ - STOPTKS -+ - INC_CONSTANTS -+ -+- meta: flush_handlers -+ -+- name: Enable SignedAudit -+ replace: dest=/etc/pki/{{ topology }}-TKS/tks/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" -+ -+- name: Enable OCSP for TKS -+ replace: dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"' -+ -+- name: Pointing TKS to correct OCSP port -+ replace: 
dest=/etc/pki/{{ topology }}-TKS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp -+ -+- name: Importing OCSP certificate in TKS nssdb -+ shell: certutil -A -d /etc/pki/{{ topology }}-TKS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -+ notify: -+ - STARTTKS -+ -+- meta: flush_handlers -+ -+- name: Sleep for a while to start TKS -+ shell: sleep 3s -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml -new file mode 100644 -index 0000000..5aa1021 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/configure_tps.yml -@@ -0,0 +1,24 @@ -+- name: Install TPS master -+ shell: pkispawn -s TPS -f /tmp/test_dir/tps.cfg -+ -+- name : Stopping TPS Subsystem -+ shell: echo "Stopping Subsystem for enabling Audit logging" -+ notify: -+ - STOPTPS -+ - INC_CONSTANTS -+ -+- meta: flush_handlers -+ -+- name: Enable SignedAudit -+ replace: dest=/etc/pki/{{ topology }}-TPS/tps/CS.cfg regexp="log.instance.SignedAudit.logSigning=false" replace="log.instance.SignedAudit.logSigning=true" -+ -+- name: Enable OCSP for TPS -+ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='enableOCSP="false"' replace='enableOCSP="true"' -+ -+- name: Pointing TPS to correct OCSP port -+ replace: dest=/etc/pki/{{ topology }}-TPS/server.xml regexp='([0-9]+)/ca/ocsp' replace={{ variable.CA_HTTP_PORT }}/ca/ocsp -+ -+- name: Importing OCSP certificate in tps nssdb -+ shell: certutil -A -d /etc/pki/{{ topology }}-TPS/alias -n "ocspSigningCert cert-pki-ca" -t "C,," -i /tmp/test_dir/ocsp_signing.crt -+ notify: -+ - STARTTPS -\ No newline at end of file -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml -new file mode 100644 -index 0000000..2aa432b 
---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Execution/tasks/main.yml -@@ -0,0 +1,19 @@ -+--- -+- include: configure_common.yml -+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc" -+- include: configure_ldap.yml -+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc" -+- include: configure_shared.yml -+ when: topology == "topology-01" -+- include: configure_ca.yml -+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc" -+- include: configure_ocsp.yml -+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc" -+- include: configure_kra.yml -+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc" -+- include: configure_tks.yml -+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" -+- include: configure_tps.yml -+ when: topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" -+- include: configure_sharedsecret.yml -+ when: topology == "topology-02" or topology == "topology-04" or topology == "topology-05" -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py -new file mode 100644 -index 0000000..ccb19b6 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/config_templates/ansible_constants.py -@@ -0,0 +1,52 @@ 
-+#common to all subsystems -+CLIENT_PKCS12_PASSWORD = 'Secret123' -+CLIENT_DIR_PASSWORD = 'Secret123' -+BACKUP_PASSWORD = 'Secret123' -+CLIENT_DATABASE_PASSWORD = 'Secret123' -+#CA Instance -+CA_HTTPS_PORT = '20443' -+CA_HTTP_PORT = '20080' -+CA_AJP_PORT = '20009' -+CA_TOMCAT_PORT = '20005' -+CA_CLIENT_DIR = '/opt/topology-CA' -+CA_INSTANCE_NAME = 'topology-CA' -+SECURITY_DOMAIN_PASSWORD = 'Secret123' -+CA_PASSWORD = 'Secret123' -+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org' -+CA_ADMIN_USERNAME = 'caadmin' -+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org' -+#KRA Instance -+KRA_INSTANCE_NAME = 'topology-KRA' -+KRA_HTTPS_PORT = 21443 -+KRA_HTTP_PORT = 21080 -+KRA_AJP_PORT = 21009 -+KRA_TOMCAT_PORT = 21005 -+KRA_PASSWORD = 'Secret123' -+KRA_CLIENT_DIR = '/opt/topology-KRA' -+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org' -+#OCSP Instance -+OCSP_INSTANCE_NAME = 'topology-OCSP' -+OCSP_HTTPS_PORT = 22443 -+OCSP_HTTP_PORT = 22080 -+OCSP_AJP_PORT = 22009 -+OCSP_TOMCAT_PORT = 22005 -+OCSP_PASSWORD = 'Secret123' -+OCSP_CLIENT_DIR = '/opt/topology-OCSP' -+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org' -+#TKS Instance -+TKS_INSTANCE_NAME = 'topology-TKS' -+TKS_HTTPS_PORT = 23443 -+TKS_HTTP_PORT = 23080 -+TKS_AJP_PORT = 23009 -+TKS_TOMCAT_PORT = 23005 -+TKS_PASSWORD = 'Secret123' -+TKS_CLIENT_DIR = '/opt/topology-TKS' -+#TPS instance -+TPS_INSTANCE_NAME = 'topology-TPS' -+TPS_HTTPS_PORT = '25443' -+TPS_HTTP_PORT = '25080' -+TPS_AJP_PORT = '25009' -+TPS_TOMCAT_PORT = '25005' -+TPS_PASSWORD = 'Secret123' -+TPS_CLIENT_DIR = '/opt/topology-TPS' -+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org' -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg -new file mode 100644 -index 0000000..e286927 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ca.cfg -@@ -0,0 +1,38 @@ -+[DEFAULT] 
-+pki_instance_name = topology-CA -+pki_https_port = capki_https_port -+pki_http_port = capki_http_port -+pki_token_password = Secret123 -+pki_admin_password = Secret123 -+pki_hostname = SERVERNAME -+pki_security_domain_name = topology_Foobarmaster.org -+pki_security_domain_password = Secret123 -+pki_client_dir = /opt/topology-CA -+pki_client_pkcs12_password = Secret123 -+pki_backup_keys = True -+pki_backup_password = Secret123 -+pki_ds_password = Secret123 -+pki_ds_ldap_port = ldapServerPort -+pki_ssl_server_key_algorithm=SHA512withRSA -+pki_ssl_server_key_size=2048 -+pki_ssl_server_key_type=rsa -+pki_subsystem_key_algorithm=SHA512withRSA -+pki_subsystem_key_size=2048 -+pki_subsystem_key_type=rsa -+ -+[Tomcat] -+pki_ajp_port = capki_ajp_port -+pki_tomcat_server_port = capki_tomcat_port -+ -+[CA] -+pki_import_admin_cert = False -+pki_ds_hostname = SERVERNAME -+pki_admin_nickname = PKI CA Administrator for Example.Org -+pki_ca_signing_key_algorithm=SHA512withRSA -+pki_ca_signing_key_size=2048 -+pki_ca_signing_key_type=rsa -+pki_ca_signing_signing_algorithm=SHA512withRSA -+pki_ocsp_signing_key_algorithm=SHA512withRSA -+pki_ocsp_signing_key_size=2048 -+pki_ocsp_signing_key_type=rsa -+pki_ocsp_signing_signing_algorithm=SHA512withRSA -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py -new file mode 100644 -index 0000000..8df625c ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/constants.py -@@ -0,0 +1,67 @@ -+#common to all subsystems -+CLIENT_PKCS12_PASSWORD = 'Secret123' -+CLIENT_DIR_PASSWORD = 'Secret123' -+BACKUP_PASSWORD = 'Secret123' -+CLIENT_DATABASE_PASSWORD = 'Secret123' -+#CA Instance -+CA_HTTPS_PORT = 'capki_https_port' -+CA_HTTP_PORT = 'capki_http_port' -+CA_AJP_PORT = 'capki_ajp_port' -+CA_TOMCAT_PORT = 'capki_tomcat_port' -+CA_CLIENT_DIR = '/opt/topology-CA' -+CA_INSTANCE_NAME = 
'topology-CA' -+SECURITY_DOMAIN_PASSWORD = 'Secret123' -+CA_PASSWORD = 'Secret123' -+CA_SECURITY_DOMAIN_NAME = 'topology_Foobarmaster.org' -+CA_ADMIN_USERNAME = 'caadmin' -+CA_ADMIN_NICK = 'PKI CA Administrator for Example.Org' -+#KRA Instance -+KRA_INSTANCE_NAME = 'topology-KRA' -+KRA_HTTPS_PORT = 'krapki_https_port' -+KRA_HTTP_PORT = 'krapki_http_port' -+KRA_AJP_PORT = 'krapki_ajp_port' -+KRA_TOMCAT_PORT = 'krapki_tomcat_server_port' -+KRA_PASSWORD = 'Secret123' -+KRA_CLIENT_DIR = '/opt/topology-KRA' -+KRA_ADMIN_NICK = 'PKI KRA Administrator for Example.Org' -+#OCSP Instance -+OCSP_INSTANCE_NAME = 'topology-OCSP' -+OCSP_HTTPS_PORT = 'ocsppki_https_port' -+OCSP_HTTP_PORT = 'ocsppki_http_port' -+OCSP_AJP_PORT = 'ocsppki_ajp_port' -+OCSP_TOMCAT_PORT = 'ocsppki_tomcat_server_port' -+OCSP_PASSWORD = 'Secret123' -+OCSP_CLIENT_DIR = '/opt/topology-OCSP' -+OCSP_ADMIN_NICK = 'PKI OCSP Administrator for Example.Org' -+#TKS Instance -+TKS_INSTANCE_NAME = 'topology-TKS' -+TKS_HTTPS_PORT = 'tkspki_https_port' -+TKS_HTTP_PORT = 'tkspki_http_port' -+TKS_AJP_PORT = 'tkspki_ajp_port' -+TKS_TOMCAT_PORT = 'tkspki_tomcat_server_port' -+TKS_PASSWORD = 'Secret123' -+TKS_CLIENT_DIR = '/opt/topology-TKS' -+TKS_ADMIN_NICK = 'PKI TKS Administrator for Example.Org' -+#TPS instance -+TPS_INSTANCE_NAME = 'topology-TPS' -+TPS_HTTPS_PORT = 'tpspki_https_port' -+TPS_HTTP_PORT = 'tpspki_http_port' -+TPS_AJP_PORT = 'tpspki_ajp_port' -+TPS_TOMCAT_PORT = 'tpspki_tomcat_server_port' -+TPS_PASSWORD = 'Secret123' -+TPS_CLIENT_DIR = '/opt/topology-TPS' -+TPS_ADMIN_NICK = 'PKI TPS Administrator for Example.Org' -+#LDAP Details -+LDAP_PORT = 'ldapServerPort' -+LDAP_BIND_DN = 'cn=Directory Manager' -+LDAP_PASSWD = 'Secret123' -+LDAP_BASE_DN = 'dc=example,dc=org' -+LDAP_KRA_PORT = 'ldapkraServerPort' -+LDAP_OCSP_PORT = 'ldapocspServerPort' -+LDAP_TKS_PORT = 'ldaptksServerPort' -+LDAP_TPS_PORT = 'ldaptpsServerPort' -+LDAP_USER = 'foobar' -+LDAP_USER_ENROLL = 'testuser' -+CUID = '40906145C76224192D2B' 
-+CUID_01 = '40906145C76224192D11' -+TPS_OPERATION = 'ra_enroll' -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg -new file mode 100644 -index 0000000..fd46b09 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/kra.cfg -@@ -0,0 +1,42 @@ -+[DEFAULT] -+pki_instance_name = topology-KRA -+pki_https_port = krapki_https_port -+pki_http_port = krapki_http_port -+pki_token_password = Secret123 -+pki_admin_password = Secret123 -+pki_hostname = SERVERNAME -+pki_security_domain_hostname = SERVERNAME -+pki_security_domain_https_port = secure_domain_port -+pki_security_domain_name = topology_Foobarmaster.org -+pki_security_domain_password = Secret123 -+pki_client_dir = /opt/topology-KRA -+pki_client_pkcs12_password = Secret123 -+pki_backup_keys = True -+pki_backup_password = Secret123 -+pki_ds_password = Secret123 -+pki_ds_ldap_port = ldapServerPort -+pki_client_database_password = Secret123 -+pki_ssl_server_key_algorithm=SHA512withRSA -+pki_ssl_server_key_size=2048 -+pki_ssl_server_key_type=rsa -+pki_subsystem_key_algorithm=SHA512withRSA -+pki_subsystem_key_size=2048 -+pki_subsystem_key_type=rsa -+ -+[Tomcat] -+pki_ajp_port = krapki_ajp_port -+pki_tomcat_server_port = krapki_tomcat_server_port -+ -+[KRA] -+pki_import_admin_cert = False -+pki_ds_hostname = SERVERNAME -+pki_admin_nickname = PKI KRA Administrator for Example.Org -+pki_storage_key_algorithm=SHA512withRSA -+pki_storage_key_size=2048 -+pki_storage_key_type=rsa -+pki_storage_signing_algorithm=SHA512withRSA -+pki_transport_key_algorithm=SHA512withRSA -+pki_transport_key_size=2048 -+pki_transport_key_type=rsa -+pki_transport_signing_algorithm=SHA512withRSA -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg -new file mode 100644 
-index 0000000..820efec ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ldap.cfg -@@ -0,0 +1,12 @@ -+[General] -+FullMachineName = SERVERNAME -+SuiteSpotUserID = nobody -+SuiteSpotGroup = nobody -+ConfigDirectoryAdminID = admin -+ -+[slapd] -+ServerIdentifier = topology-testingmaster -+ServerPort = ldapServerPort -+Suffix = dc=example,dc=org -+RootDN = CN=Directory Manager -+RootDNPwd = Secret123 -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg -new file mode 100644 -index 0000000..e553c32 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/ocsp.cfg -@@ -0,0 +1,36 @@ -+[DEFAULT] -+pki_instance_name = topology-OCSP -+pki_https_port = ocsppki_https_port -+pki_http_port = ocsppki_http_port -+pki_token_password = Secret123 -+pki_admin_password = Secret123 -+pki_hostname = SERVERNAME -+pki_security_domain_name = topology_Foobarmaster.org -+pki_security_domain_password = Secret123 -+pki_security_domain_https_port = secure_domain_port -+pki_client_dir = /opt/topology-OCSP -+pki_client_pkcs12_password = Secret123 -+pki_backup_keys = True -+pki_backup_password = Secret123 -+pki_ds_password = Secret123 -+pki_ds_ldap_port = ldapServerPort -+pki_client_database_password = Secret123 -+pki_ssl_server_key_algorithm=SHA512withRSA -+pki_ssl_server_key_size=2048 -+pki_ssl_server_key_type=rsa -+pki_subsystem_key_algorithm=SHA512withRSA -+pki_subsystem_key_size=2048 -+pki_subsystem_key_type=rsa -+ -+[Tomcat] -+pki_ajp_port = ocsppki_ajp_port -+pki_tomcat_server_port = ocsppki_tomcat_server_port -+ -+[OCSP] -+pki_import_admin_cert = False -+pki_ds_hostname = SERVERNAME -+pki_admin_nickname= PKI OCSP Administrator for Example.Org -+pki_ocsp_signing_key_algorithm=SHA512withRSA -+pki_ocsp_signing_key_size=2048 -+pki_ocsp_signing_key_type=rsa 
-+pki_ocsp_signing_signing_algorithm=SHA512withRSA -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script -new file mode 100755 -index 0000000..c98e4ae ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/script -@@ -0,0 +1,79 @@ -+#!/bin/sh -+#Generate Noise using Openssl -+echo "Defining variables " -+tks_password="/tmp/tkspassword.txt" -+tps_password="/tmp/tpspassword.txt" -+tks_alias="/var/lib/pki/$1-TKS/alias" -+tps_alias="/var/lib/pki/$1-TPS/alias" -+tks_noise="/tmp/tks_noise" -+tks_shared_secret="sharedSecret" -+tks_conf="/var/lib/pki/$1-TKS/tks/conf/CS.cfg" -+tps_conf="/var/lib/pki/$1-TPS/tps/conf/CS.cfg" -+tps_input_file="/tmp/tps-input.txt" -+tks_secret_output="/tmp/secret" -+tks_input_file="/tmp/tks-input.txt" -+tks_input="proceed\r\n" -+tks_secret_output="/tmp/sharedSecret.out" -+tps_key_import_status="/tmp/sharedSecretImport.out" -+echo "proceed\r\n" > $tks_input_file -+echo "Generate Noise using OpenSSL" -+openssl rand -hex 2048 | perl -p -e 's/\n//' > $tks_noise -+cat /var/lib/pki/$1-TKS/conf/password.conf | sed 's/^internal=//' > $tks_password -+cat /var/lib/pki/$1-TPS/conf/password.conf | sed 's/^internal=//' > $tps_password -+ -+echo "Stopping TKS & TPS instance" -+systemctl stop pki-tomcatd@$1-TKS.service -+systemctl stop pki-tomcatd@$1-TPS.service -+echo "Generating shared secret" -+/usr/bin/tkstool -D -d $tks_alias -n "TPS-`hostname`-25443 sharedSecret" -f $tks_password -+/usr/bin/tkstool -T -d $tks_alias -n $tks_shared_secret -f $tks_password -z $tks_noise > $tks_secret_output < $tks_input_file -+/usr/bin/tkstool -L -d $tks_alias -n $tks_shared_secret -f $tks_password > /tmp/sharedSecretList1.out -+grep "$tks_shared_secret" /tmp/sharedSecretList1.out -+first_session_tmp1=$(cat $tks_secret_output | grep -A1 "first\ssession\skey\sshare:") -+first_session_tmp2=$(echo $first_session_tmp1 | sed 
's/^first session key share://') -+first_session_key=$(echo ${first_session_tmp2%% }) -+first_session_KCV_tmp1=$(cat $tks_secret_output | grep "first\ssession\skey\sshare\sKCV:") -+first_session_KCV_tmp2=$(echo $first_session_KCV_tmp1 | sed 's/^first session key share KCV://') -+first_session_KCV_key=$(echo ${first_session_KCV_tmp2%% }) -+ -+second_session_tmp1=$(cat $tks_secret_output | grep -A1 "second\ssession\skey\sshare:") -+second_session_tmp2=$(echo $second_session_tmp1 | sed 's/^second session key share://') -+second_session_key=$(echo ${second_session_tmp2%% }) -+second_session_KCV_tmp1=$(cat $tks_secret_output | grep "second\ssession\skey\sshare\sKCV:") -+second_session_KCV_tmp2=$(echo $second_session_KCV_tmp1 | sed 's/^second session key share KCV://') -+second_session_KCV_key=$(echo ${second_session_KCV_tmp2%% }) -+ -+third_session_tmp1=$(cat $tks_secret_output | grep -A1 "third\ssession\skey\sshare:") -+third_session_tmp2=$(echo $third_session_tmp1 | sed 's/^third session key share://') -+third_session_key=$(echo ${third_session_tmp2%% }) -+third_session_KCV_tmp1=$(cat $tks_secret_output | grep "third\ssession\skey\sshare\sKCV:") -+third_session_KCV_tmp2=$(echo $third_session_KCV_tmp1 | sed 's/^third session key share KCV://') -+third_session_KCV_key=$(echo ${third_session_KCV_tmp2%% }) -+ -+sed -i -e "/tps.0.nickname=/s/=.*/=$tks_shared_secret/g" $tks_conf -+sed -i -e "/tks.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tks_conf -+echo "Restart $1-TKS instance" -+systemctl restart pki-tomcatd@$1-TKS.service -+echo "proceed\r\n" > $tps_input_file -+echo "$first_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$first_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo "$second_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$second_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+echo 
"proceed\r\n" >> $tps_input_file -+echo "$third_session_key\r\n" >> $tps_input_file -+echo "\r\n" >> $tps_input_file -+echo "$third_session_KCV_key\r\n" >> $tps_input_file -+echo "proceed\r\n" >> $tps_input_file -+ -+/usr/bin/tkstool -I -d $tps_alias -n $tks_shared_secret -f $tps_password < $tps_input_file > $tps_key_import_status -+/usr/bin/tkstool -L -d $tps_alias -n $tks_shared_secret -f $tps_password > /tmp/sharedSecretList2.out -+grep "$tks_shared_secret" /tmp/sharedSecretList2.out -+sed -i -e "/tps.connector.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf -+sed -i -e "/conn.tks1.tksSharedSymKeyName=/s/=.*/=$tks_shared_secret/g" $tps_conf -+echo "Restart $1-TPS instance" -+systemctl restart pki-tomcatd@$1-TPS.service -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg -new file mode 100644 -index 0000000..479bbbf ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tks.cfg -@@ -0,0 +1,26 @@ -+[DEFAULT] -+pki_instance_name = topology-TKS -+pki_https_port = tkspki_https_port -+pki_http_port = tkspki_http_port -+pki_token_password = Secret123 -+pki_admin_password = Secret123 -+pki_hostname = SERVERNAME -+pki_security_domain_name = topology_Foobarmaster.org -+pki_security_domain_password = Secret123 -+pki_security_domain_https_port = secure_domain_port -+pki_client_dir = /opt/topology-TKS -+pki_client_pkcs12_password = Secret123 -+pki_backup_keys = True -+pki_backup_password = Secret123 -+pki_ds_password = Secret123 -+pki_ds_ldap_port = ldapServerPort -+pki_client_database_password = Secret123 -+ -+[Tomcat] -+pki_ajp_port = tkspki_ajp_port -+pki_tomcat_server_port = tkspki_tomcat_server_port -+ -+[TKS] -+pki_import_admin_cert = False -+pki_ds_hostname = SERVERNAME -+pki_admin_nickname= PKI TKS Administrator for Example.Org -diff --git 
a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg -new file mode 100644 -index 0000000..b878abc ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/files/test/tps.cfg -@@ -0,0 +1,34 @@ -+[DEFAULT] -+pki_instance_name = topology-TPS -+pki_https_port = tpspki_https_port -+pki_http_port = tpspki_http_port -+pki_token_password = Secret123 -+pki_admin_password = Secret123 -+pki_hostname = SERVERNAME -+pki_security_domain_hostname = SERVERNAME -+pki_security_domain_https_port = secure_domain_port -+pki_security_domain_name = topology_Foobarmaster.org -+pki_security_domain_password = Secret123 -+pki_client_dir = /opt/topology-TPS -+pki_client_pkcs12_password = Secret123 -+pki_backup_keys = True -+pki_backup_password = Secret123 -+pki_ds_password = Secret123 -+pki_ds_ldap_port = ldapServerPort -+pki_client_database_password = Secret123 -+ -+[Tomcat] -+pki_ajp_port = tpspki_ajp_port -+pki_tomcat_server_port = tpspki_tomcat_server_port -+ -+[TPS] -+pki_import_admin_cert = False -+pki_ds_hostname = SERVERNAME -+pki_authdb_basedn = ou=People,dc=example,dc=org -+pki_authdb_hostname=SERVERNAME -+pki_authdb_port=3389 -+pki_ca_uri=https://SERVERNAME:capki_https_port -+pki_tks_uri=https://SERVERNAME:tkspki_https_port -+pki_kra_uri=https://SERVERNAME:krapki_https_port -+pki_admin_nickname=PKI TPS Administrator for Example.Org -+pki_enable_server_side_keygen=True -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml -new file mode 100644 -index 0000000..67c112b ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ca.yml -@@ -0,0 +1,25 @@ -+ -+- name: Replace CA specific changes -+ replace: dest={{item}} regexp="capki_https_port" replace={{capki_https_port}} -+ with_items: -+ 
- /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/constants.py -+ -+- name: Replace http port for CA. -+ replace: dest={{item}} regexp="capki_http_port" replace={{capki_http_port}} -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/constants.py -+ -+- name: Replace ajp port for CA -+ replace: dest={{item}} regexp="capki_ajp_port" replace={{capki_ajp_port}} -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/constants.py -+ -+- name : Replace tomcat port for CA -+ replace: dest={{item}} regexp="capki_tomcat_port" replace={{capki_tomcat_port}} -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/constants.py -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml -new file mode 100644 -index 0000000..4bb8bc4 ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_common.yml -@@ -0,0 +1,146 @@ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir }}/vars/ldap_shared.yml" -+ - "{{ playbook_dir }}/vars/ca_shared.yml" -+ when: topology == "topology-01" -+ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir }}/vars/ldap.yml" -+ - "{{ playbook_dir }}/vars/ca.yml" -+ - "{{ playbook_dir }}/vars/kra.yml" -+ - "{{ playbook_dir }}/vars/ocsp.yml" -+ - "{{ playbook_dir }}/vars/tks.yml" -+ - "{{ playbook_dir }}/vars/tps.yml" -+ when: topology == "topology-02" -+ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir }}/vars/ldap.yml" -+ - "{{ playbook_dir }}/vars/ca.yml" -+ - "{{ playbook_dir }}/vars/kra.yml" -+ - "{{ playbook_dir }}/vars/ocsp.yml" -+ when: topology == "topology-03" -+ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir 
}}/vars/ldap.yml" -+ - "{{ playbook_dir }}/vars/ca.yml" -+ - "{{ playbook_dir }}/vars/kra.yml" -+ - "{{ playbook_dir }}/vars/tks.yml" -+ - "{{ playbook_dir }}/vars/tps.yml" -+ when: topology == "topology-04" -+ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir }}/vars/ldap.yml" -+ - "{{ playbook_dir }}/vars/ca.yml" -+ - "{{ playbook_dir }}/vars/kra.yml" -+ - "{{ playbook_dir }}/vars/ocsp.yml" -+ - "{{ playbook_dir }}/vars/tks.yml" -+ - "{{ playbook_dir }}/vars/tps.yml" -+ when: topology == "topology-05" -+ -+- name: Pick constants based on {{topology}} -+ include_vars: "{{ item }}" -+ with_items: -+ - "{{ playbook_dir }}/vars/ldap.yml" -+ - "{{ playbook_dir }}/vars/ca.yml" -+ - "{{ playbook_dir }}/vars/kra.yml" -+ - "{{ playbook_dir }}/vars/ocsp.yml" -+ - "{{ playbook_dir }}/vars/tks.yml" -+ - "{{ playbook_dir }}/vars/tps.yml" -+ when: topology == "topology-ecc" -+ -+- name: Creates directory -+ file: path=/tmp/test_files state=directory -+ -+- name: Copying templates to /tmp folder -+ copy : src=test/ dest=/tmp/test_dir -+ tags: platform-ci -+ -+- name: Replace Ldap server port in all configuration files -+ replace: dest={{item}} regexp="ldapServerPort" replace={{ldapServerPort}} -+ with_items: -+ - /tmp/test_dir/ldap.cfg -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ - /tmp/test_dir/tks.cfg -+ - /tmp/test_dir/tps.cfg -+ - /tmp/test_dir/constants.py -+ -+- name: Replace topology in use in all configuration files -+ replace: dest={{item}} regexp="topology" replace={{topology}} -+ with_items: -+ - /tmp/test_dir/ldap.cfg -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ - /tmp/test_dir/tks.cfg -+ - /tmp/test_dir/tps.cfg -+ - /tmp/test_dir/constants.py -+ -+- name : Substitute ecc with rsa when topology=topology-ecc -+ replace: dest={{item}} regexp="SHA512withRSA" replace="SHA384withEC" -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - 
/tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ when: -+ - topology == "topology-ecc" -+ -+- name : Substitute ecc with rsa when topology=topology-ecc -+ replace: dest={{item}} regexp="rsa" replace="ecc" -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ when: -+ - topology == "topology-ecc" -+ -+- name : Substitute ecc with rsa when topology=topology-ecc -+ replace: dest={{item}} regexp="2048" replace="nistp384" -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ when: -+ - topology == "topology-ecc" -+ -+- name : For topology-01 -+ replace: dest={{item}} regexp="pki_instance_name" replace="#pki_instance_name" -+ with_items: -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ - /tmp/test_dir/tks.cfg -+ - /tmp/test_dir/tps.cfg -+ when: -+ - topology == "topology-01" -+ -+ -+- name: Replace ServerName in all configuration files. -+ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com -+ with_items: -+ - /tmp/test_dir/ldap.cfg -+ - /tmp/test_dir/ca.cfg -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/ocsp.cfg -+ - /tmp/test_dir/tks.cfg -+ - /tmp/test_dir/tps.cfg -+ -+- name: Replace ServerName in all configuration files. 
-+ replace: dest={{item}} regexp="SERVERNAME" replace=pki1.example.com -+ with_items: -+ - /tmp/test_dir/ldap_kra.cfg -+ - /tmp/test_dir/ldap_ocsp.cfg -+ - /tmp/test_dir/ldap_tks.cfg -+ - /tmp/test_dir/ldap_tps.cfg -+ when: topology == "topology-05" -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml -new file mode 100644 -index 0000000..e0edeea ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_kra.yml -@@ -0,0 +1,27 @@ -+- name: Replace KRA specific changes -+ replace: dest={{item}} regexp="krapki_https_port" replace={{krapki_https_port}} -+ with_items: -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/constants.py -+ -+- name: Replace http port for KRA. -+ replace: dest={{item}} regexp="krapki_http_port" replace={{krapki_http_port}} -+ with_items: -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/constants.py -+ -+- name: Replace ajp port for KRA -+ replace: dest={{item}} regexp="krapki_ajp_port" replace={{krapki_ajp_port}} -+ with_items: -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/constants.py -+ -+- name : Replace tomcat port for KRA -+ replace: dest={{item}} regexp="krapki_tomcat_server_port" replace={{krapki_tomcat_server_port}} -+ with_items: -+ - /tmp/test_dir/kra.cfg -+ - /tmp/test_dir/constants.py -+ -+- name : Replace tomcat port for KRA -+ replace: dest=/tmp/test_dir/kra.cfg regexp="secure_domain_port" replace={{capki_https_port}} -+ -diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml -new file mode 100644 -index 0000000..f9af68c ---- /dev/null -+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ldap.yml -@@ -0,0 +1,47 @@ -+- name : Create different ldap files for ca,kra,ocsp,tks and tps. 
-+ shell : for i in kra ocsp tks tps ;do cp /tmp/test_dir/ldap.cfg /tmp/test_dir/ldap_$i.cfg ; sed -i "s/testingmaster/$i-testingmaster/" /tmp/test_dir/ldap_$i.cfg; done -+ when: topology == "topology-05" -+ -+- name : Conditional check before replacing values in ldap.cfg file. -+ replace: dest={{item}} regexp="3389" replace={{ldapkraServerPort}} -+ with_items: -+ - /tmp/test_dir/ldap_kra.cfg -+ - /tmp/test_dir/kra.cfg -+ when: topology == "topology-05" -+ -+- name : Conditional check before replacing values in ldap.cfg file. -+ replace: dest={{item}} regexp="3389" replace={{ldapocspServerPort}} -+ with_items: -+ - /tmp/test_dir/ldap_ocsp.cfg -+ - /tmp/test_dir/ocsp.cfg -+ when: topology == "topology-05" -+ -+- name : Conditional check before replacing values in ldap.cfg file. -+ replace: dest={{item}} regexp="3389" replace={{ldaptksServerPort}} -+ with_items: -+ - /tmp/test_dir/ldap_tks.cfg -+ - /tmp/test_dir/tks.cfg -+ when: topology == "topology-05" -+ -+- name : Conditional check before replacing values in ldap.cfg file. 
-+ replace: dest={{item}} regexp="3389" replace={{ldaptpsServerPort}}
-+ with_items:
-+ - /tmp/test_dir/ldap_tps.cfg
-+ - /tmp/test_dir/tps.cfg
-+ when: topology == "topology-05"
-+
-+- name: Replace Ldap server port in all configuration files
-+ replace: dest=/tmp/test_dir/constants.py regexp="ldapkraServerPort" replace={{ldapkraServerPort}}
-+ when: topology == "topology-05"
-+
-+- name: Replace Ldap server port in all configuration files
-+ replace: dest=/tmp/test_dir/constants.py regexp="ldapocspServerPort" replace={{ldapocspServerPort}}
-+ when: topology == "topology-05"
-+
-+- name: Replace Ldap server port in all configuration files
-+ replace: dest=/tmp/test_dir/constants.py regexp="ldaptksServerPort" replace={{ldaptksServerPort}}
-+ when: topology == "topology-05"
-+
-+- name: Replace Ldap server port in all configuration files
-+ replace: dest=/tmp/test_dir/constants.py regexp="ldaptpsServerPort" replace={{ldaptpsServerPort}}
-+ when: topology == "topology-05"
-diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml
-new file mode 100644
-index 0000000..dea8645
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_ocsp.yml
-@@ -0,0 +1,27 @@
-+- name: Replace OCSP specific changes
-+ replace: dest={{item}} regexp="ocsppki_https_port" replace={{ocsppki_https_port}}
-+ with_items:
-+ - /tmp/test_dir/ocsp.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace http port for OCSP.
-+ replace: dest={{item}} regexp="ocsppki_http_port" replace={{ocsppki_http_port}}
-+ with_items:
-+ - /tmp/test_dir/ocsp.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace ajp port for OCSP
-+ replace: dest={{item}} regexp="ocsppki_ajp_port" replace={{ocsppki_ajp_port}}
-+ with_items:
-+ - /tmp/test_dir/ocsp.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for OCSP
-+ replace: dest={{item}} regexp="ocsppki_tomcat_server_port" replace={{ocsppki_tomcat_server_port}}
-+ with_items:
-+ - /tmp/test_dir/ocsp.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for OCSP
-+ replace: dest=/tmp/test_dir/ocsp.cfg regexp="secure_domain_port" replace={{capki_https_port}}
-+
-diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml
-new file mode 100644
-index 0000000..9cd2bc7
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tks.yml
-@@ -0,0 +1,27 @@
-+- name: Replace TKS specific changes
-+ replace: dest={{item}} regexp="tkspki_https_port" replace={{tkspki_https_port}}
-+ with_items:
-+ - /tmp/test_dir/tks.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace http port for TKS.
-+ replace: dest={{item}} regexp="tkspki_http_port" replace={{tkspki_http_port}}
-+ with_items:
-+ - /tmp/test_dir/tks.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace ajp port for TKS
-+ replace: dest={{item}} regexp="tkspki_ajp_port" replace={{tkspki_ajp_port}}
-+ with_items:
-+ - /tmp/test_dir/tks.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for TKS
-+ replace: dest={{item}} regexp="tkspki_tomcat_server_port" replace={{tkspki_tomcat_server_port}}
-+ with_items:
-+ - /tmp/test_dir/tks.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for TKS
-+ replace: dest=/tmp/test_dir/tks.cfg regexp="secure_domain_port" replace={{capki_https_port}}
-+
-diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml
-new file mode 100644
-index 0000000..69fe4c5
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/configure_tps.yml
-@@ -0,0 +1,39 @@
-+- name: Replace TPS specific changes
-+ replace: dest={{item}} regexp="tpspki_https_port" replace={{tpspki_https_port}}
-+ with_items:
-+ - /tmp/test_dir/tps.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace http port for TPS.
-+ replace: dest={{item}} regexp="tpspki_http_port" replace={{tpspki_http_port}}
-+ with_items:
-+ - /tmp/test_dir/tps.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name: Replace ajp port for TPS
-+ replace: dest={{item}} regexp="tpspki_ajp_port" replace={{tpspki_ajp_port}}
-+ with_items:
-+ - /tmp/test_dir/tps.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for TPS
-+ replace: dest={{item}} regexp="tpspki_tomcat_server_port" replace={{tpspki_tomcat_server_port}}
-+ with_items:
-+ - /tmp/test_dir/tps.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace tomcat port for TPS
-+ replace: dest={{item}} regexp="secure_domain_port" replace={{capki_https_port}}
-+ with_items:
-+ - /tmp/test_dir/tps.cfg
-+ - /tmp/test_dir/constants.py
-+
-+- name : Replace ca uri for TPS
-+ replace: dest=/tmp/test_dir/tps.cfg regexp="capki_https_port" replace={{capki_https_port}}
-+
-+- name : Replace kra uri for TPS
-+ replace: dest=/tmp/test_dir/tps.cfg regexp="krapki_https_port" replace={{krapki_https_port}}
-+
-+- name : Replace tks uri for TPS
-+ replace: dest=/tmp/test_dir/tps.cfg regexp="tkspki_https_port" replace={{tkspki_https_port}}
-+
-diff --git a/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml
-new file mode 100644
-index 0000000..17e0ecc
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/roles/Test_Trigger/tasks/main.yml
-@@ -0,0 +1,15 @@
-+---
-+- include: configure_common.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
-+- include: configure_ca.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
-+- include: configure_ldap.yml
-+ when: topology == "topology-05"
-+- include: configure_kra.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05" or topology == "topology-ecc"
-+- include: configure_ocsp.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-05" or topology == "topology-ecc"
-+- include: configure_tks.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
-+- include: configure_tps.yml
-+ when: topology == "topology-01" or topology == "topology-02" or topology == "topology-03" or topology == "topology-04" or topology == "topology-05"
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/ca.yml b/tests/dogtag/pytest-ansible/installation/vars/ca.yml
-new file mode 100644
-index 0000000..6768f66
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/ca.yml
-@@ -0,0 +1,4 @@
-+capki_https_port: '20443'
-+capki_http_port: '20080'
-+capki_ajp_port: '20009'
-+capki_tomcat_port: '20005'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml b/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml
-new file mode 100644
-index 0000000..83aa43e
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/ca_shared.yml
-@@ -0,0 +1,24 @@
-+capki_https_port: '8443'
-+capki_http_port: '8080'
-+capki_ajp_port: '8009'
-+capki_tomcat_port: '8005'
-+capki_https_port: '8443'
-+capki_http_port: '8080'
-+capki_ajp_port: '8009'
-+capki_tomcat_port: '8005'
-+krapki_https_port: '8443'
-+krapki_http_port: '8080'
-+krapki_ajp_port: '8009'
-+krapki_tomcat_server_port: '8005'
-+ocsppki_https_port: '8443'
-+ocsppki_http_port: '8080'
-+ocsppki_ajp_port: '8009'
-+ocsppki_tomcat_server_port: '8005'
-+tkspki_https_port: '8443'
-+tkspki_http_port: '8080'
-+tkspki_ajp_port: '8009'
-+tkspki_tomcat_server_port: '8005'
-+tpspki_https_port: '8443'
-+tpspki_http_port: '8080'
-+tpspki_ajp_port: '8009'
-+tpspki_tomcat_server_port: '8005'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/kra.yml b/tests/dogtag/pytest-ansible/installation/vars/kra.yml
-new file mode 100644
-index 0000000..2d45fab
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/kra.yml
-@@ -0,0 +1,4 @@
-+krapki_https_port: '21443'
-+krapki_http_port: '21080'
-+krapki_ajp_port: '21009'
-+krapki_tomcat_server_port: '21005'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/ldap.yml b/tests/dogtag/pytest-ansible/installation/vars/ldap.yml
-new file mode 100644
-index 0000000..401c4a7
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/ldap.yml
-@@ -0,0 +1,8 @@
-+ldapServerPort: '3389'
-+ldapRootDN: CN=Directory Manager
-+ldapRootDNPwd: Secret123
-+ldapcaServerPort: '4389'
-+ldapkraServerPort: '5389'
-+ldapocspServerPort: '6389'
-+ldaptksServerPort: '7389'
-+ldaptpsServerPort: '8389'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml b/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml
-new file mode 100644
-index 0000000..0e1d7e6
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/ldap_shared.yml
-@@ -0,0 +1,3 @@
-+ldapServerPort: '2389'
-+ldapRootDN: CN=Directory Manager
-+ldapRootDNPwd: Secret123
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml b/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml
-new file mode 100644
-index 0000000..497ebb8
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/ocsp.yml
-@@ -0,0 +1,4 @@
-+ocsppki_https_port: '22443'
-+ocsppki_http_port: '22080'
-+ocsppki_ajp_port: '22009'
-+ocsppki_tomcat_server_port: '22005'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/tks.yml b/tests/dogtag/pytest-ansible/installation/vars/tks.yml
-new file mode 100644
-index 0000000..3f402a4
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/tks.yml
-@@ -0,0 +1,4 @@
-+tkspki_https_port: '23443'
-+tkspki_http_port: '23080'
-+tkspki_ajp_port: '23009'
-+tkspki_tomcat_server_port: '23005'
-diff --git a/tests/dogtag/pytest-ansible/installation/vars/tps.yml b/tests/dogtag/pytest-ansible/installation/vars/tps.yml
-new file mode 100644
-index 0000000..92534c2
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/installation/vars/tps.yml
-@@ -0,0 +1,4 @@
-+tpspki_https_port: '25443'
-+tpspki_http_port: '25080'
-+tpspki_ajp_port: '25009'
-+tpspki_tomcat_server_port: '25005'
-diff --git a/tests/dogtag/pytest-ansible/provision/readme.txt b/tests/dogtag/pytest-ansible/provision/readme.txt
-new file mode 100644
-index 0000000..e69de29
-diff --git a/tests/dogtag/pytest-ansible/pytest/README.md b/tests/dogtag/pytest-ansible/pytest/README.md
-new file mode 100644
-index 0000000..24c3f66
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/pytest/README.md
-@@ -0,0 +1,313 @@
-+# Pytest-ansible for Dogtag Tests
-+
-+## Note
-+Recommended version to install ansible version 2.3.x.
-+Integration testing with other versions like pytest-ansible 2.4.0 are still in-progress.
-+
-+## Installing pip
-+
-+[pip] (https://pip.pypa.io/en/stable/installing/) is needed for ansible & pytest installation.
-+
-+## Description about pytest-ansible & pytest-ansible-playbook
-+
-+This repository contains a plugin for py.test which adds several fixtures for running ansible modules, or inspecting ansible_facts. While one can simply call out to ansible using the subprocess module, having to parse stdout to determine the outcome of the operation is unpleasant and prone to error. With pytest-ansible, modules return JSON data which you can inspect and act on, much like with an ansible playbook.
-+See [pytest-ansible] (https://pypi.python.org/pypi/pytest-ansible)
-+
-+### Installation
-+
-+#### Installing ansible
-+#### Installing pytest-ansible
-+#### Installing pytest-ansible-playbook
-+
-+Covered under [README] (../README.md#installing-supporting-packages)
-+### Usage
-+
-+Once installed, the following py.test command-line parameters are available:
-+
-+```
-+ py.test \
-+ [--ansible-inventory ] \
-+ [--ansible-host-pattern ] \
-+ [--ansible-playbook-directory ] \
-+ [--ansible-playbook-inventory ]
-+ [--ansible-connection ] \
-+ [--ansible-user ] \
-+ [--ansible-sudo] \
-+ [--ansible-sudo-user ]
-+
-+```
-+
-+#### Mandatory command-line parameters:
-+
-+```
-+ py.test \
-+ [--ansible-inventory ] \
-+ [--ansible-playbook-directory ] \
-+ [--ansible-playbook-inventory ] \
-+ [--ansible-host-pattern ]
-+```
-+
-+### Available Fixtures with pytest-ansible
-+
-+1. Fixture ansible_module
-+
-+ The ansible_module fixture allows tests and fixtures to call ansible modules. See [ansible_module] (http://docs.ansible.com/ansible/2.3/modules.html)
-+
-+2. Fixture ansible_facts
-+
-+ The ansible_facts fixture returns a JSON structure representing the system facts for the associated inventory. Sample fact data is available in the [ansible documentation](http://docs.ansible.com/ansible/latest/playbooks_variables.html#information-discovered-from-systems-facts)
-+
-+### Available Fixtures with pytest-ansible-playbook
-+
-+1. Fixture ansible playbook
-+
-+ The plugin provides a single pytest fixture called ansible_playbook. To specify playbooks to be executed by the fixture, use the following pytest markers:
-+
-+```
-+
-+ @pytest.mark.ansible_playbook_setup('playbook.yml')
-+ @pytest.mark.ansible_playbook_teardown('playbook.yml')
-+
-+ @pytest.mark.ansible_playbook_setup('playbook.01.yml', 'playbook.02.yml')
-+
-+```
-+
-+### Install pytest-autochecklog
-+
-+In case you have plans to use logging that we get from `pytest-autochecklog`, get it using
-+
-+```
-+pip install pytest-autochecklog
-+```
-+
-+### Parameterizing with pytest.mark.ansible
-+
-+Perhaps the --ansible-inventory= includes many systems, but you only wish to interact with a subset. The pytest.mark.ansible marker can be used to modify the pytest-ansible command-line parameters for a single test.
-+
-+For example, to interact with the local system, you would adjust the host_pattern and connection parameters.
-+
-+
-+```
-+@pytest.mark.ansible(host_pattern='local,', connection='local')
-+class Test_Local(object):
-+ def test_install(self, ansible_module):
-+ '''do some testing'''
-+ def test_template(self, ansible_module):
-+ '''do some testing'''
-+ def test_service(self, ansible_module):
-+ '''do some testing'''
-+```
-+It works with both class and function.
-+
-+More on [Paramaterizing](https://docs.pytest.org/en/latest/example/parametrize.html)
-+
-+### Exception Handling
-+
-+Below is the example of exception handling.During runtime, if we wanted to change inventory file it can be done using `@pytest.mark.ansible(inventory='abc')`.
-+Here , if host mentioned in file "abc" is not reachable using ping it should raise exception `AnsibleHostUnreachable`
-+
-+```
-+@pytest.mark.ansible(inventory='abc')
-+def test_shutdown(ansible_module):
-+ pytest.raises(pytest_ansible.plugin.AnsibleHostUnreachable, ansible_module.ping)
-+```
-+
-+## About PKI Module
-+
-+PKI module is an ansible module that can be called either from python code or from ansible-playbooks to run any pki client commands
-+See [PKI Module](https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/) for latest modules and common packages.
-+
-+PKI Module has few default values and those can be over-written by defining them during tests creation.This is same as any standard ansible modules.
-+
-+### Getting PKI Module
-+
-+PKI module can be installed with below procedure. Install latest rpm from [copr site] (https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/)
-+
-+```
-+Example:
-+
-+1. wget https://copr.fedorainfracloud.org/coprs/g/pki/10.5/package/test-pki-modules/
-+2. rpm -qlp idm-modules
-+ - Make sure above command lists pki.py module
-+3. rpm -ivh idm-modules
-+
-+Make sure pki.py exist under PYTHONPATH/ansible/modules/identity/pki/pki.py
-+```
-+
-+In case, it is difficult with above procedure, this can be done manually using
-+
-+```
-+cp pki-pytest-ansible/raw/pytest-task/common-modules/pki.py PYTHONPATH/ansible/modules/identity/pki/pki.py
-+```
-+
-+All the common modules are part of common-modules code.
-+
-+### Usage
-+
-+`with python`
-+
-+```
-+def test_pki(ansible_facts,ansible_module):
-+ for (host, facts) in ansible_facts.items():
-+ contacted = ansible_module.pki(
-+ cli='ca-cert-find',
-+ hostname = host,
-+ nssdb = '/root/nssdb',
-+ certnick = "'PKI Administrator for example.com'"
-+ )
-+ item=contacted.items()
-+ print dict(item)
-+
-+For Positive test case:
-+----------------------
-+
-+@pytest.mark.positive
-+def test_tpsToken_show_01(ansible_module, certnick, expected):
-+ contacted = ansible_module.pki(
-+ cli='ca-cert-find',
-+ protocol='http',
-+ certnick = certnick
-+ )
-+ for result in contacted.values():
-+ for iter in expected:
-+ assert iter in result['stdout']
-+
-+For Negative test case:
-+-----------------------
-+
-+@pytest.mark.negative
-+def test_tpsToken_show_01(ansible_module, certnick, expected):
-+ contacted = ansible_module.pki(
-+ cli='ca-cert-find',
-+ protocol='http',
-+ certnick = certnick
-+ )
-+ for result in contacted.values():
-+ for iter in expected:
-+ assert iter in result['stderr']
-+
-+
-+```
-+
-+`with ansible-playbook`
-+
-+```
-+ tasks:
-+
-+ - name: Run pki module from ansible-playbook
-+ pki: cli='ca-cert-show' port='9443'
-+
-+Output
-+
-+"cmd": "pki -d -P http -p 9443 -h localhost -c Secret123 -n 'PKI CA Administrator for Example.Org' ca-cert-show "
-+
-+```
-+### Examples
-+
-+See [Examples](tps-token/test_tps_token_show.py)
-+
-+### Parametrizing your tests
-+
-+This involves clubbing of tests which are similar in nature.
-+
-+Example: All Positive tests whose output comes under stdout can be clubbed together.
-+
-+Negative tests where output goes in stderr can be put together.
-+
-+See [Parametrizing your tests](tps-token/test_tps_token_show.py)
-+
-+### Advantages of parametrizing tests
-+
-+1. Test cases are much shorter.
-+2. Easy to run smoke, positive, negative cases using markers.
-+3. Similar kind of test are clubbed together and avoid code duplication.
-+4. Multiple asserts are implemented.
-+5. Code is never touched.Just input and output is changed.
-+
-+## Pre-requisite before running a pytest-ansible using pki module
-+
-+Py.test assumes that your Subsystem installation is done using [ansible-playbooks](../installation/README.md)
-+Tests look for ansible environment constants file for fetching port if not provided in pytest code.
-+
-+
-+## Importing the CA cert to nssdb. Please run this command on the machine on which RHCS is setup
-+
-+```
-+1. Create nssdb in .
-+2. Import CA Admin Certificate into nssdb.
-+pki -d -c Secret123 -h -p client-cert-import "RootCA" --ca-server
-+pk12util -i -d -K Secret123 -W Secret123
-+```
-+
-+## Running a pytest-ansible test
-+
-+```
-+py.test --ansible-inventory host --ansible-host-pattern master -q -s -vvv
-+```
-+
-+where,
-+
-+ --ansible-inventory, the inventory file from where hosts ip are picked.
-+ --ansible-host-pattern, the host pattern on which tests needs to be run like master or clone
-+
-+
-+## Running a combination of pytest-ansible and pytest-ansible-playbook
-+
-+```
-+py.test --ansible-inventory host --ansible-host-pattern master --ansible-playbook-inventory host -q -s -vvv
-+```
-+
-+
-+where,
-+
-+ --ansible-inventory, the inventory file from where hosts ip are picked.
-+ --ansible-host-pattern, the host pattern on which tests needs to be run.
-+ --ansible-playbook-inventory, the inventory file used for running playbooks which are defined in form of fixtures to run.
-+
-+Refer [Available Fixtures with pytest-ansible-playbook](README.md#available-fixtures-with-pytest-ansible-playbook)
-+
-+## Examples of ansible-inventory and ansible-playbook-inventory
-+
-+Inventory file consist of the roles and the ip-address.Tests will run for the roles and ip's that are mentioned.
-+
-+```
-+[master]
-+10.1.2.3
-+10.2.3.4
-+```
-+
-+## Troubleshooting Errors
-+
-+To Debug any error, `Run py.test command with reporting option.`
-+
-+```
-+reporting:
-+ -v, --verbose increase verbosity.
-+ -q, --quiet decrease verbosity.
-+ -r chars show extra test summary info as specified by chars
-+ (f)ailed, (E)error, (s)skipped, (x)failed, (X)passed,
-+ (p)passed, (P)passed with output, (a)all except pP.
-+ The pytest warnings are displayed at all times except
-+ when --disable-pytest-warnings is set
-+ --disable-pytest-warnings
-+ disable warnings summary, overrides -r w flag
-+ -l, --showlocals show locals in tracebacks (disabled by default).
-+ --tb=style traceback print mode (auto/long/short/line/native/no).
-+ --full-trace don't cut any tracebacks (default is to cut).
-+ --color=color color terminal output (yes/no/auto).
-+ --durations=N show N slowest setup/test durations (N=0 for all).
-+ --pastebin=mode send failed|all info to bpaste.net pastebin service.
-+ --junit-xml=path create junit-xml style report file at given path.
-+ --junit-prefix=str prepend prefix to classnames in junit-xml output
-+ --result-log=path DEPRECATED path for machine-readable result log.
-+ --excel-report=path create excel report file at given path.
-+```
-+
-+## Additional Packages
-+
-+These are additional logging packages that could be used in future if logging improvement is needed.
-+
-+- [Logging-1](https://pypi.python.org/pypi/pytest-logger).
-+- [Logging-2](ttps://pypi.python.org/pypi/pytest-autochecklog).
-+
-+
-diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml b/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml
-new file mode 100644
-index 0000000..1648266
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/pytest/tps-token/ldapUserAdd.yml
-@@ -0,0 +1,35 @@
-+- hosts: master
-+ gather_facts: true
-+
-+ tasks:
-+ - name: Making constants.py file compatable for including as vars.
-+ shell: sed -e "s/ =/:/g;s/'//g" /tmp/test_dir/constants.py > /tmp/test_dir/constants.yml
-+
-+ - name: Fetch the file
-+ fetch: src=/tmp/test_dir/constants.yml dest=/tmp/test_dir flat=yes validate_checksum=no
-+
-+ - name: Including variables from Environment
-+ include_vars:
-+ file: /tmp/test_dir/constants.yml
-+ name: variable
-+
-+ - name: Gather facts
-+ set_fact:
-+ var: "{{ inventory_hostname }}"
-+ userPasswd: "{{ variable.LDAP_PASSWD }}"
-+
-+ - name: Get rid of an old entry
-+ ldap_entry:
-+ dn: uid={{ variable.LDAP_USER }},ou=People,dc=example,dc=org
-+ objectClass:
-+ - top
-+ - person
-+ - inetOrgPerson
-+ - organizationalRole
-+ params:
-+ cn: "{{ variable.LDAP_USER }}"
-+ sn: "{{ variable.LDAP_USER }}"
-+ userPassword: "{{ variable.LDAP_PASSWD }}"
-+ server_uri: ldap://{{ inventory_hostname }}:{{ variable.LDAP_PORT }}
-+ bind_dn: cn=Directory Manager
-+ bind_pw: "{{ variable.LDAP_PASSWD }}"
-diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py b/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py
-new file mode 100644
-index 0000000..9c30b19
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/pytest/tps-token/test_tps_token_show.py
-@@ -0,0 +1,106 @@
-+"""
-+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+#
-+# Description: PKI TPS-TOKEN-SHOW tests
-+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+# The following pki tps commands needs to be tested:
-+# pki tps-token-show
-+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+#
-+# Author: Geetika Kapoor
-+#
-+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-+#
-+# Copyright (c) 2016 Red Hat, Inc. All rights reserved.
-+#
-+# This copyrighted material is made available to anyone wishing
-+# to use, modify, copy, or redistribute it subject to the terms
-+# and conditions of the GNU General Public License version 2.
-+#
-+# This program is distributed in the hope that it will be
-+# useful, but WITHOUT ANY WARRANTY; without even the implied
-+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-+# PURPOSE. See the GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public
-+# License along with this program; if not, write to the Free
-+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+# Boston, MA 02110-1301, USA.
-+"""
-+
-+
-+import pytest
-+import ansible
-+import logging
-+from ansible.inventory import Inventory
-+from pytest_ansible import plugin
-+import ansible.constants
-+import os
-+
-+from test_steps import *
-+import random
-+
-+@pytest.mark.ansible_playbook_setup('ldapUserAdd.yml', 'tokenEnroll.yml')
-+@pytest.mark.setup
-+def test_setup(ansible_playbook):
-+ pass
-+
-+@pytest.mark.parametrize("certnick,expected", [
-+ ('"PKI TPS Administrator for Example.Org"', ['Token ID: 40906145C76224192D2B', 'User ID: foobar', 'Type: userKey', 'Status: ACTIVE']),
-+])
-+
-+@pytest.mark.positive
-+def test_tpstoken_show_validgroup(ansible_module, certnick, expected):
-+ """
-+ :Description: Command should successfully show tokens.
-+ """
-+ contacted = ansible_module.pki(
-+ cli='tps-token-show',
-+ extra_args='40906145C76224192D2B',
-+ protocol='http',
-+ certnick=certnick
-+ )
-+ for (host, result) in contacted.items():
-+ for iter in expected:
-+ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stdout']))
-+ assert iter in result['stdout']
-+@pytest.mark.parametrize("certnick,expected", [
-+ ('"PKI TPS Administrator for Example.Org"', ["PKIException: Record not found"]),
-+])
-+
-+@pytest.mark.negative
-+def test_tpstoken_show_exception(ansible_module, certnick, expected):
-+ """
-+ :Description: Command should give "Records" not found.
-+ """
-+ contacted = ansible_module.pki(
-+ cli='tps-token-show',
-+ extra_args='40906145C76224192D2BRR',
-+ certnick=certnick
-+ )
-+ for (host, result) in contacted.items():
-+ for iter in expected:
-+ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stderr']))
-+ assert iter in result['stderr']
-+
-+@pytest.mark.positive
-+@pytest.mark.parametrize("extra_args, certnick, expected", [
-+ ('40906145C76224192D2B', '"PKI TPS Administrator for Example.Org"', ['Token ID: 40906145C76224192D2B', 'User ID: foobar', 'Type: userKey', 'Status: ACTIVE']),
-+ ('--help', '"PKI TPS Administrator for Example.Org"', ['usage: tps-token-show', '', '--help Show help options']),
-+])
-+
-+@pytest.mark.positive
-+def test_tpstoken_show_help(ansible_module, extra_args, certnick, expected):
-+ """
-+ :Description: Command should successfully show tokens.
-+ """
-+ contacted = ansible_module.pki(
-+ cli='tps-token-show',
-+ extra_args=extra_args,
-+ protocol='https',
-+ certnick=certnick
-+ )
-+ for (host, result) in contacted.items():
-+ for iter in expected:
-+ ok("Certificate: %s, Expected Output: %s , Actual Output : %s" %(certnick, iter, result['stdout']))
-+ assert iter in result['stdout']
-diff --git a/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml b/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml
-new file mode 100644
-index 0000000..872ee51
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/pytest/tps-token/tokenEnroll.yml
-@@ -0,0 +1,35 @@
-+- hosts: master
-+ gather_facts: true
-+ tasks:
-+ - name: Going to TPSClient
-+ shell: echo -e "op=var_set name=ra_host value=hostname\nop=var_set name=ra_port value=TPS_HTTP_PORT\nop=var_set name=ra_uri value=/tps/tps\nop=token_set cuid=TOKEN_CUID msn=0120304 app_ver=6FBBC105 key_info=0101 major_ver=0 minor_ver=0\nop=token_set auth_key=404142434445464748494a4b4c4d4e4f\nop=token_set mac_key=404142434445464748494a4b4c4d4e4f\nop=token_set kek_key=404142434445464748494a4b4c4d4e4f\nop=TPS_OPERATION uid=LDAP_USER pwd=LDAP_PASSWD new_pin=LDAP_NEW_PIN num_threads=1 extensions=tokenType=userKey\nop=exit" > /tmp/tpsclient.txt
-+
-+ - name: Including variables from Environment
-+ include_vars:
-+ file: /tmp/test_dir/constants.yml
-+ name: variable
-+
-+ - name: Replacing correct hostname
-+ replace: dest=/tmp/tpsclient.txt regexp=hostname replace={{ inventory_hostname }}
-+
-+ - name: Replacing correct Port
-+ replace: dest=/tmp/tpsclient.txt regexp=TPS_HTTP_PORT replace={{ variable.TPS_HTTP_PORT }}
-+
-+ - name: Replacing correct Password
-+ replace: dest=/tmp/tpsclient.txt regexp=LDAP_PASSWD replace={{ variable.LDAP_PASSWD }}
-+
-+ - name: Replacing correct pin
-+ replace: dest=/tmp/tpsclient.txt regexp=LDAP_NEW_PIN replace={{ variable.LDAP_PASSWD }}
-+
-+ - name: Replacing correct Cuid
-+ replace: dest=/tmp/tpsclient.txt regexp=TOKEN_CUID replace={{ variable.CUID }}
-+
-+ - name: Replacing correct TPS Operation
-+ replace: dest=/tmp/tpsclient.txt regexp=TPS_OPERATION replace={{ variable.TPS_OPERATION }}
-+
-+ - name: Adding LDAP user in tpsclient configuration
-+ replace: dest=/tmp/tpsclient.txt regexp=LDAP_USER replace={{ variable.LDAP_USER }}
-+
-+ - name: Performing token enrollment
-+ shell: tpsclient < /tmp/tpsclient.txt
-+ ignore_errors: yes
-diff --git a/tests/dogtag/pytest-ansible/requirements.txt b/tests/dogtag/pytest-ansible/requirements.txt
-new file mode 100644
-index 0000000..160b10e
---- /dev/null
-+++ b/tests/dogtag/pytest-ansible/requirements.txt
-@@ -0,0 +1,5 @@
-+ansible==2.3.2
-+pytest-ansible==1.3.1
-+pytest-ansible-playbook==0.3.0
-+pytest-logger
-+pytest-autochecklog==0.2.0
---
-1.8.3.1
-
-
-From 53ad8042f1145aa33990298a4d7dc4d6e4fe646b Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Mon, 27 Nov 2017 13:43:33 -0500
-Subject: Add pkispawn option for ephemeral requests
-
-Ticket 2820
-
-Change-Id: I8865d74dd221b69b7fd53f1dbc941c7686bbd858
-(cherry picked from commit 44c732c5ebb1fc6ef7ca851f4118bf58311588bc)
---
- base/server/etc/default.cfg | 1 +
- base/server/man/man5/pki_default.cfg.5 | 7 +++++++
- .../python/pki/server/deployment/scriptlets/configuration.py | 9 +++++++++
- 3 files changed, 17 insertions(+)
-
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index ce10d7f..ad19105 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -436,6 +436,7 @@ pki_replica_number_range_end=100
- [KRA]
- pki_import_admin_cert=True
- pki_standalone=False
-+pki_kra_ephemeral_requests=False
-
- # DEPRECATED
- # Use 'pki_*_csr_path' instead.
-diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
-index ab3e617..a505c4b 100644
---- a/base/server/man/man5/pki_default.cfg.5
-+++ b/base/server/man/man5/pki_default.cfg.5
-@@ -439,6 +439,13 @@ Required for the second step of a stand-alone PKI process. This is the location
- .IP
- [KRA ONLY] Required for the second step of a stand-alone KRA process. This is the location of the file containing the transport certificate (as issued by the external CA). Defaults to '%(pki_instance_configuration_path)s/kra_transport.cert'.
-
-+.SS KRA PARAMETERS
-+.BR
-+.TP
-+.B pki_kra_ephemeral_requests
-+.IP
-+Specifies to use ephemeral requests for archivals and retrievals. Defaults to False.
-+
- .SS TPS PARAMETERS
- .BR
- .TP
-diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-index b21adb6..1870505 100644
---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
-@@ -968,6 +968,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- subsystem.config['ca.defaultOcspUri'] = ocsp_uri
- subsystem.save()
-
-+ # set ephemeral requests if needed
-+ if subsystem.name == 'kra':
-+ if config.str2bool(deployer.mdict['pki_kra_ephemeral_requests']):
-+ config.pki_log.info(
-+ "setting ephemeral requests to true",
-+ extra=config.PKI_INDENTATION_LEVEL_1)
-+ subsystem.config['kra.ephemeralRequests'] = 'true'
-+ subsystem.save()
-+
- token = deployer.mdict['pki_token_name']
- nssdb = instance.open_nssdb(token)
-
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.1-batch-1.0.patch b/SOURCES/pki-core-10.5.1-batch-1.0.patch
deleted file mode 100644
index 242e90a..0000000
--- a/SOURCES/pki-core-10.5.1-batch-1.0.patch
+++ /dev/null
@@ -1,5342 +0,0 @@
-From 0e6b54df7e0470a5fc18217acc1b800391144ad0 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 21 Feb 2018 18:57:41 +1100
-Subject: [PATCH 01/20] libtps.so: link zlib
-
-nss-3.35 no longer links zlib. libtps calls `compress` and
-`uncompress` but we were not explicitly linking zlib so the build
-fails as of nss-3.35. Include -lz when linking libtps.
-
-Fixes: https://pagure.io/dogtagpki/issue/2946
-Change-Id: If26d71d8c6ad2cc89f60c0de26ccf48673971d55
-(cherry picked from commit dfeb3c66d107123f173d58bf0a6571eb7fa3f260)
----
- base/tps-client/src/CMakeLists.txt | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/base/tps-client/src/CMakeLists.txt b/base/tps-client/src/CMakeLists.txt
-index a86e392..229ea0f 100644
---- a/base/tps-client/src/CMakeLists.txt
-+++ b/base/tps-client/src/CMakeLists.txt
-@@ -25,12 +25,24 @@ set(TPS_SHARED_LIBRARY
- CACHE INTERNAL "tps shared library"
- )
-
-+find_library(ZLIB_LIBRARY
-+ NAMES
-+ z
-+ PATHS
-+ /usr/lib
-+ /usr/lib64
-+ /usr/local/lib
-+ /opt/local/lib
-+ /sw/lib
-+)
-+
- set(TPS_LINK_LIBRARIES
- ${NSPR_LIBRARIES}
- ${NSS_LIBRARIES}
- ${APR_LIBRARIES}
- ${LDAP_LIBRARIES}
- ${TOKENDB_SHARED_LIBRARY}
-+ ${ZLIB_LIBRARY}
- )
-
- set(tps_library_SRCS
---
-1.8.3.1
-
-
-From fff31f97e0123b49961972c12ee3ee82f83920de Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Mon, 26 Feb 2018 14:01:18 -0800
-Subject: [PATCH 02/20] Ticket #2949 CMCAuth throws
- org.mozilla.jss.crypto.TokenException: Unable to insert certificate into
- temporary database
-
-This patch addresses the "TokenException: Unable to insert certificate into temporary database" issue caused by CMC authentication. During the CMC authentication, looks like the following JSS CryptoManager call actually tries to import the certificate temporarily into the token and causes conflicts:
-public boolean isCertValid(byte[] certPackage, boolean checkSig,
- CertUsage certUsage)
-That call is not appropriate for the purpose.
-
-Looking closely, certificate validation has been done in various places:
-* SSL client authentication (if used)
-* the isRevoked() call either in agent authentication or in CMCUserSignedAuth
-* the cert.checkValidity() call in CMCUserSignedAuth
-
-The extra isCertValid call is not only redundant but also problematic.
-
-This patch fixes https://pagure.io/dogtagpki/issue/2949
-(cherry picked from commit c6630a429f6f4a9b2c2090001f0a2c50e10ba5c4)
-
-Change-Id: I47367b02c8a53a9cfa99b5da370a3a6af1cb9676
----
- .../cms/src/com/netscape/cms/authentication/CMCAuth.java | 3 ---
- .../com/netscape/cms/authentication/CMCUserSignedAuth.java | 12 ------------
- 2 files changed, 15 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-index db3ca2b..86ffa2f 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
-@@ -945,9 +945,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
- si.verify(digest, id, pubK);
- }
- CMS.debug("CMCAuth: finished checking signature");
-- // verify signer's certificate using the revocator
-- if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient))
-- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
-
- // authenticate signer's certificate using the userdb
- IAuthSubsystem authSS = (IAuthSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTH);
-diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-index 527b7e5..d92b33b 100644
---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
-@@ -1132,19 +1132,7 @@ public class CMCUserSignedAuth implements
IAuthManager, IExtendedPluginInfo, - } - CMS.debug(method + "finished checking signature"); - -- // verify signer's certificate using the revocator -- // ...or not; I think it just checks usage and -- // validity, but not revocation status -- if (!cm.isCertValid(certByteArray, true, CryptoManager.CertUsage.SSLClient)) { -- msg = "CMC signing cert is invalid"; -- CMS.debug(method + msg); -- s.close(); -- throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL") + ":" + msg); -- } else { -- CMS.debug(method + "CMC signature verified; but signer not yet;"); -- } - // At this point, the signature has been verified; -- - // now check revocation status of the cert - if (CMS.isRevoked(x509Certs)) { - msg = "CMC signing cert is a revoked certificate"; --- -1.8.3.1 - - -From cc55aa9cc84bf9a17641b0fd0e509633bf115e44 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 12 Feb 2018 22:37:50 +0100 -Subject: [PATCH 03/20] Added two-step installation mode in pkispawn man page. - -The pkispawn man page has been updated to include the two-step -installation mode. - -https://pagure.io/dogtagpki/issue/2938 - -Change-Id: Icf2edad5477072e33c8eab556b95d5ad4b986131 -(cherry picked from commit 7455cc2023c74d0bd72bbb8f224ba880b1364118) ---- - base/server/man/man8/pkispawn.8 | 39 ++++++++++++++++++++++++++++++++++++++- - 1 file changed, 38 insertions(+), 1 deletion(-) - -diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 -index 1411592..21f6308 100644 ---- a/base/server/man/man8/pkispawn.8 -+++ b/base/server/man/man8/pkispawn.8 -@@ -18,7 +18,7 @@ - pkispawn \- Sets up an instance of Certificate Server. - - .SH SYNOPSIS --pkispawn \-s \-f [\-h] [\-v] [\-p ] -+pkispawn \-s \-f [options] [\-p ] - - .SH DESCRIPTION - Sets up a Certificate Server subsystem (CA, KRA, OCSP, TKS, or TPS) in a -@@ -84,6 +84,12 @@ Specifies the path to the user-defined configuration file. 
This file contains d - .B --precheck - Execute pre-checks and exit. - .TP -+.B --skip-configuration -+Run the first step of the installation (i.e. skipping the instance configuration step). -+.TP -+.B --skip-installation -+Run the second step of the installation (i.e. skipping the instance installation step). -+.TP - .B -h, --help - Prints additional help information. - .TP -@@ -244,6 +250,37 @@ directory server instance has not yet been created. - - See \fB pki_default.cfg(5) \fP for more details about available flags. - -+.SH TWO-STEP INSTALLATION MODE -+.PP -+pkispawn provides a number of parameters to customize an instance before it is -+created. Usually, most other customization can be done after the server is created. -+However, sometimes certain types of customization need to be done before the server is -+created, but there are no parameters for that. For example, configuring session timeout, -+adding CSR extensions, customizing certificate profiles, configuring TLS ciphers, etc. -+To support such customization, pkispawn provides a two-step installation mode. -+ -+Generally, instance creation happens in one step (except for the external CA case). -+Internally, the process happens in two stages. In the first stage, pkispawn will -+install the instance files (e.g. CS.cfg, NSS database, profiles, etc.) in the instance -+directory and customize them based on pkispawn parameters. In the second stage, -+pkispawn will start the instance and configure the instance based on the instance -+configuration files (e.g. initializing database, generating certificates, configuring -+connectors, etc.). The two-step process allows the process to be stopped after the first -+stage, allowing further customization to be done before running the second stage. -+ -+To use two-step installation mode, prepare a normal pkispawn configuration file, then -+run pkispawn with the --skip-configuration parameter. 
For example: -+ -+.IP -+\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-configuration\fR -+ -+.PP -+Then customize the files in the instance directory as needed. Finally, finish the -+installation by running pkispawn again with the --skip-installation parameter. For example: -+ -+.IP -+\x'-1'\fBpkispawn -s CA -f myconfig.txt --skip-installation\fR -+ - .SH EXAMPLES - - .SS Installing a root CA --- -1.8.3.1 - - -From 652d8c3616fea5d2632e80889445c7f1497572af Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Thu, 22 Feb 2018 10:22:41 +0100 -Subject: [PATCH 04/20] Modernize sslget's TLS version and cipher suite - -Disable all cipher suites unless NSS says it's a FIPS approved suite. - -* SSL 2.0 and SSL 3.0 are disabled -* Broken or weak suites with 3DES, RC4 and effective key bits less than - 80 bits are disabled. - -Fixes: https://pagure.io/dogtagpki/issue/2918 -Change-Id: Iae0f0bf5a17d3c2dc1e6e4db1420a6b9da11a6a8 -Signed-off-by: Christian Heimes -(cherry picked from commit 27142606930f87023e7e1981dfbc76199d4dd240) ---- - base/native-tools/src/sslget/sslget.c | 108 +++++++++++++++++++++++++--------- - 1 file changed, 81 insertions(+), 27 deletions(-) - -diff --git a/base/native-tools/src/sslget/sslget.c b/base/native-tools/src/sslget/sslget.c -index bd631c6..b058209 100644 ---- a/base/native-tools/src/sslget/sslget.c -+++ b/base/native-tools/src/sslget/sslget.c -@@ -58,6 +58,7 @@ - #include "prio.h" - #include "prnetdb.h" - #include "nss.h" -+#include - - - /* set Tabs to 8 */ -@@ -122,7 +123,8 @@ int verbose; - SECItem bigBuf; - - --char * ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) -+static char* -+ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg) - { - char *passwd = NULL; - -@@ -300,7 +302,7 @@ printSecurityInfo(PRFileDesc *fd) - PRBool useModelSocket = PR_TRUE; - - --PRInt32 -+static PRInt32 - do_writes( - void * a - ) -@@ -334,7 +336,8 @@ do_writes( - } - - --int isLinkLocalAddress(char *address, int family) -+static int 
-+isLinkLocalAddress(char *address, int family) - { - if ( !address || ( strlen(address) == 0 ) ) { - return 0; -@@ -363,7 +366,7 @@ int isLinkLocalAddress(char *address, int family) - } - - --SECStatus -+static SECStatus - do_io( PRFileDesc *ssl_sock, int connection) - { - int countRead = 0; -@@ -472,7 +475,7 @@ do_io( PRFileDesc *ssl_sock, int connection) - return SECSuccess; /* success */ - } - --int -+static int - do_connect( - PRNetAddr *addr, - PRFileDesc *model_sock, -@@ -543,7 +546,7 @@ do_connect( - ** Since the value returned is an integer (not a string of bytes), - ** it is inherently in Host Byte Order. - */ --PRUint32 -+static PRUint32 - getIPAddress(const char * hostName) - { - const unsigned char *p; -@@ -565,7 +568,7 @@ getIPAddress(const char * hostName) - return rv; - } - --void -+static void - client_main( - unsigned short port, - int connections, -@@ -576,31 +579,82 @@ client_main( - { - PRFileDesc *model_sock = NULL; - int rv; -- -+ int i; -+ const PRUint16* ssl_ciphers; -+ PRUint16 num_ciphers; -+ PRBool enabled; -+ SSLCipherSuiteInfo info; -+ SSLVersionRange versions = { -+ SSL_LIBRARY_VERSION_TLS_1_1, -+ SSL_LIBRARY_VERSION_TLS_1_2 -+ }; - - FPRINTF(stderr, "port: %d\n", port); - - /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */ - NSS_SetDomesticPolicy(); - -- /* all the SSL2 and SSL3 cipher suites are enabled by default. 
*/ -- -- /* enable FIPS ciphers */ -- SSL_CipherPrefSetDefault(0xc004 /* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc003 /* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc00a /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x2f /* TLS_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x35 /* TLS_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc008 /* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc009 /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc012 /* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc013 /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0xc014 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x32 /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x38 /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x33 /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA */, PR_TRUE); -- SSL_CipherPrefSetDefault(0x39 /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA */, PR_TRUE); -+ /* disable SSL 2.0 and SSL 3.0 */ -+ SSL_VersionRangeSetDefault(ssl_variant_stream, &versions); -+ -+ /* disable all weak or non-FIPS compliant ciphers */ -+ ssl_ciphers = SSL_GetImplementedCiphers(); -+ num_ciphers = SSL_GetNumImplementedCiphers(); -+ -+ for (i = 0; i < num_ciphers; i++) { -+ if (SSL_GetCipherSuiteInfo(ssl_ciphers[i], &info, sizeof(info)) == SECSuccess) { -+ SSL_CipherPrefGetDefault(ssl_ciphers[i], &enabled); -+ if (!enabled) { -+ /* Although some NSS versions do not support SHA384, try to enable select SHA384 ciphers by default */ -+ if (PL_strcmp(info.cipherSuiteName, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384") == 0) { -+ SSL_CipherPrefSetDefault(0x009f 
/* TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384") == 0) { -+ /* NOTE: CBC ciphers may be deprecated in TLS v1.3 */ -+ SSL_CipherPrefSetDefault(0xc024 /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384") == 0) { -+ SSL_CipherPrefSetDefault(0xc02c /* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384") == 0) { -+ /* NOTE: CBC ciphers may be deprecated in TLS v1.3 */ -+ SSL_CipherPrefSetDefault(0xc028 /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ else if (PL_strcmp(info.cipherSuiteName, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384") == 0) { -+ SSL_CipherPrefSetDefault(0xc030 /* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ else if (PL_strcmp(info.cipherSuiteName, "TLS_RSA_WITH_AES_256_GCM_SHA384") == 0) { -+ SSL_CipherPrefSetDefault(0x009d /* TLS_RSA_WITH_AES_256_GCM_SHA384 */, PR_TRUE); -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } else { -+ FPRINTF(stderr, "disabled %-42s\t(disabled by default)\n", info.cipherSuiteName); -+ } -+ } -+ else if (!info.isFIPS) { -+ /* Disable non-FIPS compliant ciphers */ -+ enabled = PR_FALSE; -+ FPRINTF(stderr, "disabled %-42s\t(not FIPS)\n", info.cipherSuiteName); -+ } -+ else if (info.symCipher == ssl_calg_rc4) { -+ /* No RC4, see RFC 7465 (recent NSS flag RC4 as not FIPS) */ -+ enabled = PR_FALSE; -+ FPRINTF(stderr, "disabled %-42s\t(RC4)\n", info.cipherSuiteName); -+ } -+ else if (info.symCipher == 
ssl_calg_3des) { -+ /* No 3DES to mitigate SWEET32 attack */ -+ enabled = PR_FALSE; -+ FPRINTF(stderr, "disabled %-42s\t(3DES)\n", info.cipherSuiteName); -+ } else { -+ FPRINTF(stderr, "enabled %-42s\n", info.cipherSuiteName); -+ } -+ SSL_CipherPrefSetDefault(ssl_ciphers[i], enabled); -+ } -+ } - - /* - * Rifle through the values for the host -@@ -694,7 +748,7 @@ client_main( - } - - --SECStatus -+static SECStatus - createRequest( - char * url, - char *post, --- -1.8.3.1 - - -From 83c6d20414f4b344994a8112298512d642eae98f Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 2 Feb 2018 15:54:50 +1100 -Subject: [PATCH 05/20] IPAddressName: remove unused getLength method - -Part of: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I732bd39446efcce18b6dc597d9c613a6b0a6422d ---- - base/util/src/netscape/security/x509/IPAddressName.java | 10 ---------- - 1 file changed, 10 deletions(-) - -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index bb27548..4d08b8c 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -166,8 +166,6 @@ public class IPAddressName implements GeneralNameInterface { - - interface IPAddr { - public int getIPAddr(String s, byte[] address, int start); -- -- public int getLength(); - } - - class IPv4Addr implements IPAddr { -@@ -192,10 +190,6 @@ class IPv4Addr implements IPAddr { - } - return nt; - } -- -- public int getLength() { -- return IPv4_LEN; -- } - } - - class IPv6Addr implements IPAddr { -@@ -270,8 +264,4 @@ class IPv6Addr implements IPAddr { - } - return 16; - } -- -- public int getLength() { -- return 16; -- } - } --- -1.8.3.1 - - -From 8a2bec1661ff8f86c3501f3d0975fe3fc45e254e Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 2 Feb 2018 18:31:46 +1100 -Subject: [PATCH 06/20] parseGeneralName: properly parse iPAddress GN with - netmask - -There are a couple of 
problems with iPAddress general name parsing -(primarily used for the Name Constraints extension). - -First, an IP address with netmask expressed as e.g. -1.2.3.4,255.0.0.0 or ::1,ffff:: is outright rejected, causing -issuance failure with a message like: - - NameConstraintsExtDefault: createExtension - netscape.security.x509.InvalidIPAddressException: Invalid IP - Address '10.10.10.10,255.255.255.0' - -Second, an IPv4 address with CIDR-style netmask is misinterpreted as -an IPv6 address _without_ netmask, e.g. the input "192.168.1.1/24" -gets misinterpreted as "c0a8:1c8:ffff:ffff:000:000:000:000", which -is not a conforming value in the Name Constraints extension. - -To resolve these problems, separate the handling of these two cases -and fix the logic. A new class, CIDRNetmask, does the heavy lifting -in the CIDR netmask case. - -Consider the following configuration (irrelevant keys and key -prefixes omitted for brevity). It contains values which caused -failures or incorrect outputs: - - nameConstraintsExcludedSubtreeNameChoice_0=IPAddress - nameConstraintsExcludedSubtreeNameValue_0=10.10.10.10/24 - nameConstraintsExcludedSubtreeNameChoice_1=IPAddress - nameConstraintsExcludedSubtreeNameValue_1=10.10.10.10,255.255.255.0 - nameConstraintsExcludedSubtreeNameChoice_2=IPAddress - nameConstraintsExcludedSubtreeNameValue_2=dead:beef::1/128 - nameConstraintsExcludedSubtreeNameChoice_3=IPAddress - nameConstraintsExcludedSubtreeNameValue_3=dead:beef::,ffff:ffff:: - -This configuration now succeeds and produces the correct output. 
-The extension value produced using the above configuration is (per -OpenSSL pretty print): - - X509v3 Name Constraints: critical - Excluded: - IP:10.10.10.10/255.255.255.0 - IP:10.10.10.10/255.255.255.0 - IP:DEAD:BEEF:0:0:0:0:0:1/FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF - IP:DEAD:BEEF:0:0:0:0:0:0/FFFF:FFFF:0:0:0:0:0:0 - -Part of: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I61d5fcceadcca28cc951802ee4b95691653dd356 ---- - .../netscape/cms/profile/def/EnrollDefault.java | 11 +++- - .../src/netscape/security/x509/CIDRNetmask.java | 77 ++++++++++++++++++++++ - .../src/netscape/security/x509/IPAddressName.java | 51 +++++++------- - .../security/x509/InvalidNetmaskException.java | 27 ++++++++ - 4 files changed, 140 insertions(+), 26 deletions(-) - create mode 100644 base/util/src/netscape/security/x509/CIDRNetmask.java - create mode 100644 base/util/src/netscape/security/x509/InvalidNetmaskException.java - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -index 6192888..173ff83 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -@@ -46,6 +46,7 @@ import netscape.security.util.DerInputStream; - import netscape.security.util.DerOutputStream; - import netscape.security.util.DerValue; - import netscape.security.util.ObjectIdentifier; -+import netscape.security.x509.CIDRNetmask; - import netscape.security.x509.CertificateExtensions; - import netscape.security.x509.DNSName; - import netscape.security.x509.EDIPartyName; -@@ -497,9 +498,17 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe - if (nameType.equalsIgnoreCase("IPAddress")) { - CMS.debug("IP Value:" + nameValue); - if (nameValue.indexOf('/') != -1) { -- // CIDR support for NameConstraintsExt - StringTokenizer st = new StringTokenizer(nameValue, "/"); - String addr = 
st.nextToken(); -+ CIDRNetmask netmask = new CIDRNetmask(st.nextToken()); -+ CMS.debug("addr:" + addr + " CIDR netmask: " + netmask); -+ return new IPAddressName(addr, netmask); -+ } else if (nameValue.indexOf(',') != -1) { -+ // interpret as IPADDR "," NETMASK e.g. -+ // "192.168.1.0,255.255.255.0" (/24) -+ // "2001:0db8:0123:4567::,ffff:ffff:ffff:ffff::" (/64) -+ StringTokenizer st = new StringTokenizer(nameValue, ","); -+ String addr = st.nextToken(); - String netmask = st.nextToken(); - CMS.debug("addr:" + addr + " netmask: " + netmask); - return new IPAddressName(addr, netmask); -diff --git a/base/util/src/netscape/security/x509/CIDRNetmask.java b/base/util/src/netscape/security/x509/CIDRNetmask.java -new file mode 100644 -index 0000000..80f1a79 ---- /dev/null -+++ b/base/util/src/netscape/security/x509/CIDRNetmask.java -@@ -0,0 +1,77 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package netscape.security.x509; -+ -+import java.nio.ByteBuffer; -+ -+/** -+ * Netmask that is the number of significant bits. 
-+ */ -+public class CIDRNetmask { -+ private int n; -+ -+ public CIDRNetmask(String s) { -+ this(Integer.parseInt(s)); -+ } -+ -+ public CIDRNetmask(int n) { -+ if (n < 0) -+ throw new InvalidNetmaskException("cannot be negative"); -+ this.n = n; -+ } -+ -+ /** -+ * Write the netmask into a byte buffer. -+ * -+ * Throw InvalidNetmaskException if negative or if the -+ * size exceeds the size of the address type inferred -+ * from the remaining buffer space (which must be 4 -+ * bytes for IPv4 and 16 bytes for IPv6). -+ * -+ * exceeds the size of the buffer -+ */ -+ protected void write(ByteBuffer buf) { -+ // determine type of addr based on bytes left in buffer -+ int remaining = buf.remaining(); -+ int bits = 0; -+ if (remaining == 4) -+ bits = 32; -+ else if (remaining == 16) -+ bits = 128; -+ else -+ throw new InvalidNetmaskException( -+ "cannot determine type of address for netmask"); -+ -+ if (n > bits) -+ throw new InvalidNetmaskException("netmask exceed address size"); -+ -+ int maskSigBits = n; -+ for (; remaining > 0; remaining--) { -+ int maskByteSigBits = Math.min(8, maskSigBits); -+ byte maskByte = (byte) (0xff - (0xff >> maskByteSigBits)); -+ buf.put(maskByte); -+ maskSigBits = Math.max(maskSigBits - 8, 0); -+ } -+ } -+ -+ public String toString() { -+ return "/" + n; -+ } -+ -+} -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index 4d08b8c..bc63615 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -18,6 +18,7 @@ - package netscape.security.x509; - - import java.io.IOException; -+import java.nio.ByteBuffer; - import java.util.StringTokenizer; - - import netscape.security.util.DerOutputStream; -@@ -77,25 +78,22 @@ public class IPAddressName implements GeneralNameInterface { - * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884) - */ - public 
IPAddressName(String s, String netmask) { -- // Based on PKIX RFC2459. IPAddress has -- // 8 bytes (instead of 4 bytes) in the -- // context of NameConstraints -- IPAddr ipAddr = null; -- if (s.indexOf(':') != -1) { -- ipAddr = IPv6; -- address = new byte[IPv6_LEN * 2]; -- } else { -- ipAddr = IPv4; -- address = new byte[IPv4_LEN * 2]; -- } -- StringTokenizer st = new StringTokenizer(s, ","); -- int numFilled = ipAddr.getIPAddr(st.nextToken(), address, 0); -- if (st.hasMoreTokens()) { -- ipAddr.getIPAddr(st.nextToken(), address, numFilled); -- } else { -- for (int i = numFilled; i < address.length; i++) -- address[i] = (byte) 0xff; -- } -+ IPAddr ipAddr = initAddress(true, s); -+ int numFilled = ipAddr.getIPAddr(s, address, 0); -+ ipAddr.getIPAddr(netmask, address, numFilled); -+ } -+ -+ /** -+ * IP address with CIDR netmask -+ * -+ * @param s a single IPv4 or IPv6 address -+ * @param mask a CIDR netmask -+ */ -+ public IPAddressName(String s, CIDRNetmask mask) { -+ IPAddr ipAddr = initAddress(true, s); -+ int numFilled = ipAddr.getIPAddr(s, address, 0); -+ mask.write(ByteBuffer.wrap( -+ address, address.length / 2, address.length / 2)); - } - - /** -@@ -105,15 +103,18 @@ public class IPAddressName implements GeneralNameInterface { - * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x - */ - public IPAddressName(String s) { -- IPAddr ipAddr = null; -+ IPAddr ipAddr = initAddress(false, s); -+ ipAddr.getIPAddr(s, address, 0); -+ } -+ -+ private IPAddr initAddress(boolean withNetmask, String s) { - if (s.indexOf(':') != -1) { -- ipAddr = IPv6; -- address = new byte[IPv6_LEN]; -+ address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)]; -+ return IPv6; - } else { -- ipAddr = IPv4; -- address = new byte[IPv4_LEN]; -+ address = new byte[IPv4_LEN * (withNetmask ? 
2 : 1)]; -+ return IPv4; - } -- ipAddr.getIPAddr(s, address, 0); - } - - /** -diff --git a/base/util/src/netscape/security/x509/InvalidNetmaskException.java b/base/util/src/netscape/security/x509/InvalidNetmaskException.java -new file mode 100644 -index 0000000..3041377 ---- /dev/null -+++ b/base/util/src/netscape/security/x509/InvalidNetmaskException.java -@@ -0,0 +1,27 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package netscape.security.x509; -+ -+public class InvalidNetmaskException extends RuntimeException { -+ -+ public InvalidNetmaskException(String desc) { -+ super("Invalid netmask (" + desc + ")"); -+ } -+ -+} --- -1.8.3.1 - - -From c9b323331eef1f1934f8430053a72f7b2a21b084 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Mon, 5 Feb 2018 14:53:35 +1100 -Subject: [PATCH 07/20] GeneralNameInterface: methods for checking name - validity - -Some general names may be valid only for describing a single subject -(e.g. Subject Alt Name extension), or for describing a range of -subjects (e.g. Name Constraints extension). For example, an -iPAddress name MUST have 4 (IPv4) or 16 (IPv6) octets in the -"single" context, or 8 (IPv4) or 32 (IPv6) octets in range context. 
- -Add the validSingle() and validSubtree() methods to -GeneralNameInterface and all implementing classes. These methods -can be used to check whether the value is valid for use in the -corresponding context. - -Part of: https://pagure.io/dogtagpki/issue/2922 - -Change-Id: Ib77286b309f1d505fe15313483ec658a55780f83 ---- - base/util/src/netscape/security/x509/GeneralName.java | 12 ++++++++++++ - .../src/netscape/security/x509/GeneralNameInterface.java | 16 ++++++++++++++++ - base/util/src/netscape/security/x509/IPAddressName.java | 10 ++++++++++ - 3 files changed, 38 insertions(+) - -diff --git a/base/util/src/netscape/security/x509/GeneralName.java b/base/util/src/netscape/security/x509/GeneralName.java -index 55b5bfc..80d020e 100644 ---- a/base/util/src/netscape/security/x509/GeneralName.java -+++ b/base/util/src/netscape/security/x509/GeneralName.java -@@ -197,6 +197,18 @@ public class GeneralName implements GeneralNameInterface { - } - } - -+ @Override -+ public boolean validSingle() { -+ if (this == name) return false; // can't happen, but just in case... -+ return name.validSingle(); -+ } -+ -+ @Override -+ public boolean validSubtree() { -+ if (this == name) return false; // can't happen, but just in case... -+ return name.validSubtree(); -+ } -+ - /** - * Unwrap this GeneralName until we reach something that is not - * a GeneralName. -diff --git a/base/util/src/netscape/security/x509/GeneralNameInterface.java b/base/util/src/netscape/security/x509/GeneralNameInterface.java -index 7225ccc..61ba06a 100644 ---- a/base/util/src/netscape/security/x509/GeneralNameInterface.java -+++ b/base/util/src/netscape/security/x509/GeneralNameInterface.java -@@ -57,4 +57,20 @@ public interface GeneralNameInterface extends java.io.Serializable { - * encoded. - */ - void encode(DerOutputStream out) throws IOException; -+ -+ /** -+ * Whether the name is valid as a single name (e.g. for use in -+ * Subject Alternative Name extension). 
-+ */ -+ default boolean validSingle() { -+ return true; -+ } -+ -+ /** -+ * Whether the name is valid as a subtree name (e.g. for use in -+ * Name Constraints extension) -+ */ -+ default boolean validSubtree() { -+ return true; -+ } - } -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index bc63615..768d2d6 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -124,6 +124,16 @@ public class IPAddressName implements GeneralNameInterface { - return (GeneralNameInterface.NAME_IP); - } - -+ @Override -+ public boolean validSingle() { -+ return address.length == IPv4_LEN || address.length == IPv6_LEN; -+ } -+ -+ @Override -+ public boolean validSubtree() { -+ return address.length == 2*IPv4_LEN || address.length == 2*IPv6_LEN; -+ } -+ - /** - * Encode the IPAddress name into the DerOutputStream. - * --- -1.8.3.1 - - -From 9086bedfa105078362573c49a65d0084254ffa35 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Mon, 5 Feb 2018 15:27:05 +1100 -Subject: [PATCH 08/20] Check validity of Subject/Issuer Alt Names and Name - Constraints - -Different forms of some GeneralName types (in particular, iPAddress) -are valid only in "single subject" or "multiple subject / range" -context. Update SubjectAltNameExtDefault, IssuerAltNameExtDefault -and NameConstraintsExtDefault to check the validity of GeneralName -values for use in the prevailing context. - -This change prevents certificates being issued with netmasked -iPAddress values in the SAN/Issuer Alt Name extension, or -non-netmasked iPAddress values in the Name Constraints extension. 
- -Fixes: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I42478e2b554e7d53a7c07db59208bf855b476572 ---- - .../cms/profile/def/IssuerAltNameExtDefault.java | 17 +++++++++++++--- - .../cms/profile/def/NameConstraintsExtDefault.java | 23 +++++++++++++++++----- - .../cms/profile/def/SubjectAltNameExtDefault.java | 10 +++++++++- - 3 files changed, 41 insertions(+), 9 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java -index ec20371..924b15a 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/IssuerAltNameExtDefault.java -@@ -164,6 +164,10 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { - - GeneralNameInterface n = parseGeneralName(gname); - if (n != null) { -+ if (!n.validSingle()) { -+ throw new EPropertyException( -+ "Not valid for Issuer Alternative Name: " + gname); -+ } - gn.addElement(n); - } - } -@@ -285,7 +289,7 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { - } - - public IssuerAlternativeNameExtension createExtension(IRequest request) -- throws IOException { -+ throws IOException, EProfileException { - IssuerAlternativeNameExtension ext = null; - - try { -@@ -307,8 +311,15 @@ public class IssuerAltNameExtDefault extends EnrollExtDefault { - gname = mapPattern(request, pattern); - } - -- gn.addElement(parseGeneralName( -- getConfig(CONFIG_TYPE) + ":" + gname)); -+ String gtype = getConfig(CONFIG_TYPE); -+ GeneralNameInterface n = parseGeneralName(gtype + ":" + gname); -+ if (n != null) { -+ if (!n.validSingle()) { -+ throw new EProfileException( -+ "Not valid for Issuer Alternative Name: " + gtype + ":" + gname); -+ } -+ gn.addElement(n); -+ } - ext.set(IssuerAlternativeNameExtension.ISSUER_NAME, gn); - } - ext.setCritical(critical); -diff --git 
a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
-index f010b61..a3d41b7 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java
-@@ -408,6 +408,10 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
- }
-
- if (gnI != null) {
-+ if (!gnI.validSubtree()) {
-+ throw new EPropertyException(
-+ "Not valid for Name Constraints: " + val);
-+ }
- gn = new GeneralName(gnI);
- } else {
- throw new EPropertyException(CMS.getUserMessage(locale,
-@@ -591,7 +595,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
- addExtension(PKIXExtensions.NameConstraints_Id.toString(), ext, info);
- }
-
-- public NameConstraintsExtension createExtension() {
-+ public NameConstraintsExtension createExtension()
-+ throws EProfileException {
- NameConstraintsExtension ext = null;
-
- try {
-@@ -632,6 +637,8 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
-
- ext = new NameConstraintsExtension(critical,
- new GeneralSubtrees(v), new GeneralSubtrees(v1));
-+ } catch (EProfileException e) {
-+ throw e; // re-throw
- } catch (Exception e) {
- CMS.debug("NameConstraintsExtDefault: createExtension " +
- e.toString());
-@@ -640,8 +647,9 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
- return ext;
- }
-
-- private GeneralSubtree createSubtree(String choice, String value,
-- String minS, String maxS) {
-+ private GeneralSubtree createSubtree(
-+ String choice, String value, String minS, String maxS
-+ ) throws EProfileException {
- GeneralName gn = null;
- GeneralNameInterface gnI = null;
-
-@@ -650,11 +658,16 @@ public class NameConstraintsExtDefault extends EnrollExtDefault {
- } catch (IOException e) {
- CMS.debug(e.toString());
- }
-- if (gnI != null)
-+ if (gnI != null) {
-+ if
(!gnI.validSubtree()) {
-+ throw new EProfileException(
-+ "Not valid for Name Constraints: " + value);
-+ }
- gn = new GeneralName(gnI);
-- else
-+ } else {
- //throw new EPropertyException("GeneralName must not be null");
- return null;
-+ }
-
- int min = 0;
-
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
-index ca3d05f..e99acd2 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/SubjectAltNameExtDefault.java
-@@ -277,6 +277,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
- }
- GeneralNameInterface n = parseGeneralName(gname);
- if (n != null) {
-+ if (!n.validSingle()) {
-+ throw new EPropertyException(
-+ "Not valid for Subject Alternative Name: " + gname);
-+ }
- gn.addElement(n);
- }
- }
-@@ -428,7 +432,7 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
- }
-
- public SubjectAlternativeNameExtension createExtension(IRequest request)
-- throws IOException {
-+ throws IOException, EProfileException {
- SubjectAlternativeNameExtension ext = null;
- int num = getNumGNs();
-
-@@ -495,6 +499,10 @@ public class SubjectAltNameExtDefault extends EnrollExtDefault {
-
- CMS.debug("adding gname: " + gname);
- if (n != null) {
-+ if (!n.validSingle()) {
-+ throw new EProfileException(
-+ "Not valid for Subject Alternative Name: " + gtype + ":" + gname);
-+ }
- CMS.debug("SubjectAlternativeNameExtension: n not null");
- gn.addElement(n);
- count++;
---
-1.8.3.1
-
-
-From a66ba7f834d1eb6e828739b74e5c67bbbd741ba8 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 7 Mar 2018 13:42:01 +1100
-Subject: [PATCH 09/20] IPAddressName: refactoring
-
-Merge the content of some classes that don't need to be classes into
-the main IPAddressName.
Rename the 'getIPAddress' method to
-'fillIPv(4|6)Address', to better reflect its behaviour. Enhance
-initAddress to not only intialise the byte[] but also populate the
-address.
-
-Part of: https://pagure.io/dogtagpki/issue/2922
-Change-Id: If9cd9f3134ef2086b283a51abc35f2918869aca2
----
- .../src/netscape/security/x509/IPAddressName.java | 53 ++++++++++------------
- 1 file changed, 25 insertions(+), 28 deletions(-)
-
-diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java
-index 768d2d6..1c01f58 100644
---- a/base/util/src/netscape/security/x509/IPAddressName.java
-+++ b/base/util/src/netscape/security/x509/IPAddressName.java
-@@ -65,8 +65,6 @@ public class IPAddressName implements GeneralNameInterface {
-
- protected static final char IPv4_LEN = 4;
- protected static final char IPv6_LEN = 16;
-- protected static final IPAddr IPv4 = new IPv4Addr();
-- protected static final IPAddr IPv6 = new IPv6Addr();
-
- /**
- * Create the IPAddressName object with a string representing the
-@@ -78,9 +76,11 @@ public class IPAddressName implements GeneralNameInterface {
- * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884)
- */
- public IPAddressName(String s, String netmask) {
-- IPAddr ipAddr = initAddress(true, s);
-- int numFilled = ipAddr.getIPAddr(s, address, 0);
-- ipAddr.getIPAddr(netmask, address, numFilled);
-+ address = initAddress(true, s);
-+ if (address.length == IPv4_LEN * 2)
-+ fillIPv4Address(netmask, address, address.length / 2);
-+ else
-+ fillIPv6Address(netmask, address, address.length / 2);
- }
-
- /**
-@@ -90,8 +90,7 @@ public class IPAddressName implements GeneralNameInterface {
- * @param mask a CIDR netmask
- */
- public IPAddressName(String s, CIDRNetmask mask) {
-- IPAddr ipAddr = initAddress(true, s);
-- int numFilled = ipAddr.getIPAddr(s, address, 0);
-+ address = initAddress(true, s);
- mask.write(ByteBuffer.wrap(
- address,
address.length / 2, address.length / 2));
- }
-@@ -103,17 +102,26 @@ public class IPAddressName implements GeneralNameInterface {
- * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x
- */
- public IPAddressName(String s) {
-- IPAddr ipAddr = initAddress(false, s);
-- ipAddr.getIPAddr(s, address, 0);
-+ initAddress(false, s);
- }
-
-- private IPAddr initAddress(boolean withNetmask, String s) {
-+ /**
-+ * Initialise and return a byte[] and write the IP address into it.
-+ * If withNetmask == true, the byte[] will be double the size,
-+ * with the latter half uninitialised.
-+ *
-+ * @return byte[] of length 4 or 16 if withNetmask == false,
-+ * or length 8 or 32 if withNetmask == true.
-+ */
-+ private static byte[] initAddress(boolean withNetmask, String s) {
- if (s.indexOf(':') != -1) {
-- address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
-- return IPv6;
-+ byte[] address = new byte[IPv6_LEN * (withNetmask ? 2 : 1)];
-+ fillIPv6Address(s, address, 0);
-+ return address;
- } else {
-- address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
-- return IPv4;
-+ byte[] address = new byte[IPv4_LEN * (withNetmask ? 2 : 1)];
-+ fillIPv4Address(s, address, 0);
-+ return address;
- }
- }
-
-@@ -173,19 +181,11 @@ public class IPAddressName implements GeneralNameInterface {
- return r.toString();
- }
- }
--}
--
--interface IPAddr {
-- public int getIPAddr(String s, byte[] address, int start);
--}
--
--class IPv4Addr implements IPAddr {
-- protected static final int IPv4_LEN = 4;
-
- /**
- * Gets an IP v4 address in the form n.n.n.n.
- */
-- public int getIPAddr(String s, byte[] address, int start) {
-+ public static int fillIPv4Address(String s, byte[] address, int start) {
- StringTokenizer st = new StringTokenizer(s, ".");
- int nt = st.countTokens();
- if (nt != IPv4_LEN)
-@@ -201,9 +201,7 @@ class IPv4Addr implements IPAddr {
- }
- return nt;
- }
--}
-
--class IPv6Addr implements IPAddr {
- /**
- * Gets an IP address in the forms as defined in RFC1884:
- *
    -@@ -212,7 +210,7 @@ class IPv6Addr implements IPAddr { - *
  • ...:n.n.n.n (with n.n.n.n at the end) - *
- */
-- public int getIPAddr(String s, byte[] address, int start) {
-+ public static int fillIPv6Address(String s, byte[] address, int start) {
- int lastcolon = -2;
- int end = start + 16;
- int idx = start;
-@@ -223,8 +221,7 @@ class IPv6Addr implements IPAddr {
- if (lastcolon == -1)
- throw new InvalidIPAddressException(s);
- end -= 4;
-- IPAddressName.IPv4.getIPAddr(
-- s.substring(lastcolon + 1), address, end);
-+ fillIPv4Address(s.substring(lastcolon + 1), address, end);
- }
- try {
- String s1 = s;
---
-1.8.3.1
-
-
-From c1aca1d718e9f3590bea9ee934d3dda25fa4ff74 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Wed, 7 Mar 2018 14:56:44 -0800
-Subject: [PATCH 10/20] Ticket #2950 Need ECC-specific Enrollment Profiles for
- standard conformance
-
-This patch adds ECC-specific enrollment profiles where the Key Usage Extension
-bits for SSL server and client certificates are notably different per RFC 6960:
-
- new file: base/ca/shared/conf/ECadminCert.profile
- new file: base/ca/shared/conf/ECserverCert.profile
- new file: base/ca/shared/conf/ECsubsystemCert.profile
- new file: base/ca/shared/profiles/ca/ECAdminCert.cfg
- new file: base/ca/shared/profiles/ca/caCMCECUserCert.cfg
- new file: base/ca/shared/profiles/ca/caCMCECserverCert.cfg
- new file: base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
- new file: base/ca/shared/profiles/ca/caECAdminCert.cfg
- new file: base/ca/shared/profiles/ca/caECAgentServerCert.cfg
- new file: base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
- new file: base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
- new file: base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
- new file: base/ca/shared/profiles/ca/caECServerCert.cfg
- new file: base/ca/shared/profiles/ca/caECSubsystemCert.cfg
- new file: base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
- new file: base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
- new file: base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
- new file:
base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
-
-In addition, some existing enrollment profiles are adjusted.
-And while in there, signing algorithms with SHA1, MD2, and MD5 are removed
-
-No attempt has been made for TPS enrollment profiles in this round.
-No attempt has been made for adding ECDH-appropriate profile.
-
-This patch addresses: https://pagure.io/dogtagpki/issue/2950
-
-Change-Id: I26e7f9888372acbab4fbd185883427ef030d5e8d
-(cherry picked from commit 27cf99efe1e52249f226db24ef28b0990a654dd5)
----
- base/ca/shared/conf/CS.cfg | 44 +++++++--
- base/ca/shared/conf/ECadminCert.profile | 39 ++++++++
- base/ca/shared/conf/ECserverCert.profile | 39 ++++++++
- base/ca/shared/conf/ECsubsystemCert.profile | 39 ++++++++
- base/ca/shared/conf/serverCert.profile | 2 +-
- base/ca/shared/conf/subsystemCert.profile | 8 +-
- base/ca/shared/profiles/ca/AdminCert.cfg | 4 +-
- base/ca/shared/profiles/ca/ECAdminCert.cfg | 86 ++++++++++++++++
- base/ca/shared/profiles/ca/caAdminCert.cfg | 6 +-
- base/ca/shared/profiles/ca/caAgentServerCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caCACert.cfg | 2 +-
- base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 86 ++++++++++++++++
- base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 90 +++++++++++++++++
- .../ca/shared/profiles/ca/caCMCECsubsystemCert.cfg | 86 ++++++++++++++++
- base/ca/shared/profiles/ca/caCMCUserCert.cfg | 10 +-
- .../shared/profiles/ca/caCMCauditSigningCert.cfg | 2 +-
- base/ca/shared/profiles/ca/caCMCcaCert.cfg | 2 +-
- base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 2 +-
- .../shared/profiles/ca/caCMCkraTransportCert.cfg | 2 +-
- base/ca/shared/profiles/ca/caCMCocspCert.cfg | 2 +-
- base/ca/shared/profiles/ca/caCMCserverCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 6 +-
- base/ca/shared/profiles/ca/caDirUserCert.cfg | 4 +-
- base/ca/shared/profiles/ca/caECAdminCert.cfg | 87 ++++++++++++++++
- base/ca/shared/profiles/ca/caECAgentServerCert.cfg | 85 ++++++++++++++++
-
base/ca/shared/profiles/ca/caECDirPinUserCert.cfg | 99 +++++++++++++++++++
- base/ca/shared/profiles/ca/caECDirUserCert.cfg | 20 ++--
- base/ca/shared/profiles/ca/caECDualCert.cfg | 4 +-
- .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 85 ++++++++++++++++
- base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 85 ++++++++++++++++
- .../profiles/ca/caECFullCMCUserSignedCert.cfg | 94 ++++++++++++++++++
- .../profiles/ca/caECInternalAuthServerCert.cfg | 109 +++++++++++++++++++++
- .../profiles/ca/caECInternalAuthSubsystemCert.cfg | 88 +++++++++++++++++
- base/ca/shared/profiles/ca/caECServerCert.cfg | 85 ++++++++++++++++
- .../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 84 ++++++++++++++++
- base/ca/shared/profiles/ca/caECSubsystemCert.cfg | 85 ++++++++++++++++
- base/ca/shared/profiles/ca/caECUserCert.cfg | 14 +--
- base/ca/shared/profiles/ca/caEncECUserCert.cfg | 4 +-
- .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 6 +-
- base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 6 +-
- .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 6 +-
- .../profiles/ca/caInternalAuthServerCert.cfg | 10 +-
- .../profiles/ca/caInternalAuthSubsystemCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caOCSPCert.cfg | 2 +-
- base/ca/shared/profiles/ca/caServerCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caSigningECUserCert.cfg | 4 +-
- base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caSubsystemCert.cfg | 10 +-
- base/ca/shared/profiles/ca/caUserCert.cfg | 4 +-
- 49 files changed, 1581 insertions(+), 106 deletions(-)
- create mode 100644 base/ca/shared/conf/ECadminCert.profile
- create mode 100644 base/ca/shared/conf/ECserverCert.profile
- create mode 100644 base/ca/shared/conf/ECsubsystemCert.profile
- create mode 100644 base/ca/shared/profiles/ca/ECAdminCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caCMCECUserCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caCMCECserverCert.cfg
- create mode 100644
base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECAdminCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECAgentServerCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECDirPinUserCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECServerCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg
- create mode 100644 base/ca/shared/profiles/ca/caECSubsystemCert.cfg
-
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 59de904..1d65835 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -233,8 +233,8 @@ ca.scep._004=## ca.scep.nickname=
- ca.scep._005=## ca.scep.tokenname=
- ca.scep._006=##
- ca.scep.enable=false
--ca.scep.hashAlgorithm=SHA1
--ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512
-+ca.scep.hashAlgorithm=SHA256
-+ca.scep.allowedHashAlgorithms=SHA256,SHA512
- ca.scep.encryptionAlgorithm=DES3
- ca.scep.allowedEncryptionAlgorithms=DES3
- ca.scep.nonceSizeLimit=16
-@@ -666,7 +666,7 @@ ca.notification.requestInQ.senderEmail=
- ca.ocsp_signing.cacertnickname=ocspSigningCert cert-[PKI_INSTANCE_NAME]
- ca.ocsp_signing.defaultSigningAlgorithm=SHA256withRSA
- ca.ocsp_signing.tokenname=internal
--ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withEC,SHA512withEC
-+ca.profiles.defaultSigningAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withEC,SHA512withEC
- ca.publish.createOwnDNEntry=false
- ca.publish.queue.enable=true
-
ca.publish.queue.maxNumberOfThreads=3
-@@ -975,7 +975,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
- oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
- oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
- os.userid=nobody
--profile.list=caCMCserverCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,caECDualCert,AdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caFullCMCUserSignedCert,caFullCMCSelfSignedCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caSigningECUserCert,caEncECUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
-+profile.list=caCMCserverCert,caCMCECserverCert,caCMCECsubsystemCert,caCMCsubsystemCert,caCMCauditSigningCert,caCMCcaCert,caCMCocspCert,caCMCkraTransportCert,caCMCkraStorageCert,caUserCert,caECUserCert,caUserSMIMEcapCert,caDualCert,caDirBasedDualCert,AdminCert,ECAdminCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caECServerCert,caSubsystemCert,caECSubsystemCert,caOtherCert,caCACert,caCMCcaCert,caCrossSignedCACert,caInstallCACert,caRACert,caOCSPCert,caStorageCert,caTransportCert,caDirPinUserCert,caECDirPinUserCert,caDirUserCert,caECDirUserCert,caAgentServerCert,caECAgentServerCert,caAgentFileSigning,caCMCUserCert,caCMCECUserCert,caFullCMCUserCert,caECFullCMCUserCert,caFullCMCUserSignedCert,caECFullCMCUserSignedCert,caFullCMCSelfSignedCert,caECFullCMCSelfSignedCert,caSimpleCMCUserCert,caECSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caECAdminCert,caInternalAuthServerCert,caECInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caECInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal,caTokenMSLoginEnrollment,caTokenUserSigningKeyRenewal,caTokenUserEncryptionKeyRenewal,caTokenUserAuthKeyRenewal,caJarSigningCert,caIPAserviceCert,caEncUserCert,caSigningUserCert,caTokenUserDelegateAuthKeyEnrollment,caTokenUserDelegateSigningKeyEnrollment
- profile.caUUIDdeviceCert.class_id=caEnrollImpl
- profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caUUIDdeviceCert.cfg
- profile.caManualRenewal.class_id=caEnrollImpl
-@@ -986,16 +986,22 @@ profile.caSSLClientSelfRenewal.class_id=caEnrollImpl
-
profile.caSSLClientSelfRenewal.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSSLClientSelfRenewal.cfg
- profile.AdminCert.class_id=caEnrollImpl
- profile.AdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/AdminCert.cfg
-+profile.ECAdminCert.class_id=caEnrollImpl
-+profile.ECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/ECAdminCert.cfg
- profile.DomainController.class_id=caEnrollImpl
- profile.DomainController.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/DomainController.cfg
- profile.caAgentFileSigning.class_id=caEnrollImpl
- profile.caAgentFileSigning.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentFileSigning.cfg
- profile.caAgentServerCert.class_id=caEnrollImpl
- profile.caAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAgentServerCert.cfg
-+profile.caECAgentServerCert.class_id=caEnrollImpl
-+profile.caECAgentServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECAgentServerCert.cfg
- profile.caRAserverCert.class_id=caEnrollImpl
- profile.caRAserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAserverCert.cfg
- profile.caCMCUserCert.class_id=caEnrollImpl
- profile.caCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCUserCert.cfg
-+profile.caCMCECUserCert.class_id=caEnrollImpl
-+profile.caCMCECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECUserCert.cfg
- profile.caCMCauditSigningCert.class_id=caEnrollImpl
- profile.caCMCauditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCauditSigningCert.cfg
- profile.caCMCcaCert.class_id=caEnrollImpl
-@@ -1008,8 +1014,12 @@ profile.caCMCocspCert.class_id=caEnrollImpl
- profile.caCMCocspCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCocspCert.cfg
- profile.caCMCserverCert.class_id=caEnrollImpl
-
profile.caCMCserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCserverCert.cfg
-+profile.caCMCECserverCert.class_id=caEnrollImpl
-+profile.caCMCECserverCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECserverCert.cfg
- profile.caCMCsubsystemCert.class_id=caEnrollImpl
- profile.caCMCsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCsubsystemCert.cfg
-+profile.caCMCECsubsystemCert.class_id=caEnrollImpl
-+profile.caCMCECsubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCMCECsubsystemCert.cfg
- profile.caCACert.class_id=caEnrollImpl
- profile.caCACert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caCACert.cfg
- profile.caInstallCACert.class_id=caEnrollImpl
-@@ -1020,32 +1030,42 @@ profile.caDirBasedDualCert.class_id=caEnrollImpl
- profile.caDirBasedDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirBasedDualCert.cfg
- profile.caDirPinUserCert.class_id=caEnrollImpl
- profile.caDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirPinUserCert.cfg
-+profile.caECDirPinUserCert.class_id=caEnrollImpl
-+profile.caECDirPinUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirPinUserCert.cfg
- profile.caDirUserCert.class_id=caEnrollImpl
- profile.caDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDirUserCert.cfg
- profile.caECDirUserCert.class_id=caEnrollImpl
- profile.caECDirUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDirUserCert.cfg
- profile.caDualCert.class_id=caEnrollImpl
- profile.caDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualCert.cfg
--profile.caECDualCert.class_id=caEnrollImpl
--profile.caECDualCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECDualCert.cfg
- profile.caDualRAuserCert.class_id=caEnrollImpl
-
profile.caDualRAuserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caDualRAuserCert.cfg
- profile.caRAagentCert.class_id=caEnrollImpl
- profile.caRAagentCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRAagentCert.cfg
- profile.caFullCMCUserCert.class_id=caEnrollImpl
- profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserCert.cfg
-+profile.caECFullCMCUserCert.class_id=caEnrollImpl
-+profile.caECFullCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserCert.cfg
- profile.caFullCMCUserSignedCert.class_id=caEnrollImpl
- profile.caFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCUserSignedCert.cfg
-+profile.caECFullCMCUserSignedCert.class_id=caEnrollImpl
-+profile.caECFullCMCUserSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCUserSignedCert.cfg
- profile.caFullCMCSelfSignedCert.class_id=caEnrollImpl
- profile.caFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caFullCMCSelfSignedCert.cfg
-+profile.caECFullCMCSelfSignedCert.class_id=caEnrollImpl
-+profile.caECFullCMCSelfSignedCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECFullCMCSelfSignedCert.cfg
- profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
- profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthOCSPCert.cfg
- profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
- profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthAuditSigningCert.cfg
- profile.caInternalAuthServerCert.class_id=caEnrollImpl
- profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthServerCert.cfg
-+profile.caECInternalAuthServerCert.class_id=caEnrollImpl
-+profile.caECInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthServerCert.cfg
- profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
- profile.caInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthSubsystemCert.cfg
-+profile.caECInternalAuthSubsystemCert.class_id=caEnrollImpl
-+profile.caECInternalAuthSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECInternalAuthSubsystemCert.cfg
- profile.caInternalAuthDRMstorageCert.class_id=caEnrollImpl
- profile.caInternalAuthDRMstorageCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caInternalAuthDRMstorageCert.cfg
- profile.caInternalAuthTransportCert.class_id=caEnrollImpl
-@@ -1062,20 +1082,26 @@ profile.caRouterCert.class_id=caEnrollImpl
- profile.caRouterCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caRouterCert.cfg
- profile.caServerCert.class_id=caEnrollImpl
- profile.caServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caServerCert.cfg
-+profile.caECServerCert.class_id=caEnrollImpl
-+profile.caECServerCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECServerCert.cfg
- profile.caSignedLogCert.class_id=caEnrollImpl
- profile.caSignedLogCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSignedLogCert.cfg
--profile.caSigningECUserCert.class_id=caEnrollImpl
--profile.caSigningECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningECUserCert.cfg
- profile.caSigningUserCert.class_id=caEnrollImpl
- profile.caSigningUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSigningUserCert.cfg
- profile.caSimpleCMCUserCert.class_id=caEnrollImpl
- profile.caSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSimpleCMCUserCert.cfg
-+profile.caECSimpleCMCUserCert.class_id=caEnrollImpl
-+profile.caECSimpleCMCUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSimpleCMCUserCert.cfg
- profile.caSubsystemCert.class_id=caEnrollImpl
- profile.caSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caSubsystemCert.cfg
-+profile.caECSubsystemCert.class_id=caEnrollImpl
-+profile.caECSubsystemCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caECSubsystemCert.cfg
- profile.caTPSCert.class_id=caEnrollImpl
- profile.caTPSCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTPSCert.cfg
- profile.caAdminCert.class_id=caEnrollImpl
- profile.caAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
-+profile.caECAdminCert.class_id=caEnrollImpl
-+profile.caECAdminCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caAdminCert.cfg
- profile.caTempTokenDeviceKeyEnrollment.class_id=caUserCertEnrollImpl
- profile.caTempTokenDeviceKeyEnrollment.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caTempTokenDeviceKeyEnrollment.cfg
- profile.caTempTokenUserEncryptionKeyEnrollment.class_id=caUserCertEnrollImpl
-@@ -1116,8 +1142,6 @@ profile.caIPAserviceCert.class_id=caEnrollImpl
- profile.caIPAserviceCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caIPAserviceCert.cfg
- profile.caEncUserCert.class_id=caEnrollImpl
- profile.caEncUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncUserCert.cfg
--profile.caEncECUserCert.class_id=caEnrollImpl
--profile.caEncECUserCert.config=[PKI_INSTANCE_PATH]/[PKI_SUBSYSTEM_TYPE]/profiles/ca/caEncECUserCert.cfg
- registry.file=[PKI_INSTANCE_PATH]/conf/[PKI_SUBSYSTEM_TYPE]/registry.cfg
- processor.caProfileProcess.getClientCert=true
- processor.caProfileProcess.authzMgr=BasicAclAuthz
-diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile
-new file mode 100644
-index 0000000..46d157a
---- /dev/null
-+++
b/base/ca/shared/conf/ECadminCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# Admin Certificate
-+#
-+id=adminCert.profile
-+name=All Purpose admin cert with ECC keys Profile
-+description=This profile creates an administrator's certificate with ECC keys
-+profileIDMapping=caAdminCert
-+profileSetIDMapping=adminCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=true
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=false
-+6.default.params.keyUsageKeyAgreement=true
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
-new file mode 100644
-index 0000000..8c679f7
---- /dev/null
-+++
b/base/ca/shared/conf/ECserverCert.profile
-@@ -0,0 +1,39 @@
-+#
-+# ECC Server Certificate
-+#
-+id=serverCert.profile
-+name=All Purpose SSL server cert with ECC keys Profile
-+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
-+profileIDMapping=caECServerCert
-+profileSetIDMapping=serverCertSet
-+list=2,4,5,6,7
-+2.default.class=com.netscape.cms.profile.def.ValidityDefault
-+2.default.name=Validity Default
-+2.default.params.range=720
-+2.default.params.startTime=0
-+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
-+4.default.name=Authority Key Identifier Default
-+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
-+5.default.name=AIA Extension Default
-+5.default.params.authInfoAccessADEnable_0=true
-+5.default.params.authInfoAccessADLocationType_0=URIName
-+5.default.params.authInfoAccessADLocation_0=
-+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+5.default.params.authInfoAccessCritical=false
-+5.default.params.authInfoAccessNumADs=1
-+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
-+6.default.name=Key Usage Default
-+6.default.params.keyUsageCritical=true
-+6.default.params.keyUsageDigitalSignature=true
-+6.default.params.keyUsageNonRepudiation=false
-+6.default.params.keyUsageDataEncipherment=true
-+6.default.params.keyUsageKeyEncipherment=false
-+6.default.params.keyUsageKeyAgreement=true
-+6.default.params.keyUsageKeyCertSign=false
-+6.default.params.keyUsageCrlSign=false
-+6.default.params.keyUsageEncipherOnly=false
-+6.default.params.keyUsageDecipherOnly=false
-+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
-+7.default.name=Extended Key Usage Extension Default
-+7.default.params.exKeyUsageCritical=false
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
-diff --git a/base/ca/shared/conf/ECsubsystemCert.profile b/base/ca/shared/conf/ECsubsystemCert.profile
-new file mode 100644
-index
0000000..d11dabb ---- /dev/null -+++ b/base/ca/shared/conf/ECsubsystemCert.profile -@@ -0,0 +1,39 @@ -+# -+# ECC Subsystem Certificate -+# -+id=subsystemCert.profile -+name=Subsystem cert with ECC keys Profile -+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients -+profileIDMapping=caECSubsystemCert -+profileSetIDMapping=serverCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=false -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=false -+6.default.params.keyUsageKeyAgreement=true -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default -+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile -index 
8b436b2..3674cbc 100644 ---- a/base/ca/shared/conf/serverCert.profile -+++ b/base/ca/shared/conf/serverCert.profile -@@ -25,7 +25,7 @@ list=2,4,5,6,7 - 6.default.name=Key Usage Default - 6.default.params.keyUsageCritical=true - 6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=true -+6.default.params.keyUsageNonRepudiation=false - 6.default.params.keyUsageDataEncipherment=true - 6.default.params.keyUsageKeyEncipherment=true - 6.default.params.keyUsageKeyAgreement=false -diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile -index a8f08e4..fa8f84e 100644 ---- a/base/ca/shared/conf/subsystemCert.profile -+++ b/base/ca/shared/conf/subsystemCert.profile -@@ -1,10 +1,10 @@ - # --# Server Certificate -+# Subsystem Certificate - # - id=subsystemCert.profile - name=All Purpose SSL server cert Profile --description=This profile creates an SSL server certificate that is valid for SSL servers --profileIDMapping=caServerCert -+description=This profile creates a subsystem certificate that is valid for SSL client -+profileIDMapping=caSubsystemCert - profileSetIDMapping=serverCertSet - list=2,4,5,6,7 - 2.default.class=com.netscape.cms.profile.def.ValidityDefault -@@ -36,4 +36,4 @@ list=2,4,5,6,7 - 7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault - 7.default.name=Extended Key Usage Extension Default - 7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -diff --git a/base/ca/shared/profiles/ca/AdminCert.cfg b/base/ca/shared/profiles/ca/AdminCert.cfg -index 292beb4..7879614 100644 ---- a/base/ca/shared/profiles/ca/AdminCert.cfg -+++ b/base/ca/shared/profiles/ca/AdminCert.cfg -@@ -30,8 +30,8 @@ policyset.adminCertSet.2.default.params.range=365 - policyset.adminCertSet.2.default.params.startTime=0 - policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl - 
policyset.adminCertSet.3.constraint.name=Key Constraint --policyset.adminCertSet.3.constraint.params.keyType=- --policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.adminCertSet.3.constraint.params.keyType=RSA -+policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl - policyset.adminCertSet.3.default.name=Key Default - policyset.adminCertSet.4.constraint.class_id=noConstraintImpl -diff --git a/base/ca/shared/profiles/ca/ECAdminCert.cfg b/base/ca/shared/profiles/ca/ECAdminCert.cfg -new file mode 100644 -index 0000000..e00022e ---- /dev/null -+++ b/base/ca/shared/profiles/ca/ECAdminCert.cfg -@@ -0,0 +1,86 @@ -+desc=This certificate profile is for enrolling Administrator's certificates with ECC keys suitable for use by clients such as browsers. -+visible=true -+enable=true -+enableBy=admin -+auth.instance_id= -+name=Manual Administrator Certificate Enrollment with ECC keys -+input.list=i1,i2,i3 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+input.i3.class_id=subjectDNInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=adminCertSet -+policyset.adminCertSet.list=1,2,3,4,5,6,7,8 -+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.adminCertSet.1.constraint.name=Subject Name Constraint -+policyset.adminCertSet.1.constraint.params.pattern=.* -+policyset.adminCertSet.1.constraint.params.accept=true -+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.adminCertSet.1.default.name=Subject Name Default -+policyset.adminCertSet.1.default.params.name= -+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.adminCertSet.2.constraint.name=Validity Constraint -+policyset.adminCertSet.2.constraint.params.range=365 -+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false 
-+policyset.adminCertSet.2.constraint.params.notAfterCheck=false -+policyset.adminCertSet.2.default.class_id=validityDefaultImpl -+policyset.adminCertSet.2.default.name=Validity Default -+policyset.adminCertSet.2.default.params.range=365 -+policyset.adminCertSet.2.default.params.startTime=0 -+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.adminCertSet.3.constraint.name=Key Constraint -+policyset.adminCertSet.3.constraint.params.keyType=- -+policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.adminCertSet.3.default.name=Key Default -+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.4.constraint.name=No Constraint -+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.adminCertSet.4.default.name=Authority Key Identifier Default -+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.5.constraint.name=No Constraint -+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.adminCertSet.5.default.name=AIA Extension Default -+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false -+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true -+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true 
-+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.adminCertSet.6.default.name=Key Usage Default -+policyset.adminCertSet.6.default.params.keyUsageCritical=true -+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false -+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.7.constraint.name=No Constraint -+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false -+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.adminCertSet.8.constraint.name=No Constraint 
-+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.adminCertSet.8.default.name=Signing Alg -+policyset.adminCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caAdminCert.cfg b/base/ca/shared/profiles/ca/caAdminCert.cfg -index 6eb784b..86a3b11 100644 ---- a/base/ca/shared/profiles/ca/caAdminCert.cfg -+++ b/base/ca/shared/profiles/ca/caAdminCert.cfg -@@ -31,8 +31,8 @@ policyset.adminCertSet.2.default.params.range=365 - policyset.adminCertSet.2.default.params.startTime=0 - policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl - policyset.adminCertSet.3.constraint.name=Key Constraint --policyset.adminCertSet.3.constraint.params.keyType=- --policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.adminCertSet.3.constraint.params.keyType=RSA -+policyset.adminCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl - policyset.adminCertSet.3.default.name=Key Default - policyset.adminCertSet.4.constraint.class_id=noConstraintImpl -@@ -81,7 +81,7 @@ policyset.adminCertSet.7.default.params.exKeyUsageCritical=false - policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.adminCertSet.8.constraint.name=No Constraint --policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA1withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA256withEC,SHA1withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl - 
policyset.adminCertSet.8.default.name=Signing Alg - policyset.adminCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg -index 924046d..c4d109f 100644 ---- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg -+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg -@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=180 - policyset.serverCertSet.2.default.params.startTime=0 - policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl - policyset.serverCertSet.3.constraint.name=Key Constraint --policyset.serverCertSet.3.constraint.params.keyType=- --policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.constraint.params.keyType=RSA -+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl - policyset.serverCertSet.3.default.name=Key Default - policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.serverCertSet.6.constraint.params.keyUsageCritical=true - policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true - policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false -@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.serverCertSet.6.default.name=Key Usage Default - policyset.serverCertSet.6.default.params.keyUsageCritical=true - 
policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false -@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCACert.cfg b/base/ca/shared/profiles/ca/caCACert.cfg -index 2f898b8..e4f491d 100644 ---- a/base/ca/shared/profiles/ca/caCACert.cfg -+++ b/base/ca/shared/profiles/ca/caCACert.cfg -@@ -79,7 +79,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default - policyset.caCertSet.8.default.params.critical=false - policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.caCertSet.9.constraint.name=No Constraint --policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.caCertSet.9.default.name=Signing Alg - policyset.caCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -new file mode 100644 -index 0000000..5185891 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -@@ -0,0 +1,86 @@ -+desc=This certificate profile is for enrolling user certificates with ECC keys by using the CMC certificate request with CMC Signature authentication. -+visible=true -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment -+input.list=i1,i2 -+input.i1.class_id=cmcCertReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=cmcUserCertSet -+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -+policyset.cmcUserCertSet.1.constraint.params.pattern=.* -+policyset.cmcUserCertSet.1.constraint.params.accept=true -+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.name=Subject Name Default -+policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint -+policyset.cmcUserCertSet.2.constraint.params.range=365 -+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false -+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false -+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl 
-+policyset.cmcUserCertSet.2.default.name=Validity Default -+policyset.cmcUserCertSet.2.default.params.range=180 -+policyset.cmcUserCertSet.2.default.params.startTime=0 -+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.cmcUserCertSet.3.constraint.name=Key Constraint -+policyset.cmcUserCertSet.3.constraint.params.keyType=EC -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 -+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.cmcUserCertSet.3.default.name=Key Default -+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.4.constraint.name=No Constraint -+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default -+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.5.constraint.name=No Constraint -+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.cmcUserCertSet.5.default.name=AIA Extension Default -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false -+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true 
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.cmcUserCertSet.6.default.name=Key Usage Default -+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.7.constraint.name=No Constraint -+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false -+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.cmcUserCertSet.8.constraint.name=No Constraint 
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.cmcUserCertSet.8.default.name=Signing Alg -+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg -new file mode 100644 -index 0000000..158d9fe ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg -@@ -0,0 +1,90 @@ -+desc=This certificate profile is for enrolling server certificates with ECC keys using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Server Certificate wth ECC keys Enrollment using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=serverCertSet -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9 -+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.serverCertSet.1.constraint.name=Subject Name Constraint -+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* -+policyset.serverCertSet.1.constraint.params.accept=true -+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.serverCertSet.1.default.name=Subject Name Default -+policyset.serverCertSet.1.default.params.name= -+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.serverCertSet.2.constraint.name=Validity Constraint -+policyset.serverCertSet.2.constraint.params.range=720 -+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false -+policyset.serverCertSet.2.constraint.params.notAfterCheck=false -+policyset.serverCertSet.2.default.class_id=validityDefaultImpl -+policyset.serverCertSet.2.default.name=Validity Default 
-+policyset.serverCertSet.2.default.params.range=720 -+policyset.serverCertSet.2.default.params.startTime=0 -+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=EC -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.serverCertSet.4.default.name=Authority Key Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true 
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.9.constraint.name=No Constraint -+policyset.serverCertSet.9.default.class_id=commonNameToSANDefaultImpl -+policyset.serverCertSet.9.default.name=copy CN to SAN Default -diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg -new file mode 100644 -index 0000000..f755243 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg -@@ -0,0 +1,86 @@ -+desc=This certificate profile is for enrolling subsystem certificates with ECC keys using CMC. -+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" -+name=Subsystem Certificate Enrollment with ECC keys using CMC -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=serverCertSet -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8 -+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.serverCertSet.1.constraint.name=Subject Name Constraint -+policyset.serverCertSet.1.constraint.params.pattern=CN=.* -+policyset.serverCertSet.1.constraint.params.accept=true -+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.serverCertSet.1.default.name=Subject Name Default -+policyset.serverCertSet.1.default.params.name= -+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.serverCertSet.2.constraint.name=Validity Constraint -+policyset.serverCertSet.2.constraint.params.range=720 -+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false -+policyset.serverCertSet.2.constraint.params.notAfterCheck=false 
-+policyset.serverCertSet.2.default.class_id=validityDefaultImpl -+policyset.serverCertSet.2.default.name=Validity Default -+policyset.serverCertSet.2.default.params.range=720 -+policyset.serverCertSet.2.default.params.startTime=0 -+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=EC -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.serverCertSet.4.default.name=Authority Key Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false 
-+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint 
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg -index 7ff1329..fe2a8b3 100644 ---- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg -@@ -30,8 +30,8 @@ policyset.cmcUserCertSet.2.default.params.range=180 - policyset.cmcUserCertSet.2.default.params.startTime=0 - policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl - policyset.cmcUserCertSet.3.constraint.name=Key Constraint --policyset.cmcUserCertSet.3.constraint.params.keyType=- --policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 -+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl - policyset.cmcUserCertSet.3.default.name=Key Default - policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -@@ -53,7 +53,7 @@ policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true --policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=true - policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=false - policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -@@ -65,7 
+65,7 @@ policyset.cmcUserCertSet.6.default.name=Key Usage Default - policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true - policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true --policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true - policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=true - policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=false - policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -@@ -80,7 +80,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false - policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.cmcUserCertSet.8.constraint.name=No Constraint --policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.cmcUserCertSet.8.default.name=Signing Alg - policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -index ed5a1b2..967d6ef 100644 ---- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false - policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false - 
policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.auditSigningCertSet.9.constraint.name=No Constraint --policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.auditSigningCertSet.9.default.name=Signing Alg - policyset.auditSigningCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -index 9c95182..49a356d 100644 ---- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -@@ -78,7 +78,7 @@ policyset.caCertSet.8.default.name=Subject Key Identifier Extension Default - policyset.caCertSet.8.default.params.critical=false - policyset.caCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.caCertSet.9.constraint.name=No Constraint --policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.caCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.caCertSet.9.default.name=Signing Alg - policyset.caCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -index 259430b..bbe733a 100644 ---- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -@@ -80,7 +80,7 @@ 
policyset.drmStorageCertSet.7.default.params.exKeyUsageCritical=false - policyset.drmStorageCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.drmStorageCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.drmStorageCertSet.9.constraint.name=No Constraint --policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.drmStorageCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.drmStorageCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.drmStorageCertSet.9.default.name=Signing Alg - policyset.drmStorageCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -index ec54f9c..60b19bf 100644 ---- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -@@ -80,7 +80,7 @@ policyset.transportCertSet.7.default.params.exKeyUsageCritical=false - policyset.transportCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.transportCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.transportCertSet.8.constraint.name=No Constraint --policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.transportCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.transportCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.transportCertSet.8.default.name=Signing Alg - policyset.transportCertSet.8.default.params.signingAlg=- -diff --git 
a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -index 8afbd46..cd60562 100644 ---- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -@@ -65,7 +65,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension - policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false - policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.ocspCertSet.9.constraint.name=No Constraint --policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.ocspCertSet.9.default.name=Signing Alg - policyset.ocspCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg -index 8215d65..89bbbea 100644 ---- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg -@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720 - policyset.serverCertSet.2.default.params.startTime=0 - policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl - policyset.serverCertSet.3.constraint.name=Key Constraint --policyset.serverCertSet.3.constraint.params.keyType=- --policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.constraint.params.keyType=RSA -+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl - policyset.serverCertSet.3.default.name=Key Default - policyset.serverCertSet.4.constraint.class_id=noConstraintImpl 
-@@ -52,7 +52,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl - policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.serverCertSet.6.constraint.params.keyUsageCritical=true - policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true - policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false -@@ -64,7 +64,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl - policyset.serverCertSet.6.default.name=Key Usage Default - policyset.serverCertSet.6.default.params.keyUsageCritical=true - policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true --policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false - policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true - policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false -@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - 
policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -index f473f98..4a922fc 100644 ---- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -@@ -30,8 +30,8 @@ policyset.serverCertSet.2.default.params.range=720 - policyset.serverCertSet.2.default.params.startTime=0 - policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl - policyset.serverCertSet.3.constraint.name=Key Constraint --policyset.serverCertSet.3.constraint.params.keyType=- --policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.constraint.params.keyType=RSA -+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl - policyset.serverCertSet.3.default.name=Key Default - policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -@@ -80,7 +80,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false - policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 - policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.serverCertSet.8.constraint.name=No Constraint --policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.serverCertSet.8.default.name=Signing Alg - policyset.serverCertSet.8.default.params.signingAlg=- -diff --git 
a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg -index b447297..f12c7ed 100644 ---- a/base/ca/shared/profiles/ca/caDirUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg -@@ -34,8 +34,8 @@ policyset.userCertSet.2.default.params.range=180 - policyset.userCertSet.2.default.params.startTime=0 - policyset.userCertSet.3.constraint.class_id=keyConstraintImpl - policyset.userCertSet.3.constraint.name=Key Constraint --policyset.userCertSet.3.constraint.params.keyType=- --policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521 -+policyset.userCertSet.3.constraint.params.keyType=EC -+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.userCertSet.3.default.class_id=userKeyDefaultImpl - policyset.userCertSet.3.default.name=Key Default - policyset.userCertSet.4.constraint.class_id=noConstraintImpl -diff --git a/base/ca/shared/profiles/ca/caECAdminCert.cfg b/base/ca/shared/profiles/ca/caECAdminCert.cfg -new file mode 100644 -index 0000000..d57bae1 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECAdminCert.cfg -@@ -0,0 +1,87 @@ -+desc=This certificate profile is for enrolling Security Domain administrator's certificates with ECC keys using LDAP authentication against the internal LDAP database. 
-+visible=false -+enable=true -+enableBy=admin -+auth.instance_id=TokenAuth -+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" -+name=Security Domain Administrator Certificate Enrollment with ECC keys -+input.list=i1,i2,i3 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+input.i3.class_id=subjectDNInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=adminCertSet -+policyset.adminCertSet.list=1,2,3,4,5,6,7,8 -+policyset.adminCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.adminCertSet.1.constraint.name=Subject Name Constraint -+policyset.adminCertSet.1.constraint.params.pattern=.* -+policyset.adminCertSet.1.constraint.params.accept=true -+policyset.adminCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.adminCertSet.1.default.name=Subject Name Default -+policyset.adminCertSet.1.default.params.name= -+policyset.adminCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.adminCertSet.2.constraint.name=Validity Constraint -+policyset.adminCertSet.2.constraint.params.range=365 -+policyset.adminCertSet.2.constraint.params.notBeforeCheck=false -+policyset.adminCertSet.2.constraint.params.notAfterCheck=false -+policyset.adminCertSet.2.default.class_id=validityDefaultImpl -+policyset.adminCertSet.2.default.name=Validity Default -+policyset.adminCertSet.2.default.params.range=365 -+policyset.adminCertSet.2.default.params.startTime=0 -+policyset.adminCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.adminCertSet.3.constraint.name=Key Constraint -+policyset.adminCertSet.3.constraint.params.keyType=- -+policyset.adminCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.adminCertSet.3.default.class_id=userKeyDefaultImpl 
-+policyset.adminCertSet.3.default.name=Key Default -+policyset.adminCertSet.4.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.4.constraint.name=No Constraint -+policyset.adminCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.adminCertSet.4.default.name=Authority Key Identifier Default -+policyset.adminCertSet.5.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.5.constraint.name=No Constraint -+policyset.adminCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.adminCertSet.5.default.name=AIA Extension Default -+policyset.adminCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.adminCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.adminCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.adminCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.adminCertSet.5.default.params.authInfoAccessCritical=false -+policyset.adminCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.adminCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.adminCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.adminCertSet.6.constraint.params.keyUsageCritical=true -+policyset.adminCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.adminCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.adminCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.adminCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.adminCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.adminCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.adminCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.adminCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.adminCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.adminCertSet.6.default.class_id=keyUsageExtDefaultImpl 
-+policyset.adminCertSet.6.default.name=Key Usage Default -+policyset.adminCertSet.6.default.params.keyUsageCritical=true -+policyset.adminCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.adminCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.adminCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.adminCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.adminCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.adminCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.adminCertSet.6.default.params.keyUsageCrlSign=false -+policyset.adminCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.adminCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.adminCertSet.7.constraint.class_id=noConstraintImpl -+policyset.adminCertSet.7.constraint.name=No Constraint -+policyset.adminCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.adminCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.adminCertSet.7.default.params.exKeyUsageCritical=false -+policyset.adminCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.adminCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.adminCertSet.8.constraint.name=No Constraint -+policyset.adminCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.adminCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.adminCertSet.8.default.name=Signing Alg -+policyset.adminCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg -new file mode 100644 -index 0000000..c56b6de ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg -@@ -0,0 +1,85 @@ -+desc=This certificate profile is for enrolling server certificates with ECC keys using agent authentication. 
-+visible=true -+enable=true -+enableBy=admin -+auth.instance_id=AgentCertAuth -+name=Agent-Authenticated Server Certificate Enrollment with ECC keys -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=serverCertSet -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8 -+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.serverCertSet.1.constraint.name=Subject Name Constraint -+policyset.serverCertSet.1.constraint.params.pattern=CN=.* -+policyset.serverCertSet.1.constraint.params.accept=true -+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.serverCertSet.1.default.name=Subject Name Default -+policyset.serverCertSet.1.default.params.name= -+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.serverCertSet.2.constraint.name=Validity Constraint -+policyset.serverCertSet.2.constraint.params.range=365 -+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false -+policyset.serverCertSet.2.constraint.params.notAfterCheck=false -+policyset.serverCertSet.2.default.class_id=validityDefaultImpl -+policyset.serverCertSet.2.default.name=Validity Default -+policyset.serverCertSet.2.default.params.range=180 -+policyset.serverCertSet.2.default.params.startTime=0 -+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=- -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl 
-+policyset.serverCertSet.4.default.name=Authority Key Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false 
-+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg -new file mode 100644 -index 0000000..4143102 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECDirPinUserCert.cfg -@@ -0,0 +1,99 @@ -+desc=This certificate profile is for enrolling user ECC certificates with directory-pin-based authentication. 
-+visible=true -+enable=false -+enableBy=admin -+name=Directory-Pin-Authenticated User Dual-Use ECC Certificate Enrollment -+auth.instance_id=PinDirEnrollment -+input.list=i1 -+input.i1.class_id=keyGenInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=userCertSet -+policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9 -+policyset.userCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.userCertSet.1.constraint.name=Subject Name Constraint -+policyset.userCertSet.1.constraint.params.pattern=(UID|CN)=.* -+policyset.userCertSet.1.constraint.params.accept=true -+policyset.userCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl -+policyset.userCertSet.1.default.name=Subject Name Default -+policyset.userCertSet.1.default.params.name= -+policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl -+policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint -+policyset.userCertSet.10.constraint.params.renewal.graceBefore=30 -+policyset.userCertSet.10.constraint.params.renewal.graceAfter=30 -+policyset.userCertSet.10.default.class_id=noDefaultImpl -+policyset.userCertSet.10.default.name=No Default -+policyset.userCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.userCertSet.2.constraint.name=Validity Constraint -+policyset.userCertSet.2.constraint.params.range=365 -+policyset.userCertSet.2.constraint.params.notBeforeCheck=false -+policyset.userCertSet.2.constraint.params.notAfterCheck=false -+policyset.userCertSet.2.default.class_id=validityDefaultImpl -+policyset.userCertSet.2.default.name=Validity Default -+policyset.userCertSet.2.default.params.range=180 -+policyset.userCertSet.2.default.params.startTime=0 -+policyset.userCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.userCertSet.3.constraint.name=Key Constraint -+policyset.userCertSet.3.constraint.params.keyType=- -+policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 
-+policyset.userCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.userCertSet.3.default.name=Key Default -+policyset.userCertSet.4.constraint.class_id=noConstraintImpl -+policyset.userCertSet.4.constraint.name=No Constraint -+policyset.userCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.userCertSet.4.default.name=Authority Key Identifier Default -+policyset.userCertSet.5.constraint.class_id=noConstraintImpl -+policyset.userCertSet.5.constraint.name=No Constraint -+policyset.userCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.userCertSet.5.default.name=AIA Extension Default -+policyset.userCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.userCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.userCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.userCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.userCertSet.5.default.params.authInfoAccessCritical=false -+policyset.userCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.userCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.userCertSet.6.constraint.params.keyUsageCritical=true -+policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.userCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.userCertSet.6.default.class_id=keyUsageExtDefaultImpl 
-+policyset.userCertSet.6.default.name=Key Usage Default -+policyset.userCertSet.6.default.params.keyUsageCritical=true -+policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.userCertSet.6.default.params.keyUsageCrlSign=false -+policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.userCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.userCertSet.7.constraint.class_id=noConstraintImpl -+policyset.userCertSet.7.constraint.name=No Constraint -+policyset.userCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.userCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.userCertSet.7.default.params.exKeyUsageCritical=false -+policyset.userCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.userCertSet.8.constraint.class_id=noConstraintImpl -+policyset.userCertSet.8.constraint.name=No Constraint -+policyset.userCertSet.8.default.class_id=subjectAltNameExtDefaultImpl -+policyset.userCertSet.8.default.name=Subject Alt Name Constraint -+policyset.userCertSet.8.default.params.subjAltNameExtCritical=false -+policyset.userCertSet.8.default.params.subjAltExtType_0=RFC822Name -+policyset.userCertSet.8.default.params.subjAltExtPattern_0=$request.requestor_email$ -+policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true -+policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 -+policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl -+policyset.userCertSet.9.constraint.name=No Constraint 
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
-+policyset.userCertSet.9.default.name=Signing Alg
-+policyset.userCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-index c692bcf..0663b40 100644
---- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
-@@ -1,8 +1,8 @@
--desc=This certificate profile is for enrolling user certificates with directory-based authentication.
-+desc=This certificate profile is for enrolling user ECC certificates with directory-based authentication.
- visible=true
- enable=true
- enableBy=admin
--name=Directory-Authenticated User Dual-Use ECC Certificate Enrollment
-+name=Directory-Authenticated User ECC Certificate Enrollment
- auth.instance_id=UserDirEnrollment
- input.list=i1
- input.i1.class_id=keyGenInputImpl
-@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
- policyset.userCertSet.2.default.params.startTime=0
- policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.userCertSet.3.constraint.name=Key Constraint
--policyset.userCertSet.3.constraint.params.keyType=EC
-+policyset.userCertSet.3.constraint.params.keyType=-
- policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
- policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.userCertSet.3.default.name=Key Default
-@@ -57,9 +57,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.userCertSet.6.constraint.params.keyUsageCritical=true
- policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false
--policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true
--policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false
-+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false
-+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true
- policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false
- policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false
- policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false
-@@ -69,9 +69,9 @@ policyset.userCertSet.6.default.name=Key Usage Default
- policyset.userCertSet.6.default.params.keyUsageCritical=true
- policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true
--policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false
--policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true
--policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false
-+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true
- policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false
- policyset.userCertSet.6.default.params.keyUsageCrlSign=false
- policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false
-@@ -93,7 +93,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.userCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.userCertSet.9.constraint.name=No Constraint
--policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.userCertSet.9.default.name=Signing Alg
- policyset.userCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECDualCert.cfg b/base/ca/shared/profiles/ca/caECDualCert.cfg
-index 1a51dc6..0a56caf 100644
---- a/base/ca/shared/profiles/ca/caECDualCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECDualCert.cfg
-@@ -1,6 +1,6 @@
- desc=This certificate profile is for enrolling dual user ECC certificates. It works only with Netscape 7.0 or later.
- visible=false
--enable=true
-+enable=false
- enableBy=admin
- name=Manual User Signing & Encryption ECC Certificates Enrollment
- auth.class_id=
-@@ -89,7 +89,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.encryptionCertSet.9.constraint.name=No Constraint
--policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.encryptionCertSet.9.default.name=Signing Alg
- policyset.encryptionCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-new file mode 100644
-index 0000000..816a1f8
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg
-@@ -0,0 +1,85 @@
-+desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request
-+enable=true
-+enableBy=admin
-+name=Self-Signed CMC User Certificate Enrollment
-+visible=false
-+auth.instance_id=CMCUserSignedAuth
-+input.list=i1,i2
-+input.i1.class_id=cmcCertReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=cmcUserCertSet
-+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
-+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
-+policyset.cmcUserCertSet.1.constraint.params.accept=true
-+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
-+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.cmcUserCertSet.1.default.name=Subject Name Default
-+policyset.cmcUserCertSet.1.default.params.name=
-+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
-+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.range=365
-+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
-+policyset.cmcUserCertSet.2.default.name=Validity Default
-+policyset.cmcUserCertSet.2.default.params.range=180
-+policyset.cmcUserCertSet.2.default.params.startTime=0
-+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
-+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
-+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.cmcUserCertSet.3.default.name=Key Default
-+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.4.constraint.name=No Constraint
-+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
-+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.5.constraint.name=No Constraint
-+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.6.default.name=Key Usage Default
-+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.7.constraint.name=No Constraint
-+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.cmcUserCertSet.8.constraint.name=No Constraint
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.cmcUserCertSet.8.default.name=Signing Alg
-+policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
-new file mode 100644
-index 0000000..0116053
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg
-@@ -0,0 +1,85 @@
-+desc=This certificate profile is for enrolling user certificates by using the agent-signed CMC certificate request with CMC Signature authentication.
-+enable=true
-+enableBy=admin
-+name=Agent-Signed CMC-Authenticated User Certificate Enrollment
-+visible=false
-+auth.instance_id=CMCAuth
-+input.list=i1,i2
-+input.i1.class_id=cmcCertReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=cmcUserCertSet
-+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8
-+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint
-+policyset.cmcUserCertSet.1.constraint.params.accept=true
-+policyset.cmcUserCertSet.1.constraint.params.pattern=.*
-+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.cmcUserCertSet.1.default.name=Subject Name Default
-+policyset.cmcUserCertSet.1.default.params.name=
-+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
-+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.range=365
-+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
-+policyset.cmcUserCertSet.2.default.name=Validity Default
-+policyset.cmcUserCertSet.2.default.params.range=180
-+policyset.cmcUserCertSet.2.default.params.startTime=0
-+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
-+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
-+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.cmcUserCertSet.3.default.name=Key Default
-+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.4.constraint.name=No Constraint
-+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
-+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.5.constraint.name=No Constraint
-+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.6.default.name=Key Usage Default
-+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.7.constraint.name=No Constraint
-+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.cmcUserCertSet.8.constraint.name=No Constraint
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.cmcUserCertSet.8.default.name=Signing Alg
-+policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
-new file mode 100644
-index 0000000..a15aa53
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg
-@@ -0,0 +1,94 @@
-+desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication.
-+enable=true
-+enableBy=admin
-+name=User-Signed CMC-Authenticated User Certificate Enrollment
-+visible=false
-+auth.instance_id=CMCUserSignedAuth
-+input.list=i1,i2
-+input.i1.class_id=cmcCertReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=cmcUserCertSet
-+policyset.cmcUserCertSet.list=1,9,10,2,3,4,5,6,7,8
-+policyset.cmcUserCertSet.1.constraint.class_id=cmcUserSignedSubjectNameConstraintImpl
-+policyset.cmcUserCertSet.1.constraint.name=CMC User Signed Subject Name Constraint
-+policyset.cmcUserCertSet.1.default.class_id=cmcUserSignedSubjectNameDefaultImpl
-+policyset.cmcUserCertSet.1.default.name=User Signed Subject Name Default
-+policyset.cmcUserCertSet.1.default.params.name=
-+policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
-+policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
-+policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
-+policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
-+policyset.cmcUserCertSet.9.default.name=No Default
-+policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
-+policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
-+policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
-+policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
-+policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
-+policyset.cmcUserCertSet.10.default.name=No Default
-+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint
-+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.cmcUserCertSet.2.constraint.params.range=365
-+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl
-+policyset.cmcUserCertSet.2.default.name=Validity Default
-+policyset.cmcUserCertSet.2.default.params.range=180
-+policyset.cmcUserCertSet.2.default.params.startTime=0
-+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.cmcUserCertSet.3.constraint.name=Key Constraint
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521
-+policyset.cmcUserCertSet.3.constraint.params.keyType=EC
-+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.cmcUserCertSet.3.default.name=Key Default
-+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.4.constraint.name=No Constraint
-+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default
-+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.5.constraint.name=No Constraint
-+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.cmcUserCertSet.5.default.name=AIA Extension Default
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.6.default.name=Key Usage Default
-+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.cmcUserCertSet.7.constraint.name=No Constraint
-+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.cmcUserCertSet.8.constraint.name=No Constraint
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.cmcUserCertSet.8.default.name=Signing Alg
-+policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
-new file mode 100644
-index 0000000..4fc8a9c
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
-@@ -0,0 +1,109 @@
-+desc=This certificate profile is for enrolling Security Domain ECC server certificates.
-+visible=false
-+enable=true
-+enableBy=admin
-+auth.instance_id=TokenAuth
-+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
-+name=Security Domain Server Certificate Enrollment
-+input.list=i1,i2
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+input.i3.class_id=subjectAltNameExtInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+policyset.list=serverCertSet
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
-+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-+policyset.serverCertSet.1.constraint.params.accept=true
-+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.serverCertSet.1.default.name=Subject Name Default
-+policyset.serverCertSet.1.default.params.name=
-+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.serverCertSet.2.constraint.name=Validity Constraint
-+policyset.serverCertSet.2.constraint.params.range=720
-+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
-+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
-+policyset.serverCertSet.2.default.name=Validity Default
-+policyset.serverCertSet.2.default.params.range=720
-+policyset.serverCertSet.2.default.params.startTime=0
-+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
-+policyset.serverCertSet.3.constraint.name=Key Constraint
-+policyset.serverCertSet.3.constraint.params.keyType=-
-+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
-+policyset.serverCertSet.3.default.name=Key Default
-+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.4.constraint.name=No Constraint
-+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
-+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
-+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.5.constraint.name=No Constraint
-+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
-+policyset.serverCertSet.5.default.name=AIA Extension Default
-+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
-+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=
-+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
-+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
-+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
-+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
-+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
-+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
-+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
-+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
-+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
-+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
-+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
-+policyset.serverCertSet.6.default.name=Key Usage Default
-+policyset.serverCertSet.6.default.params.keyUsageCritical=true
-+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
-+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
-+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false
-+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true
-+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
-+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
-+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
-+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
-+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.7.constraint.name=No Constraint
-+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
-+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
-+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
-+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
-+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
-+policyset.serverCertSet.8.constraint.name=No Constraint
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
-+policyset.serverCertSet.8.default.name=Signing Alg
-+policyset.serverCertSet.8.default.params.signingAlg=-
-+# allows SAN to be specified from client side
-+# need to:
-+# 1. add i3 to input.list above
-+# 2. add 9 to policyset.serverCertSet.list above
-+# 3. change below to reflect the number of general names, and
-+# turn each corresponding subjAltExtPattern_ to true
-+# policyset.serverCertSet.9.default.params.subjAltNameNumGNs
-+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.9.constraint.name=No Constraint
-+policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
-+policyset.serverCertSet.9.default.name=Subject Alternative Name Extension Default
-+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_0=true
-+policyset.serverCertSet.9.default.params.subjAltExtPattern_0=$request.req_san_pattern_0$
-+policyset.serverCertSet.9.default.params.subjAltExtType_0=DNSName
-+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_1=false
-+policyset.serverCertSet.9.default.params.subjAltExtPattern_1=$request.req_san_pattern_1$
-+policyset.serverCertSet.9.default.params.subjAltExtType_1=DNSName
-+policyset.serverCertSet.9.default.params.subjAltExtGNEnable_2=false
-+policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pattern_2$
-+policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
-+policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
-+policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
-diff --git a/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
-new file mode 100644
-index 0000000..551cb68
---- /dev/null
-+++ b/base/ca/shared/profiles/ca/caECInternalAuthSubsystemCert.cfg
-@@ -0,0 +1,88 @@
-+desc=This certificate profile is for enrolling Security Domain subsystem certificates with ECC keys.
-+visible=false
-+enable=true
-+enableBy=admin
-+auth.instance_id=TokenAuth
-+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
-+name=Security Domain Subsystem Certificate Enrollment
-+input.list=i1,i2
-+input.i1.class_id=certReqInputImpl
-+input.i2.class_id=submitterInfoInputImpl
-+output.list=o1
-+output.o1.class_id=certOutputImpl
-+updater.list=u1
-+updater.u1.class_id=subsystemGroupUpdaterImpl
-+policyset.list=serverCertSet
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
-+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
-+policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-+policyset.serverCertSet.1.constraint.params.accept=true
-+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl
-+policyset.serverCertSet.1.default.name=Subject Name Default
-+policyset.serverCertSet.1.default.params.name=
-+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
-+policyset.serverCertSet.2.constraint.name=Validity Constraint
-+policyset.serverCertSet.2.constraint.params.range=720
-+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
-+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
-+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
-+policyset.serverCertSet.2.default.name=Validity Default
-+policyset.serverCertSet.2.default.params.range=720
-+policyset.serverCertSet.2.default.params.startTime=0
-+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=- -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.serverCertSet.4.default.name=Authority Key Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true 
-+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git 
a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg -new file mode 100644 -index 0000000..0ae4371 ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECServerCert.cfg -@@ -0,0 +1,85 @@ -+desc=This certificate profile is for enrolling server certificates with ECC keys. -+visible=true -+enable=true -+enableBy=admin -+auth.class_id= -+name=Manual Server Certificate Enrollment with ECC keys -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=serverCertSet -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8 -+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.serverCertSet.1.constraint.name=Subject Name Constraint -+policyset.serverCertSet.1.constraint.params.pattern=.*CN=.* -+policyset.serverCertSet.1.constraint.params.accept=true -+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.serverCertSet.1.default.name=Subject Name Default -+policyset.serverCertSet.1.default.params.name= -+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.serverCertSet.2.constraint.name=Validity Constraint -+policyset.serverCertSet.2.constraint.params.range=720 -+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false -+policyset.serverCertSet.2.constraint.params.notAfterCheck=false -+policyset.serverCertSet.2.default.class_id=validityDefaultImpl -+policyset.serverCertSet.2.default.name=Validity Default -+policyset.serverCertSet.2.default.params.range=720 -+policyset.serverCertSet.2.default.params.startTime=0 -+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=- -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl 
-+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.serverCertSet.4.default.name=Authority Key Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl 
-+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -new file mode 100644 -index 0000000..14d610c ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -@@ -0,0 +1,84 @@ -+desc=This certificate profile is for enrolling user certificates by using the CMC 
certificate request with CMC Signature authentication. -+enable=true -+enableBy=admin -+name=Simple CMC Enrollment Request for User Certificate -+visible=false -+auth.instance_id= -+input.list=i1 -+input.i1.class_id=certReqInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=cmcUserCertSet -+policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 -+policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -+policyset.cmcUserCertSet.1.constraint.params.accept=true -+policyset.cmcUserCertSet.1.constraint.params.pattern=.* -+policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.name=Subject Name Default -+policyset.cmcUserCertSet.1.default.params.name= -+policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.cmcUserCertSet.2.constraint.name=Validity Constraint -+policyset.cmcUserCertSet.2.constraint.params.notAfterCheck=false -+policyset.cmcUserCertSet.2.constraint.params.notBeforeCheck=false -+policyset.cmcUserCertSet.2.constraint.params.range=365 -+policyset.cmcUserCertSet.2.default.class_id=validityDefaultImpl -+policyset.cmcUserCertSet.2.default.name=Validity Default -+policyset.cmcUserCertSet.2.default.params.range=180 -+policyset.cmcUserCertSet.2.default.params.startTime=0 -+policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.cmcUserCertSet.3.constraint.name=Key Constraint -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=nistp256,nistp521 -+policyset.cmcUserCertSet.3.constraint.params.keyType=EC -+policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.cmcUserCertSet.3.default.name=Key Default -+policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.4.constraint.name=No Constraint -+policyset.cmcUserCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl 
-+policyset.cmcUserCertSet.4.default.name=Authority Key Identifier Default -+policyset.cmcUserCertSet.5.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.5.constraint.name=No Constraint -+policyset.cmcUserCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.cmcUserCertSet.5.default.name=AIA Extension Default -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.cmcUserCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.cmcUserCertSet.5.default.params.authInfoAccessCritical=false -+policyset.cmcUserCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.constraint.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.cmcUserCertSet.6.default.name=Key Usage Default -+policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true -+policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false 
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.cmcUserCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.cmcUserCertSet.6.default.params.keyUsageNonRepudiation=true -+policyset.cmcUserCertSet.7.constraint.class_id=noConstraintImpl -+policyset.cmcUserCertSet.7.constraint.name=No Constraint -+policyset.cmcUserCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.cmcUserCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false -+policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -+policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.cmcUserCertSet.8.constraint.name=No Constraint -+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.cmcUserCertSet.8.default.name=Signing Alg -+policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECSubsystemCert.cfg b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg -new file mode 100644 -index 0000000..89f342a ---- /dev/null -+++ b/base/ca/shared/profiles/ca/caECSubsystemCert.cfg -@@ -0,0 +1,85 @@ -+desc=This certificate profile is for enrolling subsystem certificates with ECC keys. 
-+visible=true -+enable=true -+enableBy=admin -+auth.class_id= -+name=Manual Subsystem Certificate Enrollment with ECC keys -+input.list=i1,i2 -+input.i1.class_id=certReqInputImpl -+input.i2.class_id=submitterInfoInputImpl -+output.list=o1 -+output.o1.class_id=certOutputImpl -+policyset.list=serverCertSet -+policyset.serverCertSet.list=1,2,3,4,5,6,7,8 -+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl -+policyset.serverCertSet.1.constraint.name=Subject Name Constraint -+policyset.serverCertSet.1.constraint.params.pattern=CN=.* -+policyset.serverCertSet.1.constraint.params.accept=true -+policyset.serverCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.serverCertSet.1.default.name=Subject Name Default -+policyset.serverCertSet.1.default.params.name= -+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl -+policyset.serverCertSet.2.constraint.name=Validity Constraint -+policyset.serverCertSet.2.constraint.params.range=720 -+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false -+policyset.serverCertSet.2.constraint.params.notAfterCheck=false -+policyset.serverCertSet.2.default.class_id=validityDefaultImpl -+policyset.serverCertSet.2.default.name=Validity Default -+policyset.serverCertSet.2.default.params.range=720 -+policyset.serverCertSet.2.default.params.startTime=0 -+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl -+policyset.serverCertSet.3.constraint.name=Key Constraint -+policyset.serverCertSet.3.constraint.params.keyType=- -+policyset.serverCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 -+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl -+policyset.serverCertSet.3.default.name=Key Default -+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.4.constraint.name=No Constraint -+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl -+policyset.serverCertSet.4.default.name=Authority Key 
Identifier Default -+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.5.constraint.name=No Constraint -+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl -+policyset.serverCertSet.5.default.name=AIA Extension Default -+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true -+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName -+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0= -+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false -+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1 -+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl -+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint -+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true -+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false -+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl -+policyset.serverCertSet.6.default.name=Key Usage Default -+policyset.serverCertSet.6.default.params.keyUsageCritical=true -+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true -+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false 
-+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=true -+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false -+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false -+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false -+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false -+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl -+policyset.serverCertSet.7.constraint.name=No Constraint -+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl -+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default -+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false -+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl -+policyset.serverCertSet.8.constraint.name=No Constraint -+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl -+policyset.serverCertSet.8.default.name=Signing Alg -+policyset.serverCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caECUserCert.cfg b/base/ca/shared/profiles/ca/caECUserCert.cfg -index 383af01..a6bf04a 100644 ---- a/base/ca/shared/profiles/ca/caECUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECUserCert.cfg -@@ -59,9 +59,9 @@ policyset.userCertSet.6.constraint.name=Key Usage Extension Constraint - policyset.userCertSet.6.constraint.params.keyUsageCritical=true - policyset.userCertSet.6.constraint.params.keyUsageDigitalSignature=true - policyset.userCertSet.6.constraint.params.keyUsageNonRepudiation=true --policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=false 
--policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=true --policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=false -+policyset.userCertSet.6.constraint.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.constraint.params.keyUsageKeyEncipherment=false -+policyset.userCertSet.6.constraint.params.keyUsageKeyAgreement=true - policyset.userCertSet.6.constraint.params.keyUsageKeyCertSign=false - policyset.userCertSet.6.constraint.params.keyUsageCrlSign=false - policyset.userCertSet.6.constraint.params.keyUsageEncipherOnly=false -@@ -71,9 +71,9 @@ policyset.userCertSet.6.default.name=Key Usage Default - policyset.userCertSet.6.default.params.keyUsageCritical=true - policyset.userCertSet.6.default.params.keyUsageDigitalSignature=true - policyset.userCertSet.6.default.params.keyUsageNonRepudiation=true --policyset.userCertSet.6.default.params.keyUsageDataEncipherment=false --policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=true --policyset.userCertSet.6.default.params.keyUsageKeyAgreement=false -+policyset.userCertSet.6.default.params.keyUsageDataEncipherment=true -+policyset.userCertSet.6.default.params.keyUsageKeyEncipherment=false -+policyset.userCertSet.6.default.params.keyUsageKeyAgreement=true - policyset.userCertSet.6.default.params.keyUsageKeyCertSign=false - policyset.userCertSet.6.default.params.keyUsageCrlSign=false - policyset.userCertSet.6.default.params.keyUsageEncipherOnly=false -@@ -95,7 +95,7 @@ policyset.userCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.userCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.userCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.userCertSet.9.constraint.name=No Constraint --policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC 
-+policyset.userCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.userCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.userCertSet.9.default.name=Signing Alg - policyset.userCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caEncECUserCert.cfg b/base/ca/shared/profiles/ca/caEncECUserCert.cfg -index 9faa4a5..8b1c1fb 100644 ---- a/base/ca/shared/profiles/ca/caEncECUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caEncECUserCert.cfg -@@ -1,6 +1,6 @@ - desc=This certificate profile is for enrolling user ECC encryption certificates. It works only with latest Firefox. - visible=false --enable=true -+enable=false - enableBy=admin - name=Manual User Encryption ECC Certificates Enrollment - auth.class_id= -@@ -87,7 +87,7 @@ policyset.encryptionCertSet.8.default.params.subjAltExtGNEnable_0=true - policyset.encryptionCertSet.8.default.params.subjAltNameNumGNs=1 - policyset.encryptionCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.encryptionCertSet.9.constraint.name=No Constraint --policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.encryptionCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.encryptionCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.encryptionCertSet.9.default.name=Signing Alg - policyset.encryptionCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -index db3fbd6..1a7c22d 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -29,8 +29,8 @@ 
policyset.cmcUserCertSet.2.default.params.range=180 - policyset.cmcUserCertSet.2.default.params.startTime=0 - policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl - policyset.cmcUserCertSet.3.constraint.name=Key Constraint --policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 --policyset.cmcUserCertSet.3.constraint.params.keyType=- -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA - policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl - policyset.cmcUserCertSet.3.default.name=Key Default - policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false - policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.cmcUserCertSet.8.constraint.name=No Constraint --policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.cmcUserCertSet.8.default.name=Signing Alg - policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -index 90cb424..b06f35d 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -@@ -29,8 +29,8 @@ policyset.cmcUserCertSet.2.default.params.range=180 - policyset.cmcUserCertSet.2.default.params.startTime=0 - 
policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl - policyset.cmcUserCertSet.3.constraint.name=Key Constraint --policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 --policyset.cmcUserCertSet.3.constraint.params.keyType=- -+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA - policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl - policyset.cmcUserCertSet.3.default.name=Key Default - policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl -@@ -79,7 +79,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false - policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 - policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl - policyset.cmcUserCertSet.8.constraint.name=No Constraint --policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl - policyset.cmcUserCertSet.8.default.name=Signing Alg - policyset.cmcUserCertSet.8.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -index 7bfad9c..0c2b97b 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -38,8 +38,8 @@ policyset.cmcUserCertSet.2.default.params.range=180 - policyset.cmcUserCertSet.2.default.params.startTime=0 - policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl - policyset.cmcUserCertSet.3.constraint.name=Key Constraint 
--policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
--policyset.cmcUserCertSet.3.constraint.params.keyType=-
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
- policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.cmcUserCertSet.3.default.name=Key Default
- policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-@@ -88,7 +88,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
- policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
- policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.cmcUserCertSet.8.constraint.name=No Constraint
--policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.cmcUserCertSet.8.default.name=Signing Alg
- policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-index 5d4fbee..dd10f6f 100644
---- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-@@ -31,8 +31,8 @@ policyset.serverCertSet.2.default.params.range=720
- policyset.serverCertSet.2.default.params.startTime=0
- policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.serverCertSet.3.constraint.name=Key Constraint
--policyset.serverCertSet.3.constraint.params.keyType=-
--policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.constraint.params.keyType=RSA
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.serverCertSet.3.default.name=Key Default
- policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-@@ -53,7 +53,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
- policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-@@ -65,7 +65,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.serverCertSet.6.default.name=Key Usage Default
- policyset.serverCertSet.6.default.params.keyUsageCritical=true
- policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
-@@ -81,7 +81,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
- policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
--policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
-index 3a8c202..7b3d34c 100644
---- a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
-+++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg
-@@ -32,8 +32,8 @@ policyset.serverCertSet.2.default.params.range=720
- policyset.serverCertSet.2.default.params.startTime=0
- policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.serverCertSet.3.constraint.name=Key Constraint
--policyset.serverCertSet.3.constraint.params.keyType=-
--policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.constraint.params.keyType=RSA
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.serverCertSet.3.default.name=Key Default
- policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-@@ -54,7 +54,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
- policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-@@ -66,7 +66,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.serverCertSet.6.default.name=Key Usage Default
- policyset.serverCertSet.6.default.params.keyUsageCritical=true
- policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
-@@ -82,7 +82,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
- policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
--policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caOCSPCert.cfg b/base/ca/shared/profiles/ca/caOCSPCert.cfg
-index 0a855b9..a1dedd3 100644
---- a/base/ca/shared/profiles/ca/caOCSPCert.cfg
-+++ b/base/ca/shared/profiles/ca/caOCSPCert.cfg
-@@ -64,7 +64,7 @@ policyset.ocspCertSet.8.default.name=OCSP No Check Extension
- policyset.ocspCertSet.8.default.params.ocspNoCheckCritical=false
- policyset.ocspCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.ocspCertSet.9.constraint.name=No Constraint
--policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.ocspCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.ocspCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.ocspCertSet.9.default.name=Signing Alg
- policyset.ocspCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
-index 997a056..2f44c96 100644
---- a/base/ca/shared/profiles/ca/caServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
-@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720
- policyset.serverCertSet.2.default.params.startTime=0
- policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.serverCertSet.3.constraint.name=Key Constraint
--policyset.serverCertSet.3.constraint.params.keyType=-
--policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.constraint.params.keyType=RSA
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.serverCertSet.3.default.name=Key Default
- policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
- policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.serverCertSet.6.default.name=Key Usage Default
- policyset.serverCertSet.6.default.params.keyUsageCritical=true
- policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
-@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
- policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
--policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
-index b410504..39a7c36 100644
---- a/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caSigningECUserCert.cfg
-@@ -1,6 +1,6 @@
- desc=This certificate profile is for enrolling user ECC signing certificates. It works only with the latest Firefox.
- visible=false
--enable=true
-+enable=false
- enableBy=admin
- name=Manual User Signing ECC Certificate Enrollment
- auth.class_id=
-@@ -79,7 +79,7 @@ policyset.signingCertSet.8.default.params.subjAltExtGNEnable_0=true
- policyset.signingCertSet.8.default.params.subjAltNameNumGNs=1
- policyset.signingCertSet.9.constraint.class_id=signingAlgConstraintImpl
- policyset.signingCertSet.9.constraint.name=No Constraint
--policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.signingCertSet.9.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.signingCertSet.9.default.class_id=signingAlgDefaultImpl
- policyset.signingCertSet.9.default.name=Signing Alg
- policyset.signingCertSet.9.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
-index 34015e2..a9c2b0c 100644
---- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
-@@ -28,8 +28,8 @@ policyset.cmcUserCertSet.2.default.params.range=180
- policyset.cmcUserCertSet.2.default.params.startTime=0
- policyset.cmcUserCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.cmcUserCertSet.3.constraint.name=Key Constraint
--policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521
--policyset.cmcUserCertSet.3.constraint.params.keyType=-
-+policyset.cmcUserCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
-+policyset.cmcUserCertSet.3.constraint.params.keyType=RSA
- policyset.cmcUserCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.cmcUserCertSet.3.default.name=Key Default
- policyset.cmcUserCertSet.4.constraint.class_id=noConstraintImpl
-@@ -50,7 +50,7 @@ policyset.cmcUserCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.cmcUserCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageCrlSign=false
--policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=false
-+policyset.cmcUserCertSet.6.constraint.params.keyUsageDataEncipherment=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDecipherOnly=false
- policyset.cmcUserCertSet.6.constraint.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.constraint.params.keyUsageEncipherOnly=false
-@@ -62,7 +62,7 @@ policyset.cmcUserCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.cmcUserCertSet.6.default.name=Key Usage Default
- policyset.cmcUserCertSet.6.default.params.keyUsageCritical=true
- policyset.cmcUserCertSet.6.default.params.keyUsageCrlSign=false
--policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=false
-+policyset.cmcUserCertSet.6.default.params.keyUsageDataEncipherment=true
- policyset.cmcUserCertSet.6.default.params.keyUsageDecipherOnly=false
- policyset.cmcUserCertSet.6.default.params.keyUsageDigitalSignature=true
- policyset.cmcUserCertSet.6.default.params.keyUsageEncipherOnly=false
-@@ -78,7 +78,7 @@ policyset.cmcUserCertSet.7.default.params.exKeyUsageCritical=false
- policyset.cmcUserCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
- policyset.cmcUserCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.cmcUserCertSet.8.constraint.name=No Constraint
--policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.cmcUserCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.cmcUserCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.cmcUserCertSet.8.default.name=Signing Alg
- policyset.cmcUserCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caSubsystemCert.cfg b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
-index 63fd3a6..12e1629 100644
---- a/base/ca/shared/profiles/ca/caSubsystemCert.cfg
-+++ b/base/ca/shared/profiles/ca/caSubsystemCert.cfg
-@@ -29,8 +29,8 @@ policyset.serverCertSet.2.default.params.range=720
- policyset.serverCertSet.2.default.params.startTime=0
- policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.serverCertSet.3.constraint.name=Key Constraint
--policyset.serverCertSet.3.constraint.params.keyType=-
--policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.serverCertSet.3.constraint.params.keyType=RSA
-+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.serverCertSet.3.default.name=Key Default
- policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
-@@ -51,7 +51,7 @@ policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
- policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
- policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
- policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
-@@ -63,7 +63,7 @@ policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
- policyset.serverCertSet.6.default.name=Key Usage Default
- policyset.serverCertSet.6.default.params.keyUsageCritical=true
- policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
--policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
-+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=false
- policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
- policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
-@@ -79,7 +79,7 @@ policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
- policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
- policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
- policyset.serverCertSet.8.constraint.name=No Constraint
--policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
-+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA512withRSA,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
-index 917c589..1f62bb8 100644
---- a/base/ca/shared/profiles/ca/caUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
-@@ -36,8 +36,8 @@ policyset.userCertSet.2.default.params.range=180
- policyset.userCertSet.2.default.params.startTime=0
- policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.userCertSet.3.constraint.name=Key Constraint
--policyset.userCertSet.3.constraint.params.keyType=-
--policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp384,nistp521
-+policyset.userCertSet.3.constraint.params.keyType=EC
-+policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.userCertSet.3.default.name=Key Default
- policyset.userCertSet.4.constraint.class_id=noConstraintImpl
---
-1.8.3.1
-
-
-From f87c7525632f33ad9f351f8db0acb8ccc98ce7ec Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen
-Date: Mon, 5 Mar 2018 18:33:51 -0700
-Subject: [PATCH 11/20] Permit additional FIPS ciphers to be enabled by default
- for RSA . . .
- -It was determined that the following additional FIPS ciphers should be -enabled by default for RSA: - - * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - -Reference: dogtagpki Pagure Issue #2855 - restrict default cipher suite to - those ciphers permitted in fips mode - -Fixes: https://pagure.io/dogtagpki/issue/2952 -Change-Id: I0947e8581beb3140e4c07800dd2c6bc9d90a6cd8 -(cherry picked from commit 7809f40bcd49ad11f0a314cd45979cfdcb55686f) ---- - base/server/python/pki/server/deployment/pkiparser.py | 8 ++++---- - base/server/share/conf/ciphers.info | 6 +++++- - 2 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index b64e99b..53296fc 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -1165,8 +1165,8 @@ class PKIConfigParser: - "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ - "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ -- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ - "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ - "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ - "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ -@@ -1178,9 +1178,9 @@ class PKIConfigParser: - "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \ - "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \ -- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \ - "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \ -- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ -+ "+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \ - 
"+TLS_RSA_WITH_AES_256_CBC_SHA256," + \ - "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \ -diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info -index b3e74d3..44c6e4b 100644 ---- a/base/server/share/conf/ciphers.info -+++ b/base/server/share/conf/ciphers.info -@@ -98,6 +98,10 @@ - # +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, - # +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, - # +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, -+# +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, -+# +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, -+# +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, -+# +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, - # +TLS_RSA_WITH_AES_128_CBC_SHA256, - # +TLS_RSA_WITH_AES_256_CBC_SHA256, - # +TLS_RSA_WITH_AES_128_CBC_SHA, -@@ -119,7 +123,7 @@ - # - ## - # For RSA servers: -- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" -+ 
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA" - # - # - # For ECC servers: --- -1.8.3.1 - - -From 2ba512b4bc7fddc8c279733dd35c8105dd134224 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 26 Feb 2018 13:16:01 -0800 -Subject: [PATCH 12/20] Ticket #2940 [MAN] Missing Man pages for tools - CMCRequest, CMCResponse, CMCSharedToken, and CMCRevoke - -This patch adds man pages for CMCRequest, CMCResponse, and CMCSharedToken. -In addition, the usage in CMCResponse has been enhanced to include a -verbose mode which will output certs in Base64 encoding individually. -A "note" has been added to CMCRevoke --help to direct users to CMCRequest -for better usability. The man page for CMCRevoke is intentionaly left out -for this reason. - -The URL in CMCRequest.1 is a placeholder for the follow-up patch. It will -be replaced once the examples are complete. 
- -This patch addresses https://pagure.io/dogtagpki/issue/2940 - -Change-Id: Id1df31a29207a0d12d50b7a3b959a3abcd9748d0 -(cherry picked from commit 1597b5bc09b39f7ee248e9f7ef5da55c8846a1c0) -(cherry picked from commit 08ac412c0a724b88817038e89563f928cc522357) ---- - base/java-tools/man/man1/CMCEnroll.1 | 3 + - base/java-tools/man/man1/CMCRequest.1 | 188 +++++++++++++++++++++ - base/java-tools/man/man1/CMCResponse.1 | 63 +++++++ - base/java-tools/man/man1/CMCSharedToken.1 | 79 +++++++++ - .../src/com/netscape/cmstools/CMCResponse.java | 25 ++- - .../src/com/netscape/cmstools/CMCRevoke.java | 1 + - 6 files changed, 356 insertions(+), 3 deletions(-) - create mode 100644 base/java-tools/man/man1/CMCRequest.1 - create mode 100644 base/java-tools/man/man1/CMCResponse.1 - create mode 100644 base/java-tools/man/man1/CMCSharedToken.1 - -diff --git a/base/java-tools/man/man1/CMCEnroll.1 b/base/java-tools/man/man1/CMCEnroll.1 -index 4cc861f..9700307 100644 ---- a/base/java-tools/man/man1/CMCEnroll.1 -+++ b/base/java-tools/man/man1/CMCEnroll.1 -@@ -16,6 +16,9 @@ - .\" for man page specific macros, see man(7) - .SH NAME - CMCEnroll \- Used to sign a certificate request with an agent's certificate. -+.PP -+\fBNote:\fP -+This tool has not yet been updated to work with the latest improvement in the CA to conform to RFC 5272. Please use \fBCMCRequest\fP instead. - - .SH SYNOPSIS - .PP -diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1 -new file mode 100644 -index 0000000..f647ef7 ---- /dev/null -+++ b/base/java-tools/man/man1/CMCRequest.1 -@@ -0,0 +1,188 @@ -+.\" First parameter, NAME, should be all caps -+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -+.\" other parameters are allowed: see man(7), man(1) -+.TH CMCRequest 1 "March 14, 2018" "version 10.5" "PKI CMC Request Generation Tool" Dogtag Team -+.\" Please adjust this date whenever revising the man page. 
-+.\" -+.\" Some roff macros, for reference: -+.\" .nh disable hyphenation -+.\" .hy enable hyphenation -+.\" .ad l left justify -+.\" .ad b justify to both left and right margins -+.\" .nf disable filling -+.\" .fi enable filling -+.\" .br insert line break -+.\" .sp insert n+1 empty lines -+.\" for man page specific macros, see man(7) -+.SH NAME -+CMCRequest \- Used to generate a CMC certificate issuance or revocation request. -+ -+.SH SYNOPSIS -+.PP -+\fBCMCRequest \fP -+ -+.SH DESCRIPTION -+.PP -+The Certificate Management over Cryptographic Message Syntax (CMC) Request Generation utility, \fBCMCRequest\fP, provides a command-line utility used to generate a CMC certificate issuance or revocation request. For issuance request, it requires either a PKCS#10 or CRMF request as input. The resulting CMC request can be sent to the CA via tool such as \fBHttpClient\fP. -+.PP -+\fBCMCRequest\fP takes a configuration file where various configuration parametrs are supported. -+ -+.SH CONFIGURATION PARAMETERS -+.PP -+The following are supported configuration parameters for the configuration file. Each parameter is in the format of = (e.g. format=pkcs10). -+.PP -+.TP -+.B numRequests -+Total number of PKCS10 or CRMF requests. (note: lately the CA has only been tested to work with one) -+ -+.TP -+.B input -+full path for PKCS #10 or CRMF certificate request in PEM. -+ -+For example if \fBPKCS10Client\fP or \fBCRMFPopClient\fP are used to generate the PKCS#10 or CRMF requests respectively, this value should be the value of the \fB"-o"\fP option of those command line tools. -+ -+.TP -+.B format -+request format. Either \fBpkcs10\fP or \fBcrmf\fP. -+ -+.TP -+.B output -+full path for the resulting CMC request in ASN.1 DER encoded format. -+ -+Note that this would be the \fBinput\fP in the \fBHttpClient\fP configuration file if it is used to submit the CMC request. 
-+ -+.TP -+.B dbdir -+directory for NSS database: cert8.db, key3.db and secmod.db -+ -+.TP -+.B tokenname -+name of crypto token where user signing certificate key can be found (default is internal) -+ -+.TP -+.B nickname -+The nickname of the user certificate that corresponds to the private key that is used to sign the request. -+ -+This parameter is ignored if \fBselfSign\fP or \fBidentityProofV2.enable\fP is true. -+ -+.TP -+.B password -+password to the crypto token where the signing user's certificate and keys are stored. -+ -+.TP -+.B identification[.enable] -+RFC 5272 allows the CA to require inclusion of the \fBidentification\fP control to accompany the \fBidentityProofV2\fP control in a CMC request. -+ -+In Dogtag, CA employs the \fBidentification\fP control to assist in locating the shared secret required for verification of the shared secret computed in the \fBidentityProofV2\fP. -+ -+In addition, the \fBidentification\fP control is also required for \fBpopLinkWitnessV2\fP for locating the shared secret. -+ -+When \fBidentification.eanble\fP is true, \fBidentification\fP should contain a user id known by the CA. -+ -+.TP -+.B witness.sharedSecret -+The \fBwitness.sharedSecret\fP should contain a passphrase that is known by the CA. One usually obtains it from the CA administrator. -+ -+This parameter is required by the following options: \fBidentityProofV2\fP, and \fBpopLinkWitnessV2\fP. -+ -+See man pages for \fBCMCSharedToken\fP for information on usage. -+ -+.TP -+.B identityProofV2.[enable, hashAlg, macAlg] -+Identity Proof V2 allows one to provide proof of identity without a signing certificate. It does so by embedding a "witness" value that's calculated from a shared secret (see \fBwitness.sharedSecret\fP) known by the CA. -+ -+The \fBidentityProofV2\fP parameter set allows a user to specify the hashing algorithm as well as MAC (Message Authentication Code) algorithm used to compute the value of the witness value. 
-+ -+Supported \fBidentityProofV2.hashAlg\fP are: \fBSHA-256, SHA-384, and SHA-512\fP -+ -+Supported \fBidentityProofV2.macAlg\fP are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP -+ -+When \fBidentityProofV2.eanble\fP is true, these parameters must be accompanied by the \fBidentification\fP as well as the \fBwitness.sharedSecret\fP parameters. -+ -+These parameters could be accompanied by the \fBpopLinkWitnessV2\fP parameter set if required by the CA. -+ -+.TP -+.B popLinkWitnessV2.[enable, keyGenAlg, macAlg] -+The POPLinkWitnessV2 control is a mechanim that links the POP (Proof of Possession) to the identity, which adds more credibility to the otherwise distinct POP and Proof of Identity mechanisms. It does so by employing calculation of a random value with a shared secret (see \fBwitness.sharedSecret\fP) known by the CA. -+ -+The POP Link Witness V2 value must be baked into the PKCS#10 or CRMF requests. It is therefore crutial that the caller that employs this option has access to the private key of the certificate request. -+ -+If \fBpopLinkWitnessV2\fP is used, then \fBidentification\fP and \fBwitness.sharedSecret\fP must be supplied, and the \fBidentityProofV2\fP parameter set is in general used. -+ -+Supported keyGenAlg are: \fBSHA-256, SHA-384, and SHA-512\fP -+ -+Supported macAlg are: \fBSHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC\fP -+ -+.TP -+.B request.selfSign -+\fBtrue\fP or \fBfalse\fP. If \fBselfSign\fP is true, the CMC request will be "signed" with the pairing private key of the enrollment request; and in which case the \fBnickname\fP parameter will be ignored. -+ -+\fBrequest.selfSign\fP is only used if a signing certificate (of the agent or user herself) is not available to sign. Because the request itself is not signed with a certificate (a proven identity), the proof of origin (proof of identification) must be provided by some other means. 
-+ -+In Dogtag, if \fBselfSign\fP is true, it must be used in conjunction with the \fBidentityProofV2\fP and \fBidentification\fP parameters. And in that case the Proof Of Origin is accomplished by the Shared Secret (\fBwitness.sharedSecret\fP) mechanism. -+ -+The \fBselfSign\fP option is normally used to enroll for a user's first signing certificate while auto-approval (without agent's pre-approval) is preferred. In general, once a user has obtained the first signing certificate, such signing certificate can be used to sign (thus proving origin) and obtain other certificate such as encryption-only ceritifcate, or when doing a renewal or revocation. -+ -+By default, if unspecified, \fBselfSign\fP is false. -+ -+\fBNote\fP: to employ the \fBselfSign\fP option, the PKCS#10 or CRMF requests must have the \fBSubjectKeyIdentifier extension\fP. (hint: \fBCRMFPopClient\fP and \fBPKCS10Client\fP should be called with the "-y" option) -+ -+If \fBselfSign\fP is true, \fBrequest.privKeyId\fP must be specified. -+It is crutial that the caller that employs this option has access to the private key of the certificate request. -+ -+.TP -+.B request.privKeyId -+The \fBrequest.privKeyId\fP parameter is required in the following cases: -+ -+\fBselfSign\fP, \fBpopLinkWitnessV2\fP, and \fBdecryptedPop\fP -+ -+.TP -+.B decryptedPop.enable, encryptedPopResponseFile, decryptedPopRequestFile -+In case when the enrolling key is an encryption-only key, the traditional POP (Proof of Possession) that employs signing of the request is not possible, CMC provides the EncryptedPOP/DecryptedPOP mechanism to allow the CA to challenge the client. This mechanism requires two trips. 
Frist trip (a CMC request without POP) would trigger the CA to generate a challenge and encrypt the challenge with the request public key in the certificate response (one should find the EncryptedPOP control as well as status with "failedInfo=POP required" in the CMCResponse); while second trip from the client would contain proof that the client has decrypted the challenge and thereby proving ownership of the private key to the enrollment request. -+When preparing for the second trip, the following parameters must be present: -+ -+\fBdecryptedPop.enable\fP - set to true; default is false; -+ -+\fBencryptedPopResponseFile\fP - the input file that contains the CMCResponse from first trip; It should contains the CMC EncryptedPop control. -+ -+\fBdecryptedPopRequestFile\fP - the output file for the CMC request which should contain the CMC DecryptedPOP control. -+ -+\fBrequest.privKeyId\fP - see descripton for \fBrequest.privKeyId\fP; It is used to decrypt the EncryptedPop, thereby proving the possession of the private key. -+ -+Please note that the \fBPopLinkWitnessV2\fP control as well as the \fBselfSign\fP directive do not apply to EncryptedPOP/DecryptedPOP for the simple fact that the enrollment private key is not capable of signing. -+ -+.TP -+.B revRequest.[enable, serial, reason, comment, issuer, sharedSecret] -+Revocation can be done either by signing with user's own valid signing certificate, or by authenticating with user's shared secret (see \fBwitness.sharedSecret\fP) known by the CA. -+ -+For revocation request signed with user's own valid signing certificate, the \fBnicname\fP parameter should be a valid user signing certificate that belongs to the same user subject as that of the certificate to be revoked (but not necessarily the same certificate); Also, \fBrevRequest.issuer\fP and \fBrevRequest.sharedSecret\fP are ignored, while \fBrevRequest.serial\fP and \fBrevRequest.reason\fP must contain valid values. 
-+ -+For revocation by authenticating with user's shared secret, the following parameters are required: \fBrevRequest.serial\fP, \fBrevRequest.reason\fP, \fBrevRequest.issuer\fP, \fBrevRequest.sharedSecret\fP, while \fBnickname\fP will be ignored. -+ -+\fBrevRequest.reason\fP can have one of the following values: \fBunspecified\fP, \fBkeyCompromise\fP, \fBcaCompromise\fP, \fBaffiliationChanged\fP, \fBsuperseded\fP, \fBcessationOfOperation\fP, \fBcertificateHold\fP, \fBremoveFromCRL\fP. -+ -+\fBrevRequest.serial\fP is in Decimal. -+ -+\fBrevRequest.issuer\fP is issuer subject DN. -+ -+\fBrevRequest.invalidityDatePresent\fP is optional. \fBtrue\fP or \fBfalse\fP. When true, the invalidityDate of the RevokeRequest will be set to the current time when this tool is being run. -+ -+\fBrevRequest.comment\fP is optional. -+ -+.SH EXAMPLES -+.PP -+CMC requests must be submitted to the CA to be processed. Tool supported by Dogtag for submitting these requests is \fBHttpClient\fP. -+.PP -+\fBNote:\fP For examples on how to use this tool, please see -+http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples. -+ -+.SH AUTHORS -+Christina Fu . -+ -+.SH COPYRIGHT -+Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public -+License, version 2 (GPLv2). A copy of this license is available at -+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. 
-+ -+.SH SEE ALSO -+.BR CMCResponse(1), CMCSharedToken(1), CMCRevoke(1), pki(1) -diff --git a/base/java-tools/man/man1/CMCResponse.1 b/base/java-tools/man/man1/CMCResponse.1 -new file mode 100644 -index 0000000..3d5703e ---- /dev/null -+++ b/base/java-tools/man/man1/CMCResponse.1 -@@ -0,0 +1,63 @@ -+.\" First parameter, NAME, should be all caps -+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -+.\" other parameters are allowed: see man(7), man(1) -+.TH CMCResponse 1 "March 14, 2018" "version 10.5" "PKI CMC Response Parsing Tool" Dogtag Team -+.\" Please adjust this date whenever revising the man page. -+.\" -+.\" Some roff macros, for reference: -+.\" .nh disable hyphenation -+.\" .hy enable hyphenation -+.\" .ad l left justify -+.\" .ad b justify to both left and right margins -+.\" .nf disable filling -+.\" .fi enable filling -+.\" .br insert line break -+.\" .sp insert n+1 empty lines -+.\" for man page specific macros, see man(7) -+.SH NAME -+CMCResponse \- Used to parse CMC responses returned from CMC issuance or revocation requests. -+ -+.SH SYNOPSIS -+.PP -+\fBCMCResponse [OPTIONS]\fP -+ -+.SH DESCRIPTION -+.PP -+The Certificate Management over Cryptographic Message Syntax (CMC) Response parsing utility, \fBCMCResponse\fP, provides a command-line utility used to parse and present CMC responses from CMC issuance or revocation requests. -+.PP -+It takes the CMC response returned from the CA as input, parses, and shows the content of the response along with CMC status in a human-readable format. In addition, it can optionally output the response in PKCS#7 PEM format for further processing by other tools. -+ -+.SH OPTIONS -+.PP -+The following are supported options. -+.PP -+.TP -+.B -d -+Path of directory to the NSS database. This option is required. -+ -+.TP -+.B -i -+Name of file (could include path) for the CMC issuance or revocation response. This option is required. 
-+ -+.TP -+.B -o -+Name of file (could include path) to store the certificate chain in PKCS#7 PEM. This is optional. -+ -+.TP -+.B -v -+If specified, will run in verbose mode, which would entail all certs in the chain being displayed individually in Base64 encoding format. It is false by default. -+ -+.SH EXAMPLE -+.PP -+CMCResponse -d . -i cmc.role_p10-ec3.resp -o cmc.role_p10-ec3.resp.PEM -+ -+.SH AUTHORS -+Christina Fu . -+ -+.SH COPYRIGHT -+Copyright (c) 2018 Red Hat, Inc. This is licensed under the GNU General Public -+License, version 2 (GPLv2). A copy of this license is available at -+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. -+ -+.SH SEE ALSO -+.BR CMCRequest(1) -diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1 -new file mode 100644 -index 0000000..e4a26f0 ---- /dev/null -+++ b/base/java-tools/man/man1/CMCSharedToken.1 -@@ -0,0 +1,79 @@ -+.\" First parameter, NAME, should be all caps -+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection -+.\" other parameters are allowed: see man(7), man(1) -+.TH CMCSharedToken 1 "March 14, 2018" "version 10.5" "PKI CMC Shared Secret Generation Tool" Dogtag Team -+.\" Please adjust this date whenever revising the man page. -+.\" -+.\" Some roff macros, for reference: -+.\" .nh disable hyphenation -+.\" .hy enable hyphenation -+.\" .ad l left justify -+.\" .ad b justify to both left and right margins -+.\" .nf disable filling -+.\" .fi enable filling -+.\" .br insert line break -+.\" .sp insert n+1 empty lines -+.\" for man page specific macros, see man(7) -+.SH NAME -+CMCSharedToken \- Used to process a user passphrase and create shared token to be stored by the CA to allow Shared Secret-based proof of origin in cases such as CMC certificate issuance and revocation. 
-+ -+.SH SYNOPSIS -+.PP -+\fBCMCSharedToken [OPTIONS]\fP -+ -+.SH DESCRIPTION -+.PP -+The Certificate Management over Cryptographic Message Syntax (CMC) shared secret generation tool, \fBCMCSharedToken\fP, provides a command-line utility used to process a user passphrase to be shared with the CA. -+.PP -+It takes a passphrase provided by the user, encrypts it with an issuance protection certificate, and outputs the encrypted blob which could be stored on the CA for subsequent enrollment or revocation activities by the user. -+.PP -+This tool can be run either by the user or by the administrator. If run by the user, the output (encrypted passphrase, i.e. shared token) needs to be sent to the CA administrator to store on the CA; if run by the CA administrator, the passphrase itself needs to be passed to the intended user. It is outside of the scope of this software to state how such communication takes place. It is up to the site policy to decide which way best suits the deployment site. -+.PP -+For information on how the administrator would store the shared tokens on the CA, see Red Hat Certificate System Administrator's Guide. -+ -+.SH OPTIONS -+.PP -+The following are supported options. -+.PP -+.TP -+.B -d -+Path of directory to the NSS database. This option is required. -+ -+.TP -+.B -h -+Security token name (default: internal) -+ -+.TP -+.B -p -+Security token password. -+ -+.TP -+.B -p -+CMC enrollment passphrase (shared secret) (put in "" if containing spaces) -+ -+.TP -+.B -b -+PEM issuance protection certificate. Note: only one of the -b or -n options should be used. -+ -+.TP -+.B -n -+PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used. -+ -+.TP -+.B -v -+Run in verbose mode. -+ -+.SH EXAMPLE -+.PP -+CMCSharedToken -d . -p myNSSPassword -s "just another good day" -o cmcSharedTok2.b64 -n "subsystemCert cert-pki-tomcat" -+ -+.SH AUTHORS -+Christina Fu . -+ -+.SH COPYRIGHT -+Copyright (c) 2018 Red Hat, Inc. 
This is licensed under the GNU General Public -+License, version 2 (GPLv2). A copy of this license is available at -+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt. -+ -+.SH SEE ALSO -+.BR CMCRequest(1) -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -index 6d84a19..945f09f 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java -@@ -18,6 +18,7 @@ - package com.netscape.cmstools; - - import java.io.ByteArrayInputStream; -+import java.io.ByteArrayOutputStream; - import java.io.FileWriter; - import java.io.IOException; - import java.math.BigInteger; -@@ -53,6 +54,7 @@ import org.mozilla.jss.pkix.cms.ContentInfo; - import org.mozilla.jss.pkix.cms.EncapsulatedContentInfo; - import org.mozilla.jss.pkix.cms.SignedData; - -+import com.netscape.cmsutil.util.Utils; - import netscape.security.pkcs.PKCS7; - import netscape.security.util.CertPrettyPrint; - import netscape.security.x509.X509CertImpl; -@@ -124,7 +126,7 @@ public class CMCResponse { - return list; - } - -- public void printContent() { -+ public void printContent(boolean printCerts) { - try { - SignedData cmcFullResp = (SignedData) contentInfo.getInterpretedContent(); - -@@ -137,6 +139,18 @@ public class CMCResponse { - for (int i = 0; i < numCerts; i++) { - Certificate cert = (Certificate) certs.elementAt(i); - X509CertImpl certImpl = new X509CertImpl(ASN1Util.encode(cert)); -+ -+ if (printCerts) { -+ System.out.println("Cert:" + i ); -+ ByteArrayOutputStream fos = new ByteArrayOutputStream(); -+ certImpl.encode(fos); -+ fos.close(); -+ byte[] certBytes = fos.toByteArray(); -+ String certB64 = Utils.base64encode(certBytes, true); -+ System.out.println(certB64); -+ System.out.println("==="); -+ } -+ - CertPrettyPrint print = new CertPrettyPrint(certImpl); - content.append(print.toString(Locale.getDefault())); - } -@@ -320,10 +334,12 @@ public 
class CMCResponse { - option.setArgName("path"); - options.addOption(option); - -- option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format"); -+ option = new Option("o", true, "Output file to store certificate chain in PKCS #7 PEM format; also prints out cert base 64 encoding individually"); - option.setArgName("path"); - options.addOption(option); - -+ options.addOption("v", "verbose", false, "Run in verbose mode. Base64 encoding of certs in response will be printed individually"); -+ - options.addOption(null, "help", false, "Show help message."); - - CommandLine cmd = parser.parse(options, args, true); -@@ -333,6 +349,7 @@ public class CMCResponse { - - String input = cmd.getOptionValue("i"); - String output = cmd.getOptionValue("o"); -+ boolean printCerts = cmd.hasOption("v"); - - if (cmd.hasOption("help")) { - printUsage(); -@@ -341,6 +358,7 @@ public class CMCResponse { - - if (input == null) { - System.err.println("ERROR: Missing input CMC response"); -+ System.err.println("Try 'CMCResponse --help' for more information."); - System.exit(1); - } - -@@ -349,7 +367,7 @@ public class CMCResponse { - - // display CMC response - CMCResponse response = new CMCResponse(data); -- response.printContent(); -+ response.printContent(printCerts); - - // terminate if any of the statuses is not a SUCCESS - Collection statusInfos = response.getStatusInfos(); -@@ -379,6 +397,7 @@ public class CMCResponse { - try (FileWriter fw = new FileWriter(output)) { - fw.write(pkcs7.toPEMString()); - } -+ System.out.println("\nPKCS#7 now stored in file: " + output); - } - } - } -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -index d041cd3..203bc02 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRevoke.java -@@ -115,6 +115,7 @@ public class CMCRevoke { - "-p " + - "-h " + - "-c "); -+ 
System.out.println("\nNOTE: You can alternatively use CMCRequest instead for better usability."); - for (int i = 0; i < s.length; i++) { - System.out.println(i + ":" + s[i]); - } --- -1.8.3.1 - - -From e6881a52e9998bd328a0021600b82d26534ff912 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 8 Mar 2018 18:46:16 +1100 -Subject: [PATCH 13/20] Move parseACL to ACL.java - -The parseACL function currently lives in CMSEngine, which is an -awkward place for it. Move it into the ACL class as a static -method. - -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: I2a22618a8e295864e218e067fadf4255ceada9b3 - -(cherry picked from commit 80577d3480c8f5aa917db86f962b8acf6f750c55) ---- - base/common/src/com/netscape/certsrv/acls/ACL.java | 120 ++++++++++++++++++++ - base/common/src/com/netscape/certsrv/apps/CMS.java | 18 --- - .../src/com/netscape/certsrv/apps/ICMSEngine.java | 16 --- - .../com/netscape/cms/authorization/AAclAuthz.java | 4 +- - .../src/com/netscape/cmscore/apps/CMSEngine.java | 121 --------------------- - .../netscape/cmscore/app/CMSEngineDefaultStub.java | 6 - - 6 files changed, 122 insertions(+), 163 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java -index 8672081..fc031e4 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACL.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java -@@ -20,9 +20,12 @@ package com.netscape.certsrv.acls; - import java.util.Collection; - import java.util.Collections; - import java.util.Enumeration; -+import java.util.StringTokenizer; - import java.util.TreeSet; - import java.util.Vector; - -+import com.netscape.certsrv.apps.CMS; -+ - /** - * A class represents an access control list (ACL). An ACL - * is associated with an protected resources. 
The policy -@@ -194,4 +197,121 @@ public class ACL implements IACL, java.io.Serializable { - public Enumeration rights() { - return Collections.enumeration(rights); - } -+ -+ /** -+ * Parse ACL resource attributes -+ * -+ * @param resACLs same format as the resourceACLs attribute: -+ * -+ *
-+     *     ::
-+     *      () 
-+     * 
-+ * -+ * @exception EACLsException ACL related parsing errors for resACLs -+ * @return an ACL instance built from the parsed resACLs -+ */ -+ public static ACL parseACL(String resACLs) throws EACLsException { -+ if (resACLs == null) { -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs")); -+ } -+ -+ ACL acl = null; -+ Vector rights = null; -+ int idx1 = resACLs.indexOf(":"); -+ -+ if (idx1 <= 0) { -+ acl = new ACL(resACLs, rights, resACLs); -+ } else { -+ // getting resource id -+ String resource = resACLs.substring(0, idx1); -+ -+ if (resource == null) { -+ String infoMsg = "resource not specified in resourceACLS attribute:" + -+ resACLs; -+ -+ String[] params = new String[2]; -+ -+ params[0] = resACLs; -+ params[1] = infoMsg; -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -+ } -+ -+ // getting list of applicable rights -+ String st = resACLs.substring(idx1 + 1); -+ int idx2 = st.indexOf(":"); -+ String rightsString = null; -+ -+ if (idx2 != -1) -+ rightsString = st.substring(0, idx2); -+ else { -+ String infoMsg = -+ "rights not specified in resourceACLS attribute:" + resACLs; -+ String[] params = new String[2]; -+ -+ params[0] = resACLs; -+ params[1] = infoMsg; -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -+ } -+ -+ if (rightsString != null) { -+ rights = new Vector(); -+ StringTokenizer rtok = new StringTokenizer(rightsString, ","); -+ -+ while (rtok.hasMoreTokens()) { -+ rights.addElement(rtok.nextToken()); -+ } -+ } -+ -+ acl = new ACL(resource, rights, resACLs); -+ -+ // search *backwards* for final instance of ':', to handle case -+ // where acl expressions contain colon, e.g. in a group name. 
-+ String stx = st.substring(idx2 + 1); -+ int idx3 = stx.lastIndexOf(":"); -+ String aclStr = stx.substring(0, idx3); -+ -+ // getting list of acl entries -+ if (aclStr != null) { -+ StringTokenizer atok = new StringTokenizer(aclStr, ";"); -+ -+ while (atok.hasMoreTokens()) { -+ String acs = atok.nextToken(); -+ -+ // construct ACL entry -+ ACLEntry entry = ACLEntry.parseACLEntry(acl, acs); -+ -+ if (entry == null) { -+ String infoMsg = "parseACLEntry() call failed"; -+ String[] params = new String[2]; -+ -+ params[0] = "ACLEntry = " + acs; -+ params[1] = infoMsg; -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -+ } -+ -+ entry.setACLEntryString(acs); -+ acl.addEntry(entry); -+ } -+ } else { -+ // fine -+ String infoMsg = "acls not specified in resourceACLS attribute:" + -+ -+ resACLs; -+ -+ String[] params = new String[2]; -+ -+ params[0] = resACLs; -+ params[1] = infoMsg; -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -+ } -+ -+ // getting description -+ String desc = stx.substring(idx3 + 1); -+ -+ acl.setDescription(desc); -+ } -+ -+ return (acl); -+ } - } -diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java -index a6cd582..d04223f 100644 ---- a/base/common/src/com/netscape/certsrv/apps/CMS.java -+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java -@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; - import org.mozilla.jss.CryptoManager.CertificateUsage; - import org.mozilla.jss.util.PasswordCallback; - --import com.netscape.certsrv.acls.EACLsException; --import com.netscape.certsrv.acls.IACL; - import com.netscape.certsrv.authentication.IAuthSubsystem; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.authority.IAuthority; -@@ -316,22 +314,6 @@ public final class CMS { - } - - /** -- * Parse ACL resource attributes -- * -- * @param resACLs same format as the 
resourceACLs attribute: -- * -- *
--     *     ::
--     *      () 
--     * 
-- * @exception EACLsException ACL related parsing errors for resACLs -- * @return an ACL instance built from the parsed resACLs -- */ -- public static IACL parseACL(String resACLs) throws EACLsException { -- return _engine.parseACL(resACLs); -- } -- -- /** - * Creates an issuing poing record. - * - * @return issuing record -diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -index f861b95..d996d90 100644 ---- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java -@@ -36,8 +36,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; - import org.mozilla.jss.CryptoManager.CertificateUsage; - import org.mozilla.jss.util.PasswordCallback; - --import com.netscape.certsrv.acls.EACLsException; --import com.netscape.certsrv.acls.IACL; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.authority.IAuthority; - import com.netscape.certsrv.base.EBaseException; -@@ -468,20 +466,6 @@ public interface ICMSEngine extends ISubsystem { - String p7, String p8, String p9, String p10); - - /** -- * Parse ACL resource attributes -- * -- * @param resACLs same format as the resourceACLs attribute: -- * -- *
--     *     ::
--     *      () 
--     * 
-- * @exception EACLsException ACL related parsing errors for resACLs -- * @return an ACL instance built from the parsed resACLs -- */ -- public IACL parseACL(String resACLs) throws EACLsException; -- -- /** - * Creates an issuing poing record. - * - * @return issuing record -diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -index 4e864fd..2d4a94f 100644 ---- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -@@ -180,7 +180,7 @@ public abstract class AAclAuthz implements IAuthzManager { - * @throws EBaseException parsing error from parseACL - */ - public void addACLs(String resACLs) throws EBaseException { -- ACL acl = (ACL) CMS.parseACL(resACLs); -+ ACL acl = ACL.parseACL(resACLs); - - if (acl != null) { - ACL curACL = mACLs.get(acl.getName()); -@@ -791,7 +791,7 @@ public abstract class AAclAuthz implements IAuthzManager { - ACL ac = null; - - try { -- ac = (ACL) CMS.parseACL(resourceACLs); -+ ac = ACL.parseACL(resourceACLs); - } catch (EBaseException ex) { - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR_0")); - } -diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index b1df429..eaf57fa 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -38,7 +38,6 @@ import java.util.Hashtable; - import java.util.List; - import java.util.Locale; - import java.util.ResourceBundle; --import java.util.StringTokenizer; - import java.util.Timer; - import java.util.Vector; - -@@ -62,10 +61,6 @@ import org.mozilla.jss.util.PasswordCallback; - import org.w3c.dom.Element; - import org.w3c.dom.NodeList; - --import com.netscape.certsrv.acls.ACL; --import 
com.netscape.certsrv.acls.ACLEntry; --import com.netscape.certsrv.acls.EACLsException; --import com.netscape.certsrv.acls.IACL; - import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.apps.ICMSEngine; - import com.netscape.certsrv.apps.ICommandQueue; -@@ -618,122 +613,6 @@ public class CMSEngine implements ICMSEngine { - } - - /** -- * Parse ACL resource attributes -- * -- * @param resACLs same format as the resourceACLs attribute: -- * -- *
--     *     ::
--     *      () 
--     * 
-- * @exception EACLsException ACL related parsing errors for resACLs -- * @return an ACL instance built from the parsed resACLs -- */ -- public IACL parseACL(String resACLs) throws EACLsException { -- if (resACLs == null) { -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_NULL_VALUE", "resACLs")); -- } -- -- ACL acl = null; -- Vector rights = null; -- int idx1 = resACLs.indexOf(":"); -- -- if (idx1 <= 0) { -- acl = new ACL(resACLs, rights, resACLs); -- } else { -- // getting resource id -- String resource = resACLs.substring(0, idx1); -- -- if (resource == null) { -- String infoMsg = "resource not specified in resourceACLS attribute:" + -- resACLs; -- -- String[] params = new String[2]; -- -- params[0] = resACLs; -- params[1] = infoMsg; -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -- } -- -- // getting list of applicable rights -- String st = resACLs.substring(idx1 + 1); -- int idx2 = st.indexOf(":"); -- String rightsString = null; -- -- if (idx2 != -1) -- rightsString = st.substring(0, idx2); -- else { -- String infoMsg = -- "rights not specified in resourceACLS attribute:" + resACLs; -- String[] params = new String[2]; -- -- params[0] = resACLs; -- params[1] = infoMsg; -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -- } -- -- if (rightsString != null) { -- rights = new Vector(); -- StringTokenizer rtok = new StringTokenizer(rightsString, ","); -- -- while (rtok.hasMoreTokens()) { -- rights.addElement(rtok.nextToken()); -- } -- } -- -- acl = new ACL(resource, rights, resACLs); -- -- // search *backwards* for final instance of ':', to handle case -- // where acl expressions contain colon, e.g. in a group name. 
-- String stx = st.substring(idx2 + 1); -- int idx3 = stx.lastIndexOf(":"); -- String aclStr = stx.substring(0, idx3); -- -- // getting list of acl entries -- if (aclStr != null) { -- StringTokenizer atok = new StringTokenizer(aclStr, ";"); -- -- while (atok.hasMoreTokens()) { -- String acs = atok.nextToken(); -- -- // construct ACL entry -- ACLEntry entry = ACLEntry.parseACLEntry(acl, acs); -- -- if (entry == null) { -- String infoMsg = "parseACLEntry() call failed"; -- String[] params = new String[2]; -- -- params[0] = "ACLEntry = " + acs; -- params[1] = infoMsg; -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -- } -- -- entry.setACLEntryString(acs); -- acl.addEntry(entry); -- } -- } else { -- // fine -- String infoMsg = "acls not specified in resourceACLS attribute:" + -- -- resACLs; -- -- String[] params = new String[2]; -- -- params[0] = resACLs; -- params[1] = infoMsg; -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); -- } -- -- // getting description -- String desc = stx.substring(idx3 + 1); -- -- acl.setDescription(desc); -- } -- -- return (acl); -- } -- -- /** - * Parse server.xml to get the ports and IPs - * @throws EBaseException - */ -diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -index b314dac..b65dae1 100644 ---- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java -@@ -19,8 +19,6 @@ import org.dogtagpki.legacy.policy.ISubjAltNameConfig; - import org.mozilla.jss.CryptoManager.CertificateUsage; - import org.mozilla.jss.util.PasswordCallback; - --import com.netscape.certsrv.acls.EACLsException; --import com.netscape.certsrv.acls.IACL; - import com.netscape.certsrv.apps.ICMSEngine; - import com.netscape.certsrv.apps.ICommandQueue; - import com.netscape.certsrv.authentication.ISharedToken; -@@ 
-260,10 +258,6 @@ public class CMSEngineDefaultStub implements ICMSEngine { - return null; - } - -- public IACL parseACL(String resACLs) throws EACLsException { -- return null; -- } -- - public ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize, - Date thisUpdate, Date nextUpdate) { - return null; --- -1.8.3.1 - - -From 973c83b316272319ccb958ff6f391dfccb0c4e76 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 10:39:33 +1100 -Subject: [PATCH 14/20] ACL.java: Remove unused constructor - -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: Id8eee2d31538e2c95debb03a6102e0a7fdb0bd60 - -(cherry picked from commit 8748541f70e1c753589b37f76331a7cadc684253) ---- - base/common/src/com/netscape/certsrv/acls/ACL.java | 5 ----- - 1 file changed, 5 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java -index fc031e4..0e3c28e 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACL.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java -@@ -51,11 +51,6 @@ public class ACL implements IACL, java.io.Serializable { - protected String name = null; // resource name - protected String description = null; // resource description - -- /** -- * Class constructor. -- */ -- public ACL() { -- } - - /** - * Class constructor. 
--- -1.8.3.1 - - -From aa1c01265acd8e92a7cf8880d594ab554dc5efbc Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 10:58:21 +1100 -Subject: [PATCH 15/20] ACL.java: Make constructor private and add sanity check - -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: I5b15695df8692941646151b92ddaa893b3f93468 - -(cherry picked from commit fcacf3d579a2562b764e0caed2cab81d73aa053f) ---- - base/common/src/com/netscape/certsrv/acls/ACL.java | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java -index 0e3c28e..d1560ab 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACL.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java -@@ -66,8 +66,10 @@ public class ACL implements IACL, java.io.Serializable { - * Allow administrators to read and modify log - * configuration" - */ -- public ACL(String name, Collection rights, String resourceACLs) { -- setName(name); -+ private ACL(String name, Collection rights, String resourceACLs) { -+ if (name == null) -+ throw new IllegalArgumentException("ACL name cannot be null"); -+ this.name = name; - if (rights != null) { - this.rights = new TreeSet<>(rights); - } else { --- -1.8.3.1 - - -From fd7dc5e953fccd966f940b4060e35935ef4a3146 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 11:12:41 +1100 -Subject: [PATCH 16/20] ACL.java: retain all resourceACLs strings when merging - -When writing a merged ACL back to the database, only the first -resourceACLs string is written, and the other resourceACLs strings -are lost. - -Retain all the original resourceACLs strings when merging ACLs and -write them all back to the database when saving. - -This commit also performs some minor refactors. Extract the merging -routine into ACL.merge(). Remove the now-unused addRight(), -addEntry() and setName() methods. 
- -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: Ica36f1ed1517b4d13f13fd78259b6bb78ef1f22c - -(cherry picked from commit 414a6a63d4833cfe0e575a682378fb9515ad59a6) ---- - base/common/src/com/netscape/certsrv/acls/ACL.java | 47 ++++++++-------------- - .../com/netscape/cms/authorization/AAclAuthz.java | 9 +---- - .../netscape/cms/authorization/DirAclAuthz.java | 6 +-- - 3 files changed, 20 insertions(+), 42 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java -index d1560ab..cce41a8 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACL.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java -@@ -47,10 +47,11 @@ public class ACL implements IACL, java.io.Serializable { - - protected Vector entries = new Vector(); // ACL entries - protected TreeSet rights = null; // possible rights entries -- protected String resourceACLs = null; // exact resourceACLs string on ldap server - protected String name = null; // resource name - protected String description = null; // resource description - -+ // exact resourceACLs strings on ldap server -+ protected TreeSet resourceACLs = new TreeSet<>(); - - /** - * Class constructor. -@@ -75,18 +76,20 @@ public class ACL implements IACL, java.io.Serializable { - } else { - this.rights = new TreeSet<>(); - } -- this.resourceACLs = resourceACLs; -- -+ this.resourceACLs.add(resourceACLs); - } - -- /** -- * Sets the name of the resource governed by this -- * access control. -+ /** Merge the rules of the other ACL into this one. - * -- * @param name name of the resource -+ * @throws IllegalArgumentException if the ACLs do not have the same name. 
- */ -- public void setName(String name) { -- this.name = name; -+ public void merge(ACL other) { -+ if (!this.name.equals(other.name)) -+ throw new IllegalArgumentException("Cannot merge ACLs; names do not match."); -+ -+ this.rights.addAll(other.rights); -+ this.entries.addAll(other.entries); -+ this.resourceACLs.addAll(other.resourceACLs); - } - - /** -@@ -100,11 +103,11 @@ public class ACL implements IACL, java.io.Serializable { - } - - /** -- * Retrieves the exact string of the resourceACLs -+ * Retrieve an iterable of strings that were used to produce this ACL. - * -- * @return resource's acl -+ * @return Iterable of formatted ACLs - */ -- public String getResourceACLs() { -+ public Iterable getResourceACLs() { - return resourceACLs; - } - -@@ -129,15 +132,6 @@ public class ACL implements IACL, java.io.Serializable { - } - - /** -- * Adds an ACL entry to this list. -- * -- * @param entry the ACLEntry to be added to this resource -- */ -- public void addEntry(ACLEntry entry) { -- entries.addElement(entry); -- } -- -- /** - * Returns ACL entries. - * - * @return enumeration for the ACLEntry vector -@@ -168,15 +162,6 @@ public class ACL implements IACL, java.io.Serializable { - } - - /** -- * Adds an rights entry to this list. 
-- * -- * @param right The right to be added for this ACL -- */ -- public void addRight(String right) { -- rights.add(right); -- } -- -- /** - * Tells if the permission is one of the defined "rights" - * - * @param permission permission to be checked -@@ -288,7 +273,7 @@ public class ACL implements IACL, java.io.Serializable { - } - - entry.setACLEntryString(acs); -- acl.addEntry(entry); -+ acl.entries.add(entry); - } - } else { - // fine -diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -index 2d4a94f..7b69ec4 100644 ---- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -@@ -187,14 +187,7 @@ public abstract class AAclAuthz implements IAuthzManager { - if (curACL == null) { - mACLs.put(acl.getName(), acl); - } else { -- for (Enumeration entries = acl.entries() ; -- entries.hasMoreElements() ; ) { -- curACL.addEntry(entries.nextElement()); -- } -- for (Enumeration rights = acl.rights() ; -- rights.hasMoreElements() ; ) { -- curACL.addRight(rights.nextElement()); -- } -+ curACL.merge(acl); - } - } else { - log(ILogger.LL_FAILURE, "parseACL failed"); -diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -index 3e2a1b3..13360ef 100644 ---- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -@@ -231,9 +231,9 @@ public class DirAclAuthz extends AAclAuthz - if (en.hasMoreElements() == true) { - while (en.hasMoreElements()) { - ACL a = en.nextElement(); -- String resAclString = a.getResourceACLs(); -- -- attrs.addValue(resAclString); -+ for (String s : a.getResourceACLs()) { -+ attrs.addValue(s); -+ } - } - - mod.add(LDAPModification.REPLACE, attrs); --- -1.8.3.1 - - -From 
5cf81863d7813259a526af38e32d504ca5cc59bb Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 15:14:06 +1100 -Subject: [PATCH 17/20] ACL.java: remove setDescription method - -The only place setDescription was used was in parseACL() which is -now part of this class, so we can replace that method with a new -constructor argument and avoid another way to unreasonably mutate -an ACL. - -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: I8cff0cbb5cb47b80b7b0e6dc37702e16ec2a85e0 - -(cherry picked from commit 5e36d86d2c5ab2264768e64fe8029e428ce01b92) ---- - base/common/src/com/netscape/certsrv/acls/ACL.java | 29 ++++++++-------------- - 1 file changed, 10 insertions(+), 19 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACL.java b/base/common/src/com/netscape/certsrv/acls/ACL.java -index cce41a8..09a4b2b 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACL.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACL.java -@@ -67,7 +67,11 @@ public class ACL implements IACL, java.io.Serializable { - * Allow administrators to read and modify log - * configuration" - */ -- private ACL(String name, Collection rights, String resourceACLs) { -+ private ACL( -+ String name, -+ Collection rights, -+ String desc, -+ String resourceACLs) { - if (name == null) - throw new IllegalArgumentException("ACL name cannot be null"); - this.name = name; -@@ -77,6 +81,7 @@ public class ACL implements IACL, java.io.Serializable { - this.rights = new TreeSet<>(); - } - this.resourceACLs.add(resourceACLs); -+ this.description = desc; - } - - /** Merge the rules of the other ACL into this one. -@@ -112,16 +117,6 @@ public class ACL implements IACL, java.io.Serializable { - } - - /** -- * Sets the description of the resource governed by this -- * access control. 
-- * -- * @param description Description of the protected resource -- */ -- public void setDescription(String description) { -- this.description = description; -- } -- -- /** - * Retrieves the description of the resource governed by - * this access control. - * -@@ -203,7 +198,7 @@ public class ACL implements IACL, java.io.Serializable { - int idx1 = resACLs.indexOf(":"); - - if (idx1 <= 0) { -- acl = new ACL(resACLs, rights, resACLs); -+ acl = new ACL(resACLs, rights, null /* desc */, resACLs); - } else { - // getting resource id - String resource = resACLs.substring(0, idx1); -@@ -245,13 +240,14 @@ public class ACL implements IACL, java.io.Serializable { - } - } - -- acl = new ACL(resource, rights, resACLs); -- - // search *backwards* for final instance of ':', to handle case - // where acl expressions contain colon, e.g. in a group name. - String stx = st.substring(idx2 + 1); - int idx3 = stx.lastIndexOf(":"); - String aclStr = stx.substring(0, idx3); -+ String desc = stx.substring(idx3 + 1); -+ -+ acl = new ACL(resource, rights, desc, resACLs); - - // getting list of acl entries - if (aclStr != null) { -@@ -287,11 +283,6 @@ public class ACL implements IACL, java.io.Serializable { - params[1] = infoMsg; - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PARSING_ERROR", params)); - } -- -- // getting description -- String desc = stx.substring(idx3 + 1); -- -- acl.setDescription(desc); - } - - return (acl); --- -1.8.3.1 - - -From 987c3e042b0419aaa75f11e936effd52bc9da6d5 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 16:39:20 +1100 -Subject: [PATCH 18/20] ACLEntry.java: return null on parse error - -If an ACL entry has an empty permission expression a -StringIndexOutOfBoundsException is thrown because an expected space -character cannot be found. Detect this condition and return null. 
- -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: I1518f53f68e106e877d24d7dce8a5756ca5aedbd - -(cherry picked from commit 682fcf270f6b49ff5a6e7133f022982445a74422) ---- - base/common/src/com/netscape/certsrv/acls/ACLEntry.java | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -index 23f8596..5cca230 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -@@ -203,6 +203,11 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - } - // locate the second space - i = suffix.indexOf(' '); -+ if (i <= 0) { -+ // second space not found, or is at start of string -+ return null; -+ } -+ - // this prefix should be rights list, delimited by "," - prefix = suffix.substring(1, i - 1); - // the suffix is the rest, which is the "expressions" --- -1.8.3.1 - - -From 5a918d21aba41516054f232141752dd5a708cf77 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 9 Mar 2018 17:58:39 +1100 -Subject: [PATCH 19/20] DirAclAuthz.updateACLs: re-throw ACL exception - -Currently DirAclAuthz catches EACLsException when attempting to -update an ACL, logs the error, and then throws a new EACLsException, -discarding the info about where the original exception occurred. -There is no need to throw a new exception of the same type, so -re-throw the caught exception. 
- -Part of: https://pagure.io/dogtagpki/issue/2957 -Change-Id: If6e38e2217b8884b54b7daf07a7b79e23b8175d7 - -(cherry picked from commit 021ebec5d54a85d8de56478fb4762c4b15ee0a3a) ---- - base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -index 13360ef..e2c1229 100644 ---- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -+++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java -@@ -211,7 +211,7 @@ public class DirAclAuthz extends AAclAuthz - - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); - -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); -+ throw ex; - } - } - --- -1.8.3.1 - - -From 65a1edc262a2abb4b3bbcf7a46d775dbaffa4937 Mon Sep 17 00:00:00 2001 -From: Amol Kahat -Date: Tue, 27 Feb 2018 19:56:31 +0530 -Subject: [PATCH 20/20] Fixed BZ 1549632: Not able to generate certificate - request with ECC using pki client-cert-request - -Change-Id: I23a51af2c9e9bcc62983332bee22fe3c56ce1409 -Signed-off-by: Amol Kahat -(cherry picked from commit 69434ec08442b92cab8c304caef98200ff71e8e2) -(cherry picked from commit 15911c8e65eb1543776a64f567ca3e281091e750) ---- - .../cmstools/client/ClientCertRequestCLI.java | 45 ++++++++++++++-------- - 1 file changed, 29 insertions(+), 16 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -index 54acd65..b440fc6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java -@@ -123,7 +123,8 @@ public class ClientCertRequestCLI extends CLI { - option.setArgName("path"); - 
options.addOption(option); - -- option = new Option(null, "profile", true, "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)"); -+ option = new Option(null, "profile", true, -+ "Certificate profile (RSA default: caUserCert, ECC default: caECUserCert)"); - option.setArgName("profile"); - options.addOption(option); - -@@ -242,7 +243,7 @@ public class ClientCertRequestCLI extends CLI { - throw new Exception("--issuer-id and --issuer-dn options are mutually exclusive"); - } - -- MainCLI mainCLI = (MainCLI)parent.getParent(); -+ MainCLI mainCLI = (MainCLI) parent.getParent(); - File certDatabase = mainCLI.certDatabase; - - String password = mainCLI.config.getCertPassword(); -@@ -253,13 +254,21 @@ public class ClientCertRequestCLI extends CLI { - String csr; - PKIClient client; - if ("pkcs10".equals(requestType)) { -- csr = generatePkcs10Request(certDatabase, password, algorithm, length, subjectDN); -+ if ("rsa".equals(algorithm)) { -+ csr = generatePkcs10Request(certDatabase, password, algorithm, -+ Integer.toString(length), subjectDN); -+ } -+ -+ else if ("ec".equals(algorithm)) { -+ csr = generatePkcs10Request(certDatabase, password, algorithm, curve, subjectDN); -+ } else { -+ throw new Exception("Error: Unknown algorithm: " + algorithm); -+ } - - // initialize database after PKCS10Client to avoid conflict - mainCLI.init(); - client = getClient(); - -- - } else if ("crmf".equals(requestType)) { - - // initialize database before CRMFPopClient to load transport certificate -@@ -325,8 +334,8 @@ public class ClientCertRequestCLI extends CLI { - Vector rdns = dn.getRDNs(); - - Map subjectAttributes = new HashMap(); -- for (int i=0; i< rdns.size(); i++) { -- RDN rdn = (RDN)rdns.elementAt(i); -+ for (int i = 0; i < rdns.size(); i++) { -+ RDN rdn = (RDN) rdns.elementAt(i); - String type = rdn.getTypes()[0].toLowerCase(); - String value = rdn.getValues()[0]; - subjectAttributes.put(type, value); -@@ -334,7 +343,8 @@ public class ClientCertRequestCLI 
extends CLI { - - ProfileInput sn = request.getInput("Subject Name"); - if (sn != null) { -- if (verbose) System.out.println("Subject Name:"); -+ if (verbose) -+ System.out.println("Subject Name:"); - - for (ProfileAttribute attribute : sn.getAttributes()) { - String name = attribute.getName(); -@@ -350,13 +360,16 @@ public class ClientCertRequestCLI extends CLI { - - } else { - // unknown attribute, ignore -- if (verbose) System.out.println(" - " + name); -+ if (verbose) -+ System.out.println(" - " + name); - continue; - } - -- if (value == null) continue; -+ if (value == null) -+ continue; - -- if (verbose) System.out.println(" - " + name + ": " + value); -+ if (verbose) -+ System.out.println(" - " + name + ": " + value); - attribute.setValue(value); - } - } -@@ -385,19 +398,20 @@ public class ClientCertRequestCLI extends CLI { - File certDatabase, - String password, - String algorithm, -- int length, -- String subjectDN -- ) throws Exception { -+ String length, -+ String subjectDN) throws Exception { - - File csrFile = File.createTempFile("pki-client-cert-request-", ".csr", certDatabase); - csrFile.deleteOnExit(); - -+ String lenOrCurve = "ec".equals(algorithm) ? "-c" : "-l"; -+ - String[] commands = { - "/usr/bin/PKCS10Client", - "-d", certDatabase.getAbsolutePath(), - "-p", password, - "-a", algorithm, -- "-l", "" + length, -+ lenOrCurve, "" + length, - "-o", csrFile.getAbsolutePath(), - "-n", subjectDN - }; -@@ -427,8 +441,7 @@ public class ClientCertRequestCLI extends CLI { - int sensitive, - int extractable, - boolean withPop, -- KeyWrapAlgorithm keyWrapAlgorithm -- ) throws Exception { -+ KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { - - CryptoManager manager = CryptoManager.getInstance(); - CryptoToken token = manager.getThreadToken(); --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-batch-1.1.patch b/SOURCES/pki-core-10.5.1-batch-1.1.patch deleted file mode 100644 index c90d0b6..0000000 
--- a/SOURCES/pki-core-10.5.1-batch-1.1.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From d34d825473a50a66b9b21d0a5b072fc12f71821c Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Thu, 22 Mar 2018 11:39:05 -0700
-Subject: [PATCH 1/3] fix TPS CS.cfg param from tps.connector.connCAList to
- tps.connCAList
-
-Change-Id: Ic391b845358736daab4b814c86e6f7f512a209bb
-(cherry picked from commit 4e237910d02918a53618154bf923204b3e2be085)
-(cherry picked from commit 3f0f0d971e4382ef9ea1490d1a07644fcef0b343)
----
- base/tps/man/man5/pki-tps-connector.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/tps/man/man5/pki-tps-connector.5 b/base/tps/man/man5/pki-tps-connector.5
-index b3e405e..a2df454 100644
---- a/base/tps/man/man5/pki-tps-connector.5
-+++ b/base/tps/man/man5/pki-tps-connector.5
-@@ -68,7 +68,7 @@ Example ops: enrollment, renewal, revoke, unrevoke, getcert.
- 
- This property contains the connection timeout.
- 
--.SS tps.connector.connCAList
-+.SS tps.connCAList
- 
- This property is used for \fIRevocation Routing\fP. It contains a list of ordered ca id's separated by ',' that the revocation attempt should be made to.
- Example:
---
-1.8.3.1
-
-
-From fbd5122bd3e7ffe3632406f006630e2ddbc41907 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Mon, 26 Mar 2018 10:09:42 -0700
-Subject: [PATCH 2/3] reflect dogtagpki url change in CMCRequest man page.
-
-Change-Id: I8eb5884a26850b87f378c4417939c873c27fd409
-(cherry picked from commit 3ce3ae9bd73a906beb0254a7488b15e11ddcf905)
-(cherry picked from commit 08c6684dfbabb53ab9301e33e2b40389b93f18bc)
----
- base/java-tools/man/man1/CMCRequest.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/java-tools/man/man1/CMCRequest.1 b/base/java-tools/man/man1/CMCRequest.1
-index f647ef7..8c67fc0 100644
---- a/base/java-tools/man/man1/CMCRequest.1
-+++ b/base/java-tools/man/man1/CMCRequest.1
-@@ -174,7 +174,7 @@ For revocation by authenticating with user's shared secret, the following parame
- CMC requests must be submitted to the CA to be processed. Tool supported by Dogtag for submitting these requests is \fBHttpClient\fP.
- .PP
- \fBNote:\fP For examples on how to use this tool, please see
--http://pki.fedoraproject.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples.
-+http://www.dogtagpki.org/wiki/PKI_10.4_CMC_Feature_Update_(RFC5272)#Practical_Usage_Scenarios for Practical Usage Scenarios, and their examples.
- 
- .SH AUTHORS
- Christina Fu .
---
-1.8.3.1
-
-
-From 7b5a899e3d237e2be3bc1c7d9e4dd7613cdd9f24 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Thu, 29 Mar 2018 09:59:02 -0700
-Subject: [PATCH 3/3] quick fix on wrong keyType in profile
-
-Change-Id: I0fa90ebb559e0fb8af123191f7bc7cdedbc55d87
-(cherry picked from commit 995682153e10393dc46f16090c26f28ca1b6cfc6)
-(cherry picked from commit 3e0f7dfac7c8ba0859aad6a082eb1659631e2620)
----
- base/ca/shared/profiles/ca/caUserCert.cfg | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/base/ca/shared/profiles/ca/caUserCert.cfg b/base/ca/shared/profiles/ca/caUserCert.cfg
-index 1f62bb8..9164dac 100644
---- a/base/ca/shared/profiles/ca/caUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caUserCert.cfg
-@@ -36,7 +36,7 @@ policyset.userCertSet.2.default.params.range=180
- policyset.userCertSet.2.default.params.startTime=0
- policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
- policyset.userCertSet.3.constraint.name=Key Constraint
--policyset.userCertSet.3.constraint.params.keyType=EC
-+policyset.userCertSet.3.constraint.params.keyType=RSA
- policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
- policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
- policyset.userCertSet.3.default.name=Key Default
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.1-batch-2.0.patch b/SOURCES/pki-core-10.5.1-batch-2.0.patch
deleted file mode 100644
index 73aff94..0000000
--- a/SOURCES/pki-core-10.5.1-batch-2.0.patch
+++ /dev/null
@@ -1,1069 +0,0 @@ -From c4f6b7c6d4a0d8130c46cd1f820f8980b7f314e2 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 16 Apr 2018 14:28:39 -0700 -Subject: [PATCH 1/7] Ticket #2940 post-ticket simple typo fix. - -Change-Id: I98558f607cb611981bcafd42d6500fd26a9664be -(cherry picked from commit 2e299050016094c4ab9b739bc68a27787d8aadb4) -(cherry picked from commit 7ed0b12aa3bc9a04acd417fc0757500d585c57e8) ---- - base/java-tools/man/man1/CMCSharedToken.1 | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/java-tools/man/man1/CMCSharedToken.1 b/base/java-tools/man/man1/CMCSharedToken.1 -index e4a26f0..64c97f8 100644 ---- a/base/java-tools/man/man1/CMCSharedToken.1 -+++ b/base/java-tools/man/man1/CMCSharedToken.1 -@@ -48,7 +48,7 @@ Security token name (default: internal) - Security token password. - - .TP --.B -p -+.B -s - CMC enrollment passphrase (shared secret) (put in "" if containing spaces) - - .TP -@@ -56,7 +56,7 @@ CMC enrollment passphrase (shared secret) (put in "" if containing spaces) - PEM issuance protection certificate. Note: only one of the -b or -n options should be used. - - .TP --.B -n -+.B -n - PEM issuance protection certificate on token. Note: only one of the -b or -n options should be used. - - .TP --- -1.8.3.1 - - -From b189ac5a9fe0eee529893ca1b3616a12fd1d0631 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 19 Apr 2018 17:11:34 -0700 -Subject: [PATCH 2/7] Ticket #2992 servlet profileSubmitCMCSimple throws NPE - -This patch addresses the issue that when auth.instance_id is not specified in -the profile, NPE is thrown. -Alternative is to add auth.instance_id value, but it's better to leave this -as manual approval only without changing the functionality. 
- -fixes https://pagure.io/dogtagpki/issue/2992 - -Change-Id: I0a3afca1c66af96917a81c94b088d792f0332a4d -(cherry picked from commit 203db212a3dce216687dd2aac349fe37d2e92a96) ---- - .../com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 91a26b1..a0bcfb5 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -509,7 +509,10 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: null it out"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); - } -- String signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); -+ String signingCertSerialS = null; -+ if (authToken != null) { -+ signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); -+ } - if (signingCertSerialS != null) { - CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); --- -1.8.3.1 - - -From ff37277ba6ee49e92f9bad078f23e66b79315535 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 24 Apr 2018 02:44:15 +0200 -Subject: [PATCH 3/7] Fixed token name normalization in pki-server - subsystem-cert-validate - -The pki-server subsystem-cert-validate has been modified to -normalize cert token name before calling pki client-cert-validate. -This way "Internal Key Storage Token" will be considered as an -internal token and no longer specified as a parameter. 
- -https://pagure.io/dogtagpki/issue/2997 - -Change-Id: I452d8e4b404086c3add6b52a9aa2acd2993d7e97 -(cherry picked from commit d61f9729dcc102c9acbbaa8129fffb6c30fb7116) ---- - base/common/python/pki/nssdb.py | 27 +++++++++++++++++++++----- - base/server/python/pki/server/__init__.py | 7 +++++++ - base/server/python/pki/server/cli/subsystem.py | 3 +++ - base/server/sbin/pkidestroy | 13 +++++++++++-- - base/server/sbin/pkispawn | 10 ++++++++++ - 5 files changed, 53 insertions(+), 7 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 934fe8b..0f3c97a 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -43,6 +43,9 @@ CERT_FOOTER = '-----END CERTIFICATE-----' - PKCS7_HEADER = '-----BEGIN PKCS7-----' - PKCS7_FOOTER = '-----END PKCS7-----' - -+INTERNAL_TOKEN_NAME = 'internal' -+INTERNAL_TOKEN_FULL_NAME = 'Internal Key Storage Token' -+ - logger = logging.LoggerAdapter( - logging.getLogger(__name__), - extra={'indent': ''}) -@@ -112,6 +115,24 @@ def get_file_type(filename): - return None - - -+def normalize_token(token): -+ """ -+ Normalize internal token name (e.g. empty string, 'internal', -+ 'Internal Key Storage Token') into None. Other token names -+ will be unchanged. 
-+ """ -+ if not token: -+ return None -+ -+ if token.lower() == INTERNAL_TOKEN_NAME: -+ return None -+ -+ if token.lower() == INTERNAL_TOKEN_FULL_NAME.lower(): -+ return None -+ -+ return token -+ -+ - class NSSDatabase(object): - - def __init__(self, directory=None, token=None, password=None, -@@ -123,11 +144,7 @@ class NSSDatabase(object): - os.path.expanduser("~"), '.dogtag', 'nssdb') - - self.directory = directory -- -- if token == 'internal' or token == 'Internal Key Storage Token': -- self.token = None -- else: -- self.token = token -+ self.token = normalize_token(token) - - self.tmpdir = tempfile.mkdtemp() - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 65aee2f..b5180f0 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -28,6 +28,7 @@ import grp - import io - import ldap - import ldap.filter -+import logging - import operator - import os - import pwd -@@ -50,6 +51,10 @@ SUBSYSTEM_CLASSES = {} - - SELFTEST_CRITICAL = 'critical' - -+logger = logging.LoggerAdapter( -+ logging.getLogger(__name__), -+ extra={'indent': ''}) -+ - - class PKIServer(object): - -@@ -206,6 +211,8 @@ class PKISubsystem(object): - if cert_id: - cmd.append(cert_id) - -+ logger.debug('Command: %s', ' '.join(cmd)) -+ - subprocess.check_output( - cmd, - stderr=subprocess.STDOUT) -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index 0abf90a..57093d4 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -1000,6 +1000,9 @@ class SubsystemCertValidateCLI(pki.cli.CLI): - token = cert.get('token', '') - print(' Token: %s' % token) - -+ # normalize internal token into None -+ token = pki.nssdb.normalize_token(token) -+ - # get token password and store in temporary file - passwd = instance.get_token_password(token) - -diff --git 
a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 4df74a4..58f0541 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -24,6 +24,7 @@ from __future__ import absolute_import - from __future__ import print_function - import sys - import signal -+import subprocess - - if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: - print("Python version %s.%s.%s is too old." % sys.version_info[:3]) -@@ -235,8 +236,16 @@ def main(argv): - - scriptlet.destroy(deployer) - -- # pylint: disable=W0703 -- except Exception as e: -+ except subprocess.CalledProcessError as e: -+ log_error_details() -+ print() -+ print("Uninstallation failed: Command failed: %s" % ' '.join(e.cmd)) -+ if e.output: -+ print(e.output) -+ print() -+ sys.exit(1) -+ -+ except Exception as e: # pylint: disable=broad-except - log_error_details() - print() - print("Uninstallation failed: %s" % e) -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index b2ac8b4..ab94b8b 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -24,6 +24,7 @@ from __future__ import absolute_import - from __future__ import print_function - import sys - import signal -+import subprocess - - if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: - print("Python version %s.%s.%s is too old." 
% sys.version_info[:3]) -@@ -549,6 +550,15 @@ def main(argv): - - sys.exit(1) - -+ except subprocess.CalledProcessError as e: -+ log_error_details() -+ print() -+ print("Installation failed: Command failed: %s" % ' '.join(e.cmd)) -+ if e.output: -+ print(e.output) -+ print() -+ sys.exit(1) -+ - except Exception as e: # pylint: disable=broad-except - log_error_details() - print() --- -1.8.3.1 - - -From 5df4e1a9418a9d276170c0c9c8bdec2f0de0d759 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 15 May 2018 19:06:48 -0700 -Subject: [PATCH 4/7] Ticket 1741 ECDSA Signature Algorithm encoding - -This patch addresses part of the issue where params were in the AlgorithmIdentifier of the ECDSA signature algorithm. The JSS portion is addressed by https://pagure.io/jss/issue/3 - -Fixes https://pagure.io/dogtagpki/issue/1741 - -Change-Id: I5dfea6eb2ca4711da2a983382c3f6607d95f3e0d -(cherry picked from commit 01dcdee01ab9c231e89169e422e452ce5ef22257) ---- - base/util/src/netscape/security/x509/AlgorithmId.java | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java -index a89843e..ae5975a 100644 ---- a/base/util/src/netscape/security/x509/AlgorithmId.java -+++ b/base/util/src/netscape/security/x509/AlgorithmId.java -@@ -142,7 +142,16 @@ public class AlgorithmId implements Serializable, DerEncoder { - * Figure out what class (if any) knows about this oid's - * parameters. Make one, and give it the data to decode. 
- */ -- AlgorithmId alg = new AlgorithmId(algid, params); -+ AlgorithmId alg = null; -+ // omit parameter field for ECDSA -+ if (!algid.equals(sha224WithEC_oid) && -+ !algid.equals(sha256WithEC_oid) && -+ !algid.equals(sha384WithEC_oid) && -+ !algid.equals(sha512WithEC_oid)) { -+ alg = new AlgorithmId(algid, params); -+ } else { -+ alg = new AlgorithmId(algid); -+ } - if (params != null) - alg.decodeParams(); - --- -1.8.3.1 - - -From e4324c4fe54c8b139fbb522c1ad899579ce0aaec Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 16 May 2018 14:52:21 -0700 -Subject: [PATCH 5/7] Ticket 3018 CMC profiles: Some CMC profiles have wrong - input class_id - -This patch fixes the profile input area where -cmcCertReqInputImpl should replace certReqInputImpl -and submitterInfoInputImpl should not be present - -fixes https://pagure.io/dogtagpki/issue/3018 - -Change-Id: Id4e03961110b19b2c73ebd9def89919d5dd3b0ad -(cherry picked from commit ac8c853ed9b06f4dfdbeb4d00f3f425f5d479824) ---- - base/ca/shared/profiles/ca/caCMCECUserCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caCMCECserverCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCUserCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCcaCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCocspCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCserverCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg | 5 ++--- - base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 3 +-- - 
base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg | 3 +-- - base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 2 +- - 19 files changed, 28 insertions(+), 45 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -index 5185891..b7b4881 100644 ---- a/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCECUserCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Signed CMC-Authenticated User Certificate wth ECC keys Enrollment --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg -index 158d9fe..53b0c4d 100644 ---- a/base/ca/shared/profiles/ca/caCMCECserverCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCECserverCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Server Certificate wth ECC keys Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=serverCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg -index f755243..6e41e06 100644 ---- a/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCECsubsystemCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Subsystem Certificate Enrollment with ECC keys using CMC --input.list=i1,i2 
--input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=serverCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCUserCert.cfg b/base/ca/shared/profiles/ca/caCMCUserCert.cfg -index fe2a8b3..df47758 100644 ---- a/base/ca/shared/profiles/ca/caCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCUserCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Signed CMC-Authenticated User Certificate Enrollment --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -index 967d6ef..ff4856c 100644 ---- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Audit Signing Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=auditSigningCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -index 49a356d..bf6c59a 100644 ---- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Certificate Manager Signing Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl 
--input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=caCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -index bbe733a..1c2630d 100644 ---- a/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCkraStorageCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=KRA storage Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=drmStorageCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -index 60b19bf..3d00408 100644 ---- a/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCkraTransportCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Key Archival Authority Transport Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=transportCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCocspCert.cfg b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -index cd60562..14464bf 100644 ---- a/base/ca/shared/profiles/ca/caCMCocspCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCocspCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=OCSP Responder Signing Certificate Enrollment using CMC --input.list=i1,i2 
--input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=ocspCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCserverCert.cfg b/base/ca/shared/profiles/ca/caCMCserverCert.cfg -index 89bbbea..9ad9fac 100644 ---- a/base/ca/shared/profiles/ca/caCMCserverCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCserverCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Server Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=serverCertSet -diff --git a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -index 4a922fc..c25ed79 100644 ---- a/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCsubsystemCert.cfg -@@ -5,9 +5,8 @@ enableBy=admin - auth.instance_id=CMCAuth - authz.acl=group="Certificate Manager Agents" - name=Subsystem Certificate Enrollment using CMC --input.list=i1,i2 --input.i1.class_id=certReqInputImpl --input.i2.class_id=submitterInfoInputImpl -+input.list=i1 -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=serverCertSet -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -index 816a1f8..d0a3c25 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=Self-Signed CMC User Certificate Enrollment - visible=false - auth.instance_id=CMCUserSignedAuth --input.list=i1,i2 -+input.list=i1 - 
input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -index 0116053..469dbb0 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=Agent-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCAuth --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -index a15aa53..d2286de 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=User-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCUserSignedAuth --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -index 14d610c..64a6ad9 100644 ---- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate - visible=false - auth.instance_id= - input.list=i1 --input.i1.class_id=certReqInputImpl -+input.i1.class_id=cmcCertReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git 
a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -index 1a7c22d..6b2da33 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=Self-Signed CMC User Certificate Enrollment - visible=false - auth.instance_id=CMCUserSignedAuth --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -index b06f35d..dd336ad 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=Agent-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCAuth --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -index 0c2b97b..9b5d3e9 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -4,9 +4,8 @@ enableBy=admin - name=User-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCUserSignedAuth --input.list=i1,i2 -+input.list=i1 - input.i1.class_id=cmcCertReqInputImpl --input.i2.class_id=submitterInfoInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -index a9c2b0c..0628a36 100644 ---- 
a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
-+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg
-@@ -5,7 +5,7 @@ name=Simple CMC Enrollment Request for User Certificate
- visible=false
- auth.instance_id=
- input.list=i1
--input.i1.class_id=certReqInputImpl
-+input.i1.class_id=cmcCertReqInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=cmcUserCertSet
---
-1.8.3.1
-
-
-From b66e3a729b0413d8851b6d5a875c6f6542823463 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Thu, 17 May 2018 19:36:10 -0700
-Subject: [PATCH 6/7] Ticket #2995 SAN in internal SSL server certificate in
- pkispawn configuration step
-
-This patch adds CommonNameToSANDefault to all server profiles so that
-SAN will be placed in server certs by default.
-For more flexible SAN or multi-value SAN, SubjectAltNameExtDefault
-will have to be used instead.
-
-fixes: https://pagure.io/dogtagpki/issue/2995
-
-Change-Id: I66556f2cb8ed4e1cbe2d0949c5848c6978ea9641
-(cherry picked from commit 7eae0d840c1b7494db2cea67744366fe409eafea)
----
- base/ca/shared/conf/serverCert.profile | 4 +++-
- base/ca/shared/profiles/ca/caAgentServerCert.cfg | 6 +++++-
- base/ca/shared/profiles/ca/caECAgentServerCert.cfg | 6 +++++-
- .../shared/profiles/ca/caECInternalAuthServerCert.cfg | 18 +++++++++++++++++-
- base/ca/shared/profiles/ca/caECServerCert.cfg | 6 +++++-
- .../ca/shared/profiles/ca/caInternalAuthServerCert.cfg | 18 +++++++++++++++++-
- base/ca/shared/profiles/ca/caServerCert.cfg | 6 +++++-
- 7 files changed, 57 insertions(+), 7 deletions(-)
-
-diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile
-index 3674cbc..e740760 100644
---- a/base/ca/shared/conf/serverCert.profile
-+++ b/base/ca/shared/conf/serverCert.profile
-@@ -6,7 +6,7 @@ name=All Purpose SSL server cert Profile
- description=This profile creates an SSL server certificate that is valid for SSL servers
- profileIDMapping=caServerCert
- profileSetIDMapping=serverCertSet
--list=2,4,5,6,7
-+list=2,4,5,6,7,8
- 2.default.class=com.netscape.cms.profile.def.ValidityDefault
- 2.default.name=Validity Default
- 2.default.params.range=720
-@@ -37,3 +37,5 @@ list=2,4,5,6,7
- 7.default.name=Extended Key Usage Extension Default
- 7.default.params.exKeyUsageCritical=false
- 7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
-+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
-+8.default.name=Copy Common Name to Subjec Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caAgentServerCert.cfg b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
-index c4d109f..0662b0a 100644
---- a/base/ca/shared/profiles/ca/caAgentServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caAgentServerCert.cfg
-@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
-index c56b6de..da4811e 100644
---- a/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECAgentServerCert.cfg
-@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
-index 4fc8a9c..8580544 100644
---- a/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECInternalAuthServerCert.cfg
-@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=-
- # 3. change below to reflect the number of general names, and
- # turn each corresponding subjAltExtPattern_ to true
- # policyset.serverCertSet.9.default.params.subjAltNameNumGNs
-+#
-+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
-+# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry
-+#
- policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
- policyset.serverCertSet.9.constraint.name=No Constraint
- policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
-@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa
- policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
- policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
- policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
-+#
-+# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be
-+# specified during installation, the commonNameToSANDefaultImpl adds a simple
-+# default single SAN from CN.
-+#
-+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
-+# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry
-+#
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caECServerCert.cfg b/base/ca/shared/profiles/ca/caECServerCert.cfg
-index 0ae4371..7517a5f 100644
---- a/base/ca/shared/profiles/ca/caECServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caECServerCert.cfg
-@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
-@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-index dd10f6f..de3c2a5 100644
---- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg
-@@ -12,7 +12,7 @@ input.i3.class_id=subjectAltNameExtInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=CN=.*
-@@ -92,6 +92,10 @@ policyset.serverCertSet.8.default.params.signingAlg=-
- # 3. change below to reflect the number of general names, and
- # turn each corresponding subjAltExtPattern_ to true
- # policyset.serverCertSet.9.default.params.subjAltNameNumGNs
-+#
-+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
-+# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry
-+#
- policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
- policyset.serverCertSet.9.constraint.name=No Constraint
- policyset.serverCertSet.9.default.class_id=subjectAltNameExtDefaultImpl
-@@ -107,3 +111,15 @@ policyset.serverCertSet.9.default.params.subjAltExtPattern_2=$request.req_san_pa
- policyset.serverCertSet.9.default.params.subjAltExtType_2=DNSName
- policyset.serverCertSet.9.default.params.subjAltNameExtCritical=false
- policyset.serverCertSet.9.default.params.subjAltNameNumGNs=1
-+#
-+# While the subjectAltNameExtDefaultImpl above allows multiple SANs to be
-+# specified during installation, the commonNameToSANDefaultImpl adds a simple
-+# default single SAN from CN.
-+#
-+# If the subjectAltNameExtDefaultImpl is on, then commonNameToSANDefault
-+# would "merge" into existing SAN. Keep commonNameToSANDefault as last entry
-+#
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
-diff --git a/base/ca/shared/profiles/ca/caServerCert.cfg b/base/ca/shared/profiles/ca/caServerCert.cfg
-index 2f44c96..fdb08e4 100644
---- a/base/ca/shared/profiles/ca/caServerCert.cfg
-+++ b/base/ca/shared/profiles/ca/caServerCert.cfg
-@@ -10,7 +10,7 @@ input.i2.class_id=submitterInfoInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=serverCertSet
--policyset.serverCertSet.list=1,2,3,4,5,6,7,8
-+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,12
- policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
- policyset.serverCertSet.1.constraint.name=Subject Name Constraint
- policyset.serverCertSet.1.constraint.params.pattern=.*CN=.*
-@@ -83,3 +83,7 @@ policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA256withRSA,SHA
- policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
- policyset.serverCertSet.8.default.name=Signing Alg
- policyset.serverCertSet.8.default.params.signingAlg=-
-+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
-+policyset.serverCertSet.12.constraint.name=No Constraint
-+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
-+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name Extension
---
-1.8.3.1
-
-
-From 1d70d69cc5e17be566867dd2c9e5176be0802e93 Mon Sep 17 00:00:00 2001
-From: Jack Magne
-Date: Wed, 16 May 2018 15:28:38 -0700
-Subject: [PATCH 7/7] Fix #2996 ECC installation for non CA subsystems needs
- improvement.
-
-The problem is that the installation of say a KRA, which is ECC enabled fails out of the box.
-
-This is due to the fact that the internal cert profiles for the following certificates is incorrect:
-
-1. sslserver cert
-2. subsystem cert
-3. admin cert
-
-In the ECC case there is some hard coding that references the well known cert profiles for RSA versions of the above certs.
-
-What we need in the ECC case is a way to correctly select the ECC versions of the above profiles.
-Therefore this fix does the following:
-
-1. Makes the selection of either the ECC version or the RSA version of the above internal cert profiles based on the key type, ecc or rsa. This solution relies upon well known profile names, but can be modified in the future to be more customizable , should the need arise.
-
-2. I found a related problem when trying to create a ECC enabled KRA in a SHARED instance scenario. There was some final cloning related config code that was grossly RSA specific and throws exceptions when ECC is involved. I altered this piece of code to skip over the bad things with ECC and let the RSA case run unimpeded. We may need further refinement for the ECC case, but I felt this was needed to allow something like an ECC kra to be installed in a shared instance scenario.
-
-Change-Id: I1493d63fd8ea0157adb8f47ec0d5aaadc2b88b26
-(cherry picked from commit 530634991d553b25dfe8d4cd861b7f4412ad06ca)
----
- .../certsrv/system/ConfigurationRequest.java | 63 +++++++++++++++++++++-
- .../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++--
- .../dogtagpki/server/rest/SystemConfigService.java | 25 +++++++--
- 3 files changed, 97 insertions(+), 9 deletions(-)
-
-diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-index 5a65f3e..7ea24d2 100644
---- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-+++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java
-@@ -43,6 +43,16 @@ public class ConfigurationRequest {
- public static final String EXISTING_DOMAIN = "existingdomain";
- public static final String NEW_SUBDOMAIN = "newsubdomain";
-
-+ // Hard coded values for ECC and RSA internal cert profile names
-+ public static final String ECC_INTERNAL_SERVER_CERT_PROFILE = "caECInternalAuthServerCert";
-+ public static final String RSA_INTERNAL_SERVER_CERT_PROFILE = "caInternalAuthServerCert";
-+
-+ public static final String ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caECInternalAuthSubsystemCert";
-+ public static final String RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE= "caInternalAuthSubsystemCert";
-+
-+ public static final String ECC_INTERNAL_ADMIN_CERT_PROFILE="caECAdminCert";
-+ public static final String RSA_INTERNAL_ADMIN_CERT_PROFILE="caAdminCert";
-+
- @XmlElement
- protected String pin;
-
-@@ -605,6 +615,42 @@ public class ConfigurationRequest {
- return null;
- }
-
-+ public String getSystemCertKeyType(String tag) {
-+ SystemCertData cert = getSystemCert(tag);
-+ if(cert == null)
-+ return null;
-+
-+ return cert.getKeyType();
-+ }
-+
-+ public String getSystemCertProfileID(String tag, String defaultName) {
-+ String profileName = defaultName;
-+ String keyType = getSystemCertKeyType(tag);
-+
-+ System.out.println("getSystemCertProfileID tag: " + tag + " defaultName: " + defaultName + " keyType: " + keyType);
-+ if (keyType == null)
-+ return profileName;
-+
-+ // Hard code for now based on key type. Method can be changed later to read pkispawn
-+ // params sent over in the future.
-+ if ("ecc".equalsIgnoreCase(keyType)) {
-+ if ("sslserver".equalsIgnoreCase(tag)) {
-+ profileName = ECC_INTERNAL_SERVER_CERT_PROFILE;
-+ } else if ("subsystem".equalsIgnoreCase(tag)) {
-+ profileName = ECC_INTERNAL_SUBSYSTEM_CERT_PROFILE;
-+ }
-+ } else if ("rsa".equalsIgnoreCase(keyType)) {
-+ if ("sslserver".equalsIgnoreCase(tag)) {
-+ profileName = RSA_INTERNAL_SERVER_CERT_PROFILE;
-+ } else if ("subsystem".equalsIgnoreCase(tag)) {
-+ profileName = RSA_INTERNAL_SUBSYSTEM_CERT_PROFILE;
-+ }
-+ }
-+
-+ System.out.println("getSystemCertProfileID: returning: " + profileName);
-+ return profileName;
-+ }
-+
- /**
- *
- * @param systemCerts
-@@ -771,7 +817,22 @@ public class ConfigurationRequest {
- * @return the adminProfileID
- */
- public String getAdminProfileID() {
-- return adminProfileID;
-+
-+ // Modify the value returned based on key type of the
-+ // subsystem cert. If keyType not found take the default
-+ // sent over the server. In the future we can make sure
-+ // the correct value is sent over the server.
-+ String keyType = this.getSystemCertKeyType("subsystem");
-+ String actualAdminProfileID = adminProfileID;
-+ if(keyType != null) {
-+ if("ecc".equalsIgnoreCase(keyType)) {
-+ actualAdminProfileID = ECC_INTERNAL_ADMIN_CERT_PROFILE;
-+ } else if("rsa".equalsIgnoreCase(keyType)) {
-+ actualAdminProfileID = RSA_INTERNAL_ADMIN_CERT_PROFILE;
-+ }
-+ }
-+
-+ return actualAdminProfileID;
- }
-
- /**
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-index 0a5cd2e..7f5341a 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
-@@ -2568,7 +2568,9 @@ public class ConfigurationUtils {
- config.putString("preop.cert.signing.type", "remote");
- config.putString("preop.cert.signing.profile", "caInstallCACert");
- config.putString("preop.cert.sslserver.type", "remote");
-- config.putString("preop.cert.sslserver.profile", "caInternalAuthServerCert");
-+
-+ config.putString("preop.cert.sslserver.profile",
-+ request.getSystemCertProfileID("sslserver", "caInternalAuthServerCert"));
-
- // store original caType
- original_caType = caType;
-@@ -2650,6 +2652,8 @@ public class ConfigurationUtils {
- String v = config.getString("preop.ca.type", "");
-
- CMS.debug("configCert: remote CA");
-+ CMS.debug("confgCert: tag: " + certTag);
-+
- PKCS10 pkcs10 = CertUtil.getPKCS10(config, PCERT_PREFIX, certObj, context);
- byte[] binRequest = pkcs10.toByteArray();
- String b64Request = CryptoUtil.base64Encode(binRequest);
-@@ -2671,7 +2675,10 @@ public class ConfigurationUtils {
-
- MultivaluedMap content = new MultivaluedHashMap();
- content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
-- content.putSingle("profileId", profileId);
-+ CMS.debug("configRemoteCert: subsystemCert: setting profileId to: " + profileId);
-+ String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
-+ CMS.debug("configRemoteCert: subsystemCert: calculated profileId: " + actualProfileId);
-+ content.putSingle("profileId", actualProfileId);
- content.putSingle("cert_request_type", "pkcs10");
- content.putSingle("cert_request", b64Request);
- content.putSingle("xmlOutput", "true");
-@@ -2716,7 +2723,12 @@ public class ConfigurationUtils {
-
- MultivaluedMap content = new MultivaluedHashMap();
- content.putSingle("requestor_name", sysType + "-" + machineName + "-" + securePort);
-- content.putSingle("profileId", profileId);
-+ //Get the correct profile id to send in case it's sslserver type:
-+ CMS.debug("configRemoteCert: tag: " + certTag + " : setting profileId to: " + profileId);
-+ String actualProfileId = request.getSystemCertProfileID(certTag, profileId);
-+ CMS.debug("configRemoteCert: tag: " + certTag + " calculated profileId: " + actualProfileId);
-+
-+ content.putSingle("profileId", actualProfileId);
- content.putSingle("cert_request_type", "pkcs10");
- content.putSingle("cert_request", b64Request);
- content.putSingle("xmlOutput", "true");
-diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-index 5130a1a..fbfaed2 100644
---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
-@@ -524,14 +524,27 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- nickname = cdata.getNickname();
- }
-
-+ boolean isECC = false;
-+ String keyType = cdata.getKeyType();
-+
-+ CMS.debug("SystemConfigService:updateCloneConfiguration: keyType: " + keyType);
-+ if("ecc".equalsIgnoreCase(keyType)) {
-+ isECC = true;
-+ }
- X509Certificate cert = cryptoManager.findCertByNickname(nickname);
- PublicKey pubk = cert.getPublicKey();
-- byte[] exponent = CryptoUtil.getPublicExponent(pubk);
-- byte[] modulus = CryptoUtil.getModulus(pubk);
-+ byte[] exponent = null;
-+ byte[] modulus = null;
-+
-+ if (isECC == false) {
-+ exponent = CryptoUtil.getPublicExponent(pubk);
-+ modulus = CryptoUtil.getModulus(pubk);
-+ cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
-+ cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
-+ }
-+
- PrivateKey privk = cryptoManager.findPrivKeyByCert(cert);
-
-- cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus));
-- cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent));
- cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID()));
- cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm());
- cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType());
-@@ -606,6 +619,8 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- ca_hostname = cs.getString("securitydomain.host", "");
- ca_port = cs.getInteger("securitydomain.httpseeport");
- }
-+
-+ CMS.debug("Calculated admin cert profile: " + data.getAdminProfileID());
- String b64 = ConfigurationUtils.submitAdminCertRequest(ca_hostname, ca_port,
- data.getAdminProfileID(), data.getAdminCertRequestType(),
- data.getAdminCertRequest(), adminSubjectDN);
-@@ -859,7 +874,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou
- cs.putString("preop.securitydomain.select", "existing");
- cs.putString("securitydomain.select", "existing");
- cs.putString("preop.cert.subsystem.type", "remote");
-- cs.putString("preop.cert.subsystem.profile", "caInternalAuthSubsystemCert");
-+ cs.putString("preop.cert.subsystem.profile", data.getSystemCertProfileID("subsystem", "caInternalAuthSubsystemCert"));
- String securityDomainURL = data.getSecurityDomainUri();
- domainXML = logIntoSecurityDomain(data, securityDomainURL);
- }
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.1-batch-2.1.patch b/SOURCES/pki-core-10.5.1-batch-2.1.patch
deleted file mode 100644
index 43a12d6..0000000
--- a/SOURCES/pki-core-10.5.1-batch-2.1.patch
+++ /dev/null
@@ -1,1025 +0,0 @@ -From 95928ee1e268d242d8132c7bfefc60eb555afd9e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 10 May 2018 02:19:01 +0200 -Subject: [PATCH 01/11] Added CA signing cert validations - -The configuration.py has been modified to validate the presence of -CA signing cert for existing/external CA installation. - -The CertificateAuthority.getCACert() has been modified to validate -the content of ca.signing.cert property in CS.cfg. - -https://pagure.io/dogtagpki/issue/2999 - -Change-Id: I56f5649b16ea98463bfa5e770b0c1dd7f00b7fcd -(cherry picked from commit 313c701957bedfd59f7f6368d0c37d2928d1a4a1) ---- - .../src/com/netscape/ca/CertificateAuthority.java | 28 +++++++++++++--------- - .../server/deployment/scriptlets/configuration.py | 16 ++++++++----- - 2 files changed, 27 insertions(+), 17 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java -index 9aaa9cb..90a8fba 100644 ---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java -+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java -@@ -52,6 +52,7 @@ import java.util.concurrent.CountDownLatch; - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpSession; - -+import org.apache.commons.lang.StringUtils; - import org.dogtagpki.legacy.ca.CAPolicy; - import org.dogtagpki.legacy.policy.IPolicyProcessor; - import org.mozilla.jss.CryptoManager; -@@ -1603,25 +1604,30 @@ public class CertificateAuthority - } - - public X509CertImpl getCACert() throws EBaseException { -+ - if (mCaCert != null) { - return mCaCert; - } -- // during configuration -- try { -- String cert = mConfig.getString("signing.cert", null); -- if (cert != null) { -- return new X509CertImpl(Utils.base64decode(cert)); -- } - -- } catch (EBaseException e) { -- CMS.debug(e); -- throw e; -+ String cert = mConfig.getString("signing.cert"); -+ CMS.debug("CertificateAuthority: CA signing cert: " + cert); -+ -+ if 
(StringUtils.isEmpty(cert)) { -+ CMS.debug("CertificateAuthority: Missing CA signing certificate"); -+ throw new EBaseException("Missing CA signing certificate"); -+ } -+ -+ byte[] bytes = Utils.base64decode(cert); -+ CMS.debug("CertificateAuthority: size: " + bytes.length + " bytes"); -+ -+ try { -+ return new X509CertImpl(bytes); - - } catch (CertificateException e) { -+ CMS.debug("Unable to parse CA signing cert: " + e.getMessage()); -+ CMS.debug(e); - throw new EBaseException(e); - } -- -- return null; - } - - public org.mozilla.jss.crypto.X509Certificate getCaX509Cert() { -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 2cda5e0..fd043a8 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -395,11 +395,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - self.import_system_cert_request(deployer, subsystem, 'subsystem') - self.import_system_cert_request(deployer, subsystem, 'sslserver') - -- def import_ca_signing_cert(self, deployer, nssdb): -+ def import_ca_signing_cert(self, deployer, nssdb, subsystem): - -- cert_file = deployer.mdict.get('pki_ca_signing_cert_path') -+ param = 'pki_ca_signing_cert_path' -+ cert_file = deployer.mdict.get(param) - if not cert_file or not os.path.exists(cert_file): -- return -+ if subsystem.name == 'ca': -+ raise Exception('Invalid certificate path: %s=%s' % (param, cert_file)) -+ else: -+ return - - nickname = deployer.mdict['pki_ca_signing_nickname'] - -@@ -589,14 +593,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - def import_system_certs(self, deployer, nssdb, subsystem): - - if subsystem.name == 'ca': -- self.import_ca_signing_cert(deployer, nssdb) -+ self.import_ca_signing_cert(deployer, nssdb, subsystem) - self.import_ca_ocsp_signing_cert(deployer, nssdb) - - if 
subsystem.name == 'kra': - # Always import cert chain into internal token. - internal_nssdb = subsystem.instance.open_nssdb() - try: -- self.import_ca_signing_cert(deployer, internal_nssdb) -+ self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) - finally: - internal_nssdb.close() - -@@ -608,7 +612,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Always import cert chain into internal token. - internal_nssdb = subsystem.instance.open_nssdb() - try: -- self.import_ca_signing_cert(deployer, internal_nssdb) -+ self.import_ca_signing_cert(deployer, internal_nssdb, subsystem) - finally: - internal_nssdb.close() - --- -1.8.3.1 - - -From 177a51b8f51c9beaf3dab6ba06174a07fdf9e3ca Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 4 Jun 2018 10:53:12 -0700 -Subject: [PATCH 04/11] Ticket 3028 CMC CRMF request results in - InvalidKeyFormatException when signing algorithm is ECC - -This patch fixes the issue where in case of CRMF request with ECC keys the -public key was encoded incorrectly previously. - -The fix was done in a way that RSA portion is unaffected. 
- -Fixes https://pagure.io/dogtagpki/issue/3028 - -Change-Id: I3eb62638f2970dc7a9df37abb19015bd287b383d -(cherry picked from commit f8da5db790777ab4c0bd8ab08c5d4932e2f25349) ---- - .../src/com/netscape/cms/authentication/CMCUserSignedAuth.java | 9 +++++++-- - base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 10 +++++++++- - 2 files changed, 16 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index d92b33b..d5f6c34 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -697,15 +697,20 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - SubjectPublicKeyInfo pkinfo = template.getPublicKey(); - PrivateKey.Type keyType = null; - String alg = pkinfo.getAlgorithm(); -- BIT_STRING bitString = pkinfo.getSubjectPublicKey(); -- byte[] publicKeyData = bitString.getBits(); -+ byte[] publicKeyData = null; -+ - if (alg.equals("RSA")) { -+ BIT_STRING bitString = pkinfo.getSubjectPublicKey(); -+ publicKeyData = bitString.getBits(); - CMS.debug(method + "signing key alg=RSA"); - keyType = PrivateKey.RSA; - selfsign_pubK = PK11PubKey.fromRaw(keyType, publicKeyData); - } else if (alg.equals("EC")) { - CMS.debug(method + "signing key alg=EC"); - keyType = PrivateKey.EC; -+ X509Key pubKey = CryptoUtil.getX509KeyFromCRMFMsg(crm); -+ CMS.debug(method + "got X509Key "); -+ publicKeyData = (pubKey).getEncoded(); - selfsign_pubK = PK11ECPublicKey.fromSPKI(/*keyType,*/ publicKeyData); - } else { - msg = "unsupported signature algorithm: " + alg; -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 0742f8e..7f8f11e 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ 
b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -1398,7 +1398,13 @@ public class CryptoUtil { - throw new IOException("invalid certificate requests"); - } - CertReqMsg msg = (CertReqMsg) crmfMsgs.elementAt(0); -- CertRequest certreq = msg.getCertReq(); -+ return getX509KeyFromCRMFMsg(msg); -+ } -+ -+ public static X509Key getX509KeyFromCRMFMsg(CertReqMsg crmfMsg) -+ throws IOException, NoSuchAlgorithmException, -+ InvalidKeyException, InvalidKeyFormatException { -+ CertRequest certreq = crmfMsg.getCertReq(); - CertTemplate certTemplate = certreq.getCertTemplate(); - SubjectPublicKeyInfo spkinfo = certTemplate.getPublicKey(); - PublicKey pkey = spkinfo.toPublicKey(); -@@ -1904,9 +1910,11 @@ public class CryptoUtil { - System.out.println(method + "extension found"); - try { - if (jssOID.equals(SKIoid)) { -+ System.out.println(method + "SKIoid == jssOID"); - extn = - new SubjectKeyIdentifierExtension(false, jssext.getExtnValue().toByteArray()); - } else { -+ System.out.println(method + "SKIoid != jssOID"); - extn = - new netscape.security.x509.Extension(csOID, false, jssext.getExtnValue().toByteArray()); - } --- -1.8.3.1 - - -From 8f695ca9808f9060072b38b7d9b5bc79a6df4ab5 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 4 Jun 2018 11:03:20 -0700 -Subject: [PATCH 05/11] Ticket 3028 additional error checking - -Change-Id: If660fabd21b9992416dd1d5463b6ffd68fa1bf43 -(cherry picked from commit d7eca28b1d72804e1cfabeb6851aa393fafe39c7) ---- - base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 7f8f11e..d3036f3 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -1382,6 +1382,9 @@ public class CryptoUtil { - - public static SEQUENCE parseCRMFMsgs(byte cert_request[]) - throws 
IOException, InvalidBERException { -+ if (cert_request == null) { -+ throw new IOException("invalid certificate requests: cert_request null"); -+ } - ByteArrayInputStream crmfBlobIn = - new ByteArrayInputStream(cert_request); - SEQUENCE crmfMsgs = (SEQUENCE) -@@ -1393,6 +1396,9 @@ public class CryptoUtil { - public static X509Key getX509KeyFromCRMFMsgs(SEQUENCE crmfMsgs) - throws IOException, NoSuchAlgorithmException, - InvalidKeyException, InvalidKeyFormatException { -+ if (crmfMsgs == null) { -+ throw new IOException("invalid certificate requests: crmfMsgs null"); -+ } - int nummsgs = crmfMsgs.size(); - if (nummsgs <= 0) { - throw new IOException("invalid certificate requests"); --- -1.8.3.1 - - -From 63035adc06628b4ce2be20457e6c569186e1832f Mon Sep 17 00:00:00 2001 -From: gkapoor -Date: Tue, 29 May 2018 19:52:15 +0530 -Subject: [PATCH 06/11] Fix for - https://bugzilla.redhat.com/show_bug.cgi?id=1544843 - -Change-Id: Id8d45bfc804a9f26a1a475cb928cf184975a8f5f -Signed-off-by: gkapoor -(cherry picked from commit b0f9a67f4ee61c5ca1f020b0a6accefceb9bbe0b) -(cherry picked from commit 0619c9e71cc0b98885739335f6c580f6b883fec2) ---- - base/common/python/pki/nssdb.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 0f3c97a..f350255 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -322,6 +322,13 @@ class NSSDatabase(object): - if key_type: - cmd.extend(['-k', key_type]) - -+ if key_type.lower() == 'ec': -+ # This is fix for Bugzilla 1544843 -+ cmd.extend([ -+ '--keyOpFlagsOn', 'sign', -+ '--keyOpFlagsOff', 'derive' -+ ]) -+ - if key_size: - cmd.extend(['-g', str(key_size)]) - --- -1.8.3.1 - - -From 3b6edbcfd86ac0ca407f59f784a6f99dc6259504 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Wed, 14 Mar 2018 22:26:34 +1100 -Subject: [PATCH 07/11] Fix ACL evaluation in allow,deny mode - -When `authz.evaluateOrder=allow,deny', ACL evaluation returns 
the -wrong result: matching allow rules deny access, and matching deny -rules allow access. - -Fix the problem and improve type safety and readability by -introducing a couple of enums for ACLEntry.Type and EvaluationOrder. - -CVE-2018-1080 - -Fixes: https://pagure.io/freeipa/issue/7453 -Change-Id: Ic076ed4b90c305cda9da2c56ec90fc77b4dac039 -(cherry picked from commit b917819285bd03f5979f053f7d2bd43a2bb88e95) ---- - .../src/com/netscape/certsrv/acls/ACLEntry.java | 28 ++--- - .../com/netscape/cms/authorization/AAclAuthz.java | 124 ++++++++------------- - 2 files changed, 60 insertions(+), 92 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -index 5cca230..cab3f68 100644 ---- a/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -+++ b/base/common/src/com/netscape/certsrv/acls/ACLEntry.java -@@ -33,9 +33,11 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - */ - private static final long serialVersionUID = 422656406529200393L; - -+ public enum Type { Allow , Deny }; -+ - protected Hashtable mPerms = new Hashtable(); - protected String expressions = null; -- protected boolean negative = false; -+ protected Type type = Type.Deny; - protected String aclEntryString = null; - - /** -@@ -45,20 +47,12 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - } - - /** -- * Checks if this ACL entry is set to negative. -+ * Get the Type of the ACL entry. - * -- * @return true if this ACL entry expression is for "deny"; -- * false if this ACL entry expression is for "allow" -- */ -- public boolean isNegative() { -- return negative; -- } -- -- /** -- * Sets this ACL entry negative. This ACL entry expression is for "deny". 
-+ * @return Allow or Deny - */ -- public void setNegative() { -- negative = true; -+ public Type getType() { -+ return type; - } - - /** -@@ -160,7 +154,7 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - // don't grant permission - if (mPerms.get(permission) == null) - return false; -- if (isNegative()) { -+ if (type == Type.Deny) { - return false; - } else { - return true; -@@ -195,9 +189,9 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - ACLEntry entry = new ACLEntry(); - - if (prefix.equals("allow")) { -- // do nothing -+ entry.type = Type.Allow; - } else if (prefix.equals("deny")) { -- entry.setNegative(); -+ entry.type = Type.Deny; - } else { - return null; - } -@@ -230,7 +224,7 @@ public class ACLEntry implements IACLEntry, java.io.Serializable { - public String toString() { - StringBuffer entry = new StringBuffer(); - -- if (isNegative()) { -+ if (type == Type.Deny) { - entry.append("deny ("); - } else { - entry.append("allow ("); -diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -index 7b69ec4..2bef101 100644 ---- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -+++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java -@@ -66,6 +66,8 @@ import com.netscape.cmsutil.util.Utils; - */ - public abstract class AAclAuthz implements IAuthzManager { - -+ public enum EvaluationOrder { DenyAllow , AllowDeny }; -+ - protected static final String PROP_CLASS = "class"; - protected static final String PROP_IMPL = "impl"; - protected static final String PROP_EVAL = "accessEvaluator"; -@@ -375,7 +377,7 @@ public abstract class AAclAuthz implements IAuthzManager { - log(ILogger.LL_SECURITY, " checkACLs(): permission denied"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); - } -- } else if (!entry.isNegative()) { -+ } else if (entry.getType() == ACLEntry.Type.Allow) { - 
// didn't meet the access expression for "allow", failed - log(ILogger.LL_SECURITY, "checkACLs(): permission denied"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); -@@ -503,46 +505,18 @@ public abstract class AAclAuthz implements IAuthzManager { - - CMS.debug("AAclAuthz.checkPermission(" + name + ", " + perm + ")"); - -- Vector nodev = getNodes(name); -- Enumeration nodes = nodev.elements(); -- String order = getOrder(); -- Enumeration entries = null; -- -- if (order.equals("deny")) { -- entries = getDenyEntries(nodes, perm); -- } else { -- entries = getAllowEntries(nodes, perm); -- } -- -- while (entries.hasMoreElements()) { -- ACLEntry entry = entries.nextElement(); -- -- CMS.debug("checkPermission(): expressions: " + entry.getAttributeExpressions()); -- if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { -- log(ILogger.LL_SECURITY, "checkPermission(): permission denied"); -- throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); -- } -- } -- -- nodes = nodev.elements(); -- if (order.equals("deny")) { -- entries = getAllowEntries(nodes, perm); -- } else { -- entries = getDenyEntries(nodes, perm); -- } -+ Vector nodes = getNodes(name); -+ EvaluationOrder order = getOrder(); - - boolean permitted = false; -- -- while (entries.hasMoreElements()) { -- ACLEntry entry = entries.nextElement(); -- -- CMS.debug("checkPermission(): expressions: " + entry.getAttributeExpressions()); -- if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { -- permitted = true; -- } -+ if (order == EvaluationOrder.DenyAllow) { -+ checkDenyEntries(authToken, nodes, perm); -+ permitted = checkAllowEntries(authToken, nodes, perm); -+ } else if (order == EvaluationOrder.AllowDeny) { -+ permitted = checkAllowEntries(authToken, nodes, perm); -+ checkDenyEntries(authToken, nodes, perm); - } - -- nodev = null; - if (!permitted) { - String[] params = new String[2]; - params[0] = name; -@@ -560,54 +534,57 @@ public 
abstract class AAclAuthz implements IAuthzManager { - log(ILogger.LL_INFO, infoMsg); - } - -- protected Enumeration getAllowEntries(Enumeration nodes, String operation) { -- String name = ""; -- ACL acl = null; -- Enumeration e = null; -- Vector v = new Vector(); -- -- while (nodes.hasMoreElements()) { -- name = nodes.nextElement(); -- acl = mACLs.get(name); -- if (acl == null) -- continue; -- e = acl.entries(); -- while (e.hasMoreElements()) { -- ACLEntry entry = e.nextElement(); -- -- if (!entry.isNegative() && -- entry.containPermission(operation)) { -- v.addElement(entry); -- } -+ protected boolean checkAllowEntries( -+ IAuthToken authToken, -+ Iterable nodes, -+ String perm) { -+ for (ACLEntry entry : getEntries(ACLEntry.Type.Allow, nodes, perm)) { -+ CMS.debug("checkAllowEntries(): expressions: " + entry.getAttributeExpressions()); -+ if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { -+ return true; - } - } -+ return false; -+ } - -- return v.elements(); -+ /** throw EACLsException if a deny entry is matched */ -+ protected void checkDenyEntries( -+ IAuthToken authToken, -+ Iterable nodes, -+ String perm) -+ throws EACLsException { -+ for (ACLEntry entry : getEntries(ACLEntry.Type.Deny, nodes, perm)) { -+ CMS.debug("checkDenyEntries(): expressions: " + entry.getAttributeExpressions()); -+ if (evaluateExpressions(authToken, entry.getAttributeExpressions())) { -+ log(ILogger.LL_SECURITY, "checkPermission(): permission denied"); -+ throw new EACLsException(CMS.getUserMessage("CMS_ACL_PERMISSION_DENIED")); -+ } -+ } - } - -- protected Enumeration getDenyEntries(Enumeration nodes, String operation) { -- String name = ""; -- ACL acl = null; -- Enumeration e = null; -+ protected Iterable getEntries( -+ ACLEntry.Type entryType, -+ Iterable nodes, -+ String operation -+ ) { - Vector v = new Vector(); - -- while (nodes.hasMoreElements()) { -- name = nodes.nextElement(); -- acl = mACLs.get(name); -+ for (String name : nodes) { -+ ACL acl = 
mACLs.get(name); - if (acl == null) - continue; -- e = acl.entries(); -+ Enumeration e = acl.entries(); - while (e.hasMoreElements()) { - ACLEntry entry = e.nextElement(); - -- if (entry.isNegative() && -+ if (entry.getType() == entryType && - entry.containPermission(operation)) { - v.addElement(entry); - } - } - } - -- return v.elements(); -+ return v; - } - - /** -@@ -897,19 +874,16 @@ public abstract class AAclAuthz implements IAuthzManager { - } - } - -- public String getOrder() { -- IConfigStore mainConfig = CMS.getConfigStore(); -- String order = ""; -- -+ public static EvaluationOrder getOrder() { - try { -- order = mainConfig.getString("authz.evaluateOrder", ""); -+ String order = CMS.getConfigStore().getString("authz.evaluateOrder", ""); - if (order.startsWith("allow")) -- return "allow"; -+ return EvaluationOrder.AllowDeny; - else -- return "deny"; -+ return EvaluationOrder.DenyAllow; - } catch (Exception e) { -+ return EvaluationOrder.DenyAllow; - } -- return "deny"; - } - - public boolean evaluateACLs(IAuthToken authToken, String exp) { --- -1.8.3.1 - - -From 71d74c61e841fbe82aac7293de28f4fc0ed05258 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 29 May 2018 15:07:30 +1000 -Subject: [PATCH 08/11] Handle empty NameConstraints subtrees when reading - extension - -When reading stored NameConstraints extension data on a request, if -includedSubtrees or excludedSubtrees is empty, an exception is -thrown. But these are valid cases, so do not thrown an exception. - -Also perform some minor drive-by refactors and add the 'static' -qualifier to a few methods to improve readability. 
- -Part of: https://pagure.io/dogtagpki/issue/2922 - -Change-Id: I925d8a64b96dd0f45b0548ceb11dbee4223cd64c -(cherry picked from commit adb1810ddbeb30014b9ad192118bbf7ee1efd595) ---- - .../netscape/cms/profile/def/EnrollDefault.java | 7 +++--- - .../cms/profile/def/NameConstraintsExtDefault.java | 29 +++++++--------------- - 2 files changed, 13 insertions(+), 23 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -index 173ff83..f4ed98b 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java -@@ -672,7 +672,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe - return true; - } - -- protected String buildRecords(Vector recs) throws EPropertyException { -+ protected static String buildRecords(Vector recs) { - StringBuffer sb = new StringBuffer(); - - for (int i = 0; i < recs.size(); i++) { -@@ -739,7 +739,7 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe - return v; - } - -- protected String getGeneralNameType(GeneralName gn) -+ protected static String getGeneralNameType(GeneralName gn) - throws EPropertyException { - int type = gn.getType(); - -@@ -763,7 +763,8 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe - throw new EPropertyException("Unsupported type: " + type); - } - -- protected String getGeneralNameValue(GeneralName gn) throws EPropertyException { -+ protected static String getGeneralNameValue(GeneralName gn) -+ throws EPropertyException { - String s = gn.toString(); - int type = gn.getType(); - -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java -index a3d41b7..eb87d1c 100644 ---- 
a/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/NameConstraintsExtDefault.java -@@ -478,12 +478,7 @@ public class NameConstraintsExtDefault extends EnrollExtDefault { - CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); - } - -- if (subtrees == null) { -- CMS.debug("NameConstraintsExtDefault::getValue() VAL_PERMITTED_SUBTREES is null!"); -- throw new EPropertyException("subtrees is null"); -- } -- -- return getSubtreesInfo(ext, subtrees); -+ return getSubtreesInfo(subtrees); - } else if (name.equals(VAL_EXCLUDED_SUBTREES)) { - ext = (NameConstraintsExtension) - getExtension(PKIXExtensions.NameConstraints_Id.toString(), info); -@@ -500,28 +495,22 @@ public class NameConstraintsExtDefault extends EnrollExtDefault { - CMS.debug("NameConstraintExtDefault: getValue " + e.toString()); - } - -- if (subtrees == null) { -- CMS.debug("NameConstraintsExtDefault::getValue() VAL_EXCLUDED_SUBTREES is null!"); -- throw new EPropertyException("subtrees is null"); -- } -- -- return getSubtreesInfo(ext, subtrees); -+ return getSubtreesInfo(subtrees); - } else { - throw new EPropertyException(CMS.getUserMessage( - locale, "CMS_INVALID_PROPERTY", name)); - } - } - -- private String getSubtreesInfo(NameConstraintsExtension ext, -- GeneralSubtrees subtrees) throws EPropertyException { -- Vector trees = subtrees.getSubtrees(); -- int size = trees.size(); -- -- Vector recs = new Vector(); -+ private static String getSubtreesInfo(GeneralSubtrees subtrees) -+ throws EPropertyException { -+ if (subtrees == null) -+ return ""; - -- for (int i = 0; i < size; i++) { -- GeneralSubtree tree = trees.elementAt(i); -+ Vector trees = subtrees.getSubtrees(); -+ Vector recs = new Vector<>(); - -+ for (GeneralSubtree tree : trees) { - GeneralName gn = tree.getGeneralName(); - String type = getGeneralNameType(gn); - int max = tree.getMaxValue(); --- -1.8.3.1 - - -From 
a0cca30d5b42355e559d38cfe11b03bfb00c8b4c Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 29 May 2018 15:39:48 +1000 -Subject: [PATCH 09/11] IPAddressName: fix toString method - -IPAddressName.toString() is invoked when saving -NameConstraintDefault configurations. Its implementation was wrong; -it produced bogus output for the netmasked variants used for -NameConstraints. This resulted in issuance failures. Update the -method to produce correct output for both netmasked and -non-netmasked addresses. - -Fixes: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I3012565379961add5ac8286043f55c8e30520ddd -(cherry picked from commit a796f490b4c8aeea228195dacc3843cabe56b3ac) ---- - .../src/netscape/security/x509/IPAddressName.java | 60 ++++++++++++++-------- - 1 file changed, 38 insertions(+), 22 deletions(-) - -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index 1c01f58..a343a5f 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -156,30 +156,46 @@ public class IPAddressName implements GeneralNameInterface { - * Return a printable string of IPaddress - */ - public String toString() { -- if (address.length == 4) { -- return ("IPAddress: " + (address[0] & 0xff) + "." -- + (address[1] & 0xff) + "." -- + (address[2] & 0xff) + "." 
+ (address[3] & 0xff)); -+ StringBuilder r = new StringBuilder("IPAddress: "); -+ ByteBuffer buf = ByteBuffer.wrap(address); -+ if (address.length == IPv4_LEN) { -+ writeIPv4(r, buf); -+ } else if (address.length == IPv4_LEN * 2) { -+ writeIPv4(r, buf); -+ r.append(","); -+ writeIPv4(r, buf); -+ } else if (address.length == IPv6_LEN) { -+ writeIPv6(r, buf); -+ } else if (address.length == IPv6_LEN * 2) { -+ writeIPv6(r, buf); -+ r.append(","); -+ writeIPv6(r, buf); - } else { -- StringBuffer r = new StringBuffer("IPAddress: " + Integer.toHexString(address[0] & 0xff)); -- String hexString = Integer.toHexString(address[1] & 0xff); -- if (hexString.length() == 1) { -- r.append("0" + hexString); -- } else { -- r.append(hexString); -- } -- for (int i = 2; i < address.length;) { -- r.append(":" + Integer.toHexString(address[i] & 0xff)); -- hexString = Integer.toHexString(address[i + 1] & 0xff); -- if (hexString.length() == 1) { -- r.append("0" + hexString); -- } else { -- r.append(hexString); -- } -- i += 2; -- } -- return r.toString(); -+ // shouldn't be possible -+ r.append("0.0.0.0"); - } -+ return r.toString(); -+ } -+ -+ private static void writeIPv4(StringBuilder r, ByteBuffer buf) { -+ for (int i = 0; i < 4; i++) { -+ if (i > 0) r.append("."); -+ r.append(buf.get() & 0xff); -+ } -+ } -+ -+ private static void writeIPv6(StringBuilder r, ByteBuffer buf) { -+ for (int i = 0; i < 8; i++) { -+ if (i > 0) r.append(":"); -+ r.append(Integer.toHexString(read16BitInt(buf))); -+ } -+ } -+ -+ /** -+ * Read big-endian 16-bit int from buffer (advancing cursor) -+ */ -+ private static int read16BitInt(ByteBuffer buf) { -+ return ((buf.get() & 0xff) << 8) + (buf.get() & 0xff); - } - - /** --- -1.8.3.1 - - -From 943bc3e77f630465906cfcd11812b917f06d1478 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 4 Jun 2018 16:47:57 -0700 -Subject: [PATCH 10/11] Ticket 3033 CRMFPopClient tool - should allow option to - do no key archival - -This patch allows key transport cert file to 
not be specified, which would -then not include key archive option in the CRMF request. - -fixes https://pagure.io/dogtagpki/issue/3033 - -Change-Id: Ib8c585c15057684aa049632d8eb67c2827d7e774 -(cherry picked from commit 8cf6b5b2ac6da169f1c63341159faebc09580798) ---- - .../src/com/netscape/cmstools/CRMFPopClient.java | 83 +++++++++++++--------- - 1 file changed, 48 insertions(+), 35 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index bc95983..747b7d6 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -309,7 +309,8 @@ public class CRMFPopClient { - String subjectDN = cmd.getOptionValue("n"); - boolean encodingEnabled = Boolean.parseBoolean(cmd.getOptionValue("k", "false")); - -- String transportCertFilename = cmd.getOptionValue("b", "transport.txt"); -+ // if transportCertFilename is not specified then assume no key archival -+ String transportCertFilename = cmd.getOptionValue("b"); - - String popOption = cmd.getOptionValue("q", "POP_SUCCESS"); - -@@ -444,11 +445,18 @@ public class CRMFPopClient { - CRMFPopClient client = new CRMFPopClient(); - client.setVerbose(verbose); - -- if (verbose) System.out.println("Loading transport certificate"); -- String encoded = new String(Files.readAllBytes(Paths.get(transportCertFilename))); -- byte[] transportCertData = Cert.parseCertificate(encoded); -+ String encoded = null; -+ X509Certificate transportCert = null; -+ if (transportCertFilename != null) { -+ if (verbose) System.out.println("archival option enabled"); -+ if (verbose) System.out.println("Loading transport certificate"); -+ encoded = new String(Files.readAllBytes(Paths.get(transportCertFilename))); -+ byte[] transportCertData = Cert.parseCertificate(encoded); -+ transportCert = manager.importCACertPackage(transportCertData); -+ } else { -+ if (verbose) 
System.out.println("archival option not enabled"); -+ } - -- X509Certificate transportCert = manager.importCACertPackage(transportCertData); - - if (verbose) System.out.println("Parsing subject DN"); - Name subject = client.createName(subjectDN, encodingEnabled); -@@ -478,7 +486,7 @@ public class CRMFPopClient { - String kid = CryptoUtil.encodeKeyID(id); - System.out.println("Keypair private key id: " + kid); - -- if (hostPort != null) { -+ if ((transportCert != null) && (hostPort != null)) { - // check the CA for the required key wrap algorithm - // if found, override whatever has been set by the command line - // options for the key wrap algorithm -@@ -492,8 +500,10 @@ public class CRMFPopClient { - kwAlg = getKeyWrapAlgotihm(pkiclient); - } - -- if (verbose) System.out.println("Using key wrap algorithm: " + kwAlg); -- keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); -+ if (verbose && (transportCert != null)) System.out.println("Using key wrap algorithm: " + kwAlg); -+ if (transportCert != null) { -+ keyWrapAlgorithm = KeyWrapAlgorithm.fromString(kwAlg); -+ } - - if (verbose) System.out.println("Creating certificate request"); - CertRequest certRequest = client.createCertRequest( -@@ -652,36 +662,39 @@ public class CRMFPopClient { - KeyPair keyPair, - Name subject, - KeyWrapAlgorithm keyWrapAlgorithm) throws Exception { -- byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); -- OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); -- -- /* TODO(alee) -- * -- * HACK HACK! -- * algorithms like AES KeyWrap do not require an IV, but we need to include one -- * in the AlgorithmIdentifier above, or the creation and parsing of the -- * PKIArchiveOptions options will fail. 
So we include an IV in aid, but null it -- * later to correctly encrypt the data -- */ -- AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); -- -- Class[] iv_classes = keyWrapAlgorithm.getParameterClasses(); -- if (iv_classes == null || iv_classes.length == 0) -- iv = null; -- -- WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); -- -- PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( -- token, -- transportCert.getPublicKey(), -- (PrivateKey) keyPair.getPrivate(), -- params, -- aid); - - CertTemplate certTemplate = createCertTemplate(subject, keyPair.getPublic()); -- - SEQUENCE seq = new SEQUENCE(); -- seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts)); -+ -+ if (transportCert != null) { // add key archive Option -+ byte[] iv = CryptoUtil.getNonceData(keyWrapAlgorithm.getBlockSize()); -+ OBJECT_IDENTIFIER kwOID = CryptoUtil.getOID(keyWrapAlgorithm); -+ -+ /* TODO(alee) -+ * -+ * HACK HACK! -+ * algorithms like AES KeyWrap do not require an IV, but we need to include one -+ * in the AlgorithmIdentifier above, or the creation and parsing of the -+ * PKIArchiveOptions options will fail. 
So we include an IV in aid, but null it -+ * later to correctly encrypt the data -+ */ -+ AlgorithmIdentifier aid = new AlgorithmIdentifier(kwOID, new OCTET_STRING(iv)); -+ -+ Class[] iv_classes = keyWrapAlgorithm.getParameterClasses(); -+ if (iv_classes == null || iv_classes.length == 0) -+ iv = null; -+ -+ WrappingParams params = getWrappingParams(keyWrapAlgorithm, iv); -+ -+ PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions( -+ token, -+ transportCert.getPublicKey(), -+ (PrivateKey) keyPair.getPrivate(), -+ params, -+ aid); -+ -+ seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts)); -+ } // key archival option - - /* - OCTET_STRING ostr = createIDPOPLinkWitness(); --- -1.8.3.1 - - -From 13f571329219958d573ba2194e58adce1239a14f Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 6 Jun 2018 11:28:55 -0700 -Subject: [PATCH 11/11] Bugzilla #1580527 CMCAuth Authorization for agents. - -This patch adds proper authz entries to enrollment profiles using CMCAuth; -It also adds proper acl check inside ProfileSubmitCMCServlet for CMCAuth. 
- -Fixes 2nd part of Bugzilla #1580527 - -Change-Id: I61fa1613f752c5bc203ab18d6a073eb7a13c966b -(cherry picked from commit 405b31bbbc8940354da22e2ab90215d8a19ff86e) ---- - base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg | 1 + - base/ca/shared/profiles/ca/caFullCMCUserCert.cfg | 1 + - .../servlet/profile/ProfileSubmitCMCServlet.java | 23 ++++++++++++++++++---- - 3 files changed, 21 insertions(+), 4 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -index 469dbb0..b24cb03 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCUserCert.cfg -@@ -4,6 +4,7 @@ enableBy=admin - name=Agent-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" - input.list=i1 - input.i1.class_id=cmcCertReqInputImpl - output.list=o1 -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -index dd336ad..c15b002 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserCert.cfg -@@ -4,6 +4,7 @@ enableBy=admin - name=Agent-Signed CMC-Authenticated User Certificate Enrollment - visible=false - auth.instance_id=CMCAuth -+authz.acl=group="Certificate Manager Agents" - input.list=i1 - input.i1.class_id=cmcCertReqInputImpl - output.list=o1 -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index a0bcfb5..7d75e31 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -438,10 +438,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - context.put("sslClientCertProvider", - new 
SSLClientCertProvider(request)); - CMS.debug("ProfileSubmitCMCServlet: set sslClientCertProvider"); -+ -+ String auditSubjectID = auditSubjectID(); - if (authenticator != null) { - try { - authToken = authenticate(authenticator, request); - // authentication success -+ if (authToken != null) { -+ auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -+ } - } catch (EBaseException e) { - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); -@@ -468,6 +473,20 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } catch (Exception e) { - CMS.debug("ProfileSubmitCMCServlet authorization failure: " + e.toString()); - } -+ -+ // CMCAuth should pair with additional authz check as it counts -+ // as pre-approved -+ String authMgrID = authenticator.getName(); -+ if (authMgrID.equals("CMCAuth")) { -+ authzToken = null; // reset authzToken -+ CMS.debug("ProfileSubmitCMCServlet CMCAuth requires additional authz check"); -+ try { -+ authzToken = authorize(mAclMethod, authToken, -+ "certServer.ca.certrequests", "execute"); -+ } catch (Exception e) { -+ CMS.debug("ProfileSubmitCMCServlet authorization failure: " + e.toString()); -+ } -+ } - } - - if (authzToken == null) { -@@ -486,10 +505,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - } - -- String auditSubjectID = auditSubjectID(); -- if (authToken != null) { -- auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -- } - String auditMessage = CMS.getLogMessage( - AuditEvent.CMC_REQUEST_RECEIVED, - auditSubjectID, --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-batch-3.0.patch b/SOURCES/pki-core-10.5.1-batch-3.0.patch deleted file mode 100644 index f805723..0000000 --- a/SOURCES/pki-core-10.5.1-batch-3.0.patch +++ /dev/null 
@@ -1,1535 +0,0 @@ -From 2d40c57887f7801f2ab0a8065b3b471bb7eafe80 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 19 Jun 2018 15:21:54 -0700 -Subject: [PATCH 1/7] Ticket 3037 CMC SharedToken SubjectDN default - -This patch adds proper subjectDN to CMC requests authenticated via ShardToken. -Specifically, the AuthTokenSubjectNameDefault profile default is added to -the default CMC profiles that authenticates via SharedToken. -Code were added to ensure that the proper subjectDN retrieved from the -mapped user entry is added to the AuthToken for such utilization. - -Fixes https://pagure.io/dogtagpki/issue/3037 - -Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc ---- - .../ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 4 ++-- - .../netscape/certsrv/authentication/ISharedToken.java | 2 +- - .../com/netscape/cms/authentication/SharedSecret.java | 17 ++++++++++++++--- - .../com/netscape/cms/profile/common/EnrollProfile.java | 12 ++++++++++-- - .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 1 + - 6 files changed, 30 insertions(+), 10 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -index d0a3c25..144c05c 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -@@ -13,8 +13,8 @@ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 - policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint - policyset.cmcUserCertSet.1.constraint.params.accept=true --policyset.cmcUserCertSet.1.constraint.params.pattern=.* --policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* -+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - 
policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= - policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -index 6b2da33..bdcdc24 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -12,9 +12,9 @@ policyset.list=cmcUserCertSet - policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 - policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl - policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint -+policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* - policyset.cmcUserCertSet.1.constraint.params.accept=true --policyset.cmcUserCertSet.1.constraint.params.pattern=.* --policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl -+policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= - policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl -diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -index 761c344..13f2286 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -+++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java -@@ -28,7 +28,7 @@ import com.netscape.certsrv.base.EBaseException; - public interface ISharedToken { - - // support for id_cmc_identification -- public char[] getSharedToken(String identification) -+ public char[] getSharedToken(String identification, IAuthToken authToken) - throws EBaseException; - - public char[] getSharedToken(PKIData cmcData) -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java 
b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index 1a3d877..e304b74 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -33,6 +33,7 @@ import com.netscape.certsrv.apps.CMS; - import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.EInvalidCredentials; - import com.netscape.certsrv.authentication.IAuthCredentials; -+import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; -@@ -233,18 +234,25 @@ public class SharedSecret extends DirBasedAuthentication - } - - /** -- * getSharedToken(String identification) provides -+ * getSharedToken(String identification, IAuthToken authToken) provides - * support for id_cmc_identification shared secret based enrollment - * -+ * @param identification maps to the uid in user's ldap record -+ * @param authToken the IAuthToken that will be filled with the DN -+ * in user's ldap record -+ * - * Note: caller should clear the memory for the returned token - * after each use - */ -- public char[] getSharedToken(String identification) -+ public char[] getSharedToken(String identification, IAuthToken authToken) - throws EBaseException { -- String method = "SharedSecret.getSharedToken(String identification): "; -+ String method = "SharedSecret.getSharedToken(String identification, IAuthToken authToken): "; - String msg = ""; - CMS.debug(method + "begins."); - -+ if ((identification == null) || (authToken == null)) { -+ throw new EBaseException(method + "paramsters identification or authToken cannot be null"); -+ } - LDAPConnection shrTokLdapConnection = null; - LDAPSearchResults res = null; - LDAPEntry entry = null; -@@ -287,6 +295,9 @@ public class SharedSecret extends DirBasedAuthentication - throw new 
EBaseException(msg); - } - -+ CMS.debug(method + "found user ldap entry: userdn = " + userdn); -+ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); -+ - res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, - "(objectclass=*)", new String[] { mShrTokAttr }, false); - if (res != null && res.hasMoreElements()) { -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index caa466c..929e629 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -1412,10 +1412,14 @@ public abstract class EnrollProfile extends BasicProfile - CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); - sharedSecretFound = false; - } -+ -+ IAuthToken authToken = (IAuthToken) -+ context.get(SessionContext.AUTH_TOKEN); -+ - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - - if (ident_string != null) { -- sharedSecret = tokenClass.getSharedToken(ident_string); -+ sharedSecret = tokenClass.getSharedToken(ident_string, authToken); - } else { - sharedSecret = tokenClass.getSharedToken(mCMCData); - } -@@ -1709,12 +1713,16 @@ public abstract class EnrollProfile extends BasicProfile - signedAuditLogger.log(auditMessage); - return false; - } -+ -+ IAuthToken authToken = (IAuthToken) -+ sessionContext.get(SessionContext.AUTH_TOKEN); -+ - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - - char[] token = null; - if (ident_string != null) { - auditAttemptedCred = ident_string; -- token = tokenClass.getSharedToken(ident_string); -+ token = tokenClass.getSharedToken(ident_string, authToken); - } else - token = tokenClass.getSharedToken(mCMCData); - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 
7d75e31..f469a66 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -446,6 +446,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - // authentication success - if (authToken != null) { - auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -+ context.put(SessionContext.AUTH_TOKEN, authToken); - } - } catch (EBaseException e) { - CMCOutputTemplate template = new CMCOutputTemplate(); --- -1.8.3.1 - - -From 2a228b4a8e1af920e577d007be87291831c635d5 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 20 Jun 2018 18:59:28 -0700 -Subject: [PATCH 2/7] Ticket 2920 Part2 of SharedToken Audit - -This patch addresses the issue that the original audit message for failure -got overwritten for SharedToken. - -fixes https://pagure.io/dogtagpki/issue/2920 - -Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4 ---- - .../netscape/cms/authentication/SharedSecret.java | 5 ++ - .../def/CMCUserSignedSubjectNameDefault.java | 7 ++- - .../cms/servlet/common/CMCOutputTemplate.java | 9 ++-- - .../servlet/profile/ProfileSubmitCMCServlet.java | 63 ++++++++++++++-------- - 4 files changed, 57 insertions(+), 27 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index e304b74..5ebc213 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -406,6 +406,11 @@ public class SharedSecret extends DirBasedAuthentication - String method = "SharedSecret.getSharedToken(BigInteger serial): "; - String msg = ""; - -+ if (serial == null) { -+ throw new EBaseException(method + "paramster serial cannot be null"); -+ } -+ CMS.debug(method + serial.toString()); -+ - ICertRecord record = null; - try { - record = 
certRepository.readCertificateRecord(serial); -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -index a0816ea..f1810b0 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java -@@ -137,12 +137,17 @@ public class CMCUserSignedSubjectNameDefault extends EnrollDefault { - String msg = ""; - CMS.debug(method + "begins"); - -- String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); - if (info == null) { - msg = method + "info null"; - CMS.debug(msg); - throw new EProfileException(msg); - } -+ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); -+ if (signingUserSerial == null) { -+ msg = method + "signing user serial not found; request was unsigned?"; -+ CMS.debug(msg); -+ throw new EProfileException(msg); -+ } - - CertificateSubjectName certSN = null; - try { -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index a0a946d..154cd33 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -1103,14 +1103,15 @@ public class CMCOutputTemplate { - - char[] sharedSecret = null; - try { -- sharedSecret = tokenClass.getSharedToken(revokeSerial); -+ sharedSecret = tokenClass.getSharedToken(revokeSerial); - } catch (Exception eShrTok) { -- CMS.debug("CMCOutputTemplate: " + eShrTok.toString()); -+ msg = "CMCOutputTemplate: " + eShrTok.toString(); - } - - if (sharedSecret == null) { -- msg = " shared secret not found"; -- CMS.debug(method + msg); -+ if (msg.equals("")) // don't overwrite the msg -+ msg = " 
shared secret not found"; -+ CMS.debug(msg); - audit(new CertStatusChangeRequestProcessedEvent( - auditSubjectID, - ILogger.FAILURE, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index f469a66..12fd294 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -533,10 +533,16 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } -+ -+ String errorCode = null; -+ String errorReason = null; -+ String auditRequesterID = ILogger.UNIDENTIFIED; -+ - try { - reqs = profile.createRequests(ctx, locale); - } catch (ECMCBadMessageCheckException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -547,9 +553,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_MESSAGE_CHECK, s); -- return; - } catch (ECMCBadIdentityException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -560,9 +566,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, 
seq, - OtherInfo.BAD_IDENTITY, s); -- return; - } catch (ECMCPopFailedException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -573,9 +579,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.POP_FAILED, s); -- return; - } catch (ECMCBadRequestException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -586,9 +592,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_REQUEST, s); -- return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -599,9 +605,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -- return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new 
INTEGER(0)); -@@ -612,7 +618,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -- return; -+ } -+ -+ if (errorReason != null) { -+ audit(CertRequestProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_REJECTION, -+ errorReason)); -+ return; - } - - TaggedAttribute attr = -@@ -684,13 +698,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - } - -- String errorCode = null; -- String errorReason = null; -- - /////////////////////////////////////////////// - // populate request - /////////////////////////////////////////////// - for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) { -+ auditRequesterID = auditRequesterID(reqs[k]); - // adding parameters to request - setInputsIntoRequest(request, profile, reqs[k]); - -@@ -769,7 +781,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - profile.populateInput(ctx, reqs[k]); - profile.populate(reqs[k]); - } catch (ECMCPopFailedException e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -780,9 +793,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.POP_FAILED, s); -- return; - } catch (EProfileException e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - CMCOutputTemplate template = new CMCOutputTemplate(); - SEQUENCE seq = new SEQUENCE(); - seq.addElement(new INTEGER(0)); -@@ -793,9 +806,9 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.BAD_REQUEST, s); -- return; - } catch (Throwable e) { -- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); -+ errorReason = e.toString(); -+ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); - // throw new IOException("Profile " + profileId + - // " cannot populate"); - CMCOutputTemplate template = new CMCOutputTemplate(); -@@ -808,12 +821,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - template.createFullResponseWithFailedStatus(response, seq, - OtherInfo.INTERNAL_CA_ERROR, s); -+ } -+ -+ if (errorReason != null) { -+ audit(CertRequestProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_REJECTION, -+ errorReason)); - return; - } - } //for - -- String auditRequesterID = ILogger.UNIDENTIFIED; -- - try { - /////////////////////////////////////////////// - // submit request --- -1.8.3.1 - - -From a85486cfc7644b6a1caac6f5a2b34c4516ea1288 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 15 Jun 2018 00:28:43 +1000 -Subject: [PATCH 3/7] IPAddressName: fix construction from String - -The IPAddressName(String) constructor (the non-netmask case) was -broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6. Fix it, -and rename one of the helper methods to clarify its behaviour. 
- -Fixes: https://pagure.io/dogtagpki/issue/2922 -Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea ---- - base/util/src/netscape/security/x509/IPAddressName.java | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java -index a343a5f..b227af0 100644 ---- a/base/util/src/netscape/security/x509/IPAddressName.java -+++ b/base/util/src/netscape/security/x509/IPAddressName.java -@@ -76,7 +76,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884) - */ - public IPAddressName(String s, String netmask) { -- address = initAddress(true, s); -+ address = parseAddress(true, s); - if (address.length == IPv4_LEN * 2) - fillIPv4Address(netmask, address, address.length / 2); - else -@@ -90,7 +90,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param mask a CIDR netmask - */ - public IPAddressName(String s, CIDRNetmask mask) { -- address = initAddress(true, s); -+ address = parseAddress(true, s); - mask.write(ByteBuffer.wrap( - address, address.length / 2, address.length / 2)); - } -@@ -102,7 +102,7 @@ public class IPAddressName implements GeneralNameInterface { - * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x - */ - public IPAddressName(String s) { -- initAddress(false, s); -+ address = parseAddress(false, s); - } - - /** -@@ -113,7 +113,7 @@ public class IPAddressName implements GeneralNameInterface { - * @return byte[] of length 4 or 16 if withNetmask == false, - * or length 8 or 32 if withNetmask == true. - */ -- private static byte[] initAddress(boolean withNetmask, String s) { -+ private static byte[] parseAddress(boolean withNetmask, String s) { - if (s.indexOf(':') != -1) { - byte[] address = new byte[IPv6_LEN * (withNetmask ? 
2 : 1)]; - fillIPv6Address(s, address, 0); --- -1.8.3.1 - - -From 1f5e857759cb822093cdc20125fa4d0990432356 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 25 Jun 2018 16:46:36 -0700 -Subject: [PATCH 4/7] Ticket 3003 AuditVerify failure due to line breaks - -This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks -in audit entry from running pki ca-user-cert-add which would cause AuditVerify -to fail. (note: adding user cert via the java console does not have such issue) - -fixes https://pagure.io/dogtagpki/issue/3003 - -Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9 ---- - .../com/netscape/certsrv/logging/event/ConfigRoleEvent.java | 3 ++- - base/util/src/com/netscape/cmsutil/util/Utils.java | 12 +++++++++++- - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -index cc5f0b7..0ac71a8 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java -@@ -18,6 +18,7 @@ - package com.netscape.certsrv.logging.event; - - import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.cmsutil.util.Utils; - - public class ConfigRoleEvent extends SignedAuditEvent { - -@@ -35,6 +36,6 @@ public class ConfigRoleEvent extends SignedAuditEvent { - - setAttribute("SubjectID", subjectID); - setAttribute("Outcome", outcome); -- setAttribute("ParamNameValPairs", params); -+ setAttribute("ParamNameValPairs", Utils.normalizeString(params, true /*keep space*/)); - } - } -diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java -index 5ff78ad..9d0f9eb 100644 ---- a/base/util/src/com/netscape/cmsutil/util/Utils.java -+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java -@@ -336,15 +336,24 @@ public class Utils { - * 
Normalize B64 input String - * - * @pram string base-64 string -+ * @param keepspace a boolean variable to control whether to keep spaces or not - * @return normalized string - */ - public static String normalizeString(String string) { -+ return normalizeString(string, false /*keepSpace*/); -+ } -+ -+ public static String normalizeString(String string, Boolean keepSpace) { - if (string == null) { - return string; - } - - StringBuffer sb = new StringBuffer(); -- StringTokenizer st = new StringTokenizer(string, "\r\n "); -+ StringTokenizer st = null; -+ if (keepSpace) -+ st = new StringTokenizer(string, "\r\n"); -+ else -+ st = new StringTokenizer(string, "\r\n "); - - while (st.hasMoreTokens()) { - String nextLine = st.nextToken(); -@@ -353,4 +362,5 @@ public class Utils { - } - return sb.toString(); - } -+ - } --- -1.8.3.1 - - -From cf1b83ed6e7be07636c3deac770d586433d80f9e Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 26 Jun 2018 15:16:53 -0700 -Subject: [PATCH 5/7] Ticket 2992 CMC Simple request profiles and CMCResponse - to support simple response - -This patch fixes the broken profiles resulted from https://pagure.io/dogtagpki/issue/3018. - -In addition, CMCResponse has been improved to handle CMC simple response. 
- -fixes https://pagure.io/dogtagpki/issue/2992 - -Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a ---- - .../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 6 +-- - base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 6 +-- - .../src/com/netscape/cmstools/CMCResponse.java | 46 +++++++++++++--------- - 3 files changed, 34 insertions(+), 24 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -index 64a6ad9..8df3576 100644 ---- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg -@@ -1,11 +1,11 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the CMC simple certificate request with agent authentication. - enable=true - enableBy=admin - name=Simple CMC Enrollment Request for User Certificate - visible=false --auth.instance_id= -+auth.instance_id=AgentCertAuth - input.list=i1 --input.i1.class_id=cmcCertReqInputImpl -+input.i1.class_id=certReqInputImpl - output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet -diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -index 0628a36..a55873f 100644 ---- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg -@@ -1,11 +1,11 @@ --desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. -+desc=This certificate profile is for enrolling user certificates by using the CMC Simple certificate request with agent authentication. 
- enable=true
- enableBy=admin
- name=Simple CMC Enrollment Request for User Certificate
- visible=false
--auth.instance_id=
-+auth.instance_id=AgentCertAuth
- input.list=i1
--input.i1.class_id=cmcCertReqInputImpl
-+input.i1.class_id=certReqInputImpl
- output.list=o1
- output.o1.class_id=certOutputImpl
- policyset.list=cmcUserCertSet
-diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
-index 945f09f..5d4f6c6 100644
---- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
-+++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java
-@@ -82,14 +82,20 @@ public class CMCResponse {
-
- public Collection getStatusInfos() throws IOException, InvalidBERException {
-
-- Collection list = new ArrayList<>();
--
-- // assume full CMC response
--
- SignedData signedData = (SignedData) contentInfo.getInterpretedContent();
- EncapsulatedContentInfo eci = signedData.getContentInfo();
-
-+ Collection list = new ArrayList<>();
-+
- OCTET_STRING content = eci.getContent();
-+ if (content == null) {
-+ System.out.println("CMC Simple Response.");
-+ // No EncapsulatedContentInfo content; Assume simple response;
-+ return null;
-+ }
-+ // assume full CMC response
-+ System.out.println("CMC Full Response.");
-+
- ByteArrayInputStream is = new ByteArrayInputStream(content.toByteArray());
- ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(is);
-
-@@ -166,8 +172,10 @@ public class CMCResponse {
- System.out.println("Invalid CMC Response Format");
- }
-
-- if (!ci.hasContent())
-+ if (!ci.hasContent()) {
-+ // No EncapsulatedContentInfo content; Assume simple response
- return;
-+ }
-
- OCTET_STRING content1 = ci.getContent();
- ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray());
-@@ -371,23 +379,25 @@ public class CMCResponse {
-
- // terminate if any of the statuses is not a SUCCESS
- Collection statusInfos = response.getStatusInfos();
-- for (CMCStatusInfoV2 statusInfo : statusInfos) {
-+ if (statusInfos != null) { // full response
-+ for (CMCStatusInfoV2 statusInfo : statusInfos) {
-
-- int status = statusInfo.getStatus();
-- if (status == CMCStatusInfoV2.SUCCESS) {
-- continue;
-- }
-+ int status = statusInfo.getStatus();
-+ if (status == CMCStatusInfoV2.SUCCESS) {
-+ continue;
-+ }
-
-- SEQUENCE bodyList = statusInfo.getBodyList();
-+ SEQUENCE bodyList = statusInfo.getBodyList();
-
-- Collection list = new ArrayList<>();
-- for (int i = 0; i < bodyList.size(); i++) {
-- INTEGER n = (INTEGER) bodyList.elementAt(i);
-- list.add(n);
-- }
-+ Collection list = new ArrayList<>();
-+ for (int i = 0; i < bodyList.size(); i++) {
-+ INTEGER n = (INTEGER) bodyList.elementAt(i);
-+ list.add(n);
-+ }
-
-- System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
-- System.exit(1);
-+ System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]);
-+ System.exit(1);
-+ }
- }
-
- // export PKCS #7 if requested
---
-1.8.3.1
-
-
-From 3ad054342a08719cd80c618c2aa260210b418113 Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Wed, 27 Jun 2018 15:04:57 -0700
-Subject: [PATCH 6/7] Ticket #2959 Address pkispawn ECC profile overrides
-
-This patch enables proper ECC profiles to be automatically applied during
-pkispawn.
-
-This patch would eliminate the need for the workaround documented here:
-http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround
-
-The idea is to use the % replacement strings as part of the profile names
-in the default.cfg file for pkispawn,
-and change the profile names to mach the format. So for example:
-
-%(pki_admin_key_type)AdminCert.profile
-
-would either be translated to rsaAdminCert.profile or eccAdminCert.profile
-depending on the value in pki_admin_key_type
-
-All 6 relevant profiles have been renamed per new convention.
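Review bot: In the inner CMCResponse patch, getStatusInfos() (hunk @@ -82) returns null from a Collection-typed method to mean "simple response", so the null guard added in the @@ -371 hunk must be repeated by every other caller, and any caller without it fails with a NullPointerException on a simple response. Returning an empty collection keeps the status loop correct with no guard at all: `return Collections.emptyList(); // simple response: no CMC status to check` (java.util.Collections would need importing), after which the `if (statusInfos != null)` wrapper in the @@ -371 hunk can go. The "CMC Simple Response." / "CMC Full Response." lines are also printed to stdout from inside the accessor, where they interleave with the tool's normal output; they belong in the calling code or on System.err. Whether other callers of getStatusInfos() exist is outside the hunk.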
- -fixes https://pagure.io/dogtagpki/issue/2959 - -Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95 ---- - base/ca/shared/conf/ECadminCert.profile | 39 -------------------------- - base/ca/shared/conf/ECserverCert.profile | 39 -------------------------- - base/ca/shared/conf/ECsubsystemCert.profile | 39 -------------------------- - base/ca/shared/conf/adminCert.profile | 39 -------------------------- - base/ca/shared/conf/eccAdminCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/eccServerCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/eccSubsystemCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/rsaAdminCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/rsaServerCert.profile | 41 ++++++++++++++++++++++++++++ - base/ca/shared/conf/rsaSubsystemCert.profile | 39 ++++++++++++++++++++++++++ - base/ca/shared/conf/serverCert.profile | 41 ---------------------------- - base/ca/shared/conf/subsystemCert.profile | 39 -------------------------- - base/server/etc/default.cfg | 6 ++-- - 13 files changed, 239 insertions(+), 239 deletions(-) - delete mode 100644 base/ca/shared/conf/ECadminCert.profile - delete mode 100644 base/ca/shared/conf/ECserverCert.profile - delete mode 100644 base/ca/shared/conf/ECsubsystemCert.profile - delete mode 100644 base/ca/shared/conf/adminCert.profile - create mode 100644 base/ca/shared/conf/eccAdminCert.profile - create mode 100644 base/ca/shared/conf/eccServerCert.profile - create mode 100644 base/ca/shared/conf/eccSubsystemCert.profile - create mode 100644 base/ca/shared/conf/rsaAdminCert.profile - create mode 100644 base/ca/shared/conf/rsaServerCert.profile - create mode 100644 base/ca/shared/conf/rsaSubsystemCert.profile - delete mode 100644 base/ca/shared/conf/serverCert.profile - delete mode 100644 base/ca/shared/conf/subsystemCert.profile - -diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile -deleted file mode 100644 -index 
46d157a..0000000 ---- a/base/ca/shared/conf/ECadminCert.profile -+++ /dev/null -@@ -1,39 +0,0 @@ --# --# Admin Certificate --# --id=adminCert.profile --name=All Purpose admin cert with ECC keys Profile --description=This profile creates an administrator's certificate with ECC keys --profileIDMapping=caAdminCert --profileSetIDMapping=adminCertSet --list=2,4,5,6,7 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=true --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=false --6.default.params.keyUsageKeyAgreement=true --6.default.params.keyUsageKeyCertSign=false --6.default.params.keyUsageCrlSign=false --6.default.params.keyUsageEncipherOnly=false --6.default.params.keyUsageDecipherOnly=false --7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault --7.default.name=Extended Key Usage Extension Default --7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile -deleted file mode 100644 
-index 8c679f7..0000000 ---- a/base/ca/shared/conf/ECserverCert.profile -+++ /dev/null -@@ -1,39 +0,0 @@ --# --# ECC Server Certificate --# --id=serverCert.profile --name=All Purpose SSL server cert with ECC keys Profile --description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers --profileIDMapping=caECServerCert --profileSetIDMapping=serverCertSet --list=2,4,5,6,7 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=false --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=false --6.default.params.keyUsageKeyAgreement=true --6.default.params.keyUsageKeyCertSign=false --6.default.params.keyUsageCrlSign=false --6.default.params.keyUsageEncipherOnly=false --6.default.params.keyUsageDecipherOnly=false --7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault --7.default.name=Extended Key Usage Extension Default --7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 -diff --git a/base/ca/shared/conf/ECsubsystemCert.profile 
b/base/ca/shared/conf/ECsubsystemCert.profile -deleted file mode 100644 -index d11dabb..0000000 ---- a/base/ca/shared/conf/ECsubsystemCert.profile -+++ /dev/null -@@ -1,39 +0,0 @@ --# --# ECC Subsystem Certificate --# --id=subsystemCert.profile --name=Subsystem cert with ECC keys Profile --description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients --profileIDMapping=caECSubsystemCert --profileSetIDMapping=serverCertSet --list=2,4,5,6,7 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=false --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=false --6.default.params.keyUsageKeyAgreement=true --6.default.params.keyUsageKeyCertSign=false --6.default.params.keyUsageCrlSign=false --6.default.params.keyUsageEncipherOnly=false --6.default.params.keyUsageDecipherOnly=false --7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault --7.default.name=Extended Key Usage Extension Default --7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -diff --git 
a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile -deleted file mode 100644 -index 5e84d74..0000000 ---- a/base/ca/shared/conf/adminCert.profile -+++ /dev/null -@@ -1,39 +0,0 @@ --# --# Server Certificate --# --id=adminCert.profile --name=All Purpose admin server cert Profile --description=This profile creates an administrator's certificate --profileIDMapping=caAdminCert --profileSetIDMapping=adminCertSet --list=2,4,5,6,7 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=true --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=true --6.default.params.keyUsageKeyAgreement=false --6.default.params.keyUsageKeyCertSign=false --6.default.params.keyUsageCrlSign=false --6.default.params.keyUsageEncipherOnly=false --6.default.params.keyUsageDecipherOnly=false --7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault --7.default.name=Extended Key Usage Extension Default --7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -diff --git 
a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile -new file mode 100644 -index 0000000..46d157a ---- /dev/null -+++ b/base/ca/shared/conf/eccAdminCert.profile -@@ -0,0 +1,39 @@ -+# -+# Admin Certificate -+# -+id=adminCert.profile -+name=All Purpose admin cert with ECC keys Profile -+description=This profile creates an administrator's certificate with ECC keys -+profileIDMapping=caAdminCert -+profileSetIDMapping=adminCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=true -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=false -+6.default.params.keyUsageKeyAgreement=true -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default -+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -diff --git 
a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile -new file mode 100644 -index 0000000..8c679f7 ---- /dev/null -+++ b/base/ca/shared/conf/eccServerCert.profile -@@ -0,0 +1,39 @@ -+# -+# ECC Server Certificate -+# -+id=serverCert.profile -+name=All Purpose SSL server cert with ECC keys Profile -+description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers -+profileIDMapping=caECServerCert -+profileSetIDMapping=serverCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=false -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=false -+6.default.params.keyUsageKeyAgreement=true -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default -+7.default.params.exKeyUsageCritical=false 
-+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 -diff --git a/base/ca/shared/conf/eccSubsystemCert.profile b/base/ca/shared/conf/eccSubsystemCert.profile -new file mode 100644 -index 0000000..d11dabb ---- /dev/null -+++ b/base/ca/shared/conf/eccSubsystemCert.profile -@@ -0,0 +1,39 @@ -+# -+# ECC Subsystem Certificate -+# -+id=subsystemCert.profile -+name=Subsystem cert with ECC keys Profile -+description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients -+profileIDMapping=caECSubsystemCert -+profileSetIDMapping=serverCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=false -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=false -+6.default.params.keyUsageKeyAgreement=true -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default 
-+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile -new file mode 100644 -index 0000000..5e84d74 ---- /dev/null -+++ b/base/ca/shared/conf/rsaAdminCert.profile -@@ -0,0 +1,39 @@ -+# -+# Server Certificate -+# -+id=adminCert.profile -+name=All Purpose admin server cert Profile -+description=This profile creates an administrator's certificate -+profileIDMapping=caAdminCert -+profileSetIDMapping=adminCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=true -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=true -+6.default.params.keyUsageKeyAgreement=false -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default 
-+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4 -diff --git a/base/ca/shared/conf/rsaServerCert.profile b/base/ca/shared/conf/rsaServerCert.profile -new file mode 100644 -index 0000000..e740760 ---- /dev/null -+++ b/base/ca/shared/conf/rsaServerCert.profile -@@ -0,0 +1,41 @@ -+# -+# Server Certificate -+# -+id=serverCert.profile -+name=All Purpose SSL server cert Profile -+description=This profile creates an SSL server certificate that is valid for SSL servers -+profileIDMapping=caServerCert -+profileSetIDMapping=serverCertSet -+list=2,4,5,6,7,8 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=false -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=true -+6.default.params.keyUsageKeyAgreement=false -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false -+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage 
Extension Default -+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 -+8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault -+8.default.name=Copy Common Name to Subjec Alternative Name Extension -diff --git a/base/ca/shared/conf/rsaSubsystemCert.profile b/base/ca/shared/conf/rsaSubsystemCert.profile -new file mode 100644 -index 0000000..fa8f84e ---- /dev/null -+++ b/base/ca/shared/conf/rsaSubsystemCert.profile -@@ -0,0 +1,39 @@ -+# -+# Subsystem Certificate -+# -+id=subsystemCert.profile -+name=All Purpose SSL server cert Profile -+description=This profile creates a subsystem certificate that is valid for SSL client -+profileIDMapping=caSubsystemCert -+profileSetIDMapping=serverCertSet -+list=2,4,5,6,7 -+2.default.class=com.netscape.cms.profile.def.ValidityDefault -+2.default.name=Validity Default -+2.default.params.range=720 -+2.default.params.startTime=0 -+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault -+4.default.name=Authority Key Identifier Default -+5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault -+5.default.name=AIA Extension Default -+5.default.params.authInfoAccessADEnable_0=true -+5.default.params.authInfoAccessADLocationType_0=URIName -+5.default.params.authInfoAccessADLocation_0= -+5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 -+5.default.params.authInfoAccessCritical=false -+5.default.params.authInfoAccessNumADs=1 -+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault -+6.default.name=Key Usage Default -+6.default.params.keyUsageCritical=true -+6.default.params.keyUsageDigitalSignature=true -+6.default.params.keyUsageNonRepudiation=true -+6.default.params.keyUsageDataEncipherment=true -+6.default.params.keyUsageKeyEncipherment=true -+6.default.params.keyUsageKeyAgreement=false -+6.default.params.keyUsageKeyCertSign=false -+6.default.params.keyUsageCrlSign=false -+6.default.params.keyUsageEncipherOnly=false 
-+6.default.params.keyUsageDecipherOnly=false -+7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault -+7.default.name=Extended Key Usage Extension Default -+7.default.params.exKeyUsageCritical=false -+7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 -diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile -deleted file mode 100644 -index e740760..0000000 ---- a/base/ca/shared/conf/serverCert.profile -+++ /dev/null -@@ -1,41 +0,0 @@ --# --# Server Certificate --# --id=serverCert.profile --name=All Purpose SSL server cert Profile --description=This profile creates an SSL server certificate that is valid for SSL servers --profileIDMapping=caServerCert --profileSetIDMapping=serverCertSet --list=2,4,5,6,7,8 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=false --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=true --6.default.params.keyUsageKeyAgreement=false --6.default.params.keyUsageKeyCertSign=false --6.default.params.keyUsageCrlSign=false --6.default.params.keyUsageEncipherOnly=false 
--6.default.params.keyUsageDecipherOnly=false --7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault --7.default.name=Extended Key Usage Extension Default --7.default.params.exKeyUsageCritical=false --7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 --8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault --8.default.name=Copy Common Name to Subjec Alternative Name Extension -diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile -deleted file mode 100644 -index fa8f84e..0000000 ---- a/base/ca/shared/conf/subsystemCert.profile -+++ /dev/null -@@ -1,39 +0,0 @@ --# --# Subsystem Certificate --# --id=subsystemCert.profile --name=All Purpose SSL server cert Profile --description=This profile creates a subsystem certificate that is valid for SSL client --profileIDMapping=caSubsystemCert --profileSetIDMapping=serverCertSet --list=2,4,5,6,7 --2.default.class=com.netscape.cms.profile.def.ValidityDefault --2.default.name=Validity Default --2.default.params.range=720 --2.default.params.startTime=0 --4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault --4.default.name=Authority Key Identifier Default --5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault --5.default.name=AIA Extension Default --5.default.params.authInfoAccessADEnable_0=true --5.default.params.authInfoAccessADLocationType_0=URIName --5.default.params.authInfoAccessADLocation_0= --5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 --5.default.params.authInfoAccessCritical=false --5.default.params.authInfoAccessNumADs=1 --6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault --6.default.name=Key Usage Default --6.default.params.keyUsageCritical=true --6.default.params.keyUsageDigitalSignature=true --6.default.params.keyUsageNonRepudiation=true --6.default.params.keyUsageDataEncipherment=true --6.default.params.keyUsageKeyEncipherment=true 
--6.default.params.keyUsageKeyAgreement=false
--6.default.params.keyUsageKeyCertSign=false
--6.default.params.keyUsageCrlSign=false
--6.default.params.keyUsageEncipherOnly=false
--6.default.params.keyUsageDecipherOnly=false
--7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
--7.default.name=Extended Key Usage Extension Default
--7.default.params.exKeyUsageCritical=false
--7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
-diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
-index e727648..c575e68 100644
---- a/base/server/etc/default.cfg
-+++ b/base/server/etc/default.cfg
-@@ -400,12 +400,12 @@ pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt
- pki_source_profiles=/usr/share/pki/ca/profiles
- pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf
- pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg
--pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile
-+pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile
- pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile
- pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile
- pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile
--pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile
--pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile
-+pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile
-+pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile
- pki_subsystem_emails_path=%(pki_subsystem_path)s/emails
- pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles
-
---
-1.8.3.1
-
-
-From 2a9c2022d39e293269c49d806fa142992bef8abd Mon Sep 17 00:00:00 2001
-From: Christina Fu
-Date: Tue, 12 Jun 2018 11:47:57 -0700
-Subject: [PATCH 7/7] Ticket 2865 X500Name.directoryStringEncodingOrder
-
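Review bot: The interpolations `%(pki_admin_key_type)s`, `%(pki_sslserver_key_type)s` and `%(pki_subsystem_key_type)s` in the default.cfg hunk are spliced straight into the profile filename, so any key-type value other than the two prefixes the new profile files use (`rsa`, `ecc`) — for instance `RSA` or `ec` — yields a path to a file that does not exist, and that only surfaces when pkispawn tries to read it. A comment above these three lines naming the accepted values would make the coupling visible: `# the key_type value must match a profile file prefix: rsa or ecc`. Whether pkispawn validates these key_type values before interpolation is outside the hunk.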
overridden by CSR encoding
-
-This patch allows profile to have control over whether to override the subjectDN
-encoding in the CSR with the encoding set by the system.
-
-New parameter in profile:
-policyset..<#>.default.params.useSysEncoding=true
-
-where "true" means to override the subjectdn with the system default order or
-the order set by X500Name.directoryStringEncodingOrder in CS.cfg
-
-by default, without useSysEncoding in profile, it is treated as false.
-
-fixes https://pagure.io/dogtagpki/issue/2865
-
-Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1
---
- .../cms/profile/def/UserSubjectNameDefault.java | 83 +++++++++++++++++-----
- base/server/cmsbundle/src/UserMessages.properties | 1 +
- .../netscape/cmscore/cert/X500NameSubsystem.java | 7 +-
- 3 files changed, 72 insertions(+), 19 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
-index 9064bc1..636b045 100644
---- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
-+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java
-@@ -44,9 +44,11 @@ import com.netscape.certsrv.request.IRequest;
- public class UserSubjectNameDefault extends EnrollDefault {
-
- public static final String VAL_NAME = "name";
-+ public static final String CONFIG_USE_SYS_ENCODING = "useSysEncoding";
-
- public UserSubjectNameDefault() {
- super();
-+ addConfigName(CONFIG_USE_SYS_ENCODING);
- addValueName(VAL_NAME);
- }
-
-@@ -55,6 +57,16 @@ public class UserSubjectNameDefault extends EnrollDefault {
- super.init(profile, config);
- }
-
-+ public IDescriptor getConfigDescriptor(Locale locale, String name) {
-+ if (name.equals(CONFIG_USE_SYS_ENCODING)) {
-+ return new Descriptor(IDescriptor.BOOLEAN, null,
-+ "false",
-+ CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_USE_SYS_ENCODING"));
-+ } else {
-+ return null;
-+ }
-+ }
-+
- public IDescriptor getValueDescriptor(Locale locale, String name) {
- if (name.equals(VAL_NAME)) {
- return new Descriptor(IDescriptor.STRING, null, null,
-@@ -64,52 +76,79 @@ public class UserSubjectNameDefault extends EnrollDefault {
- }
- }
-
-- public void setValue(String name, Locale locale,
-- X509CertInfo info, String value)
-- throws EPropertyException {
-- if (name == null) {
-- throw new EPropertyException(CMS.getUserMessage(
-- locale, "CMS_INVALID_PROPERTY", name));
-- }
-- if (name.equals(VAL_NAME)) {
-+ private X500Name getX500Name(X509CertInfo info, String value) {
-+ String method = "UserSubjectNameDefault: getX500Name: ";
- X500Name x500name = null;
-+ /*
-+ * useSysEencoding default is false
-+ * To change that, add the following in the affected profile:
-+ * policyset..<#>.default.params.useSysEncoding=true
-+ */
-+ boolean useSysEncoding = getConfigBoolean(CONFIG_USE_SYS_ENCODING);
-+ CMS.debug(method +
-+ "use system encoding: " + useSysEncoding);
-
- try {
-- x500name = new X500Name(value);
-+ if (value != null)
-+ x500name = new X500Name(value);
-
-+ // oldName is what comes with the CSR
- CertificateSubjectName oldName = info.getSubjectObj();
- if (oldName != null) {
-+ CMS.debug(method + "subjectDN exists in CSR. ");
-+ } else {
-+ CMS.debug(method + "subjectDN does not exist in CSR. ");
-+ }
-+ if ((useSysEncoding == false) && (oldName != null)) {
- /* If the canonical string representations of
- * existing Subject DN and new DN are equal,
- * keep the old name so that the attribute
- * encodings are preserved. */
- X500Name oldX500name = oldName.getX500Name();
- if (x500name.toString().equals(oldX500name.toString())) {
-- CMS.debug(
-- "UserSubjectNameDefault: setValue: "
-+ CMS.debug( method
- + "new Subject DN has same string representation "
- + "as current value; retaining current value."
- ); - x500name = oldX500name; - } else { -- CMS.debug( -- "UserSubjectNameDefault: setValue: " -+ CMS.debug(method - + "replacing current value `" + oldX500name.toString() + "` " - + "with new value `" + x500name.toString() + "`" - ); - } - } - } catch (IOException e) { -- CMS.debug(e.toString()); -+ CMS.debug(method + e.toString()); - // failed to build x500 name - } -- CMS.debug("UserSubjectNameDefault: setValue name=" + x500name); -+ return x500name; -+ } -+ -+ public void setValue(String name, Locale locale, -+ X509CertInfo info, String value) -+ throws EPropertyException { -+ String method = "UserSubjectNameDefault: setValue: "; -+ if (name == null) { -+ CMS.debug(name + "name null"); -+ throw new EPropertyException(CMS.getUserMessage( -+ locale, "CMS_INVALID_PROPERTY", name)); -+ } -+ CMS.debug(method + "name = " + name); -+ if (value != null) -+ CMS.debug(method + "value = " + value); -+ else -+ CMS.debug(method + "value = null"); -+ -+ if (name.equals(VAL_NAME)) { -+ X500Name x500name = getX500Name(info, value); -+ CMS.debug(method + "setting name=" + x500name); - try { - info.set(X509CertInfo.SUBJECT, - new CertificateSubjectName(x500name)); - } catch (Exception e) { - // failed to insert subject name -- CMS.debug("UserSubjectNameDefault: setValue " + e.toString()); -+ CMS.debug(method + e.toString()); - throw new EPropertyException(CMS.getUserMessage( - locale, "CMS_INVALID_PROPERTY", name)); - } -@@ -155,9 +194,17 @@ public class UserSubjectNameDefault extends EnrollDefault { - throws EProfileException { - // authenticate the subject name and populate it - // to the certinfo -+ CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName( -+ IEnrollProfile.REQUEST_SUBJECT_NAME); - try { -- info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName( -- IEnrollProfile.REQUEST_SUBJECT_NAME)); -+ info.set(X509CertInfo.SUBJECT, req_sbj); -+ -+ // see if the encoding needs changing -+ X500Name x500name = getX500Name(info, req_sbj.toString()); 
-+ if (x500name != null) { -+ info.set(X509CertInfo.SUBJECT, -+ new CertificateSubjectName(x500name)); -+ } - } catch (Exception e) { - // failed to insert subject name - CMS.debug("UserSubjectNameDefault: populate " + e.toString()); -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index 9c324f5..208632d 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -754,6 +754,7 @@ CMS_PROFILE_ENCODING_ERROR=Error in BER encoding - CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key - CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys - CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests -+CMS_PROFILE_CONFIG_USE_SYS_ENCODING=Use subject DN encoding from system-defined order - CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0} - CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation. - CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0} -diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java -index 7accf2b..f1b3eb6 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java -@@ -185,10 +185,15 @@ public class X500NameSubsystem implements ISubsystem { - */ - private void setDirStrEncodingOrder() - throws EBaseException { -+ String method = "X500NameSubsystem: setDirStrEncodingOrder: "; - String order = mConfig.getString(PROP_DIR_STR_ENCODING_ORDER, null); - -- if (order == null || order.length() == 0) // nothing. -+ if (order == null || order.length() == 0) { // nothing. 
-+ CMS.debug(method + "X500Name.directoryStringEncodingOrder not specified in config; Using default order in DirStrConverter."); - return; -+ } -+ CMS.debug(method + "X500Name.directoryStringEncodingOrder specified in config: " + order); -+ - StringTokenizer toker = new StringTokenizer(order, ", \t"); - int numTokens = toker.countTokens(); - --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-batch-4.0.patch b/SOURCES/pki-core-10.5.1-batch-4.0.patch deleted file mode 100644 index 8c32da6..0000000 --- a/SOURCES/pki-core-10.5.1-batch-4.0.patch +++ /dev/null 
@@ -1,1145 +0,0 @@ -From a44118f657f570493bbcc7af4ed347f638031905 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 12 Jul 2018 10:24:33 -0700 -Subject: [PATCH 1/9] Bugzilla 1548203 LDAP password from console update in - audit - -This patch replace ldap passwords with "(sensitive)" in audit log. - -fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203 - -Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a -(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1) ---- - .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index 769e8e4..2b8cec7 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet { - if (name.equals(Constants.OP_TYPE)) continue; - if (name.equals(Constants.RS_ID)) continue; - -- String value = req.getParameter(name); -+ String value = null; -+ if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD")) -+ value = "(sensitive)"; -+ else -+ value = req.getParameter(name); - params.put(name, value); - } - --- -1.8.3.1 - - -From 3210233343ae0d837855ac35884ea0d74450dc01 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Mon, 15 Jan 2018 13:59:33 -0800 -Subject: [PATCH 2/9] Test fix for TPS server side key gen for only identity - cert problem. 
- -Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d -(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39) -(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8) ---- - .../server/tps/cms/TKSRemoteRequestHandler.java | 26 +++++++++++++++++----- - 1 file changed, 21 insertions(+), 5 deletions(-) - -diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java -index 65d0ed0..8155f90 100644 ---- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java -+++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java -@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler - String tokenType) - throws EBaseException { - -- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins."); -+ String method = "TKSRemoteRequestHandler: computeSessionKey(): "; -+ CMS.debug(method + " begins."); - if (cuid == null || kdd == null || keyInfo == null || card_challenge == null - || card_cryptogram == null || host_challenge == null) { - throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null."); -@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler - - IConfigStore conf = CMS.getConfigStore(); - -- boolean serverKeygen = -- conf.getBoolean("op.enroll." + -- tokenType + ".keyGen.encryption.serverKeygen.enable", -- false); -+ boolean serverKeygen = false; -+ -+ //Try out all the currently supported cert types to see if we are doing server side keygen here -+ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"}; -+ for (String keygenString : keygenStrings) { -+ boolean enabled = conf.getBoolean("op.enroll." + -+ tokenType + ".keyGen." 
+ -+ keygenString + ".serverKeygen.enable", false); -+ -+ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled); -+ if (enabled) { -+ serverKeygen = true; -+ break; -+ } -+ } -+ -+ -+ -+ - if (keySet == null) - keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet"); - --- -1.8.3.1 - - -From 6e4ad81a8f65c015f23cbd3716564c6755bbbdf1 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Mon, 30 Jul 2018 17:15:09 -0700 -Subject: [PATCH 4/9] Bug 1601071 Certificate generation happens with partial - attributes in CMCRequest file - -This patch addresses the issue where when a cmcSelfSisnged profile is used -in a cmcUserSigned case, the certificate is issued. -A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has -been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case. -A new constraint CMCSelfSignedSubjectNameConstraint has been introduced -to verify. -In additional, all profiles that authenticate through CMCUserSignedAuth are -turned off by default to allow site administrators to make conscious decision -on their own for these features. -Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default. 
- -Change-Id: I275118d31b966494411888beb37032bb022c29ce -(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536) ---- - base/ca/shared/conf/CS.cfg | 2 +- - base/ca/shared/conf/registry.cfg | 9 +- - .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +- - .../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +- - .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +- - .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- - .../certsrv/authentication/IAuthToken.java | 7 +- - .../com/netscape/cms/authentication/CMCAuth.java | 5 +- - .../cms/authentication/CMCUserSignedAuth.java | 16 ++- - .../netscape/cms/authentication/SharedSecret.java | 4 +- - .../netscape/cms/profile/common/EnrollProfile.java | 18 +++ - .../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++ - .../profile/def/AuthTokenSubjectNameDefault.java | 2 +- - .../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++- - base/server/cmsbundle/src/UserMessages.properties | 3 +- - 15 files changed, 216 insertions(+), 28 deletions(-) - create mode 100644 base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 1d65835..fcd85a2 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED - log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) -diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg -index 54e4d95..4fe6e93 100644 ---- a/base/ca/shared/conf/registry.cfg -+++ b/base/ca/shared/conf/registry.cfg -@@ -1,5 +1,5 @@ - types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater 
--constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl -+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl - constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint - constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint - constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint -@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr - constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint - constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint - constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint -+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint -+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint 
-+constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint - constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint --constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint --constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint -+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint -+constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint - constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint - constraintPolicy.validityConstraintImpl.desc=Validity Constraint - constraintPolicy.validityConstraintImpl.name=Validity Constraint -diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -index 144c05c..48e6499 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg -@@ -1,5 +1,5 @@ - desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request --enable=true -+enable=false - enableBy=admin - name=Self-Signed CMC User Certificate Enrollment - visible=false -@@ -10,10 +10,8 @@ output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet - policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 --policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl --policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint --policyset.cmcUserCertSet.1.constraint.params.accept=true --policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* -+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl 
-+policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint - policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= -diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -index d2286de..e7b60ee 100644 ---- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg -@@ -1,5 +1,5 @@ - desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication. --enable=true -+enable=false - enableBy=admin - name=User-Signed CMC-Authenticated User Certificate Enrollment - visible=false -diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -index bdcdc24..538b16a 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg -@@ -1,5 +1,5 @@ - desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request --enable=true -+enable=false - enableBy=admin - name=Self-Signed CMC User Certificate Enrollment - visible=false -@@ -10,10 +10,8 @@ output.list=o1 - output.o1.class_id=certOutputImpl - policyset.list=cmcUserCertSet - policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 --policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl --policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint --policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* --policyset.cmcUserCertSet.1.constraint.params.accept=true -+policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl -+policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint - 
policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl - policyset.cmcUserCertSet.1.default.name=Subject Name Default - policyset.cmcUserCertSet.1.default.params.name= -diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -index 9b5d3e9..b0ff8af 100644 ---- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -+++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg -@@ -1,5 +1,5 @@ - desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. --enable=true -+enable=false - enableBy=admin - name=User-Signed CMC-Authenticated User Certificate Enrollment - visible=false -diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java -index 59c6af2..d5d03b4 100644 ---- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java -+++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java -@@ -44,9 +44,14 @@ public interface IAuthToken { - public static final String GROUP = "group"; - public static final String GROUPS = "groups"; - -- /* Subject name of the certificate in the authenticating entry */ -+ /* Subject name of the certificate request in the authenticating entry */ - public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; - -+ /* Subject name of the authenticated cert */ -+ public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject"; -+ /* Subject DN of the Shared Token authenticated entry */ -+ public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenSharedTokenAuthenticatedCertSubject"; -+ - /* NotBefore value of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; - -diff --git 
a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -index 86ffa2f..9b6a819 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java -@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - - IAuthToken tempToken = agentAuth.authenticate(agentCred); - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); -- String ID = tempPrincipal.toString(); -+ String ID = tempPrincipal.getName(); - CMS.debug(method + " Principal name = " + ID); -+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); - - BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); - authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); -@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, - public void populate(IAuthToken token, IRequest request) - throws EProfileException { - request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, -- token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); -+ token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT)); - } - - public boolean isSSLClientRequired() { -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index d5f6c34..a9a7ade 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - if (requestCertSubject.equals("")) { - requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; - } -- - authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); - auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); - 
//authToken.set("uid", uid); -@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - IAuthToken tempToken = new AuthToken(null); - netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); -- String ID = tempPrincipal.toString(); //tempToken.get("userid"); -+ String ID = tempPrincipal.getName(); //tempToken.get("userid"); - CMS.debug(method + " Principal name = " + ID); -+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); - - BigInteger certSerial = x509Certs[0].getSerialNumber(); - CMS.debug(method + " verified cert serial=" + certSerial.toString()); -@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - - public void populate(IAuthToken token, IRequest request) - throws EProfileException { -- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, -- token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); -+ String method = "CMCUserSignedAuth: populate: "; -+ String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (authenticatedDN != null) { -+ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, -+ authenticatedDN); -+ CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+ -+ authenticatedDN); -+ } else { -+ CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?"); -+ } - } - - public boolean isSSLClientRequired() { -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index 5ebc213..2d8679c 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey; - import org.mozilla.jss.pkix.cmc.PKIData; - - import com.netscape.certsrv.apps.CMS; --import 
com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.EInvalidCredentials; - import com.netscape.certsrv.authentication.IAuthCredentials; -+import com.netscape.certsrv.authentication.AuthToken; - import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authentication.ISharedToken; - import com.netscape.certsrv.base.EBaseException; -@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication - } - - CMS.debug(method + "found user ldap entry: userdn = " + userdn); -- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); -+ authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn); - - res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, - "(objectclass=*)", new String[] { mShrTokAttr }, false); -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 929e629..f9903c6 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile - - // catch for invalid request - cmc_msgs = parseCMC(locale, cert_request, donePOI); -+ SessionContext sessionContext = SessionContext.getContext(); -+ String authenticatedSubject = -+ (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ -+ if (authenticatedSubject != null) { -+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject); -+ } -+ - if (cmc_msgs == null) { - CMS.debug(method + "parseCMC returns cmc_msgs null"); - return null; -@@ -1795,6 +1803,16 @@ public abstract class EnrollProfile extends BasicProfile - auditSubjectID = ident_string; - sessionContext.put(SessionContext.USER_ID, auditSubjectID); - -+ // subjectdn from SharedSecret ldap auth -+ // set in context and authToken to be used by 
profile -+ // default and constraints plugins -+ authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, -+ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); -+ - auditMessage = CMS.getLogMessage( - AuditEvent.CMC_PROOF_OF_IDENTIFICATION, - auditSubjectID, -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java -new file mode 100644 -index 0000000..d4554ca ---- /dev/null -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java -@@ -0,0 +1,129 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2013 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.cms.profile.constraint; -+ -+import java.util.Locale; -+ -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.authentication.IAuthToken; -+import com.netscape.certsrv.authentication.IAuthManager; -+import com.netscape.certsrv.base.IConfigStore; -+import com.netscape.certsrv.profile.EProfileException; -+import com.netscape.certsrv.profile.ERejectException; -+import com.netscape.certsrv.profile.IPolicyDefault; -+import com.netscape.certsrv.profile.IProfile; -+import com.netscape.certsrv.property.IDescriptor; -+import com.netscape.certsrv.request.IRequest; -+import com.netscape.cms.profile.common.EnrollProfile; -+import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; -+ -+import netscape.security.x509.CertificateSubjectName; -+import netscape.security.x509.X500Name; -+import netscape.security.x509.X509CertInfo; -+ -+/** -+ * This class implements the user subject name constraint for self-signed cmc requests. -+ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match -+ * -+ * @author cfu -+ * @version $Revision$, $Date$ -+ */ -+public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { -+ -+ public CMCSelfSignedSubjectNameConstraint() { -+ } -+ -+ public void init(IProfile profile, IConfigStore config) -+ throws EProfileException { -+ super.init(profile, config); -+ } -+ -+ public IDescriptor getConfigDescriptor(Locale locale, String name) { -+ return null; -+ } -+ -+ public String getDefaultConfig(String name) { -+ return null; -+ } -+ -+ /** -+ * Validates the request. The request is not modified -+ * during the validation. User encoded subject name -+ * is copied into the certificate template. 
-+ */ -+ public void validate(IRequest request, X509CertInfo info) -+ throws ERejectException { -+ String method = "CMCSelfSignedSubjectNameConstraint: "; -+ String msg = ""; -+ -+ CertificateSubjectName infoCertSN = null; -+ String authTokenSharedTokenSN = null; -+ -+ try { -+ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); -+ if (infoCertSN == null) { -+ msg = method + "infoCertSN null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ CMS.debug(method + "validate user subject ="+ -+ infoCertSN.toString()); -+ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); -+ if (infoCertName == null) { -+ msg = method + "infoCertName null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ -+ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (authTokenSharedTokenSN == null) { -+ msg = method + "authTokenSharedTokenSN null"; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { -+ CMS.debug(method + "names matched"); -+ } else { -+ msg = method + "names do not match; authTokenSharedTokenSN =" + -+ authTokenSharedTokenSN; -+ CMS.debug(msg); -+ throw new Exception(msg); -+ } -+ -+ } catch (Exception e) { -+ throw new ERejectException( -+ CMS.getUserMessage(getLocale(request), -+ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); -+ } -+ } -+ -+ public String getText(Locale locale) { -+ return CMS.getUserMessage(locale, -+ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); -+ } -+ -+ public boolean isApplicable(IPolicyDefault def) { -+ String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; -+ if (def instanceof AuthTokenSubjectNameDefault) { -+ CMS.debug(method + "true"); -+ return true; -+ } -+ CMS.debug(method + "false"); -+ return false; -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java 
b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -index e789625..85bf241 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -+++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java -@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault { - X500Name name = new X500Name( - request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)); - -- CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString()); -+ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName()); - info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name)); - } catch (Exception e) { - // failed to insert subject name -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 12fd294..03e94a8 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - CMS.debug("ProfileSubmitCMCServlet: null it out"); - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); - } -+ - String signingCertSerialS = null; - if (authToken != null) { - signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); -@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } - -+ String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { -+ // unlikely to happen, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for 
CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); -+ } -+ - String errorCode = null; - String errorReason = null; - String auditRequesterID = ILogger.UNIDENTIFIED; -@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); - if (tmpCertSerialS != null) { -- // unlikely to happenm, but do this just in case -+ // unlikely to happen, but do this just in case - CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); - CMS.debug("ProfileSubmitCMCServlet: null it out"); - reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); - } - // put CMCUserSignedAuth authToken in request - if (signingCertSerialS != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); -+ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); -+ } -+ -+ tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { -+ // unlikely to happen, but do this just in case -+ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); -+ CMS.debug("ProfileSubmitCMCServlet: null it out"); -+ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); -+ } -+ // put Shared Token authToken in request -+ String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); -+ if (st_sbj != null) { -+ CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth"); -+ 
reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj); -+ } -+ if (tmpSharedTokenAuthenticatedCertSubject != null) { - CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); - reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); - } -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index 208632d..e5e6ecc 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing - CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} - CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only - CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only --CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only -+CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only -+CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only - CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. - CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} - CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. 
--- -1.8.3.1 - - -From cc94db7c4c960e2f752a3d1b8687d075187f4e3d Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 1 Aug 2018 13:35:53 -0700 -Subject: [PATCH 5/9] Bug 1593805 Better understanding of - NSS_USE_DECODED_CKA_EC_POINT for ECC - -This patch removes the outdated reference to EC environment variable -NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage. - -More info in the usage are updated as well for correctness and clarity. - -Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9 -(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051) ---- - .../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++---------- - 1 file changed, 18 insertions(+), 14 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -index fcaf210..28934ab 100644 ---- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java -@@ -251,43 +251,47 @@ public class HttpClient { - System.out.println("The configuration file should look like as follows:"); - System.out.println(""); - System.out.println("#host: host name for the http server"); -- System.out.println("host=host1.a.com"); -+ System.out.println("host=host.example.com"); - System.out.println(""); - System.out.println("#port: port number"); -- System.out.println("port=1025"); -+ System.out.println("port=8443"); - System.out.println(""); - System.out.println("#secure: true for secure connection, false for nonsecure connection"); -- System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command"); - System.out.println("secure=false"); - System.out.println(""); - System.out.println("#input: full path for the enrollment request, the content must be in binary format"); -- System.out.println("input=/u/doc/cmcReqCRMFBin"); -+ 
System.out.println("input=~/cmcReqCRMFBin"); - System.out.println(""); - System.out.println("#output: full path for the response in binary format"); -- System.out.println("output=/u/doc/cmcResp"); -+ System.out.println("#output could be parsed by running CMCResponse"); -+ System.out.println("output=~/cmcResp"); - System.out.println(""); -- System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)"); -+ System.out.println("#dbdir: directory for NSS certificate/key databases"); - System.out.println("#This parameter will be ignored if secure=false"); -- System.out.println("tokenname=hsmname"); -+ System.out.println("dbdir=/.dogtag/nssdb"); - System.out.println(""); -- System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db"); -+ System.out.println("#password: password for NSS database"); -+ System.out.println("#This parameter will be ignored if secure=false and clientmode=false"); -+ System.out.println("password="); -+ System.out.println(""); -+ System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)"); - System.out.println("#This parameter will be ignored if secure=false"); -- System.out.println("dbdir=/u/smith/.netscape"); -+ System.out.println("tokenname=internal"); - System.out.println(""); - System.out.println("#clientmode: true for client authentication, false for no client authentication"); - System.out.println("#This parameter will be ignored if secure=false"); - System.out.println("clientmode=false"); - System.out.println(""); -- System.out.println("#password: password for cert8.db"); -- System.out.println("#This parameter will be ignored if secure=false and clientauth=false"); -- System.out.println("password="); -- System.out.println(""); - System.out.println("#nickname: nickname for client certificate"); - System.out.println("#This parameter will be ignored if clientmode=false"); - 
System.out.println("nickname="); - System.out.println(""); - System.out.println("#servlet: target URL"); -- System.out.println("#This parameter may include query parameters"); -+ System.out.println("#This parameter may include query parameters;"); -+ System.out.println("# - reminder: profileId should be a profile that matches"); -+ System.out.println("# the intended certificate; for certificates intended"); -+ System.out.println("# for SSL (client or server), profiles should match"); -+ System.out.println("# the key type (RSA or EC) of the keys generated for CSR;"); - System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert"); - System.out.println(""); - System.exit(0); --- -1.8.3.1 - - -From 70b933bc570ec288037c2b5e853dbe8f9ab83571 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 2 Aug 2018 10:33:08 +0300 -Subject: [PATCH 6/9] ConfigurationUtil: support new format for - nsds5replicaLastInitStatus value - -pkispawn is reading the attribute nsds5replicaLastInitStatus in -cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping -tree,cn=config in order to find the replication status. 
The new format -(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update -succeeded" but pkispawn is expecting "0 Total update succeeded" - -389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599 - -Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629 -(cherry picked from commit 151ecf63106425cada104d141a81722570ba2b28) ---- - .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 7f5341a..d8b4965 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -2053,7 +2053,7 @@ public class ConfigurationUtils { - } - - String status = replicationStatus(replicadn, masterConn, masterAgreementName); -- if (!status.startsWith("0 ")) { -+ if (!(status.startsWith("Error (0) ") || status.startsWith("0 "))) { - CMS.debug("setupReplication: consumer initialization failed. " + status); - throw new IOException("consumer initialization failed. " + status); - } --- -1.8.3.1 - - -From 3ad4c2b779a4bb9f993e6886597812904353d2b0 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 2 Aug 2018 09:31:50 -0700 -Subject: [PATCH 7/9] Bug1608375 - CMC Revocations throws exception with same - reqIssuer & certissuer - -This patch resolves the possible encoding mismatch between the actual CA cert -and the X500Name gleaned from the CMC revocation request. 
- -Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d -(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248) ---- - .../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++--- - 1 file changed, 18 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index a9a7ade..97971dd 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.IExtendedPluginInfo; - import com.netscape.certsrv.base.SessionContext; -+import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; - import com.netscape.certsrv.profile.EProfileException; -@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - // to CMCOutputTemplate so that we can - // have a chance to capture user identification info - if (issuerANY != null) { -+ // get CA signing cert -+ ICertificateAuthority ca = null; -+ ca = (ICertificateAuthority) CMS.getSubsystem("ca"); -+ X500Name caName = ca.getX500Name(); -+ - try { - byte[] issuerBytes = issuerANY.getEncoded(); -- X500Name issuerName = new X500Name(issuerBytes); -- CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); -+ X500Name reqIssuerName = new X500Name(issuerBytes); -+ String reqIssuerNameStr = reqIssuerName.getName(); -+ CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr); -+ if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) { -+ // making sure it's identical, even in encoding -+ reqIssuerName = caName; -+ } else { -+ // not this 
CA; will be bumped off later; -+ // make a note in debug anyway -+ CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;"); -+ } - // capture issuer principal to be checked against - // cert issuer principal later in CMCOutputTemplate -- auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); -+ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName); - } catch (Exception e) { - CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); - } --- -1.8.3.1 - - -From a1130e298048b106fb6febcfe9f88fea0d733e6a Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 8 Aug 2018 18:41:52 -0700 -Subject: [PATCH 8/9] Ticket #3041 Enable all config audit events - -This patch enables the audit events concerning role actions (mostly config) -by default. - -Two additional minor issues are also addressed: -1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert - (bugzilla #1610718) -2. removing unrecommended signing algorithms - -fixes: https://pagure.io/dogtagpki/issue/3041 -Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d -(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099) ---- - base/ca/shared/conf/CS.cfg | 2 +- - base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- - base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +- - base/kra/shared/conf/CS.cfg | 2 +- - base/ocsp/shared/conf/CS.cfg | 2 +- - .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +- - .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +- - base/server/cmsbundle/src/LogMessages.properties | 2 +- - base/tks/shared/conf/CS.cfg | 2 +- - base/tps/shared/conf/CS.cfg | 2 +- - base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++---- - 11 files changed, 14 insertions(+), 14 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index fcd85a2..6158d5a 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ 
-909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG - log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) -diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg -index f12c7ed..0b7f6b7 100644 ---- 
a/base/ca/shared/profiles/ca/caDirUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg -@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 - policyset.userCertSet.2.default.params.startTime=0 - policyset.userCertSet.3.constraint.class_id=keyConstraintImpl - policyset.userCertSet.3.constraint.name=Key Constraint --policyset.userCertSet.3.constraint.params.keyType=EC -+policyset.userCertSet.3.constraint.params.keyType=RSA - policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 - policyset.userCertSet.3.default.class_id=userKeyDefaultImpl - policyset.userCertSet.3.default.name=Key Default -diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg -index 0663b40..b65999e 100644 ---- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg -+++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg -@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180 - policyset.userCertSet.2.default.params.startTime=0 - policyset.userCertSet.3.constraint.class_id=keyConstraintImpl - policyset.userCertSet.3.constraint.name=Key Constraint --policyset.userCertSet.3.constraint.params.keyType=- -+policyset.userCertSet.3.constraint.params.keyType=EC - policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521 - policyset.userCertSet.3.default.class_id=userKeyDefaultImpl - policyset.userCertSet.3.default.name=Key Default -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index f314234..878e5f8 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL - log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure) - log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) - log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure) -diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg -index dc993b0..b412e5e 100644 ---- a/base/ocsp/shared/conf/CS.cfg -+++ b/base/ocsp/shared/conf/CS.cfg -@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - 
log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -index a1a83a4..2dcf9c1 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java -@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile - defConfig4 - .putString( - "params.signingAlgsAllowed", -- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); -+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); - - IProfilePolicy policy5 = - createProfilePolicy("set1", "p5", -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java 
b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -index 710a461..9b1eacb 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java -@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile - defConfig4 - .putString( - "params.signingAlgsAllowed", -- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); -+ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); - - IProfilePolicy policy5 = - createProfilePolicy("set1", "p5", -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 7963f6f..d534506 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authenticatio - # and to be approved by an agent - # Op must be "approve" or "disapprove" - # --LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval -+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval - # - # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION - # - used for proof of possession during certificate enrollment processing -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index d1da996..e9bf03e 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 -diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg -index c44bc75..3671100 100644 ---- a/base/tps/shared/conf/CS.cfg -+++ b/base/tps/shared/conf/CS.cfg -@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - 
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) -diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java -index ae5975a..012575c 100644 ---- a/base/util/src/netscape/security/x509/AlgorithmId.java -+++ b/base/util/src/netscape/security/x509/AlgorithmId.java -@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder { - * Supported signing algorithms for a RSA key. - */ - public static final String[] RSA_SIGNING_ALGORITHMS = new String[] -- { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" }; -+ { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" }; - - public static final String[] EC_SIGNING_ALGORITHMS = new String[] -- { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" }; -+ { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; - - /** - * All supported signing algorithms. - */ - public static final String[] ALL_SIGNING_ALGORITHMS = new String[] - { -- "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC", -- "SHA256withEC", "SHA384withEC", "SHA512withEC" }; -+ "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA", -+ "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; - - } --- -1.8.3.1 - - -From a7df5434dd8b32d549abff80173653350fd9a7c4 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 10 Aug 2018 14:04:14 -0700 -Subject: [PATCH 9/9] Ticket #2481 ECC keys not supported for signing audit - logs - -This patch addes support for ECC audit log signing key. -All enrollment profiles for audit signing certificate are updated to allow that. 
- -fixes https://pagure.io/dogtagpki/issue/2481 - -Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f -(cherry picked from commit 435ede04d525d8816345271a887753a620795d56) ---- - base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++-- - base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++---- - base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++--- - base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++----- - 5 files changed, 14 insertions(+), 16 deletions(-) - -diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -index ff4856c..642e67b 100644 ---- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg -@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720 - policyset.auditSigningCertSet.2.default.params.startTime=0 - policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl - policyset.auditSigningCertSet.3.constraint.name=Key Constraint --policyset.auditSigningCertSet.3.constraint.params.keyType=RSA --policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.auditSigningCertSet.3.constraint.params.keyType=- -+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl - policyset.auditSigningCertSet.3.default.name=Key Default - policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl -diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -index b850f1c..4acaab7 100644 ---- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -+++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg -@@ -31,7 +31,7 @@ 
policyset.auditSigningCertSet.2.default.params.startTime=0 - policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl - policyset.auditSigningCertSet.3.constraint.name=Key Constraint - policyset.auditSigningCertSet.3.constraint.params.keyType=- --policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl - policyset.auditSigningCertSet.3.default.name=Key Default - policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl -@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false - policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false - policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.auditSigningCertSet.9.constraint.name=No Constraint --policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl - policyset.auditSigningCertSet.9.default.name=Signing Alg - policyset.auditSigningCertSet.9.default.params.signingAlg=- -diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg -index 6fdb8b5..c568572 100644 ---- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg -+++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg -@@ -3,7 +3,7 @@ visible=true - enable=true - enableBy=admin - auth.class_id= --name=Manual Log Signing Certificate Enrollment -+name=Manual Audit Log Signing Certificate Enrollment - input.list=i1,i2 
- input.i1.class_id=certReqInputImpl - input.i2.class_id=submitterInfoInputImpl -@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720 - policyset.caLogSigningSet.2.default.params.startTime=0 - policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl - policyset.caLogSigningSet.3.constraint.name=Key Constraint --policyset.caLogSigningSet.3.constraint.params.keyType=RSA --policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096 -+policyset.caLogSigningSet.3.constraint.params.keyType=- -+policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 - policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl - policyset.caLogSigningSet.3.default.name=Key Default - policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl -@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul - policyset.caLogSigningSet.8.default.params.critical=false - policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl - policyset.caLogSigningSet.9.constraint.name=No Constraint --policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC -+policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC - policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl - policyset.caLogSigningSet.9.default.name=Signing Alg - policyset.caLogSigningSet.9.default.params.signingAlg=- -diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -index 7693ba3..be9c0ed 100644 ---- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -+++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java -@@ -25,7 
+25,6 @@ import java.io.FilenameFilter; - import java.io.IOException; - import java.security.PublicKey; - import java.security.Signature; --import java.security.interfaces.DSAPublicKey; - import java.security.interfaces.RSAPublicKey; - import java.util.List; - import java.util.StringTokenizer; -@@ -34,6 +33,7 @@ import java.util.Vector; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.ObjectNotFoundException; - import org.mozilla.jss.crypto.X509Certificate; -+import org.mozilla.jss.pkcs11.PK11ECPublicKey; - - import com.netscape.cmsutil.util.Utils; - -@@ -159,8 +159,8 @@ public class AuditVerify { - String sigAlgorithm = null; - if (pubk instanceof RSAPublicKey) { - sigAlgorithm = "SHA-256/RSA"; -- } else if (pubk instanceof DSAPublicKey) { -- sigAlgorithm = "SHA-256/DSA"; -+ } else if (pubk instanceof PK11ECPublicKey) { -+ sigAlgorithm = "SHA-256/EC"; - } else { - throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm()); - } -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index 74a8ada..b04f70d 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -41,8 +41,6 @@ import java.security.PrivateKey; - import java.security.Provider; - import java.security.Signature; - import java.security.SignatureException; --import java.security.interfaces.DSAPrivateKey; --import java.security.interfaces.RSAPrivateKey; - import java.text.ParseException; - import java.text.SimpleDateFormat; - import java.util.Date; -@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - mSigningKey = cm.findPrivKeyByCert(cert); - - String sigAlgorithm; -- if (mSigningKey instanceof RSAPrivateKey) { -+ if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) { - sigAlgorithm = "SHA-256/RSA"; -- } else if (mSigningKey instanceof DSAPrivateKey) { 
-- sigAlgorithm = "SHA-256/DSA"; -+ } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) { -+ sigAlgorithm = "SHA-256/EC"; - } else { - throw new NoSuchAlgorithmException("Unknown private key type"); - } --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-beta.patch b/SOURCES/pki-core-10.5.1-beta.patch deleted file mode 100644 index 1349653..0000000 --- a/SOURCES/pki-core-10.5.1-beta.patch +++ /dev/null 
@@ -1,2236 +0,0 @@ -From 073b60fe200768ca56ef53f9b24cf6ba9225cc52 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Mon, 27 Nov 2017 22:42:00 -0700 -Subject: Fix seobject pylint issues - -dogtagpki Pagure Issue #2856 - Pylint flags seobject failures - -Change-Id: Ied117961e8212ac0a73e78b9857282de91aa7cf7 -(cherry picked from commit c3b69ae92c884e7f230766b37a8723c2ce905eca) ---- - base/server/python/pki/server/deployment/pkihelper.py | 5 ++++- - .../python/pki/server/deployment/scriptlets/selinux_setup.py | 8 ++++---- - 2 files changed, 8 insertions(+), 5 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index c6e1597..49945b9 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -801,7 +801,9 @@ class ConfigurationFile: - extra=config.PKI_INDENTATION_LEVEL_2) - return - -- portrecs = seobject.portRecords().get_all() -+ trans = seobject.semanageRecords("targeted") -+ trans.start() -+ portrecs = seobject.portRecords(trans).get_all() - portlist = ports[:] - for port in portlist: - context = "" -@@ -829,6 +831,7 @@ class ConfigurationFile: - raise Exception( - log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT % - (port, context)) -+ trans.finish() - return - - def verify_ds_secure_connection_data(self): -diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -index 9c926d1..d5e4b0c 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -+++ b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py -@@ -83,7 +83,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if deployer.mdict['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - -- fcon = seobject.fcontextRecords() -+ fcon = seobject.fcontextRecords(trans) - - 
config.pki_log.info( - "adding selinux fcontext \"%s\"", -@@ -121,7 +121,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_database_path'] + self.suffix, - config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") - -- port_records = seobject.portRecords() -+ port_records = seobject.portRecords(trans) - for port in ports: - config.pki_log.info( - "adding selinux port %s", port, -@@ -176,7 +176,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - if deployer.mdict['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - -- fcon = seobject.fcontextRecords() -+ fcon = seobject.fcontextRecords(trans) - - config.pki_log.info( - "deleting selinux fcontext \"%s\"", -@@ -212,7 +212,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_database_path'] + - self.suffix, "") - -- port_records = seobject.portRecords() -+ port_records = seobject.portRecords(trans) - for port in ports: - config.pki_log.info( - "deleting selinux port %s", port, --- -1.8.3.1 - - -From d70d4af983bd78444e8779c24e105c13c66ab502 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 30 Nov 2017 15:28:38 -0800 -Subject: =?UTF-8?q?Ticket=20#2861=20ExternalCA:=20Failures=20in=20External?= - =?UTF-8?q?CA=20when=20tried=20to=20setup=20with=20CMC=20signed=20certific?= - =?UTF-8?q?ates=0AThe=20issue=20was=20found=20when=20the=20ValidityConstra?= - =?UTF-8?q?int=20does=20not=20restrict=20the=20cert=20signed=20to=20not=20?= - =?UTF-8?q?exceed=20the=20CA=20signing=20cert's=20expiry=20date.=20=20Upon?= - =?UTF-8?q?=20close=20examination,=20it=20appears=20that=20the=20CAValidit?= - =?UTF-8?q?yConstraint=20was=20not=20registered=20by=20default.=20=20By=20?= - =?UTF-8?q?registering=20this=20constraint=20and=20replacing=20the=20Valid?= - =?UTF-8?q?ityConstraint=20in=20the=20caCMCcaCert=20profile,=20it=20effect?= - =?UTF-8?q?ively=20sets=20the=20restriction.?= - -Change-Id: I557894cfffacc656e3b3a453fe7e7c98f0b61d87 
-(cherry picked from commit a6a9576d506fbe6944b3dca32258c8661c2a800a) ---- - base/ca/shared/conf/registry.cfg | 5 ++++- - base/ca/shared/profiles/ca/caCMCcaCert.cfg | 6 ++---- - .../cms/profile/constraint/CAValidityConstraint.java | 19 +++++++++++++------ - 3 files changed, 19 insertions(+), 11 deletions(-) - -diff --git a/base/ca/shared/conf/registry.cfg b/base/ca/shared/conf/registry.cfg -index 519d854..54e4d95 100644 ---- a/base/ca/shared/conf/registry.cfg -+++ b/base/ca/shared/conf/registry.cfg -@@ -1,5 +1,5 @@ - types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater --constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl -+constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl - constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint - constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint - constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint -@@ -42,6 +42,9 @@ constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Na - 
constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint - constraintPolicy.validityConstraintImpl.desc=Validity Constraint - constraintPolicy.validityConstraintImpl.name=Validity Constraint -+constraintPolicy.caValidityConstraintImpl.class=com.netscape.cms.profile.constraint.CAValidityConstraint -+constraintPolicy.caValidityConstraintImpl.desc=CA Validity Constraint -+constraintPolicy.caValidityConstraintImpl.name=CA Validity Constraint - constraintPolicy.renewGracePeriodConstraintImpl.class=com.netscape.cms.profile.constraint.RenewGracePeriodConstraint - constraintPolicy.renewGracePeriodConstraintImpl.desc=Renewal Grace Period Constraint - constraintPolicy.renewGracePeriodConstraintImpl.name=Renewal Grace Period Constraint -diff --git a/base/ca/shared/profiles/ca/caCMCcaCert.cfg b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -index f6df36f..9c95182 100644 ---- a/base/ca/shared/profiles/ca/caCMCcaCert.cfg -+++ b/base/ca/shared/profiles/ca/caCMCcaCert.cfg -@@ -19,11 +19,9 @@ policyset.caCertSet.1.constraint.params.accept=true - policyset.caCertSet.1.default.class_id=userSubjectNameDefaultImpl - policyset.caCertSet.1.default.name=Subject Name Default - policyset.caCertSet.1.default.params.name= --policyset.caCertSet.2.constraint.class_id=validityConstraintImpl --policyset.caCertSet.2.constraint.name=Validity Constraint -+policyset.caCertSet.2.constraint.class_id=caValidityConstraintImpl -+policyset.caCertSet.2.constraint.name=CA Validity Constraint - policyset.caCertSet.2.constraint.params.range=7305 --policyset.caCertSet.2.constraint.params.notBeforeCheck=false --policyset.caCertSet.2.constraint.params.notAfterCheck=false - policyset.caCertSet.2.default.class_id=caValidityDefaultImpl - policyset.caCertSet.2.default.name=CA Certificate Validity Default - policyset.caCertSet.2.default.params.range=7305 -diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java 
b/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java -index 77585c0..0e55f2b 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java -+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CAValidityConstraint.java -@@ -74,7 +74,8 @@ public class CAValidityConstraint extends CAEnrollConstraint { - */ - public void validate(IRequest request, X509CertInfo info) - throws ERejectException { -- CMS.debug("CAValidityConstraint: validate start"); -+ String method = "CAValidityConstraint: validate: "; -+ CMS.debug(method + "validate start"); - CertificateValidity v = null; - - try { -@@ -88,7 +89,7 @@ public class CAValidityConstraint extends CAEnrollConstraint { - try { - notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE); - } catch (IOException e) { -- CMS.debug("CAValidity: not before " + e.toString()); -+ CMS.debug(method + "not before " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); - } -@@ -97,27 +98,33 @@ public class CAValidityConstraint extends CAEnrollConstraint { - try { - notAfter = (Date) v.get(CertificateValidity.NOT_AFTER); - } catch (IOException e) { -- CMS.debug("CAValidity: not after " + e.toString()); -+ CMS.debug(method + "not after " + e.toString()); - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); - } - - if (mDefNotBefore != null) { -- CMS.debug("ValidtyConstraint: notBefore=" + notBefore + -+ CMS.debug(method + "notBefore=" + notBefore + - " defNotBefore=" + mDefNotBefore); - if (notBefore.before(mDefNotBefore)) { - throw new ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_BEFORE")); - } - } -- CMS.debug("ValidtyConstraint: notAfter=" + notAfter + -+ CMS.debug(method + "notAfter=" + notAfter + - " defNotAfter=" + mDefNotAfter); - if (notAfter.after(mDefNotAfter)) { - throw new 
ERejectException(CMS.getUserMessage( - getLocale(request), "CMS_PROFILE_INVALID_NOT_AFTER")); - } - -- CMS.debug("CAValidtyConstraint: validate end"); -+ if (notAfter.getTime() < notBefore.getTime()) { -+ CMS.debug(method + "notAfter (" + notAfter + ") < notBefore (" + notBefore + ")"); -+ throw new ERejectException(CMS.getUserMessage(getLocale(request), -+ "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE")); -+ } -+ -+ CMS.debug(method + "validate end"); - } - - public String getText(Locale locale) { --- -1.8.3.1 - - -From 28319a47ffa02b7dc2d02364dedde36e8738f2b6 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 4 Dec 2017 22:05:06 +0100 -Subject: Cleaned up CMake scripts. - -The CMake scripts in Tomcat folders have been cleaned up to remove -redundant find_file() invocations. - -https://pagure.io/dogtagpki/issue/2560 - -Change-Id: Idf7c21e9c55c6113111ac43cc2e3ea4239076164 -(cherry picked from commit 3a179d961561c3cbb51d19e358d7eae4b7d067a7) ---- - base/CMakeLists.txt | 7 ++ - base/server/tomcat/src/CMakeLists.txt | 118 ++------------------------------- - base/server/tomcat7/src/CMakeLists.txt | 89 ------------------------- - base/server/tomcat8/src/CMakeLists.txt | 92 +------------------------ - 4 files changed, 13 insertions(+), 293 deletions(-) - -diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt -index 0b93c51..4ece8e0 100644 ---- a/base/CMakeLists.txt -+++ b/base/CMakeLists.txt -@@ -152,6 +152,13 @@ find_file(TOMCAT_CATALINA_JAR - /usr/share/java/tomcat - ) - -+find_file(TOMCAT_COYOTE_JAR -+ NAMES -+ tomcat-coyote.jar -+ PATHS -+ /usr/share/java/tomcat -+) -+ - find_file(TOMCAT_UTIL_JAR - NAMES - tomcat-util.jar -diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt -index b9a3b4c..ebbf696 100644 ---- a/base/server/tomcat/src/CMakeLists.txt -+++ b/base/server/tomcat/src/CMakeLists.txt -@@ -1,125 +1,15 @@ - project(pki-tomcat) - --find_file(JSS_JAR -- NAMES -- jss4.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- 
/usr/share/java --) -- --find_file(LDAPJDK_JAR -- NAMES -- ldapjdk.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(COMMONS_CODEC_JAR -- NAMES -- commons-codec.jar -- PATHS -- /usr/share/java --) -- --find_file(COMMONS_HTTPCLIENT_JAR -- NAMES -- commons-httpclient.jar -- PATHS -- /usr/share/java --) -- --find_file(APACHE_COMMONS_LANG_JAR -- NAMES -- apache-commons-lang.jar -- PATHS -- /usr/share/java --) -- --find_file(VELOCITY_JAR -- NAMES -- velocity.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XALAN_JAR -- NAMES -- xalan-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XERCES_JAR -- NAMES -- xerces-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(RESTEASY_JAXRS_JAR -- NAMES -- resteasy-jaxrs.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(RESTEASY_ATOM_PROVIDER_JAR -- NAMES -- resteasy-atom-provider.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(HTTPCLIENT_JAR -- NAMES -- httpclient.jar -- PATHS -- /usr/share/java/httpcomponents --) -- --find_file(HTTPCORE_JAR -- NAMES -- httpcore.jar -- PATHS -- /usr/share/java/httpcomponents --) -- --find_file(TOMCATJSS_JAR -- NAMES -- tomcatjss.jar -- PATHS -- /usr/share/java --) -- --find_file(NUXWDOG_JAR -- NAMES -- nuxwdog.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(TOMCAT_COYOTE_JAR -- NAMES -- tomcat-coyote.jar -- PATHS -- /usr/share/java/tomcat --) -- - # build pki-tomcat - javac(pki-tomcat-classes - SOURCES - *.java - CLASSPATH -- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} -- ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} -- ${TOMCAT_COYOTE_JAR} -+ ${SERVLET_JAR} -+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_COYOTE_JAR} ${TOMCAT_UTIL_SCAN_JAR} -+ ${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR} - OUTPUT_DIR - ${CMAKE_BINARY_DIR}/../../tomcat - DEPENDS -+ pki-tools-jar - ) -diff --git a/base/server/tomcat7/src/CMakeLists.txt 
b/base/server/tomcat7/src/CMakeLists.txt -index 0293abf..58c9d87 100644 ---- a/base/server/tomcat7/src/CMakeLists.txt -+++ b/base/server/tomcat7/src/CMakeLists.txt -@@ -1,94 +1,5 @@ - project(pki-tomcat7) - --find_file(JSS_JAR -- NAMES -- jss4.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(LDAPJDK_JAR -- NAMES -- ldapjdk.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(COMMONS_CODEC_JAR -- NAMES -- commons-codec.jar -- PATHS -- /usr/share/java --) -- --find_file(COMMONS_HTTPCLIENT_JAR -- NAMES -- commons-httpclient.jar -- PATHS -- /usr/share/java --) -- --find_file(APACHE_COMMONS_LANG_JAR -- NAMES -- apache-commons-lang.jar -- PATHS -- /usr/share/java --) -- --find_file(VELOCITY_JAR -- NAMES -- velocity.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XALAN_JAR -- NAMES -- xalan-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XERCES_JAR -- NAMES -- xerces-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(RESTEASY_JAXRS_JAR -- NAMES -- resteasy-jaxrs.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(RESTEASY_ATOM_PROVIDER_JAR -- NAMES -- resteasy-atom-provider.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(HTTPCLIENT_JAR -- NAMES -- httpclient.jar -- PATHS -- /usr/share/java/httpcomponents --) -- --find_file(HTTPCORE_JAR -- NAMES -- httpcore.jar -- PATHS -- /usr/share/java/httpcomponents --) -- - # build pki-tomcat - javac(pki-tomcat7-classes - SOURCES -diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt -index 110ad20..70d0ef6 100644 ---- a/base/server/tomcat8/src/CMakeLists.txt -+++ b/base/server/tomcat8/src/CMakeLists.txt -@@ -1,100 +1,12 @@ - project(pki-tomcat8) - --find_file(JSS_JAR -- NAMES -- jss4.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(LDAPJDK_JAR -- NAMES -- ldapjdk.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java 
--) -- --find_file(COMMONS_CODEC_JAR -- NAMES -- commons-codec.jar -- PATHS -- /usr/share/java --) -- --find_file(COMMONS_HTTPCLIENT_JAR -- NAMES -- commons-httpclient.jar -- PATHS -- /usr/share/java --) -- --find_file(APACHE_COMMONS_LANG_JAR -- NAMES -- apache-commons-lang.jar -- PATHS -- /usr/share/java --) -- --find_file(VELOCITY_JAR -- NAMES -- velocity.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XALAN_JAR -- NAMES -- xalan-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(XERCES_JAR -- NAMES -- xerces-j2.jar -- PATHS -- ${JAVA_LIB_INSTALL_DIR} -- /usr/share/java --) -- --find_file(RESTEASY_JAXRS_JAR -- NAMES -- resteasy-jaxrs.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(RESTEASY_ATOM_PROVIDER_JAR -- NAMES -- resteasy-atom-provider.jar -- PATHS -- ${RESTEASY_LIB} --) -- --find_file(HTTPCLIENT_JAR -- NAMES -- httpclient.jar -- PATHS -- /usr/share/java/httpcomponents --) -- --find_file(HTTPCORE_JAR -- NAMES -- httpcore.jar -- PATHS -- /usr/share/java/httpcomponents --) -- - # build pki-tomcat - javac(pki-tomcat8-classes - SOURCES - *.java - CLASSPATH -- ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${TOMCAT_API_JAR} -+ ${SERVLET_JAR} -+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR} ${TOMCAT_API_JAR} - ${JAXRS_API_JAR} - ${CMAKE_BINARY_DIR}/../../tomcat - OUTPUT_DIR --- -1.8.3.1 - - -From 02694bab7fdc18e08f559b7a8fa219bbb39b97ae Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 5 Dec 2017 01:18:43 +0100 -Subject: Refactored instance_layout.py. - -The methods in instance_layout.py has been modified to return early. -The code has been reformatted to reduce indentations. 
- -https://pagure.io/dogtagpki/issue/2560 - -Change-Id: Icfac8d4b1af2b09f9df82befbc5714f9d1af38aa -(cherry picked from commit a60d4d987f1bf9dc9d72031994a6aa2fb7b9f7e4) ---- - .../deployment/scriptlets/instance_layout.py | 281 +++++++++++---------- - 1 file changed, 142 insertions(+), 139 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index a9a2840..fc08fe1 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -41,159 +41,162 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - -- # if this is the first subsystem -- if len(deployer.instance.tomcat_instance_subsystems()) == 1: -- -- # establish instance logs -- deployer.directory.create(deployer.mdict['pki_instance_log_path']) -+ # if this is not the first subsystem, skip -+ if len(deployer.instance.tomcat_instance_subsystems()) != 1: -+ return - -- # copy /usr/share/pki/server/conf tree into -- # /var/lib/pki//conf -- # except common ldif files and theme deployment descriptor -- deployer.directory.copy( -+ # establish instance logs -+ deployer.directory.create(deployer.mdict['pki_instance_log_path']) -+ -+ # copy /usr/share/pki/server/conf tree into -+ # /var/lib/pki//conf -+ # except common ldif files and theme deployment descriptor -+ deployer.directory.copy( -+ deployer.mdict['pki_source_server_path'], -+ deployer.mdict['pki_instance_configuration_path'], -+ ignore_cb=file_ignore_callback_src_server) -+ -+ # Link /etc/pki//logging.properties -+ # to /usr/share/pki/server/conf/logging.properties. 
-+ deployer.symlink.create( -+ os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), -+ os.path.join(deployer.mdict['pki_instance_configuration_path'], -+ "logging.properties")) -+ -+ # create /etc/sysconfig/ -+ deployer.file.copy_with_slot_substitution( -+ deployer.mdict['pki_source_tomcat_conf'], -+ deployer.mdict['pki_target_tomcat_conf_instance_id'], -+ uid=0, gid=0, overwrite_flag=True) -+ -+ # create /var/lib/pki//conf/tomcat.conf -+ deployer.file.copy_with_slot_substitution( -+ deployer.mdict['pki_source_tomcat_conf'], -+ deployer.mdict['pki_target_tomcat_conf'], -+ overwrite_flag=True) -+ -+ # Deploy ROOT web application -+ deployer.deploy_webapp( -+ "ROOT", -+ os.path.join( -+ config.PKI_DEPLOYMENT_SOURCE_ROOT, -+ "server", -+ "webapps", -+ "ROOT"), -+ os.path.join( -+ deployer.mdict['pki_source_server_path'], -+ "Catalina", -+ "localhost", -+ "ROOT.xml")) -+ -+ # Deploy pki web application which includes themes, -+ # admin templates, and JS libraries -+ deployer.deploy_webapp( -+ "pki", -+ os.path.join( -+ config.PKI_DEPLOYMENT_SOURCE_ROOT, -+ "server", -+ "webapps", -+ "pki"), -+ os.path.join( - deployer.mdict['pki_source_server_path'], -- deployer.mdict['pki_instance_configuration_path'], -- ignore_cb=file_ignore_callback_src_server) -+ "Catalina", -+ "localhost", -+ "pki.xml")) - -- # Link /etc/pki//logging.properties -- # to /usr/share/pki/server/conf/logging.properties. 
-+ # Create Tomcat instance library -+ deployer.directory.create(deployer.mdict['pki_instance_lib']) -+ for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']): - deployer.symlink.create( -- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), -- os.path.join(deployer.mdict['pki_instance_configuration_path'], -- "logging.properties")) -- -- # create /etc/sysconfig/ -- deployer.file.copy_with_slot_substitution( -- deployer.mdict['pki_source_tomcat_conf'], -- deployer.mdict['pki_target_tomcat_conf_instance_id'], -- uid=0, gid=0, overwrite_flag=True) -- -- # create /var/lib/pki//conf/tomcat.conf -- deployer.file.copy_with_slot_substitution( -- deployer.mdict['pki_source_tomcat_conf'], -- deployer.mdict['pki_target_tomcat_conf'], -- overwrite_flag=True) -- -- # Deploy ROOT web application -- deployer.deploy_webapp( -- "ROOT", -- os.path.join( -- config.PKI_DEPLOYMENT_SOURCE_ROOT, -- "server", -- "webapps", -- "ROOT"), -- os.path.join( -- deployer.mdict['pki_source_server_path'], -- "Catalina", -- "localhost", -- "ROOT.xml")) -- -- # Deploy pki web application which includes themes, -- # admin templates, and JS libraries -- deployer.deploy_webapp( -- "pki", - os.path.join( -- config.PKI_DEPLOYMENT_SOURCE_ROOT, -- "server", -- "webapps", -- "pki"), -+ deployer.mdict['pki_tomcat_lib_path'], -+ name), - os.path.join( -- deployer.mdict['pki_source_server_path'], -- "Catalina", -- "localhost", -- "pki.xml")) -- -- # Create Tomcat instance library -- deployer.directory.create(deployer.mdict['pki_instance_lib']) -- for name in os.listdir(deployer.mdict['pki_tomcat_lib_path']): -- deployer.symlink.create( -- os.path.join( -- deployer.mdict['pki_tomcat_lib_path'], -- name), -- os.path.join( -- deployer.mdict['pki_instance_lib'], -- name)) -- -- # Link /var/lib/pki//lib/log4j.properties -- # to /usr/share/pki/server/conf/log4j.properties. 
-- deployer.symlink.create( -- os.path.join(deployer.mdict['pki_source_server_path'], -- "log4j.properties"), -- deployer.mdict['pki_instance_lib_log4j_properties']) -- -- # Link /var/lib/pki//common to /usr/share/pki/server/common -- deployer.symlink.create( -- '/usr/share/pki/server/common', -- deployer.mdict['pki_tomcat_common_path']) -- -- deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) -- -- deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) -- deployer.directory.create( -- deployer.mdict['pki_tomcat_work_catalina_path']) -- deployer.directory.create( -- deployer.mdict['pki_tomcat_work_catalina_host_path']) -- deployer.directory.create( -- deployer.mdict['pki_tomcat_work_catalina_host_run_path']) -- deployer.directory.create( -- deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) -- # establish Tomcat instance logs -- # establish Tomcat instance registry -- # establish Tomcat instance convenience symbolic links -- deployer.symlink.create( -- deployer.mdict['pki_tomcat_bin_path'], -- deployer.mdict['pki_tomcat_bin_link']) -- deployer.symlink.create( -- deployer.mdict['pki_tomcat_systemd'], -- deployer.mdict['pki_instance_systemd_link'], -- uid=0, gid=0) -- -- # establish shared NSS security databases for this instance -- deployer.directory.create(deployer.mdict['pki_database_path']) -- # establish instance convenience symbolic links -- deployer.symlink.create( -- deployer.mdict['pki_database_path'], -- deployer.mdict['pki_instance_database_link']) -- deployer.symlink.create( -- deployer.mdict['pki_instance_configuration_path'], -- deployer.mdict['pki_instance_conf_link']) -- deployer.symlink.create( -- deployer.mdict['pki_instance_log_path'], -- deployer.mdict['pki_instance_logs_link']) -- -- # create Tomcat instance systemd service link -- deployer.symlink.create(deployer.mdict['pki_systemd_service'], -- deployer.mdict['pki_systemd_service_link']) -+ deployer.mdict['pki_instance_lib'], -+ name)) -+ -+ # Link 
/var/lib/pki//lib/log4j.properties -+ # to /usr/share/pki/server/conf/log4j.properties. -+ deployer.symlink.create( -+ os.path.join(deployer.mdict['pki_source_server_path'], -+ "log4j.properties"), -+ deployer.mdict['pki_instance_lib_log4j_properties']) -+ -+ # Link /var/lib/pki//common to /usr/share/pki/server/common -+ deployer.symlink.create( -+ '/usr/share/pki/server/common', -+ deployer.mdict['pki_tomcat_common_path']) -+ -+ deployer.directory.create(deployer.mdict['pki_tomcat_tmpdir_path']) -+ -+ deployer.directory.create(deployer.mdict['pki_tomcat_work_path']) -+ deployer.directory.create( -+ deployer.mdict['pki_tomcat_work_catalina_path']) -+ deployer.directory.create( -+ deployer.mdict['pki_tomcat_work_catalina_host_path']) -+ deployer.directory.create( -+ deployer.mdict['pki_tomcat_work_catalina_host_run_path']) -+ deployer.directory.create( -+ deployer.mdict['pki_tomcat_work_catalina_host_subsystem_path']) -+ # establish Tomcat instance logs -+ # establish Tomcat instance registry -+ # establish Tomcat instance convenience symbolic links -+ deployer.symlink.create( -+ deployer.mdict['pki_tomcat_bin_path'], -+ deployer.mdict['pki_tomcat_bin_link']) -+ deployer.symlink.create( -+ deployer.mdict['pki_tomcat_systemd'], -+ deployer.mdict['pki_instance_systemd_link'], -+ uid=0, gid=0) -+ -+ # establish shared NSS security databases for this instance -+ deployer.directory.create(deployer.mdict['pki_database_path']) -+ # establish instance convenience symbolic links -+ deployer.symlink.create( -+ deployer.mdict['pki_database_path'], -+ deployer.mdict['pki_instance_database_link']) -+ deployer.symlink.create( -+ deployer.mdict['pki_instance_configuration_path'], -+ deployer.mdict['pki_instance_conf_link']) -+ deployer.symlink.create( -+ deployer.mdict['pki_instance_log_path'], -+ deployer.mdict['pki_instance_logs_link']) -+ -+ # create Tomcat instance systemd service link -+ deployer.symlink.create(deployer.mdict['pki_systemd_service'], -+ 
deployer.mdict['pki_systemd_service_link']) - - def destroy(self, deployer): - - config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - -- if len(deployer.instance.tomcat_instance_subsystems()) == 0: -- -- # remove Tomcat instance systemd service link -- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) -+ # if this is not the last subsystem, skip -+ if len(deployer.instance.tomcat_instance_subsystems()) != 0: -+ return - -- # remove Tomcat instance base -- deployer.directory.delete(deployer.mdict['pki_instance_path']) -- # remove Tomcat instance logs -- deployer.directory.delete(deployer.mdict['pki_instance_log_path']) -- # remove shared NSS security database path for this instance -- deployer.directory.delete(deployer.mdict['pki_database_path']) -- # remove Tomcat instance configuration -- deployer.directory.delete( -- deployer.mdict['pki_instance_configuration_path']) -- # remove PKI 'tomcat.conf' instance file -- deployer.file.delete( -- deployer.mdict['pki_target_tomcat_conf_instance_id']) -- # remove Tomcat instance registry -+ # remove Tomcat instance systemd service link -+ deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) -+ -+ # remove Tomcat instance base -+ deployer.directory.delete(deployer.mdict['pki_instance_path']) -+ # remove Tomcat instance logs -+ deployer.directory.delete(deployer.mdict['pki_instance_log_path']) -+ # remove shared NSS security database path for this instance -+ deployer.directory.delete(deployer.mdict['pki_database_path']) -+ # remove Tomcat instance configuration -+ deployer.directory.delete( -+ deployer.mdict['pki_instance_configuration_path']) -+ # remove PKI 'tomcat.conf' instance file -+ deployer.file.delete( -+ deployer.mdict['pki_target_tomcat_conf_instance_id']) -+ # remove Tomcat instance registry -+ deployer.directory.delete( -+ deployer.mdict['pki_instance_registry_path']) -+ # remove Tomcat PKI registry (if empty) -+ if 
deployer.instance.tomcat_instances() == 0: - deployer.directory.delete( -- deployer.mdict['pki_instance_registry_path']) -- # remove Tomcat PKI registry (if empty) -- if deployer.instance.tomcat_instances() == 0: -- deployer.directory.delete( -- deployer.mdict['pki_instance_type_registry_path']) -+ deployer.mdict['pki_instance_type_registry_path']) - - - # Callback only when the /usr/share/pki/server/conf directory --- -1.8.3.1 - - -From 658264176174a011c5ed5bdbad763554bdc6853d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 5 Dec 2017 18:09:57 +0100 -Subject: Refactored configuration.py. - -The code that updates the cert parameter in configure_system_cert() -has been moved into a separate update_system_cert() method to -allow reusability. - -https://pagure.io/dogtagpki/issue/2560 - -Change-Id: Ic59edf2398eca1f46037746954ced20343602580 -(cherry picked from commit a490c258c5ba5c5f3995a9bf21fe7a46b5a63002) ---- - .../server/deployment/scriptlets/configuration.py | 96 ++++++++++++++-------- - 1 file changed, 60 insertions(+), 36 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 1870505..0fe4191 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -619,69 +619,75 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - self.import_cert_chain(deployer, nssdb) - -- def configure_system_cert(self, deployer, nssdb, subsystem, tag): -+ def configure_system_cert(self, deployer, subsystem, tag): - - cert_id = self.get_cert_id(subsystem, tag) -- - nickname = deployer.mdict['pki_%s_nickname' % cert_id] -- cert_data = nssdb.get_cert( -- nickname=nickname, -- output_format='base64') - - subsystem.config['%s.%s.nickname' % (subsystem.name, tag)] = nickname - subsystem.config['%s.%s.tokenname' % (subsystem.name, tag)] = \ - 
deployer.mdict['pki_%s_token' % cert_id] -- subsystem.config['%s.%s.cert' % (subsystem.name, tag)] = cert_data - subsystem.config['%s.%s.defaultSigningAlgorithm' % (subsystem.name, tag)] = \ - deployer.mdict['pki_%s_key_algorithm' % cert_id] - -- def configure_ca_signing_cert(self, deployer, nssdb, subsystem): -+ def update_system_cert(self, deployer, nssdb, subsystem, tag): -+ -+ cert_id = self.get_cert_id(subsystem, tag) -+ nickname = deployer.mdict['pki_%s_nickname' % cert_id] -+ -+ cert_data = nssdb.get_cert( -+ nickname=nickname, -+ output_format='base64') -+ -+ subsystem.config['%s.%s.cert' % (subsystem.name, tag)] = cert_data -+ -+ def configure_ca_signing_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring ca_signing certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'signing') -+ self.configure_system_cert(deployer, subsystem, 'signing') - - nickname = deployer.mdict['pki_ca_signing_nickname'] - subsystem.config['ca.signing.cacertnickname'] = nickname - -- def configure_ca_ocsp_signing_cert(self, deployer, nssdb, subsystem): -+ def configure_ca_ocsp_signing_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring ca_ocsp_signing certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'ocsp_signing') -+ self.configure_system_cert(deployer, subsystem, 'ocsp_signing') - -- def configure_sslserver_cert(self, deployer, nssdb, subsystem): -+ def configure_sslserver_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring sslserver certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'sslserver') -+ self.configure_system_cert(deployer, subsystem, 'sslserver') - -- def configure_subsystem_cert(self, deployer, nssdb, subsystem): -+ def configure_subsystem_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring 
subsystem certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'subsystem') -+ self.configure_system_cert(deployer, subsystem, 'subsystem') - -- def configure_audit_signing_cert(self, deployer, nssdb, subsystem): -+ def configure_audit_signing_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring audit_signing certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'audit_signing') -+ self.configure_system_cert(deployer, subsystem, 'audit_signing') - -- def configure_admin_cert(self, deployer, subsystem): -+ def update_admin_cert(self, deployer, subsystem): - - config.pki_log.info( -- "configuring admin certificate", -+ "updating admin certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - - client_nssdb = pki.nssdb.NSSDatabase( -@@ -699,48 +705,65 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - finally: - client_nssdb.close() - -- def configure_kra_storage_cert(self, deployer, nssdb, subsystem): -+ def configure_kra_storage_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring kra_storage certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'storage') -+ self.configure_system_cert(deployer, subsystem, 'storage') - -- def configure_kra_transport_cert(self, deployer, nssdb, subsystem): -+ def configure_kra_transport_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring kra_transport certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- self.configure_system_cert(deployer, nssdb, subsystem, 'transport') -+ self.configure_system_cert(deployer, subsystem, 'transport') - -- def configure_ocsp_signing_cert(self, deployer, nssdb, subsystem): -+ def configure_ocsp_signing_cert(self, deployer, subsystem): - - config.pki_log.info( - "configuring ocsp_signing certificate", - extra=config.PKI_INDENTATION_LEVEL_2) - -- 
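Review bot: `update_system_cert` stores the return value of `nssdb.get_cert` in `subsystem.config['%s.%s.cert' ...]` without checking it; if `get_cert` returns None for a nickname that is not present in the NSS database (which it appears to do in pki.nssdb), `subsystem.save()` later writes a `...cert=None` entry into CS.cfg and the failure only surfaces in `validate_system_certs` or at runtime. A guard before the assignment such as `if cert_data is None: raise Exception('Missing %s certificate: %s' % (tag, nickname))` reports the problem at the point the certificate is looked up, with the nickname that was tried. The same unchecked assignment existed in the old `configure_system_cert`, so this is pre-existing behaviour carried into the new method rather than a regression introduced here.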
self.configure_system_cert(deployer, nssdb, subsystem, 'signing') -+ self.configure_system_cert(deployer, subsystem, 'signing') -+ -+ def configure_system_certs(self, deployer, subsystem): -+ -+ if subsystem.name == 'ca': -+ self.configure_ca_signing_cert(deployer, subsystem) -+ self.configure_ca_ocsp_signing_cert(deployer, subsystem) -+ -+ if subsystem.name == 'kra': -+ self.configure_kra_storage_cert(deployer, subsystem) -+ self.configure_kra_transport_cert(deployer, subsystem) -+ -+ if subsystem.name == 'ocsp': -+ self.configure_ocsp_signing_cert(deployer, subsystem) -+ -+ self.configure_sslserver_cert(deployer, subsystem) -+ self.configure_subsystem_cert(deployer, subsystem) -+ self.configure_audit_signing_cert(deployer, subsystem) - -- def configure_system_certs(self, deployer, nssdb, subsystem): -+ def update_system_certs(self, deployer, nssdb, subsystem): - - if subsystem.name == 'ca': -- self.configure_ca_signing_cert(deployer, nssdb, subsystem) -- self.configure_ca_ocsp_signing_cert(deployer, nssdb, subsystem) -+ self.update_system_cert(deployer, nssdb, subsystem, 'signing') -+ self.update_system_cert(deployer, nssdb, subsystem, 'ocsp_signing') - - if subsystem.name == 'kra': -- self.configure_kra_storage_cert(deployer, nssdb, subsystem) -- self.configure_kra_transport_cert(deployer, nssdb, subsystem) -- self.configure_admin_cert(deployer, subsystem) -+ self.update_system_cert(deployer, nssdb, subsystem, 'storage') -+ self.update_system_cert(deployer, nssdb, subsystem, 'transport') -+ self.update_admin_cert(deployer, subsystem) - - if subsystem.name == 'ocsp': -- self.configure_ocsp_signing_cert(deployer, nssdb, subsystem) -- self.configure_admin_cert(deployer, subsystem) -+ self.update_system_cert(deployer, nssdb, subsystem, 'signing') -+ self.update_admin_cert(deployer, subsystem) - -- self.configure_sslserver_cert(deployer, nssdb, subsystem) -- self.configure_subsystem_cert(deployer, nssdb, subsystem) -- self.configure_audit_signing_cert(deployer, 
nssdb, subsystem) -+ self.update_system_cert(deployer, nssdb, subsystem, 'sslserver') -+ self.update_system_cert(deployer, nssdb, subsystem, 'subsystem') -+ self.update_system_cert(deployer, nssdb, subsystem, 'audit_signing') - - def validate_system_cert(self, deployer, nssdb, subsystem, tag): - -@@ -1007,7 +1030,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - self.import_system_cert_requests(deployer, subsystem) - self.import_system_certs(deployer, nssdb, subsystem) - -- self.configure_system_certs(deployer, nssdb, subsystem) -+ self.configure_system_certs(deployer, subsystem) -+ self.update_system_certs(deployer, nssdb, subsystem) - subsystem.save() - - self.validate_system_certs(deployer, nssdb, subsystem) --- -1.8.3.1 - - -From f9dc3ed48ec7ce33b1160df7de49032e53db54a0 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 5 Dec 2017 02:20:18 +0100 -Subject: Removed obsolete JSS connector parameters. - -The following JSS connector parameters are obsolete: -* sslOptions -* ssl2Ciphers -* ssl3Ciphers -* tlsCiphers - -They are ignored when the "range" parameters are present, so they -have been removed from server.xml templates. 
- -https://pagure.io/dogtagpki/issue/2630 - -Change-Id: I966add1d919a26317929a69a53b9e56cb0134b29 -(cherry picked from commit bfaa447d9ecaaf5fd7156cc1bcbdf36036122de2) ---- - base/server/config/pkislots.cfg | 4 -- - .../python/pki/server/deployment/pkiparser.py | 48 ---------------------- - base/server/tomcat7/conf/server.xml | 8 ---- - base/server/tomcat8/conf/server.xml | 8 ---- - 4 files changed, 68 deletions(-) - -diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg -index d806c1f..0f07e19 100644 ---- a/base/server/config/pkislots.cfg -+++ b/base/server/config/pkislots.cfg -@@ -74,10 +74,6 @@ TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB] - TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR] - TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE] - TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT] --TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS] --TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS] --TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS] --TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS] - TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_STREAM] - TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT=[TOMCAT_SSL_VERSION_RANGE_DATAGRAM] - TOMCAT_SSL_RANGE_CIPHERS_SLOT=[TOMCAT_SSL_RANGE_CIPHERS] -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index c95fed1..e924908 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -1148,54 +1148,6 @@ class PKIConfigParser: - "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ - "+TLS_RSA_WITH_AES_256_CBC_SHA" -- self.mdict['TOMCAT_SSL2_CIPHERS_SLOT'] = \ -- "-SSL2_RC4_128_WITH_MD5," + \ -- "-SSL2_RC4_128_EXPORT40_WITH_MD5," + \ -- "-SSL2_RC2_128_CBC_WITH_MD5," + \ -- "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," + \ -- "-SSL2_DES_64_CBC_WITH_MD5," + \ -- "-SSL2_DES_192_EDE3_CBC_WITH_MD5" -- self.mdict['TOMCAT_SSL3_CIPHERS_SLOT'] = \ -- 
"-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," + \ -- "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," + \ -- "+SSL3_RSA_WITH_RC4_128_SHA," + \ -- "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," + \ -- "-SSL3_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "-SSL3_RSA_WITH_DES_CBC_SHA," + \ -- "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," + \ -- "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," + \ -- "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," + \ -- "-SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," + \ -- "-SSL3_RSA_WITH_NULL_MD5," + \ -- "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," + \ -- "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ -- "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" -- self.mdict['TOMCAT_SSL_OPTIONS_SLOT'] = \ -- "ssl2=false," + \ -- "ssl3=false," + \ -- "tls=true" -- self.mdict['TOMCAT_TLS_CIPHERS_SLOT'] = \ -- "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," + \ -- "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ -- "-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," + \ -- "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," + \ -- "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," + \ -- "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_RSA_WITH_AES_256_CBC_SHA," + \ -- "-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," + \ -- "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," + \ -- "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," + \ -- "-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \ -- "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \ -- "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \ -- "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \ -- "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" - - if self.deployer.architecture == 64: - self.mdict['NUXWDOG_JNI_PATH_SLOT'] = ( -diff --git a/base/server/tomcat7/conf/server.xml b/base/server/tomcat7/conf/server.xml -index 2db8bca..dae513d 100644 ---- a/base/server/tomcat7/conf/server.xml -+++ b/base/server/tomcat7/conf/server.xml -@@ -143,10 +143,6 @@ 
Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - 'ocspTimeout' - 'strictCiphers' - 'clientauth' (ALL lowercase) -- 'sslOptions' -- 'ssl2Ciphers' -- 'ssl3Ciphers' -- 'tlsCiphers' - 'sslVersionRangeStream' - 'sslVersionRangeDatagram' - 'sslRangeCiphers' -@@ -201,10 +197,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - ocspTimeout="10" - strictCiphers="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" -- sslOptions="[TOMCAT_SSL_OPTIONS]" -- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" -- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" -- tlsCiphers="[TOMCAT_TLS_CIPHERS]" - sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" - sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" - sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" -diff --git a/base/server/tomcat8/conf/server.xml b/base/server/tomcat8/conf/server.xml -index 64b1b00..d08e3b1 100644 ---- a/base/server/tomcat8/conf/server.xml -+++ b/base/server/tomcat8/conf/server.xml -@@ -162,10 +162,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - 'ocspTimeout' - 'strictCiphers' - 'clientauth' (ALL lowercase) -- 'sslOptions' -- 'ssl2Ciphers' -- 'ssl3Ciphers' -- 'tlsCiphers' - 'sslVersionRangeStream' - 'sslVersionRangeDatagram' - 'sslRangeCiphers' -@@ -227,10 +223,6 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) - ocspTimeout="10" - strictCiphers="true" - clientAuth="[PKI_AGENT_CLIENTAUTH]" -- sslOptions="[TOMCAT_SSL_OPTIONS]" -- ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" -- ssl3Ciphers="[TOMCAT_SSL3_CIPHERS]" -- tlsCiphers="[TOMCAT_TLS_CIPHERS]" - sslVersionRangeStream="[TOMCAT_SSL_VERSION_RANGE_STREAM]" - sslVersionRangeDatagram="[TOMCAT_SSL_VERSION_RANGE_DATAGRAM]" - sslRangeCiphers="[TOMCAT_SSL_RANGE_CIPHERS]" --- -1.8.3.1 - - -From 5d79128fc6834737bf2f93b8d9e95296154e184f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 5 Dec 2017 08:15:51 +0100 -Subject: Added pki-server cert-export CLI. 
- -A new pki-server cert-export CLI has been added to export a system -certificate with its key and certificate chain into a PKCS #12 file. -This is needed to export the SSL server certificate to be used by -Tomcat's built-in SSL connector. - -https://pagure.io/dogtagpki/issue/2560 - -Change-Id: Ic10af305bfb25c21641e78ef615533f70f9799b1 -(cherry picked from commit 33529f21f650a18d0ef80333158a6fd63812f770) ---- - base/server/python/pki/server/cli/cert.py | 201 ++++++++++++++++++++++++++++++ - 1 file changed, 201 insertions(+) - -diff --git a/base/server/python/pki/server/cli/cert.py b/base/server/python/pki/server/cli/cert.py -index 0757b36..0885348 100644 ---- a/base/server/python/pki/server/cli/cert.py -+++ b/base/server/python/pki/server/cli/cert.py -@@ -22,6 +22,7 @@ from __future__ import absolute_import - from __future__ import print_function - - import getopt -+import getpass - import sys - import tempfile - import os -@@ -45,6 +46,7 @@ class CertCLI(pki.cli.CLI): - self.add_module(CertUpdateCLI()) - self.add_module(CertCreateCLI()) - self.add_module(CertImportCLI()) -+ self.add_module(CertExportCLI()) - - @staticmethod - def print_system_cert(cert, show_all=False): -@@ -870,3 +872,202 @@ class CertImportCLI(pki.cli.CLI): - - finally: - nssdb.close() -+ -+ -+class CertExportCLI(pki.cli.CLI): -+ def __init__(self): -+ super(CertExportCLI, self).__init__( -+ 'export', 'Export system certificate.') -+ -+ def usage(self): # flake8: noqa -+ print('Usage: pki-server cert-export [OPTIONS] ') -+ print() -+ print('Specify at least one output file: certificate, CSR, or PKCS #12.') -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --cert-file Output file to store the exported certificate in PEM format.') -+ print(' --csr-file Output file to store the exported CSR in PEM format.') -+ print(' --pkcs12-file Output file to store the exported certificate and key in PKCS #12 format.') -+ print(' --pkcs12-password Password for the PKCS #12 
file.') -+ print(' --pkcs12-password-file Input file containing the password for the PKCS #12 file.') -+ print(' --append Append into an existing PKCS #12 file.') -+ print(' --no-trust-flags Do not include trust flags') -+ print(' --no-key Do not include private key') -+ print(' --no-chain Do not include certificate chain') -+ print(' -v, --verbose Run in verbose mode.') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, argv): -+ try: -+ opts, args = getopt.gnu_getopt(argv, 'i:v', [ -+ 'instance=', 'cert-file=', 'csr-file=', -+ 'pkcs12-file=', 'pkcs12-password=', 'pkcs12-password-file=', -+ 'append', 'no-trust-flags', 'no-key', 'no-chain', -+ 'verbose', 'debug', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.usage() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ cert_file = None -+ csr_file = None -+ pkcs12_file = None -+ pkcs12_password = None -+ pkcs12_password_file = None -+ append = False -+ include_trust_flags = True -+ include_key = True -+ include_chain = True -+ debug = False -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o == '--cert-file': -+ cert_file = a -+ -+ elif o == '--csr-file': -+ csr_file = a -+ -+ elif o == '--pkcs12-file': -+ pkcs12_file = a -+ -+ elif o == '--pkcs12-password': -+ pkcs12_password = a -+ -+ elif o == '--pkcs12-password-file': -+ pkcs12_password_file = a -+ -+ elif o == '--append': -+ append = True -+ -+ elif o == '--no-trust-flags': -+ include_trust_flags = False -+ -+ elif o == '--no-key': -+ include_key = False -+ -+ elif o == '--no-chain': -+ include_chain = False -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--debug': -+ debug = True -+ -+ elif o == '--help': -+ self.usage() -+ sys.exit() -+ -+ else: -+ self.print_message('ERROR: unknown option ' + o) -+ self.usage() -+ sys.exit(1) -+ -+ if len(args) < 1: -+ print('ERROR: missing cert ID') -+ self.usage() -+ sys.exit(1) -+ -+ cert_id 
= args[0] -+ -+ if not (cert_file or csr_file or pkcs12_file): -+ print('ERROR: missing output file') -+ self.usage() -+ sys.exit(1) -+ -+ instance = server.PKIInstance(instance_name) -+ -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ subsystem_name = None -+ cert_tag = cert_id -+ -+ if cert_id != 'sslserver' and cert_id != 'subsystem': -+ # To avoid ambiguity where cert ID can contain more than 1 _, we limit to one split -+ temp_cert_identify = cert_id.split('_', 1) -+ subsystem_name = temp_cert_identify[0] -+ cert_tag = temp_cert_identify[1] -+ -+ # If cert ID is instance specific, get it from first subsystem -+ if not subsystem_name: -+ subsystem_name = instance.subsystems[0].name -+ -+ subsystem = instance.get_subsystem(subsystem_name) -+ -+ if not subsystem: -+ print('ERROR: No %s subsystem in instance.' -+ '%s.' % (subsystem_name, instance_name)) -+ sys.exit(1) -+ -+ nssdb = instance.open_nssdb() -+ -+ try: -+ cert = subsystem.get_subsystem_cert(cert_tag) -+ -+ if not cert: -+ print('ERROR: missing %s certificate' % cert_id) -+ self.usage() -+ sys.exit(1) -+ -+ if cert_file: -+ -+ if self.verbose: -+ print('Exporting %s certificate into %s.' % (cert_id, cert_file)) -+ -+ cert_data = cert.get('data', None) -+ if cert_data is None: -+ print("ERROR: Unable to find certificate data for %s" % cert_id) -+ sys.exit(1) -+ -+ cert_data = pki.nssdb.convert_cert(cert_data, 'base64', 'pem') -+ with open(cert_file, 'w') as f: -+ f.write(cert_data) -+ -+ if csr_file: -+ -+ if self.verbose: -+ print('Exporting %s CSR into %s.' 
% (cert_id, csr_file)) -+ -+ cert_request = cert.get('request', None) -+ if cert_request is None: -+ print("ERROR: Unable to find certificate request for %s" % cert_id) -+ sys.exit(1) -+ -+ csr_data = pki.nssdb.convert_csr(cert_request, 'base64', 'pem') -+ with open(csr_file, 'w') as f: -+ f.write(csr_data) -+ -+ if pkcs12_file: -+ -+ if self.verbose: -+ print('Exporting %s certificate and key into %s.' % (cert_id, pkcs12_file)) -+ -+ if not pkcs12_password and not pkcs12_password_file: -+ pkcs12_password = getpass.getpass(prompt='Enter password for PKCS #12 file: ') -+ -+ nicknames = [] -+ nicknames.append(cert['nickname']) -+ -+ nssdb.export_pkcs12( -+ pkcs12_file=pkcs12_file, -+ pkcs12_password=pkcs12_password, -+ pkcs12_password_file=pkcs12_password_file, -+ nicknames=nicknames, -+ append=append, -+ include_trust_flags=include_trust_flags, -+ include_key=include_key, -+ include_chain=include_chain, -+ debug=debug) -+ -+ finally: -+ nssdb.close() --- -1.8.3.1 - - -From 0f379b99a6397319962220d9fdbea8fb384db5a3 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 6 Dec 2017 19:15:11 +0100 -Subject: Updated logger for Tomcat-related classes. - -The Tomcat-related classes have been modified to use JUL logging -framework. 
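Review bot: The cert-ID parsing in `execute` assumes every ID other than `sslserver`/`subsystem` contains an underscore: `cert_id.split('_', 1)` yields a single element for an argument like `signing`, and `temp_cert_identify[1]` then fails with an IndexError traceback instead of a usage error; add `if len(temp_cert_identify) != 2: print('ERROR: invalid cert ID: %s' % cert_id); sys.exit(1)` before unpacking, and similarly guard `instance.subsystems[0]`, which raises IndexError on an instance with no subsystems. On the PKCS #12 path, `--pkcs12-password` takes the password on the command line, where it is visible in process listings and shell history; the usage text should steer operators to the file or prompt variants, e.g. `print('  --pkcs12-password  Password for the PKCS #12 file (visible in process listings; prefer --pkcs12-password-file).')`. Since the export includes the private key unless `--no-key` is given, it is also worth confirming that `nssdb.export_pkcs12` (defined outside this hunk) creates the output file with restrictive permissions rather than the process umask default.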
- -https://pagure.io/dogtagpki/issue/2560 - -Change-Id: Ifb0fb61e3018940f27cd71f584cbeae2fc9e707c -(cherry picked from commit 9328085e1dae988f64445812af5d07027797fe92) ---- - .../cms/tomcat/AbstractPKIAuthenticator.java | 35 +++++++++++----------- - .../cms/tomcat/ExternalAuthenticationValve.java | 19 +++++++----- - .../src/com/netscape/cms/tomcat/PKIListener.java | 27 +++++++++-------- - 3 files changed, 43 insertions(+), 38 deletions(-) - -diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java -index f98377d..2a68a39 100644 ---- a/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java -+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java -@@ -20,15 +20,16 @@ package com.netscape.cms.tomcat; - - import java.io.IOException; - import java.security.cert.X509Certificate; -+import java.util.logging.Logger; - - import javax.servlet.http.HttpServletRequest; - import javax.servlet.http.HttpServletResponse; - import javax.servlet.http.HttpServletResponseWrapper; - -+import org.apache.catalina.Authenticator; - import org.apache.catalina.Container; - import org.apache.catalina.Globals; - import org.apache.catalina.LifecycleException; --import org.apache.catalina.Authenticator; - import org.apache.catalina.authenticator.AuthenticatorBase; - import org.apache.catalina.authenticator.BasicAuthenticator; - import org.apache.catalina.authenticator.FormAuthenticator; -@@ -40,6 +41,8 @@ import org.apache.catalina.connector.Request; - */ - public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - -+ final static Logger logger = Logger.getLogger(AbstractPKIAuthenticator.class.getName()); -+ - public final static String BASIC_AUTHENTICATOR = "BASIC"; - public final static String FORM_AUTHENTICATOR = "FORM"; - -@@ -49,7 +52,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - 
AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator(); - - public AbstractPKIAuthenticator() { -- log("Creating SSL authenticator with fallback"); -+ logger.info("PKIAuthenticator: Creating " + getClass().getSimpleName()); - } - - public String getFallbackMethod() { -@@ -57,7 +60,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - } - - public void setFallbackMethod(String fallbackMethod) { -- log("Fallback method: "+fallbackMethod); -+ logger.info("PKIAuthenticator: Fallback method: " + fallbackMethod); - this.fallbackMethod = fallbackMethod; - - if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) { -@@ -74,25 +77,25 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - boolean result; - - if (certs != null && certs.length > 0) { -- log("Authenticate with client certificate authentication"); -+ logger.info("PKIAuthenticator: Authenticate with client certificate authentication"); - HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { - public void setHeader(String name, String value) { -- log("SSL auth header: "+name+"="+value); -+ logger.fine("PKIAuthenticator: SSL auth header: " + name + "=" + value); - }; - public void sendError(int code) { -- log("SSL auth return code: "+code); -+ logger.fine("PKIAuthenticator: SSL auth return code: " + code); - } - }; - result = doSubAuthenticate(sslAuthenticator, request, wrapper); - - } else { -- log("Authenticating with "+fallbackMethod+" authentication"); -+ logger.info("PKIAuthenticator: Authenticating with " + fallbackMethod + " authentication"); - HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) { - public void setHeader(String name, String value) { -- log("Fallback auth header: "+name+"="+value); -+ logger.fine("PKIAuthenticator: Fallback auth header: " + name + "=" + value); - }; - public void sendError(int code) { -- log("Fallback auth return code: "+code); -+ 
logger.fine("PKIAuthenticator: Fallback auth return code: " + code); - } - }; - result = doSubAuthenticate(fallbackAuthenticator, request, wrapper); -@@ -101,7 +104,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - if (result) - return true; - -- log("Result: "+result); -+ logger.info("PKIAuthenticator: Result: " + result); - String realmName = doGetRealmName(request); - response.setHeader(AUTH_HEADER_NAME, - "Basic realm=\"" + (realmName == null ? REALM_NAME : realmName) + "\""); -@@ -124,7 +127,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - - @Override - public void setContainer(Container container) { -- log("Setting container"); -+ logger.fine("PKIAuthenticator: Setting container"); - super.setContainer(container); - sslAuthenticator.setContainer(container); - fallbackAuthenticator.setContainer(container); -@@ -132,7 +135,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - - @Override - protected void initInternal() throws LifecycleException { -- log("Initializing authenticators"); -+ logger.fine("PKIAuthenticator: Initializing authenticators"); - - super.initInternal(); - -@@ -145,7 +148,7 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - - @Override - public void startInternal() throws LifecycleException { -- log("Starting authenticators"); -+ logger.fine("PKIAuthenticator: Starting authenticators"); - super.startInternal(); - sslAuthenticator.start(); - fallbackAuthenticator.start(); -@@ -153,13 +156,9 @@ public abstract class AbstractPKIAuthenticator extends AuthenticatorBase { - - @Override - public void stopInternal() throws LifecycleException { -- log("Stopping authenticators"); -+ logger.fine("PKIAuthenticator: Stopping authenticators"); - super.stopInternal(); - sslAuthenticator.stop(); - fallbackAuthenticator.stop(); - } -- -- public void log(String message) { -- System.out.println("SSLAuthenticatorWithFallback: "+message); -- 
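Review bot: In the `@@ -101,7 +104,7 @@` hunk, `logger.info("PKIAuthenticator: Result: " + result)` is reached only after `if (result) return true;`, so `result` is always false there and the line logs a constant at INFO for every failed authentication attempt. A message that states what happens next is more useful and belongs at a lower level, e.g. `logger.fine("PKIAuthenticator: authentication failed, challenging with BASIC realm");`. The per-request `logger.info(...)` calls in the preceding hunk ("Authenticate with client certificate authentication", "Authenticating with ... authentication") likewise fire on every request and would normally be `fine` as well, leaving INFO for lifecycle events such as the fallback-method configuration. The enclosing method (presumably the authenticator's `authenticate`) begins outside these hunks, so its signature is not visible here.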
} - } -diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java -index 6bc570b..e162840 100644 ---- a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java -+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java -@@ -21,6 +21,8 @@ package com.netscape.cms.tomcat; - import java.io.IOException; - import java.security.Principal; - import java.util.ArrayList; -+import java.util.logging.Logger; -+ - import javax.servlet.ServletException; - - import org.apache.catalina.Session; -@@ -30,13 +32,14 @@ import org.apache.catalina.valves.ValveBase; - - public class ExternalAuthenticationValve extends ValveBase { - -+ final static Logger logger = Logger.getLogger(ExternalAuthenticationValve.class.getName()); -+ - public void invoke(Request req, Response resp) - throws IOException, ServletException { -- System.out.println("ExternalAuthenticationValve; authType: " -- + req.getAuthType()); -- System.out.println("ExternalAuthenticationValve; principal: " -- + req.getUserPrincipal()); -- //System.out.println(req.getCoyoteRequest().getAttributes().toString()); -+ -+ logger.info("ExternalAuthenticationValve: authType: " + req.getAuthType()); -+ logger.info("ExternalAuthenticationValve: principal: " + req.getUserPrincipal()); -+ //logger.info("ExternalAuthenticationValve: attributes: " + req.getCoyoteRequest().getAttributes()); - - org.apache.coyote.Request coyoteReq = req.getCoyoteRequest(); - Principal principal = req.getUserPrincipal(); -@@ -49,7 +52,7 @@ public class ExternalAuthenticationValve extends ValveBase { - try { - numGroups = new Integer(numGroupsStr); - } catch (NumberFormatException e) { -- System.out.println("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e); -+ logger.warning("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e); - } - } - -@@ -60,13 +63,13 
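Review bot: In the `@@ -30,13 +32,14 @@` hunk of ExternalAuthenticationValve, `invoke` now logs `authType` and `principal` at INFO on every request (the two `logger.info` calls at the top of the method), which turns a per-request trace into steady INFO-level noise on a busy server; these belong at `fine`, e.g. `logger.fine("ExternalAuthenticationValve: authType: " + req.getAuthType());`, keeping INFO and WARNING for the "setting new principal" and invalid-attribute paths. The `REMOTE_USER_GROUP_N` count is still built with `new Integer(numGroupsStr)` in the context lines; since this block is being touched, `Integer.parseInt(numGroupsStr)` avoids the boxing constructor that is deprecated from Java 9. The `invoke` method body continues past the end of this hunk.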
@@ public class ExternalAuthenticationValve extends ValveBase { - if (s != null && !s.isEmpty()) - groups.add(s); - else -- System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k); -+ logger.warning("ExternalAuthenticationValve: missing or empty attribute: " + k); - } - - // replace the principal - principal = new ExternalPrincipal( - principal.getName(), null, groups, coyoteReq.getAttributes()); -- System.out.println("ExternalAuthenticationValve: setting new principal: " + principal); -+ logger.info("ExternalAuthenticationValve: setting new principal: " + principal); - req.setUserPrincipal(principal); - - // cache principal in session -diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java b/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java -index 5d1d0db..b2ed4a9 100644 ---- a/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java -+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/PKIListener.java -@@ -19,6 +19,7 @@ - package com.netscape.cms.tomcat; - - import java.io.File; -+import java.util.logging.Logger; - - import org.apache.catalina.Context; - import org.apache.catalina.Engine; -@@ -34,27 +35,29 @@ import com.redhat.nuxwdog.WatchdogClient; - - public class PKIListener implements LifecycleListener { - -+ final static Logger logger = Logger.getLogger(PKIListener.class.getName()); -+ - private boolean startedByWD = false; - - @Override - public void lifecycleEvent(LifecycleEvent event) { - - String type = event.getType(); -- System.out.println("PKIListener: " + event.getLifecycle().getClass().getName() + "[" + type + "]"); -+ logger.info("PKIListener: " + event.getLifecycle().getClass().getName() + " [" + type + "]"); - - if (type.equals(Lifecycle.BEFORE_INIT_EVENT)) { - - String wdPipeName = System.getenv("WD_PIPE_NAME"); - if (StringUtils.isNotEmpty(wdPipeName)) { - startedByWD = true; -- System.out.println("PKIListener: Initializing the watchdog"); -+ logger.info("PKIListener: 
Initializing the watchdog"); - WatchdogClient.init(); - } - - } else if (type.equals(Lifecycle.AFTER_START_EVENT)) { - - if (startedByWD) { -- System.out.println("PKIListener: Sending endInit to the Watchdog"); -+ logger.info("PKIListener: Sending endInit to the watchdog"); - WatchdogClient.sendEndInit(0); - } - -@@ -88,13 +91,13 @@ public class PKIListener implements LifecycleListener { - - if (!contextXml.exists()) { - -- System.out.println("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is disabled."); -+ logger.warning("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is disabled."); - - String selftestsLog = "/var/log/pki/" + instanceName + "/" + subsystemName + "/selftests.log"; -- System.out.println("PKIListener: Check " + selftestsLog + " for possible errors."); -+ logger.warning("PKIListener: Check " + selftestsLog + " for possible errors."); - -- System.out.println("PKIListener: To enable the subsystem:"); -- System.out.println("PKIListener: pki-server subsystem-enable -i " + instanceName + " " + subsystemName); -+ logger.warning("PKIListener: To enable the subsystem:"); -+ logger.warning("PKIListener: pki-server subsystem-enable -i " + instanceName + " " + subsystemName); - - continue; - } -@@ -103,17 +106,17 @@ public class PKIListener implements LifecycleListener { - - if (context == null) { - -- System.out.println("PKIListener: " + "Subsystem " + subsystemName.toUpperCase() + " is not deployed."); -+ logger.warning("PKIListener: " + "Subsystem " + subsystemName.toUpperCase() + " is not deployed."); - - String catalinaLog = "/var/log/pki/" + instanceName + "/catalina.*.log"; -- System.out.println("PKIListener: Check " + catalinaLog); -- System.out.println("PKIListener: and Tomcat's standard output and error for possible errors:"); -- System.out.println("PKIListener: journalctl -u pki-tomcatd@" + instanceName + ".service"); -+ logger.warning("PKIListener: Check " + catalinaLog); -+ logger.warning("PKIListener: and Tomcat's standard 
output and error for possible errors:"); -+ logger.warning("PKIListener: journalctl -u pki-tomcatd@" + instanceName + ".service"); - - continue; - } - -- System.out.println("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is running."); -+ logger.info("PKIListener: Subsystem " + subsystemName.toUpperCase() + " is running."); - } - } - } --- -1.8.3.1 - - -From a56579794417083cf41b05b702f66c895dc82823 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Wed, 6 Dec 2017 16:38:33 -0700 -Subject: Set the default NSS DB type - -dogtagpki Pagure Issue #2862 - Create a mechanism to select the -default NSS DB type - -The following changes are based upon the results of an investigation -by jmagne in which he suggested using the NSS_DEFAULT_DB_TYPE -environment variable to control NSS use of 'dbm' vs. 'sql'. - -* NSS_DEFAULT_DB_TYPE Environment Variable: - - In the future, the 'pkispawn' installer, 'pkiconsole', the 'pki' - command-line tool, as well as all other non-'pki' command-line - tools will be able to select to use either 'dbm' or 'sql' as their - default NSS DB type based upon the value in the - NSS_DEFAULT_DB_TYPE environment variable; if no - NSS_DEFAULT_DB_TYPE is defined, 'dbm' will be utilized. - - NOTE: For this patch, everything has been rigged to use an NSS - default DB type of 'dbm', as 'sql' is not yet supported. - -* PKI Server Instances: - - The selected NSS DB type will be stored as the value in the - NSS_DEFAULT_DB_TYPE variable within the file called - '/etc/sysconfig/' during creation of the - first subsystem of this PKI instance. - - As a part of their 'systemctl' service management, Linux systems - utilize the information in this file via the 'EnvironmentFile' - designation within their systemctl service files, - 'pki-tomcatd@.service', and - 'pki-tomcatd-nuxwdog@.service'. 
- - Finally, due to the presence of the '/etc/sysconfig/' - file, each PKI instance will always have its NSS DB type limited to a - single value that is common to all subsystems that co-exist within - this PKI instance. - - Relevant files: - - base/server/python/pki/server/deployment/pkiparser.py - - base/server/etc/default.cfg - - base/server/share/conf/tomcat.conf - -* 'pki' Java Command-Line Tools - - The selected NSS DB type will be computed at runtime and - stored as the value in the NSS_DEFAULT_DB_TYPE environment - variable. - - Relevant files: - - base/common/python/pki/cli/main.py - -* non-'pki' Java Command-Line Tools - - The selected NSS DB type will be computed at runtime and - stored as the value in the NSS_DEFAULT_DB_TYPE environment - variable. - - Relevant files: - - base/java-tools/templates/pki_java_command_wrapper.in - - base/java-tools/templates/pretty_print_cert_command_wrapper.in - - base/java-tools/templates/pretty_print_crl_command_wrapper.in - -* Native Command-Line Tools - - NOTE: Although this patch does not provide out-of-box fixes for - native command-line tools, these should still work - successfully provided the environment variable - NSS_DEFAULT_DB_TYPE=dbm has been exported - into the current environment. 
- -Change-Id: I33c001e732ce0f585710c79af2ecf4ce18768d26 -(cherry picked from commit 29d23b0f027bd046d0a6547bd8292fb28f5d1c88) ---- - base/common/python/pki/cli/main.py | 34 ++++++++++++++++++ - .../templates/pki_java_command_wrapper.in | 34 ++++++++++++++++++ - .../templates/pretty_print_cert_command_wrapper.in | 34 ++++++++++++++++++ - .../templates/pretty_print_crl_command_wrapper.in | 34 ++++++++++++++++++ - base/server/etc/default.cfg | 1 + - .../python/pki/server/deployment/pkiparser.py | 41 ++++++++++++++++++++++ - base/server/share/conf/tomcat.conf | 3 ++ - 7 files changed, 181 insertions(+) - -diff --git a/base/common/python/pki/cli/main.py b/base/common/python/pki/cli/main.py -index f201c1d..0eb18a5 100644 ---- a/base/common/python/pki/cli/main.py -+++ b/base/common/python/pki/cli/main.py -@@ -70,8 +70,42 @@ class PKICLI(pki.cli.CLI): - - super(PKICLI, self).print_help() - -+ def set_nss_default_db_type(self): -+ # Set default NSS DB type -+ nss_default_db_type = os.getenv('NSS_DEFAULT_DB_TYPE') -+ if nss_default_db_type is None: -+ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ elif nss_default_db_type == '': -+ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ else: -+ nss_type = nss_default_db_type.lower() -+ if nss_type == 'dbm': -+ # Always set/reset 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ elif nss_type == 'sql': -+ # Always set/reset 'sql' default NSS DB type -+ # os.putenv('NSS_DEFAULT_DB_TYPE', 'sql') -+ -+ # Warn user and set 'dbm' default NSS DB type -+ print('WARNING: NSS_DEFAULT_DB_TYPE=sql is currently ' + -+ 'unsupported!') -+ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') -+ # Currently override 'sql' with 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ else: -+ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type -+ print('WARNING: 
NSS_DEFAULT_DB_TYPE=%s is invalid!' -+ % nss_default_db_type) -+ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ return -+ - def execute_java(self, args, stdout=sys.stdout): - -+ self.set_nss_default_db_type() -+ - java_home = os.getenv('JAVA_HOME') - pki_lib = os.getenv('PKI_LIB') - logging_config = os.getenv('LOGGING_CONFIG') -diff --git a/base/java-tools/templates/pki_java_command_wrapper.in b/base/java-tools/templates/pki_java_command_wrapper.in -index 696f661..bec96bd 100644 ---- a/base/java-tools/templates/pki_java_command_wrapper.in -+++ b/base/java-tools/templates/pki_java_command_wrapper.in -@@ -64,6 +64,38 @@ invalid_architecture() { - echo - } - -+set_nss_default_db_type() { -+ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then -+ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then -+ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters -+ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` -+ if [ ${nss_type} = 'dbm' ] ; then -+ # Always set/reset 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ ${nss_type} = 'sql' ] ; then -+ # Always set/reset 'sql' default NSS DB type -+ # NSS_DEFAULT_DB_TYPE=sql -+ -+ # Warn user and set 'dbm' default NSS DB type -+ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" -+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type -+ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " -+ echo "invalid!" -+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." 
-+ NSS_DEFAULT_DB_TYPE=dbm -+ fi -+ fi -+ export NSS_DEFAULT_DB_TYPE -+} -+ - - ############################################################################### - ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## -@@ -116,6 +148,8 @@ fi - ## based upon the LD_LIBRARY_PATH and PKI_LIB environment variables. ## - ############################################################################### - -+set_nss_default_db_type -+ - ${JAVA} ${JAVA_OPTIONS} \ - -Djava.ext.dirs=${PKI_LIB} \ - -Djava.util.logging.config.file=${LOGGING_CONFIG} \ -diff --git a/base/java-tools/templates/pretty_print_cert_command_wrapper.in b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -index 882e7a1..486c023 100644 ---- a/base/java-tools/templates/pretty_print_cert_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_cert_command_wrapper.in -@@ -64,6 +64,38 @@ invalid_architecture() { - echo - } - -+set_nss_default_db_type() { -+ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then -+ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then -+ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters -+ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` -+ if [ ${nss_type} = 'dbm' ] ; then -+ # Always set/reset 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ ${nss_type} = 'sql' ] ; then -+ # Always set/reset 'sql' default NSS DB type -+ # NSS_DEFAULT_DB_TYPE=sql -+ -+ # Warn user and set 'dbm' default NSS DB type -+ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" -+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type -+ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " -+ echo "invalid!" 
-+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." -+ NSS_DEFAULT_DB_TYPE=dbm -+ fi -+ fi -+ export NSS_DEFAULT_DB_TYPE -+} -+ - - ############################################################################### - ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## -@@ -159,6 +191,8 @@ then - fi - fi - -+set_nss_default_db_type -+ - ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND} "$@" - exit $? - -diff --git a/base/java-tools/templates/pretty_print_crl_command_wrapper.in b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -index 0c518ce..38eb810 100644 ---- a/base/java-tools/templates/pretty_print_crl_command_wrapper.in -+++ b/base/java-tools/templates/pretty_print_crl_command_wrapper.in -@@ -64,6 +64,38 @@ invalid_architecture() { - echo - } - -+set_nss_default_db_type() { -+ if [ -z ${NSS_DEFAULT_DB_TYPE+x} ]; then -+ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ -z ${NSS_DEFAULT_DB_TYPE} ] ; then -+ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # normalize NSS_DEFAULT_DB_TYPE to all lowercase letters -+ nss_type=`echo ${NSS_DEFAULT_DB_TYPE} | tr '[:upper:]' '[:lower:]'` -+ if [ ${nss_type} = 'dbm' ] ; then -+ # Always set/reset 'dbm' default NSS DB type -+ NSS_DEFAULT_DB_TYPE=dbm -+ elif [ ${nss_type} = 'sql' ] ; then -+ # Always set/reset 'sql' default NSS DB type -+ # NSS_DEFAULT_DB_TYPE=sql -+ -+ # Warn user and set 'dbm' default NSS DB type -+ echo "WARNING: NSS_DEFAULT_DB_TYPE=sql is currently unsupported!" -+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." -+ NSS_DEFAULT_DB_TYPE=dbm -+ else -+ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type -+ echo -n "WARNING: NSS_DEFAULT_DB_TYPE='${NSS_DEFAULT_DB_TYPE}' is " -+ echo "invalid!" -+ echo " Resetting to NSS_DEFAULT_DB_TYPE=dbm." 
-+ NSS_DEFAULT_DB_TYPE=dbm -+ fi -+ fi -+ export NSS_DEFAULT_DB_TYPE -+} -+ - - ############################################################################### - ## (4) Set the LD_LIBRARY_PATH environment variable to determine the ## -@@ -146,6 +178,8 @@ then - fi - fi - -+set_nss_default_db_type -+ - ${JAVA} ${JAVA_OPTIONS} -cp ${CP} com.netscape.cmstools.${COMMAND} "$@" - exit $? - -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index ad19105..73f884f 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -11,6 +11,7 @@ - ############################################################################### - [DEFAULT] - -+NSS_DEFAULT_DB_TYPE=%(nss_default_db_type)s - JAVA_HOME=%(java_home)s - - # The sensitive_parameters contains a list of parameters which may contain -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index e924908..8c9f1aa 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -259,8 +259,48 @@ class PKIConfigParser: - self.arg_parser.print_help() - self.arg_parser.exit(-1) - -+ def set_nss_default_db_type(self): -+ # Define default NSS DB types -+ dbm = 'dbm' -+ # sql = 'sql' -+ default = dbm -+ -+ # Set default NSS DB type -+ nss_default_db_type = os.getenv('NSS_DEFAULT_DB_TYPE') -+ if nss_default_db_type is None: -+ # NSS_DEFAULT_DB_TYPE is undefined; set 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ elif nss_default_db_type == '': -+ # NSS_DEFAULT_DB_TYPE is empty; set 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ else: -+ nss_type = nss_default_db_type.lower() -+ if nss_type == 'dbm': -+ # Always set/reset 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ elif nss_type == 'sql': -+ # Always set/reset 'sql' default NSS DB type -+ # os.putenv('NSS_DEFAULT_DB_TYPE', 'sql') -+ # 
default = sql -+ -+ # Warn user and set 'dbm' default NSS DB type -+ print('WARNING: NSS_DEFAULT_DB_TYPE=sql is currently ' + -+ 'unsupported!') -+ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') -+ # Currently override 'sql' with 'dbm' default NSS DB type -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ else: -+ # NSS_DEFAULT_DB_TYPE is invalid; set 'dbm' default NSS DB type -+ print('WARNING: NSS_DEFAULT_DB_TYPE=%s is invalid!' -+ % nss_default_db_type) -+ print(' Resetting to NSS_DEFAULT_DB_TYPE=dbm.') -+ os.putenv('NSS_DEFAULT_DB_TYPE', 'dbm') -+ return default -+ - def init_config(self): - -+ nss_default_db_type = self.set_nss_default_db_type() -+ - java_home = subprocess.check_output( - '. /usr/share/pki/etc/pki.conf && . /etc/pki/pki.conf ' - '&& echo $JAVA_HOME', -@@ -303,6 +343,7 @@ class PKIConfigParser: - 'pki_subsystem': self.deployer.subsystem_name, - 'pki_subsystem_type': self.deployer.subsystem_name.lower(), - 'pki_root_prefix': config.pki_root_prefix, -+ 'nss_default_db_type': nss_default_db_type, - 'java_home': java_home, - 'resteasy_lib': resteasy_lib, - 'jni_jar_dir': jni_jar_dir, -diff --git a/base/server/share/conf/tomcat.conf b/base/server/share/conf/tomcat.conf -index bd2359c..c1d3900 100644 ---- a/base/server/share/conf/tomcat.conf -+++ b/base/server/share/conf/tomcat.conf -@@ -6,6 +6,9 @@ - - # This file contains instance-specific configuration. 
- -+# Default NSS DB type (computed at instance creation time) -+NSS_DEFAULT_DB_TYPE="[NSS_DEFAULT_DB_TYPE]" -+ - # Where your java installation lives - JAVA_HOME="[JAVA_HOME]" - --- -1.8.3.1 - - -From 043501a4b4c10fc408b4a644381c9f2782892bb3 Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Fri, 8 Dec 2017 17:17:34 -0700 -Subject: Fix nuxwdog to work on all platforms - -- dogtagpki Pagure Issue #2874 - nuxwdog won't start on Fedora - -Change-Id: I5ff65c75087aeb939cb58ee7cf888bbbacb57ad5 -(cherry picked from commit 19f04606cb58f7dc6e2872e39f62d3dad427ae22) ---- - base/server/sbin/pki-server-nuxwdog | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog -index ead9253..cb89938 100755 ---- a/base/server/sbin/pki-server-nuxwdog -+++ b/base/server/sbin/pki-server-nuxwdog -@@ -41,8 +41,8 @@ nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" - touch ${nux_fname} - chown pkiuser: ${nux_fname} - --echo "ExeFile ${JAVACMD}" > $nux_fname --echo "ExeArgs ${JAVACMD} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname -+echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname -+echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname - echo "TmpDir ${CATALINA_BASE}/logs/pids" >> $nux_fname - echo "ChildSecurity 1" >> $nux_fname - echo "ExeOut ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-snapshot-1.patch b/SOURCES/pki-core-10.5.1-snapshot-1.patch deleted file mode 100644 index 8ef53f5..0000000 --- a/SOURCES/pki-core-10.5.1-snapshot-1.patch +++ /dev/null 
@@ -1,3920 +0,0 @@ -From 5a479577ca778dd8f35501bba79eb97aa2087549 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 18 Dec 2017 21:41:08 +0100 -Subject: [PATCH 01/30] Fixed missing admin PKCS #12 file on external KRA/OCSP - installation. - -The deployment tool has been modified to generate a PKCS #12 file -that contains the admin certificate for KRA/OCSP installation with -external certificates. - -https://pagure.io/dogtagpki/issue/2873 - -Change-Id: Ide6b08ba8f2121b4cdf21208c32d745534893f0f -(cherry picked from commit ffac807486d36e031c1afbcbb2b246536d4ae240) ---- - base/server/python/pki/server/deployment/scriptlets/configuration.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 0fe4191..16a827d 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -1193,7 +1193,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Cloned PKI subsystems do not return an Admin Certificate - if not clone: - -- if standalone: -+ if external or standalone: - if not step_two: - # NOTE: Do nothing for Stand-alone PKI (Step 1) - # as this has already been addressed --- -1.8.3.1 - - -From 6bdb3184284ecad0d532e6fd05ca9b129ae3821f Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 2 Jan 2018 13:24:23 -0500 -Subject: [PATCH 03/30] Fix various PEP8 and pylint issues - -Change-Id: I8b2b52599ab6b2d4738b748f36598319f11477c7 -(cherry picked from commit e9b5fc7ef000abfd2cbdd6be6bfd4b2d015816a2) ---- - .../python/pki/server/deployment/pkihelper.py | 50 ++++++++++++---------- - .../python/pki/server/deployment/pkimessages.py | 25 ++++++----- - .../python/pki/server/deployment/pkiparser.py | 4 -- - .../server/deployment/scriptlets/configuration.py | 12 +++--- - base/server/sbin/pkidestroy | 4 +- - 
base/server/sbin/pkispawn | 4 +- - 6 files changed, 52 insertions(+), 47 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 49945b9..9c732d0 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -428,7 +428,8 @@ class ConfigurationFile: - - self.existing = config.str2bool(self.mdict['pki_existing']) - self.external = config.str2bool(self.mdict['pki_external']) -- self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two']) -+ self.external_step_one = not config.str2bool( -+ self.mdict['pki_external_step_two']) - self.external_step_two = not self.external_step_one - - if self.external: -@@ -496,7 +497,8 @@ class ConfigurationFile: - # ALWAYS defined via 'pkiparser.py' - if self.external_step_two: - # Only allowed for External CA/KRA/OCSP, or Stand-alone PKI -- if self.subsystem not in ['CA', 'KRA', 'OCSP'] and not self.standalone: -+ if (self.subsystem not in ['CA', 'KRA', 'OCSP'] and -+ not self.standalone): - config.pki_log.error(log.PKI_EXTERNAL_STEP_TWO_UNSUPPORTED_1, - self.subsystem, - extra=config.PKI_INDENTATION_LEVEL_2) -@@ -557,8 +559,9 @@ class ConfigurationFile: - # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones) - if not config.str2bool(self.mdict['pki_hsm_enable']): - -- # If system certificates are already provided via pki_server_pkcs12 -- # there's no need to provide pki_clone_pkcs12. -+ # If system certificates are already provided via -+ # pki_server_pkcs12, there's no need to provide -+ # pki_clone_pkcs12. 
- if not self.mdict['pki_server_pkcs12_path']: - self.confirm_data_exists("pki_clone_pkcs12_password") - -@@ -680,8 +683,9 @@ class ConfigurationFile: - # Check clone parameters for non-HSM clone - if not config.str2bool(self.mdict['pki_hsm_enable']): - -- # If system certificates are already provided via pki_server_pkcs12 -- # there's no need to provide pki_clone_pkcs12. -+ # If system certificates are already provided via -+ # pki_server_pkcs12, there's no need to provide -+ # pki_clone_pkcs12. - if not self.mdict['pki_server_pkcs12_path']: - self.confirm_data_exists("pki_clone_pkcs12_path") - self.confirm_file_exists("pki_clone_pkcs12_path") -@@ -1045,7 +1049,7 @@ class Instance: - "No connection - server may still be down", - extra=config.PKI_INDENTATION_LEVEL_3) - config.pki_log.debug( -- "No connection - exception thrown: " + str(exc), -+ "No connection - exception thrown: %s", exc, - extra=config.PKI_INDENTATION_LEVEL_3) - return None - -@@ -1707,7 +1711,8 @@ class File: - - def substitute_deployment_params(self, line): - """ -- Replace all occurrences of [param] in the line with the value of the deployment parameter. -+ Replace all occurrences of [param] in the line with the value of the -+ deployment parameter. 
- """ - - # find the first parameter in the line -@@ -2181,7 +2186,7 @@ class FIPS: - with open(os.devnull, "w") as fnull: - output = subprocess.check_output(command, stderr=fnull, - close_fds=True) -- if (output != "0"): -+ if output != "0": - # Set FIPS mode as enabled - self.mdict['pki_fips_mode_enabled'] = True - config.pki_log.info(log.PKIHELPER_FIPS_MODE_IS_ENABLED, -@@ -2214,7 +2219,7 @@ class HSM: - - def initialize(self): - if config.str2bool(self.mdict['pki_hsm_enable']): -- if (self.mdict['pki_hsm_libfile'] == config.PKI_HSM_NCIPHER_LIB): -+ if self.mdict['pki_hsm_libfile'] == config.PKI_HSM_NCIPHER_LIB: - self.initialize_ncipher() - return - -@@ -3026,8 +3031,8 @@ class KRAConnector: - sechost, secport) - except Exception as e: - config.pki_log.error( -- "unable to access security domain. Continuing .. " + -- str(e), -+ "unable to access security domain. Continuing .. %s ", -+ e, - extra=config.PKI_INDENTATION_LEVEL_2) - ca_list = [] - -@@ -3849,8 +3854,7 @@ class ConfigClient: - # Store the Administration Certificate in a file - admin_cert_file = self.mdict['pki_client_admin_cert'] - admin_cert_bin_file = admin_cert_file + ".der" -- self.save_admin_cert(log.PKI_CONFIG_ADMIN_CERT_SAVE_1, -- admin_cert, admin_cert_file, -+ self.save_admin_cert(admin_cert, admin_cert_file, - self.mdict['pki_subsystem_name']) - - # convert the cert file to binary -@@ -3983,8 +3987,9 @@ class ConfigClient: - - def save_admin_csr(self): - config.pki_log.info( -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 + " '" + -- self.mdict['pki_admin_csr_path'] + "'", self.subsystem, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_2, -+ self.subsystem, -+ self.mdict['pki_admin_csr_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - self.deployer.directory.create( - os.path.dirname(self.mdict['pki_admin_csr_path'])) -@@ -4005,20 +4010,20 @@ class ConfigClient: - log.PKI_CONFIG_CDATA_REQUEST + "\n" + admin_certreq, - extra=config.PKI_INDENTATION_LEVEL_2) - -- def save_admin_cert(self, 
message, input_data, output_file, -- subsystem_name): -- config.pki_log.debug(message + " '" + output_file + "'", -+ def save_admin_cert(self, input_data, output_file, subsystem_name): -+ config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE_2, - subsystem_name, -+ output_file, - extra=config.PKI_INDENTATION_LEVEL_2) - with open(output_file, "w") as f: - f.write(input_data) - - def save_system_csr(self, csr, message, path, subsystem=None): - if subsystem is not None: -- config.pki_log.info(message + " '" + path + "'", subsystem, -+ config.pki_log.info(message, subsystem, path, - extra=config.PKI_INDENTATION_LEVEL_2) - else: -- config.pki_log.info(message + " '" + path + "'", -+ config.pki_log.info(message, path, - extra=config.PKI_INDENTATION_LEVEL_2) - self.deployer.directory.create(os.path.dirname(path)) - with open(path, "w") as f: -@@ -4310,7 +4315,8 @@ class ConfigClient: - password=self.mdict['pki_client_database_password']) - - try: -- data.adminCert = client_nssdb.get_cert(self.mdict['pki_admin_nickname']) -+ data.adminCert = client_nssdb.get_cert( -+ self.mdict['pki_admin_nickname']) - if data.adminCert: # already imported, return - return - -diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py -index 1158383..7f2d749 100644 ---- a/base/server/python/pki/server/deployment/pkimessages.py -+++ b/base/server/python/pki/server/deployment/pkimessages.py -@@ -358,7 +358,7 @@ PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." 
- PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" - PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" - --PKI_CONFIG_ADMIN_CERT_SAVE_1 = "saving %s Admin Certificate to file:" -+PKI_CONFIG_ADMIN_CERT_SAVE_2 = "saving %s Admin Certificate to file: %s" - PKI_CONFIG_ADMIN_CERT_ATOB_1 = "converting %s Admin Certificate to binary:" - PKI_CONFIG_CDATA_TAG = "tag:" - PKI_CONFIG_CDATA_CERT = "cert:" -@@ -384,16 +384,19 @@ PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_SUBSYSTEM_1 = \ - PKI_CONFIG_EXTERNAL_CERT_LOAD_PKI_AUDIT_SIGNING_1 = \ - "loading external CA signed %s Audit Signing certificate from file:" - PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE = "saving KRA Storage CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT = "saving KRA Transport CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING = "saving OCSP Signing CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_1 = "saving %s Admin CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1 = \ -- "saving %s Audit Signing CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1 = \ -- "saving %s SSL Server CSR to file:" --PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1 = \ -- "saving %s Subsystem CSR to file:" -+PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE_1 = ( -+ "saving KRA Storage CSR to file: %s") -+PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT_1 = ( -+ "saving KRA Transport CSR to file: %s") -+PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING_1 = ( -+ "saving OCSP Signing CSR to file: %s") -+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_ADMIN_2 = "saving %s Admin CSR to file: '%s'" -+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_2 = \ -+ "saving %s Audit Signing CSR to file: %s" -+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_2 = ( -+ "saving %s SSL Server CSR to file: %s") -+PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_2 = ( -+ "saving %s Subsystem CSR to file: %s") - PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION = \ - "Exception from Java Configuration 
Servlet:" - PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 8c9f1aa..18cf19d 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -617,8 +617,6 @@ class PKIConfigParser: - self.ds_connect() - self.ds_bind() - self.ds_search() -- except: -- raise - finally: - self.ds_close() - -@@ -636,8 +634,6 @@ class PKIConfigParser: - - except ldap.NO_SUCH_OBJECT: - base_dn_exists = False -- except: -- raise - finally: - self.ds_close() - return base_dn_exists -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 16a827d..8f7460c 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -1133,7 +1133,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_1, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_AUDIT_SIGNING_2, - deployer.mdict['pki_audit_signing_csr_path'], - subsystem.name) - -@@ -1142,7 +1142,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # CSR (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_OCSP_SIGNING_1, - deployer.mdict['pki_signing_csr_path']) - - elif cdata['tag'].lower() == "sslserver": -@@ -1150,7 +1150,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_1, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SSLSERVER_2, - deployer.mdict['pki_sslserver_csr_path'], - 
subsystem.name) - -@@ -1159,7 +1159,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_STORAGE_1, - deployer.mdict['pki_storage_csr_path']) - - elif cdata['tag'].lower() == "subsystem": -@@ -1167,7 +1167,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_1, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_PKI_SUBSYSTEM_2, - deployer.mdict['pki_subsystem_csr_path'], - subsystem.name) - -@@ -1176,7 +1176,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # (Step 1) - deployer.config_client.save_system_csr( - cdata['request'], -- log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT, -+ log.PKI_CONFIG_EXTERNAL_CSR_SAVE_KRA_TRANSPORT_1, - deployer.mdict['pki_transport_csr_path']) - - else: -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 4a0c6a0..036c5ef 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -255,9 +255,9 @@ def main(argv): - def log_error_details(): - e_type, e_value, e_stacktrace = sys.exc_info() - config.pki_log.debug( -- "Error Type: " + e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) -+ "Error Type: %s", e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug( -- "Error Message: " + str(e_value), extra=config.PKI_INDENTATION_LEVEL_2) -+ "Error Message: %s", e_value, extra=config.PKI_INDENTATION_LEVEL_2) - stacktrace_list = traceback.format_list(traceback.extract_tb(e_stacktrace)) - e_stacktrace = "" - for l in stacktrace_list: -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 5489622..a715efc 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -864,9 +864,9 @@ def print_final_install_information(mdict): - def 
log_error_details(): - e_type, e_value, e_stacktrace = sys.exc_info() - config.pki_log.debug( -- "Error Type: " + e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) -+ "Error Type: %s", e_type.__name__, extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug( -- "Error Message: " + str(e_value), extra=config.PKI_INDENTATION_LEVEL_2) -+ "Error Message: %s", e_value, extra=config.PKI_INDENTATION_LEVEL_2) - stacktrace_list = traceback.format_list(traceback.extract_tb(e_stacktrace)) - e_stacktrace = "" - for l in stacktrace_list: --- -1.8.3.1 - - -From ae39e98d64fa5ca7e92e8fc378be400c5160cbaf Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 2 Jan 2018 13:38:40 -0500 -Subject: [PATCH 04/30] Modified systemd invocations in pkispawn to handle - nuxwdog - -The systemd invocations in pkispawn/pkidestroy did not account for -nuxwdog enabled instances. This patch allows pkispawn/pkidestroy to -use the right service name if the nuxwdog service unit files exist. - -Also modified instance_layout deployment script to delete the right -systemd link. 
- -Change-Id: I25eac0555aad022784d7728913ae4a335eab3463 -(cherry picked from commit c7c907c07599ef1d9b52638c25153f7bd82de999) ---- - .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++------------ - .../deployment/scriptlets/instance_layout.py | 5 +- - 2 files changed, 28 insertions(+), 32 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 9c732d0..3736782 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -3491,17 +3491,28 @@ class Systemd(object): - - Args: - deployer (dictionary): PKI Deployment name/value parameters -- -- Attributes: -- -- Returns: -- -- Raises: -- -- Examples: -- - """ - self.mdict = deployer.mdict -+ instance_name = deployer.mdict['pki_instance_name'] -+ -+ unit_file = 'pki-tomcatd@%s.service' % instance_name -+ systemd_link = os.path.join( -+ '/etc/systemd/system/pki-tomcatd.target.wants', -+ unit_file) -+ -+ nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name -+ nuxwdog_systemd_link = os.path.join( -+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', -+ nuxwdog_unit_file) -+ -+ if os.path.exists(nuxwdog_systemd_link): -+ self.is_nuxwdog_enabled = True -+ self.service_name = nuxwdog_unit_file -+ self.systemd_link = nuxwdog_systemd_link -+ else: -+ self.is_nuxwdog_enabled = False -+ self.service_name = unit_file -+ self.systemd_link = systemd_link - - def daemon_reload(self, critical_failure=True): - """PKI Deployment execution management lifecycle function. 
-@@ -3575,7 +3586,7 @@ class Systemd(object): - command = ["rm", "/etc/rc3.d/*" + - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "disable", "pki-tomcatd.target"] -+ command = ["systemctl", "disable", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3625,7 +3636,7 @@ class Systemd(object): - command = ["ln", "-s", "/etc/init.d/pki-tomcatd", - "/etc/rc3.d/S89" + self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "enable", "pki-tomcatd.target"] -+ command = ["systemctl", "enable", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3669,20 +3680,15 @@ class Systemd(object): - - """ - try: -- service = None - # Execute the "systemd daemon-reload" management lifecycle command - if reload_daemon: - self.daemon_reload(critical_failure) -- # Compose this "systemd" execution management command -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." +\ -- "service" - - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "start", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "start", service] -+ command = ["systemctl", "start", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3722,17 +3728,11 @@ class Systemd(object): - - """ - try: -- service = None -- # Compose this "systemd" execution management command -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." 
+\ -- "service" -- - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "stop", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "stop", service] -+ command = ["systemctl", "stop", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -@@ -3773,21 +3773,16 @@ class Systemd(object): - - """ - try: -- service = None - # Compose this "systemd" execution management command - # Execute the "systemd daemon-reload" management lifecycle command - if reload_daemon: - self.daemon_reload(critical_failure) - -- service = "pki-tomcatd" + "@" +\ -- self.mdict['pki_instance_name'] + "." +\ -- "service" -- - if pki.system.SYSTEM_TYPE == "debian": - command = ["/etc/init.d/pki-tomcatd", "restart", - self.mdict['pki_instance_name']] - else: -- command = ["systemctl", "restart", service] -+ command = ["systemctl", "restart", self.service_name] - - # Display this "systemd" execution managment command - config.pki_log.info( -diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index fc08fe1..15c0441 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -59,7 +59,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Link /etc/pki//logging.properties - # to /usr/share/pki/server/conf/logging.properties. 
- deployer.symlink.create( -- os.path.join(deployer.mdict['pki_source_server_path'], "logging.properties"), -+ os.path.join(deployer.mdict['pki_source_server_path'], -+ "logging.properties"), - os.path.join(deployer.mdict['pki_instance_configuration_path'], - "logging.properties")) - -@@ -176,7 +177,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return - - # remove Tomcat instance systemd service link -- deployer.symlink.delete(deployer.mdict['pki_systemd_service_link']) -+ deployer.symlink.delete(deployer.systemd.systemd_link) - - # remove Tomcat instance base - deployer.directory.delete(deployer.mdict['pki_instance_path']) --- -1.8.3.1 - - -From cf50a28a14908be726cefb1e7e79233a2b13a575 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 2 Jan 2018 14:52:32 -0500 -Subject: [PATCH 05/30] Allow prompting for token passwords if not present - -Change-Id: Ifa2e60424d713ebe15bf9aa92f1d5b7691b7e0ff -(cherry picked from commit 6716b82ecc38b23de81c8f0fe18863e1df4bfddb) ---- - .../python/pki/server/deployment/__init__.py | 4 +++- - .../python/pki/server/deployment/pkihelper.py | 27 ++++++++-------------- - base/server/sbin/pkidestroy | 2 +- - base/server/sbin/pkispawn | 2 +- - 4 files changed, 15 insertions(+), 20 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py -index 70e9c9b..dbacc57 100644 ---- a/base/server/python/pki/server/deployment/__init__.py -+++ b/base/server/python/pki/server/deployment/__init__.py -@@ -66,6 +66,7 @@ class PKIDeployer: - self.systemd = None - self.tps_connector = None - self.config_client = None -+ self.parser = None - - # Set installation time - ticks = time.time() -@@ -88,7 +89,7 @@ class PKIDeployer: - if not len(self.dns_domainname): - self.dns_domainname = self.hostname - -- def init(self): -+ def init(self, parser): - - # Utility objects - self.identity = util.Identity(self) -@@ -111,6 +112,7 @@ class PKIDeployer: - self.systemd = 
util.Systemd(self) - self.tps_connector = util.TPSConnector(self) - self.config_client = util.ConfigClient(self) -+ self.parser = parser - - def flatten_master_dict(self): - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 3736782..26aca14 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -2053,6 +2053,7 @@ class Password: - - def __init__(self, deployer): - self.mdict = deployer.mdict -+ self.deployer = deployer - - def create_password_conf(self, path, pin, pin_sans_token=False, - overwrite_flag=False, critical_failure=True): -@@ -2142,7 +2143,7 @@ class Password: - raise - return - -- def get_password(self, path, token_name, critical_failure=True): -+ def get_password(self, path, token_name): - token_pwd = None - if os.path.exists(path) and os.path.isfile(path) and\ - os.access(path, os.R_OK): -@@ -2155,16 +2156,11 @@ class Password: - token_pwd = tokens[token_name] - - if token_pwd is None or token_pwd == '': -- # TODO prompt for this password -- config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, -- token_name, -- extra=config.PKI_INDENTATION_LEVEL_2) -- if critical_failure: -- raise Exception( -- log.PKIHELPER_PASSWORD_NOT_FOUND_1 % -- token_name) -- else: -- return -+ self.deployer.parser.read_password( -+ 'Password for token {}'.format(token_name), -+ self.deployer.subsystem_name, -+ 'token_pwd') -+ token_pwd = self.mdict['token_pwd'] - return token_pwd - - -@@ -2994,8 +2990,7 @@ class KRAConnector: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- token_name, -- critical_failure) -+ token_name) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( -@@ -3199,8 +3194,7 @@ class TPSConnector: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- token_name, -- critical_failure) -+ token_name) - - if 
token_pwd is None or token_pwd == '': - config.pki_log.warning( -@@ -3437,8 +3431,7 @@ class SecurityDomain: - - token_pwd = self.password.get_password( - self.mdict['pki_shared_password_conf'], -- token_name, -- critical_failure) -+ token_name) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 036c5ef..0b6ef6b 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -227,7 +227,7 @@ def main(argv): - - # Process the various "scriptlets" to remove the specified PKI subsystem. - pki_subsystem_scriptlets = parser.mdict['destroy_scriplets'].split() -- deployer.init() -+ deployer.init(parser) - - try: - for scriptlet_name in pki_subsystem_scriptlets: -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index a715efc..d671ba7 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -519,7 +519,7 @@ def main(argv): - - # Process the various "scriptlets" to create the specified PKI subsystem. - pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() -- deployer.init() -+ deployer.init(parser) - - try: - for scriptlet_name in pki_subsystem_scriptlets: --- -1.8.3.1 - - -From af8c909653fae1d02dc801021ad73a43b548aacf Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 9 Jan 2018 21:29:39 -0600 -Subject: [PATCH 06/30] Added pki-server -audit-event-find command. - -A new pki-server -audit-event-find command has been -added to list audit events and their attributes (e.g. filter). -Currently the command can only list enabled events. 
- -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: I7319ac4e449045d7456e9ae225aca58075093bcd -(cherry picked from commit 9f3a7d6c3a190a2e937ffb3586d6c9d72fe9d2f1) ---- - base/server/python/pki/server/__init__.py | 20 +++++++ - base/server/python/pki/server/cli/audit.py | 83 ++++++++++++++++++++++++++++++ - 2 files changed, 103 insertions(+) - -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index 9969dcc..bb01dcf 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -419,6 +419,26 @@ class PKISubsystem(object): - - pki.util.customize_file(input_file, output_file, params) - -+ def find_audit_events(self, enabled=None): -+ -+ if not enabled: -+ raise Exception('This operation is not yet supported. Specify --enabled True.') -+ -+ events = [] -+ -+ names = self.config['log.instance.SignedAudit.events'].split(',') -+ names = list(map(str.strip, names)) -+ names.sort() -+ -+ for name in names: -+ event = {} -+ event['name'] = name -+ event['enabled'] = True -+ event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name) -+ events.append(event) -+ -+ return events -+ - def get_audit_log_dir(self): - - current_file_path = self.config['log.instance.SignedAudit.fileName'] -diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py -index 665fe91..bbbdd10 100644 ---- a/base/server/python/pki/server/cli/audit.py -+++ b/base/server/python/pki/server/cli/audit.py -@@ -37,10 +37,93 @@ class AuditCLI(pki.cli.CLI): - 'audit', 'Audit management commands') - - self.parent = parent -+ self.add_module(AuditEventFindCLI(self)) - self.add_module(AuditFileFindCLI(self)) - self.add_module(AuditFileVerifyCLI(self)) - - -+class AuditEventFindCLI(pki.cli.CLI): -+ -+ def __init__(self, parent): -+ super(AuditEventFindCLI, self).__init__( -+ 'event-find', 'Find audit event configurations') -+ -+ self.parent = parent -+ -+ 
def print_help(self): -+ print('Usage: pki-server %s-audit-event-find [OPTIONS]' % self.parent.parent.name) -+ print() -+ print(' -i, --instance Instance ID (default: pki-tomcat).') -+ print(' --enabled Show enabled/disabled events only.') -+ print(' -v, --verbose Run in verbose mode.') -+ print(' --help Show help message.') -+ print() -+ -+ def execute(self, argv): -+ -+ try: -+ opts, _ = getopt.gnu_getopt(argv, 'i:v', [ -+ 'instance=', -+ 'enabled=', -+ 'verbose', 'help']) -+ -+ except getopt.GetoptError as e: -+ print('ERROR: ' + str(e)) -+ self.print_help() -+ sys.exit(1) -+ -+ instance_name = 'pki-tomcat' -+ enabled = None -+ -+ for o, a in opts: -+ if o in ('-i', '--instance'): -+ instance_name = a -+ -+ elif o == '--enabled': -+ enabled = a == 'True' -+ -+ elif o in ('-v', '--verbose'): -+ self.set_verbose(True) -+ -+ elif o == '--help': -+ self.print_help() -+ sys.exit() -+ -+ else: -+ print('ERROR: unknown option ' + o) -+ self.print_help() -+ sys.exit(1) -+ -+ instance = pki.server.PKIInstance(instance_name) -+ if not instance.is_valid(): -+ print('ERROR: Invalid instance %s.' % instance_name) -+ sys.exit(1) -+ -+ instance.load() -+ -+ subsystem_name = self.parent.parent.name -+ subsystem = instance.get_subsystem(subsystem_name) -+ if not subsystem: -+ print('ERROR: No %s subsystem in instance %s.' 
-+ % (subsystem_name.upper(), instance_name)) -+ sys.exit(1) -+ -+ events = subsystem.find_audit_events(enabled) -+ -+ self.print_message('%s entries matched' % len(events)) -+ -+ first = True -+ for event in events: -+ if first: -+ first = False -+ else: -+ print() -+ -+ print(' Event Name: %s' % event.get('name')) -+ print(' Enabled: %s' % event.get('enabled')) -+ print(' Filter: %s' % event.get('filter')) -+ -+ - class AuditFileFindCLI(pki.cli.CLI): - - def __init__(self, parent): --- -1.8.3.1 - - -From 2942a723169fbd2d46605dc847ca702accf0c79e Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Wed, 20 Dec 2017 14:08:58 -0800 -Subject: [PATCH 07/30] Ticket #2604 adding FIPS support-RFE: shared token - storage and retrieval mechanism - -This patch adds FIPS support to the original ticket 2604. Two changes were -made: -1. in CMCSharedToken tool, "-p" is used to specify the password for token login -and "-s" is used to specify the shared secret (or passphrase) -2. on the server side, in SharedSecret, an existing configuration parameter, cmc.token is utilized for admin to specify -the token where the issuance protection cert's private key resides on. 
- -Change-Id: Ia454598bca7843bfc0a6ad21f57f6a74d05d67fe -(cherry picked from commit fc92dbafb9051ac7d1019924b62e356eb17bd0f1) ---- - .../src/com/netscape/cmstools/CMCSharedToken.java | 19 ++++++++++++---- - .../netscape/cms/authentication/SharedSecret.java | 25 +++++++++++----------- - 2 files changed, 27 insertions(+), 17 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -index d16dd0c..f52199a 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCSharedToken.java -@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException; - import org.mozilla.jss.crypto.PrivateKey; - import org.mozilla.jss.crypto.SymmetricKey; - import org.mozilla.jss.crypto.X509Certificate; -+import org.mozilla.jss.util.Password; - - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; -@@ -77,7 +78,11 @@ public class CMCSharedToken { - option.setArgName("output"); - options.addOption(option); - -- option = new Option("p", true, "passphrase"); -+ option = new Option("p", true, "password"); -+ option.setArgName("password"); -+ options.addOption(option); -+ -+ option = new Option("s", true, "passphrase"); - option.setArgName("passphrase"); - options.addOption(option); - -@@ -104,7 +109,8 @@ public class CMCSharedToken { - System.out.println("Options:"); - System.out.println(" -d Security database location (default: current directory)"); - System.out.println(" -h Security token name (default: internal)"); -- System.out.println(" -p CMC enrollment passphrase (put in \"\" if containing spaces)"); -+ System.out.println(" -p Security token password"); -+ System.out.println(" -s CMC enrollment passphrase (shared secret) (put in \"\" if containing spaces)"); - System.out.println(" Use either -b OR -n below"); - System.out.println(" -b PEM issuance protection certificate"); - 
System.out.println(" -n issuance protection certificate nickname"); -@@ -177,7 +183,7 @@ public class CMCSharedToken { - boolean verbose = cmd.hasOption("v"); - - String databaseDir = cmd.getOptionValue("d", "."); -- String passphrase = cmd.getOptionValue("p"); -+ String passphrase = cmd.getOptionValue("s"); - if (passphrase == null) { - printError("Missing passphrase"); - System.exit(1); -@@ -188,6 +194,7 @@ public class CMCSharedToken { - System.out.println(Arrays.toString(passphrase.getBytes("UTF-8"))); - } - String tokenName = cmd.getOptionValue("h"); -+ String tokenPassword = cmd.getOptionValue("p"); - - String issuanceProtCertFilename = cmd.getOptionValue("b"); - String issuanceProtCertNick = cmd.getOptionValue("n"); -@@ -201,6 +208,10 @@ public class CMCSharedToken { - CryptoToken token = CryptoUtil.getKeyStorageToken(tokenName); - tokenName = token.getName(); - manager.setThreadToken(token); -+ -+ Password password = new Password(tokenPassword.toCharArray()); -+ token.login(password); -+ - X509Certificate issuanceProtCert = null; - if (issuanceProtCertFilename != null) { - if (verbose) System.out.println("Loading issuance protection certificate"); -@@ -295,7 +306,7 @@ public class CMCSharedToken { - - SymmetricKey ver_session = CryptoUtil.unwrap(token, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, wrappingKey, wrapped_session, wrapAlgorithm); - byte[] ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(iv), wrapped_passphrase, -- ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); -+ ver_session, encryptAlgorithm); - - String ver_spassphrase = new String(ver_passphrase, "UTF-8"); - -diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -index ee7a7d7..1a3d877 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java -@@ -21,7 
+21,6 @@ import java.math.BigInteger; - // ldap java sdk - import java.util.Enumeration; - --import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.CryptoToken; - import org.mozilla.jss.crypto.EncryptionAlgorithm; - import org.mozilla.jss.crypto.IVParameterSpec; -@@ -143,8 +142,7 @@ public class SharedSecret extends DirBasedAuthentication - private IConfigStore shrTokLdapConfigStore = null; - - private PrivateKey issuanceProtPrivKey = null; -- protected CryptoManager cm = null; -- protected CryptoToken tmpToken = null; -+ protected CryptoToken token = null; - protected byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; - EncryptionAlgorithm encryptAlgorithm = EncryptionAlgorithm.AES_128_CBC_PAD; - ICertificateRepository certRepository = null; -@@ -193,15 +191,16 @@ public class SharedSecret extends DirBasedAuthentication - } - - try { -- cm = CryptoManager.getInstance(); -+ String tokenName = -+ CMS.getConfigStore().getString("cmc.token", CryptoUtil.INTERNAL_TOKEN_NAME); -+ CMS.debug(method + "getting token :" + tokenName); -+ token = CryptoUtil.getKeyStorageToken(tokenName); - } catch (Exception e) { -- msg = method + e.toString(); -- CMS.debug(msg); -- throw new EBaseException(msg); -+ CMS.debug(method + e); -+ throw new EBaseException(e); - } -- tmpToken = cm.getInternalKeyStorageToken(); -- if (tmpToken == null) { -- msg = method + "tmpToken null"; -+ if (token == null) { -+ msg = method + "token null"; - CMS.debug(msg); - throw new EBaseException(msg); - } -@@ -355,11 +354,11 @@ public class SharedSecret extends DirBasedAuthentication - byte wrapped_passphrase[] = wrapped_dPassphrase.getOctetString(); - CMS.debug(method + "wrapped passphrase retrieved"); - -- SymmetricKey ver_session = CryptoUtil.unwrap(tmpToken, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, -+ SymmetricKey ver_session = CryptoUtil.unwrap(token, SymmetricKey.AES, 128, SymmetricKey.Usage.UNWRAP, - issuanceProtPrivKey, 
wrapped_session, wrapAlgorithm); -- ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(tmpToken, new IVParameterSpec(iv), -+ ver_passphrase = CryptoUtil.decryptUsingSymmetricKey(token, new IVParameterSpec(iv), - wrapped_passphrase, -- ver_session, EncryptionAlgorithm.AES_128_CBC_PAD); -+ ver_session, encryptAlgorithm); - - char[] ver_spassphraseChars = CryptoUtil.bytesToChars(ver_passphrase); - return ver_spassphraseChars; --- -1.8.3.1 - - -From 3320b3942eb27e96169bee1289af648262258ec9 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 9 Jan 2018 21:41:13 -0600 -Subject: [PATCH 08/30] Merged CMC_USER_SIGNED_REQUEST_SIG_VERIFY events. - -The CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS and -CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE events have -been merged into CMC_USER_SIGNED_REQUEST_SIG_VERIFY event, -and encapsulated using CMCUserSignedRequestSigVerifyEvent -class. - -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: I85ec9c871526da9ca8711ebcd6c9281086e2199f -(cherry picked from commit b142b035b86d7c47818c21def377ff6d6ba903c8) -(cherry picked from commit 21c56574c2aaf9e96f50a0807bc81bc0c285b238) ---- - base/ca/shared/conf/CS.cfg | 4 +- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- - .../event/CMCUserSignedRequestSigVerifyEvent.java | 74 ++++++++++++++++++++++ - .../cms/authentication/CMCUserSignedAuth.java | 50 ++++++--------- - base/server/cmsbundle/src/LogMessages.properties | 4 +- - 5 files changed, 97 insertions(+), 39 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index aa9bf5a..908407b 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: 
--log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION 
-+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION - log.instance.SignedAudit._006=## - 
log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION -+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index f4b813c..8aebd0f 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -82,10 +82,6 @@ public class AuditEvent extends LogEvent { - "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3"; - public final static String CRL_VALIDATION = - "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2"; -- public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = -- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS_5"; -- public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = -- "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6"; - - public final static String COMPUTE_RANDOM_DATA_REQUEST = - "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2"; -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java -new file mode 100644 -index 0000000..76b4a9a ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/CMCUserSignedRequestSigVerifyEvent.java -@@ -0,0 +1,74 @@ -+// --- BEGIN COPYRIGHT BLOCK --- 
-+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.SignedAuditEvent; -+ -+public class CMCUserSignedRequestSigVerifyEvent extends SignedAuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS"; -+ -+ public final static String CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE = -+ "LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE"; -+ -+ public CMCUserSignedRequestSigVerifyEvent(String messageID) { -+ super(messageID); -+ } -+ -+ public static CMCUserSignedRequestSigVerifyEvent createSuccessEvent( -+ String subjectID, -+ String reqType, -+ String certSubject, -+ String signerInfo) { -+ -+ CMCUserSignedRequestSigVerifyEvent event = new CMCUserSignedRequestSigVerifyEvent( -+ CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS); -+ -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.SUCCESS); -+ event.setAttribute("ReqType", reqType); -+ event.setAttribute("CertSubject", certSubject); -+ event.setAttribute("SignerInfo", 
signerInfo); -+ -+ return event; -+ } -+ -+ public static CMCUserSignedRequestSigVerifyEvent createFailureEvent( -+ String subjectID, -+ String reqType, -+ String certSubject, -+ String cmcSignerInfo, -+ String info) { -+ -+ CMCUserSignedRequestSigVerifyEvent event = new CMCUserSignedRequestSigVerifyEvent( -+ CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE); -+ -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.FAILURE); -+ event.setAttribute("ReqType", reqType); -+ event.setAttribute("CertSubject", certSubject); -+ event.setAttribute("CMCSignerInfo", cmcSignerInfo); -+ event.setAttribute("info", info); -+ -+ return event; -+ } -+} -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index dd73055..9dbf787 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -82,8 +82,8 @@ import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.IConfigStore; - import com.netscape.certsrv.base.IExtendedPluginInfo; - import com.netscape.certsrv.base.SessionContext; --import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; - import com.netscape.certsrv.profile.EProfileException; - import com.netscape.certsrv.profile.IProfile; - import com.netscape.certsrv.profile.IProfileAuthenticator; -@@ -260,7 +260,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - String msg = ""; - CMS.debug(method + "begins"); - -- String auditMessage = null; - String auditSubjectID = getAuditSubjectID(); - String auditReqType = ILogger.UNIDENTIFIED; - String requestCertSubject = ILogger.UNIDENTIFIED; -@@ -725,22 +724,20 @@ public class CMCUserSignedAuth implements 
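Review bot: The failure factory names the signer attribute `CMCSignerInfo` while the success factory names it `SignerInfo`, and `info` is the only lower-case key, which makes the two outcomes of one audit event awkward to correlate in a SIEM; the caller visible later in this patch passes the same `getAuditSignerInfo(auditContext)` value to both factories. Unless existing consumers already key on `CMCSignerInfo`, align the key: `event.setAttribute("SignerInfo", cmcSignerInfo);`. The class also has no Javadoc; a header stating that `info` carries the verification exception's text, inserted verbatim into the signed audit record, would help operators reading the log.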
IAuthManager, IExtendedPluginInfo, - } - - // For accuracy, make sure revocation by shared secret doesn't -- // log CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS -+ // log successful CMC_USER_SIGNED_REQUEST_SIG_VERIFY audit event - if (authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT) != null || - authToken.get(IAuthManager.CRED_CMC_SELF_SIGNED) != null) { -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS, -+ -+ signedAuditLogger.log( -+ CMCUserSignedRequestSigVerifyEvent.createSuccessEvent( - getAuditSubjectID(), -- ILogger.SUCCESS, - auditReqType, - getRequestCertSubject(auditContext), -- getAuditSignerInfo(auditContext)); -+ getAuditSignerInfo(auditContext))); - -- signedAuditLogger.log(auditMessage); - } else { - CMS.debug(method -- + "audit event CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS not logged due to unsigned data for revocation with shared secret."); -+ + "successful CMC_USER_SIGNED_REQUEST_SIG_VERIFY audit event not logged due to unsigned data for revocation with shared secret."); - } - - CMS.debug(method + "ends successfully; returning authToken"); -@@ -752,49 +749,40 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - throw eAudit1; - } catch (EInvalidCredentials eAudit2) { - CMS.debug(method + eAudit2); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -+ -+ signedAuditLogger.log( -+ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( - getAuditSubjectID(), -- ILogger.FAILURE, - auditReqType, - getRequestCertSubject(auditContext), - getAuditSignerInfo(auditContext), -- eAudit2.toString()); -- -- signedAuditLogger.log(auditMessage); -+ eAudit2.toString())); - - // rethrow the specific exception to be handled later - throw eAudit2; - } catch (EBaseException eAudit3) { - CMS.debug(method + eAudit3); -- // store a message in the signed 
audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -+ -+ signedAuditLogger.log( -+ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( - getAuditSubjectID(), -- ILogger.FAILURE, - auditReqType, - getRequestCertSubject(auditContext), - getAuditSignerInfo(auditContext), -- eAudit3.toString()); -- -- signedAuditLogger.log(auditMessage); -+ eAudit3.toString())); - - // rethrow the specific exception to be handled later - throw eAudit3; - } catch (Exception eAudit4) { - CMS.debug(method + eAudit4); -- // store a message in the signed audit log file -- auditMessage = CMS.getLogMessage( -- AuditEvent.CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE, -+ -+ signedAuditLogger.log( -+ CMCUserSignedRequestSigVerifyEvent.createFailureEvent( - getAuditSubjectID(), -- ILogger.FAILURE, - auditReqType, - getRequestCertSubject(auditContext), - getAuditSignerInfo(auditContext), -- eAudit4.toString()); -- -- signedAuditLogger.log(auditMessage); -+ eAudit4.toString())); - - // rethrow the exception to be handled later - throw new EBaseException(eAudit4); -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index ceb57ca..4ec6c39 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2235,8 +2235,8 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] User signed CMC request signature verification success --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE_6=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][CMCSignerInfo={4}][info={5}] User signed CMC request signature verification failure 
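Review bot: The three catch blocks build the identical failure event and differ only in the exception variable, so a private helper such as `auditSigVerifyFailure(auditReqType, auditContext, e)` wrapping the `signedAuditLogger.log(CMCUserSignedRequestSigVerifyEvent.createFailureEvent(...))` call would remove the triplication and keep the argument order in one place. The `info` attribute receives `eAudit.toString()` unchanged; if that message can embed request-supplied strings (a subject name from the CMC request, for instance), confirm that the signed-audit logger neutralizes line breaks, otherwise a crafted value could forge an extra audit line. The enclosing method's header and its successful return path lie outside this hunk.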
-+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification success -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification failure - - # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST - # - used for TPS to TKS to get random challenge data --- -1.8.3.1 - - -From 57f7313a7def443fc68f952e065c69d0b47a239c Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Thu, 11 Jan 2018 15:16:02 -0500 -Subject: [PATCH 09/30] Modify get_cert to get rid of spurious certutil error - messages - -Also shortened some lines to comply with PEP8 -rhbz# 1520277 - -Change-Id: I71d5ecb24c979c1be642a0c3529aebfae6e98aa7 -(cherry picked from commit 2e5f4408a09819242de0b1b0eb023e5ddf074acd) ---- - base/common/python/pki/nssdb.py | 99 +++++++++++++++++++++++++---------------- - 1 file changed, 61 insertions(+), 38 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index bd270ab..8edfca2 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -72,19 +72,23 @@ def convert_data(data, input_format, output_format, header=None, footer=None): - - return ''.join(lines) - -- raise Exception('Unable to convert data from %s to %s' % (input_format, output_format)) -+ raise Exception('Unable to convert data from {} to {}'.format( -+ input_format, output_format)) - - - def convert_csr(csr_data, input_format, output_format): -- return convert_data(csr_data, input_format, output_format, CSR_HEADER, CSR_FOOTER) -+ return convert_data(csr_data, input_format, output_format, -+ CSR_HEADER, CSR_FOOTER) - - - def convert_cert(cert_data, input_format, output_format): -- return convert_data(cert_data, input_format, output_format, CERT_HEADER, CERT_FOOTER) -+ return convert_data(cert_data, input_format, output_format, -+ CERT_HEADER, 
CERT_FOOTER) - - - def convert_pkcs7(pkcs7_data, input_format, output_format): -- return convert_data(pkcs7_data, input_format, output_format, PKCS7_HEADER, PKCS7_FOOTER) -+ return convert_data(pkcs7_data, input_format, output_format, -+ PKCS7_HEADER, PKCS7_FOOTER) - - - def get_file_type(filename): -@@ -105,11 +109,13 @@ def get_file_type(filename): - - class NSSDatabase(object): - -- def __init__(self, directory=None, token=None, password=None, password_file=None, -- internal_password=None, internal_password_file=None): -+ def __init__(self, directory=None, token=None, password=None, -+ password_file=None, internal_password=None, -+ internal_password_file=None): - - if not directory: -- directory = os.path.join(os.path.expanduser("~"), '.dogtag', 'nssdb') -+ directory = os.path.join( -+ os.path.expanduser("~"), '.dogtag', 'nssdb') - - self.directory = directory - -@@ -133,7 +139,8 @@ class NSSDatabase(object): - - if internal_password: - # Store the specified internal token into password file. 
-- self.internal_password_file = os.path.join(self.tmpdir, 'internal_password.txt') -+ self.internal_password_file = os.path.join( -+ self.tmpdir, 'internal_password.txt') - with open(self.internal_password_file, 'w') as f: - f.write(internal_password) - -@@ -281,7 +288,8 @@ class NSSDatabase(object): - - keystroke += '\n' - -- # Enter the path length constraint, enter to skip [<0 for unlimited path]: -+ # Enter the path length constraint, -+ # enter to skip [<0 for unlimited path]: - if basic_constraints_ext['path_length'] is not None: - keystroke += basic_constraints_ext['path_length'] - -@@ -316,7 +324,8 @@ class NSSDatabase(object): - with open(data_file, 'w') as f: - f.write(generic_ext['data']) - -- critical = 'critical' if generic_ext['critical'] else 'not-critical' -+ critical = ('critical' if generic_ext['critical'] -+ else 'not-critical') - - ext = generic_ext['oid'] - ext += ':' + critical -@@ -328,7 +337,9 @@ class NSSDatabase(object): - cmd.append(','.join(exts)) - - # generate binary request -- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, -+ p = subprocess.Popen(cmd, -+ stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, - stderr=subprocess.STDOUT) - - p.communicate(keystroke) -@@ -336,7 +347,8 @@ class NSSDatabase(object): - rc = p.wait() - - if rc: -- raise Exception('Failed to generate certificate request. RC: %d' % rc) -+ raise Exception( -+ 'Failed to generate certificate request. 
RC: %d' % rc) - - # encode binary request in base-64 - b64_request_file = os.path.join(tmpdir, 'request.b64') -@@ -358,8 +370,8 @@ class NSSDatabase(object): - - def create_cert(self, request_file, cert_file, serial, issuer=None, - key_usage_ext=None, basic_constraints_ext=None, -- aki_ext=None, ski_ext=None, aia_ext=None, ext_key_usage_ext=None, -- validity=None): -+ aki_ext=None, ski_ext=None, aia_ext=None, -+ ext_key_usage_ext=None, validity=None): - cmd = [ - 'certutil', - '-C', -@@ -448,7 +460,8 @@ class NSSDatabase(object): - - keystroke += '\n' - -- # Enter the path length constraint, enter to skip [<0 for unlimited path]: -+ # Enter the path length constraint, -+ # enter to skip [<0 for unlimited path]: - if basic_constraints_ext['path_length']: - keystroke += basic_constraints_ext['path_length'] - -@@ -482,7 +495,7 @@ class NSSDatabase(object): - # To ensure whether this is the first AIA being added - firstentry = True - -- # Enter access method type for Authority Information Access extension: -+ # Enter access method type for AIA extension: - for s in aia_ext: - if not firstentry: - keystroke += 'y\n' -@@ -507,7 +520,8 @@ class NSSDatabase(object): - # One entry is done. - firstentry = False - -- # Add another location to the Authority Information Access extension [y/N] -+ # Add another location to the Authority Information -+ # Access extension [y/N] - keystroke += '\n' - - # Is this a critical extension [y/N]? -@@ -516,7 +530,9 @@ class NSSDatabase(object): - - keystroke += '\n' - -- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, -+ p = subprocess.Popen(cmd, -+ stdin=subprocess.PIPE, -+ stdout=subprocess.PIPE, - stderr=subprocess.STDOUT) - - p.communicate(keystroke) -@@ -575,7 +591,8 @@ class NSSDatabase(object): - aia_ext=aia_ext) - - if rc: -- raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc) -+ raise Exception( -+ 'Failed to generate self-signed CA certificate. 
RC: %d' % rc) - - def show_certs(self): - -@@ -616,20 +633,22 @@ class NSSDatabase(object): - output_format_option - ]) - -- try: -- cert_data = subprocess.check_output(cmd) -+ pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE, -+ stderr=subprocess.PIPE) -+ cert_data, std_err = pipes.communicate() -+ -+ if pipes.returncode != 0: -+ # certutil returned an error -+ # raise exception unless its not cert not found -+ if std_err.startswith('certutil: Could not find cert: '): -+ return None - -- if output_format == 'base64': -- cert_data = base64.b64encode(cert_data) -+ raise Exception(std_err.strip()) - -- return cert_data -+ if output_format == 'base64': -+ cert_data = base64.b64encode(cert_data) - -- except subprocess.CalledProcessError: -- # All certutil errors return the same code (i.e. 255). -- # For now assume it was caused by missing certificate. -- # TODO: Check error message. If it's caused by other -- # issue, throw exception. -- return None -+ return cert_data - - def get_cert_info(self, nickname): - -@@ -641,23 +660,27 @@ class NSSDatabase(object): - '-n', nickname - ] - -- cert_details = subprocess.check_output(cmd_extract_serial, stderr=subprocess.STDOUT) -+ cert_details = subprocess.check_output( -+ cmd_extract_serial, stderr=subprocess.STDOUT) - cert_pem = subprocess.check_output( - cmd_extract_serial + ['-a'], stderr=subprocess.STDOUT) - -- cert_obj = x509.load_pem_x509_certificate(cert_pem, backend=default_backend()) -+ cert_obj = x509.load_pem_x509_certificate( -+ cert_pem, backend=default_backend()) - - cert["serial_number"] = cert_obj.serial_number - -- cert["issuer"] = re.search(r'Issuer:(.*)', cert_details).group(1).strip()\ -- .replace('"', '') -- cert["subject"] = re.search(r'Subject:(.*)', cert_details).group(1).strip()\ -- .replace('"', '') -+ cert["issuer"] = re.search( -+ r'Issuer:(.*)', cert_details).group(1).strip().replace('"', '') -+ cert["subject"] = re.search( -+ r'Subject:(.*)', cert_details).group(1).strip().replace('"', '') - -- 
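Review bot: `std_err.startswith('certutil: Could not find cert: ')` compares bytes with str if this module runs under Python 3, because `communicate()` returns bytes without `universal_newlines`; the resulting TypeError replaces the intended `return None` for a missing certificate, and `Exception(std_err.strip())` would carry a bytes repr. Since `cert_data` may be binary DER, decode only stderr before the check: `std_err = std_err.decode('utf-8', 'replace')`. Matching certutil's message text is a fragile contract, so a comment naming the exact string and the certutil version it was taken from would help the next maintainer. The enclosing method's signature is above this hunk.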
str_not_before = re.search(r'Not Before.?:(.*)', cert_details).group(1).strip() -+ str_not_before = re.search( -+ r'Not Before.?:(.*)', cert_details).group(1).strip() - cert["not_before"] = self.convert_time_to_millis(str_not_before) - -- str_not_after = re.search(r'Not After.?:(.*)', cert_details).group(1).strip() -+ str_not_after = re.search( -+ r'Not After.?:(.*)', cert_details).group(1).strip() - cert["not_after"] = self.convert_time_to_millis(str_not_after) - - return cert --- -1.8.3.1 - - -From 21b7b2ed80c5916492c89b61a758f0c337a3db4d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 11 Jan 2018 02:01:37 +0100 -Subject: [PATCH 10/30] Fixed pki-server cert-find to work with HSM. - -Previously the pki-server cert-find command would prompt for -token password if used with HSM. It has been fixed with the -following changes: - -The PKISubsystem.create_subsystem_cert_object() was modified to -get the certificate info from the proper token. - -The NSSDatabase.get_cert_info() was modified to specify the token -name in the certutil command if provided. 
- -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: If8862abe4c3057f3094c414134b9719088796963 -(cherry picked from commit e715c8a9445de93bc131ab0332d0fc64e44cca12) -(cherry picked from commit ebf46355270cb1f5a64a70336f991cda310067eb) ---- - base/common/python/pki/nssdb.py | 24 +++++++++++++++++------- - base/server/python/pki/server/__init__.py | 6 +++--- - 2 files changed, 20 insertions(+), 10 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 8edfca2..cc9194e 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -382,7 +382,7 @@ class NSSDatabase(object): - if issuer: - cmd.extend(['-c', issuer]) - else: -- cmd.extend('-x') -+ cmd.extend(['-x']) - - if self.token: - cmd.extend(['-h', self.token]) -@@ -392,7 +392,7 @@ class NSSDatabase(object): - '-a', - '-i', request_file, - '-o', cert_file, -- '-m', serial -+ '-m', str(serial) - ]) - - if validity: -@@ -653,17 +653,27 @@ class NSSDatabase(object): - def get_cert_info(self, nickname): - - cert = dict() -- cmd_extract_serial = [ -+ cmd = [ - 'certutil', - '-L', -- '-d', self.directory, -- '-n', nickname -+ '-d', self.directory - ] - -+ fullname = nickname -+ -+ if self.token: -+ cmd.extend(['-h', self.token]) -+ fullname = self.token + ':' + fullname -+ -+ cmd.extend([ -+ '-f', self.password_file, -+ '-n', fullname -+ ]) -+ - cert_details = subprocess.check_output( -- cmd_extract_serial, stderr=subprocess.STDOUT) -+ cmd, stderr=subprocess.STDOUT) - cert_pem = subprocess.check_output( -- cmd_extract_serial + ['-a'], stderr=subprocess.STDOUT) -+ cmd + ['-a'], stderr=subprocess.STDOUT) - - cert_obj = x509.load_pem_x509_certificate( - cert_pem, backend=default_backend()) -diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py -index bb01dcf..65aee2f 100644 ---- a/base/server/python/pki/server/__init__.py -+++ b/base/server/python/pki/server/__init__.py -@@ -161,12 +161,12 @@ class 
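Review bot: get_cert_info now passes `'-f', self.password_file` unconditionally, but the constructor earlier in this file accepts `password=None, password_file=None`, so a database opened without a password would put `None` into the argv list and `check_output` would fail with a TypeError instead of a certutil error. Guard it the way `-h` is guarded: `if self.password_file: cmd.extend(['-f', self.password_file])`. The `if self.token:` test also treats any non-empty token name as an HSM; if callers can hand in the internal token's display name, confirm certutil accepts `-h` plus a `token:nickname` prefix for it, or normalize that name to `None` before it reaches here.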
PKISubsystem(object): - def create_subsystem_cert_object(self, cert_id): - - nickname = self.config.get('%s.%s.nickname' % (self.name, cert_id)) -+ token = self.config.get('%s.%s.tokenname' % (self.name, cert_id)) - - cert = {} - cert['id'] = cert_id - cert['nickname'] = nickname -- cert['token'] = self.config.get( -- '%s.%s.tokenname' % (self.name, cert_id), None) -+ cert['token'] = token - cert['data'] = self.config.get( - '%s.%s.cert' % (self.name, cert_id), None) - cert['request'] = self.config.get( -@@ -177,7 +177,7 @@ class PKISubsystem(object): - if not nickname: - return cert - -- nssdb = self.instance.open_nssdb() -+ nssdb = self.instance.open_nssdb(token) - try: - cert_info = nssdb.get_cert_info(nickname) - cert.update(cert_info) --- -1.8.3.1 - - -From 6a074d7519a475bc5245ff5a9759cbcbcfa7973c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 15 Jan 2018 16:57:13 +0100 -Subject: [PATCH 11/30] Fixed pki-server subsystem-cert-verify to work with - HSM. - -The pki-server subsystem-cert-verify has been modified to use the -proper token name to call pki client-cert-verify. 
- -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: Ifc496beb0f81c1c6310b183175037243b71a1926 -(cherry picked from commit f65ea152af4492de845295fb12180de3aac3c2f1) -(cherry picked from commit f59768f3cdc920a27f1ca90184083142fec98f63) ---- - base/server/python/pki/server/cli/subsystem.py | 29 ++++++++++++++++++-------- - 1 file changed, 20 insertions(+), 9 deletions(-) - -diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py -index ca5652d..0abf90a 100644 ---- a/base/server/python/pki/server/cli/subsystem.py -+++ b/base/server/python/pki/server/cli/subsystem.py -@@ -1000,23 +1000,34 @@ class SubsystemCertValidateCLI(pki.cli.CLI): - token = cert.get('token', '') - print(' Token: %s' % token) - -- # get internal token password and store in temporary file -- passwd = instance.get_token_password() -+ # get token password and store in temporary file -+ passwd = instance.get_token_password(token) - - pwfile_handle, pwfile_path = tempfile.mkstemp() - os.write(pwfile_handle, passwd) - os.close(pwfile_handle) - - try: -- cmd = ['pki', -- '-d', instance.nssdb_dir, -- '-C', pwfile_path, -- 'client-cert-validate', -- nickname, -- '--certusage', usage] -+ cmd = [ -+ 'pki', -+ '-d', instance.nssdb_dir -+ ] -+ -+ fullname = nickname -+ -+ if token: -+ cmd.extend(['--token', token]) -+ fullname = token + ':' + fullname -+ -+ cmd.extend([ -+ '-C', pwfile_path, -+ 'client-cert-validate', -+ fullname, -+ '--certusage', usage -+ ]) - - if self.verbose: -- print('Command: %s' % cmd) -+ print('Command: %s' % ' '.join(cmd)) - - subprocess.check_output(cmd, stderr=subprocess.STDOUT) - print(' Status: VALID') --- -1.8.3.1 - - -From 311a196d934c5748a61e0094f37dc24e5a120c09 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 15 Jan 2018 16:57:13 +0100 -Subject: [PATCH 12/30] Fixed nssdb.add_cert() for HSM. - -The nssdb.add_cert() has been modified to import certificates -properly. 
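Review bot: The token password is written to a `tempfile.mkstemp()` file that is afterwards referenced only by path; the `try:` opened here is closed outside the hunk, so confirm its `finally` unlinks `pwfile_path`, otherwise an HSM or internal-token password is left in the temp directory on every validate run. `mkstemp` creates the file mode 0600, so exposure is limited to the invoking user, but it still deserves `finally: os.remove(pwfile_path)`. `os.write(pwfile_handle, passwd)` also requires bytes on Python 3; if `get_token_password` returns str there, encode it first. The verbose `' '.join(cmd)` echo prints only the file path, not the password, which is the right choice.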
If HSM is used, the certificate will be imported into -HSM without trust attributes. If trust attributes are specified, -the certificate will be imported into internal token as well with -the trust attributes. If no HSM is used, the certificate will be -imported into the internal token with the trust attributes if -available. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I4027b3064694ecf41bc616cf1b67581e4d103531 -(cherry picked from commit c8f9058432776500dcfe5b2c40e205018919896b) -(cherry picked from commit 3e10aa429cde0ad22f43b1217609230fca3a2517) ---- - base/common/python/pki/nssdb.py | 27 +++++++++++++++------------ - 1 file changed, 15 insertions(+), 12 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index cc9194e..11758f1 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -159,13 +159,14 @@ class NSSDatabase(object): - - # Add cert in two steps due to bug #1393668. - -- # First, import cert into HSM without trust attributes. -+ # If HSM is used, import cert into HSM without trust attributes. - if self.token: - cmd = [ - 'certutil', - '-A', - '-d', self.directory, - '-h', self.token, -+ '-P', self.token, - '-f', self.password_file, - '-n', nickname, - '-i', cert_file, -@@ -175,18 +176,20 @@ class NSSDatabase(object): - # Ignore return code due to bug #1393668. - subprocess.call(cmd) - -- # Then, import cert into internal token with trust attributes. -- cmd = [ -- 'certutil', -- '-A', -- '-d', self.directory, -- '-f', self.internal_password_file, -- '-n', nickname, -- '-i', cert_file, -- '-t', trust_attributes -- ] -+ # If HSM is not used, or cert has trust attributes, -+ # import cert into internal token. 
-+ if not self.token or trust_attributes != ',,': -+ cmd = [ -+ 'certutil', -+ '-A', -+ '-d', self.directory, -+ '-f', self.internal_password_file, -+ '-n', nickname, -+ '-i', cert_file, -+ '-t', trust_attributes -+ ] - -- subprocess.check_call(cmd) -+ subprocess.check_call(cmd) - - def modify_cert(self, nickname, trust_attributes): - cmd = [ --- -1.8.3.1 - - -From 1fafa7125d93eeedf627c63539fe00aad7b1e15f Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 16 Jan 2018 15:10:15 -0500 -Subject: [PATCH 13/30] Make sure tomcat is running as pki user with nuxwdog - -The nuxwdog process needs to run as a privileged user to be able -to retrieve the passwords from the systemd tty agent in systemctl. -Therefore, the nuxwdog unit file should NOT specify the PKI user -there. - -However, we have added an option to nuxwdog to specify the user -in the nuxwdog config file, so that the process that nuxwdog spawns -(ie. tomcat) will run as the specified user. - -The code changes in this patch ensure that when the nuxwdog conf -file is created, the user is set correctly as the value of the -variable TOMCAT_USER. 
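Review bot: The HSM import path still discards certutil's exit status with `subprocess.call(cmd)`, so a wrong token password or an unreachable HSM leaves `add_cert` succeeding silently, with the certificate present at most in the internal token when the trust-attributes branch runs. Rather than ignoring every failure for bug #1393668, capture stderr and ignore only the known benign message, raising on anything else, or at minimum log the return code. The added `-P self.token` is certutil's database-file prefix option rather than a token selector; if it is part of the same workaround, a comment saying so would stop the next reader from removing it. `trust_attributes` is compared to `',,'` and then passed to `-t`, so a `None` default from the caller would crash in `check_call`; confirm the signature above the hunk always supplies a string.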
- -Change-Id: I0b4f8caedb048aaedf6a8a8f72b24fab39ad7bbf -(cherry picked from commit 96e99209b278b5ba380a61486a5b6ce6a87326a0) ---- - base/server/sbin/pki-server-nuxwdog | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/base/server/sbin/pki-server-nuxwdog b/base/server/sbin/pki-server-nuxwdog -index cb89938..ffdbc33 100755 ---- a/base/server/sbin/pki-server-nuxwdog -+++ b/base/server/sbin/pki-server-nuxwdog -@@ -39,7 +39,7 @@ set_javacmd - # create the nuxwdog config file - nux_fname="${CATALINA_BASE}/conf/nuxwdog.conf" - touch ${nux_fname} --chown pkiuser: ${nux_fname} -+chown ${TOMCAT_USER}: ${nux_fname} - - echo "ExeFile ${JAVA_HOME}/bin/java" > $nux_fname - echo "ExeArgs ${JAVA_HOME}/bin/java ${JAVACMD_OPTS} ${FLAGS} -classpath ${CLASSPATH} ${OPTIONS} ${MAIN_CLASS} start" >> $nux_fname -@@ -50,4 +50,5 @@ echo "ExeErr ${CATALINA_BASE}/logs/catalina.out" >> $nux_fname - echo "ExeBackground 1" >> $nux_fname - echo "PidFile $NUXWDOG_PID" >> $nux_fname - echo "ChildPidFile $CATALINA_PID" >> $nux_fname -+echo "User ${TOMCAT_USER}" >> $nux_fname - --- -1.8.3.1 - - -From 2ac0712fb41c49db35e2482039330d20d5bb8366 Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Wed, 17 Jan 2018 18:31:19 -0500 -Subject: [PATCH 14/30] Allow instances to be created with custom users - -Some folks want to run instances under a different user and -group (ie. not pkiuser). They may even want a different user for -each instance. The way to do this in systemd is to create systemd -override files for the specific instance. - -The deployment scriptlets have been updated to create (and delete) -these override files. 
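Review bot: `chown ${TOMCAT_USER}: ${nux_fname}` and `echo "User ${TOMCAT_USER}"` both assume `TOMCAT_USER` is set; if it is empty the chown fails and nuxwdog.conf gets a bare `User ` line, and since the commit message says nuxwdog itself runs privileged, the spawned tomcat could inherit that privilege. Fail early with `: "${TOMCAT_USER:?TOMCAT_USER must be set}"` before the file is touched. Separately, a config consumed by the privileged nuxwdog (`ExeFile`, `ExeArgs`, `User`) is handed to the unprivileged service user as owner, so with a normal umask that user can rewrite the command a privileged process will run on the next restart; consider root ownership with `chmod 0640 ${nux_fname}` and group read if the child never needs to write it.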
- -Change-Id: Icb0b6d15c6c8542dbbd565987d5fb3f1bddf6037 -(cherry picked from commit afe0a2525cace41a1bef2ff7fe0f8f53aa5990e5) ---- - .../python/pki/server/deployment/pkihelper.py | 55 ++++++++++++++++++++++ - .../deployment/scriptlets/instance_layout.py | 18 +++++++ - 2 files changed, 73 insertions(+) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 26aca14..96ae092 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -21,6 +21,12 @@ - # System Imports - from __future__ import absolute_import - from __future__ import print_function -+ -+try: -+ import configparser -+except ImportError: -+ import ConfigParser as configparser -+ - import errno - import sys - import os -@@ -3486,26 +3492,75 @@ class Systemd(object): - deployer (dictionary): PKI Deployment name/value parameters - """ - self.mdict = deployer.mdict -+ self.deployer = deployer - instance_name = deployer.mdict['pki_instance_name'] - - unit_file = 'pki-tomcatd@%s.service' % instance_name - systemd_link = os.path.join( - '/etc/systemd/system/pki-tomcatd.target.wants', - unit_file) -+ override_dir = '/etc/systemd/system/pki-tomcatd@{}.service.d'.format( -+ instance_name) -+ self.base_override_dir = override_dir - - nuxwdog_unit_file = 'pki-tomcatd-nuxwdog@%s.service' % instance_name - nuxwdog_systemd_link = os.path.join( - '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants', - nuxwdog_unit_file) -+ nuxwdog_override_dir = ( -+ '/etc/systemd/system/pki-tomcatd-nuxwdog@{}.service.d'.format( -+ instance_name)) -+ self.nuxwdog_override_dir = nuxwdog_override_dir -+ -+ # self.overrides will be a hash of ConfigParsers indexed by filename -+ # once the overrides have been constructed, the caller should call -+ # write_overrides() -+ self.overrides = {} - - if os.path.exists(nuxwdog_systemd_link): - self.is_nuxwdog_enabled = True - self.service_name = 
nuxwdog_unit_file - self.systemd_link = nuxwdog_systemd_link -+ self.override_dir = nuxwdog_override_dir - else: - self.is_nuxwdog_enabled = False - self.service_name = unit_file - self.systemd_link = systemd_link -+ self.override_dir = override_dir -+ -+ def create_override_directory(self): -+ self.deployer.directory.create(self.override_dir, uid=0, gid=0) -+ -+ def create_override_file(self, fname): -+ self.create_override_directory() -+ self.deployer.file.create( -+ os.path.join(self.override_dir, fname), -+ uid=0, gid=0 -+ ) -+ -+ def set_override(self, section, param, value, fname='local.conf'): -+ if fname not in self.overrides: -+ parser = configparser.ConfigParser() -+ parser.optionxform = str -+ override_file = os.path.join(self.override_dir, fname) -+ if os.path.exists(override_file): -+ parser.read(override_file) -+ self.overrides[fname] = parser -+ else: -+ parser = self.overrides[fname] -+ -+ if not parser.has_section(section): -+ parser.add_section(section) -+ -+ parser[section][param] = value -+ -+ def write_overrides(self): -+ for fname, parser in self.overrides.items(): -+ override_file = os.path.join(self.override_dir, fname) -+ if not os.path.exists(override_file): -+ self.create_override_file(override_file) -+ with open(override_file, 'w') as fp: -+ parser.write(fp, space_around_delimiters=False) - - def daemon_reload(self, critical_failure=True): - """PKI Deployment execution management lifecycle function. 
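Review bot: `parser[section][param] = value` in `set_override` and `parser.write(fp, space_around_delimiters=False)` in `write_overrides` are Python 3 `configparser` APIs, yet the hunk above adds a `ConfigParser` fallback for Python 2, where those lines raise a TypeError and an unexpected-keyword error respectively. If Python 2 is still a target, use `parser.set(section, param, value)` and plain `parser.write(fp)`; systemd tolerates whitespace around `=`, as far as I know, so the layout difference should be harmless. `write_overrides` also passes the already-joined `override_file` path to `create_override_file`, which joins it with `self.override_dir` again and only works because `os.path.join` drops the first component when the second is absolute; pass the bare name instead: `self.create_override_file(fname)`.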
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -index 15c0441..4eb5496 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py -@@ -145,10 +145,21 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.symlink.create( - deployer.mdict['pki_tomcat_bin_path'], - deployer.mdict['pki_tomcat_bin_link']) -+ -+ # create systemd links - deployer.symlink.create( - deployer.mdict['pki_tomcat_systemd'], - deployer.mdict['pki_instance_systemd_link'], - uid=0, gid=0) -+ user = deployer.mdict['pki_user'] -+ group = deployer.mdict['pki_group'] -+ if user != 'pkiuser' or group != 'pkiuser': -+ deployer.systemd.set_override( -+ 'Service', 'User', user, 'user.conf') -+ deployer.systemd.set_override( -+ 'Service', 'Group', group, 'user.conf') -+ deployer.systemd.write_overrides() -+ deployer.systemd.daemon_reload() - - # establish shared NSS security databases for this instance - deployer.directory.create(deployer.mdict['pki_database_path']) -@@ -179,6 +190,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # remove Tomcat instance systemd service link - deployer.symlink.delete(deployer.systemd.systemd_link) - -+ # delete systemd override directories -+ if deployer.directory.exists(deployer.systemd.base_override_dir): -+ deployer.directory.delete(deployer.systemd.base_override_dir) -+ if deployer.directory.exists(deployer.systemd.nuxwdog_override_dir): -+ deployer.directory.delete(deployer.systemd.nuxwdog_override_dir) -+ deployer.systemd.daemon_reload() -+ - # remove Tomcat instance base - deployer.directory.delete(deployer.mdict['pki_instance_path']) - # remove Tomcat instance logs --- -1.8.3.1 - - -From 623313038b5a90bec95faaf5bcb6afcd2dedfcbb Mon Sep 17 00:00:00 2001 -From: "Endi S. 
Dewata" -Date: Fri, 12 Jan 2018 06:58:04 +0100 -Subject: [PATCH 15/30] Added default CA cert nickname in pki - client-cert-import. - -The pki client-cert-import has been modified to support optional -nickname for CA cert. If not specified, a default nickname will -be generated based on the subject DN. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I285a6f1ceb68d388fdf8bb5638f3767a312854a5 -(cherry picked from commit 1cda0ab32279097b73427bcfb2b4afd37408e0c4) -(cherry picked from commit 67c8376024f2ae141a26efb4f82ca1c873cd4264) ---- - .../cmstools/client/ClientCertImportCLI.java | 41 +++++++++++++++++----- - 1 file changed, 33 insertions(+), 8 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index ddab6ab..c6ad761 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -46,6 +46,7 @@ import com.netscape.certsrv.client.PKIClient; - import com.netscape.certsrv.dbs.certdb.CertId; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmsutil.util.Cert; - - import netscape.security.pkcs.PKCS12; - import netscape.security.pkcs.PKCS7; -@@ -180,10 +181,13 @@ public class ClientCertImportCLI extends CLI { - - if (verbose) System.out.println("Importing CA certificate from " + caCertPath + "."); - -+ // initialize JSS -+ mainCLI.init(); -+ - if (trustAttributes == null) - trustAttributes = "CT,C,C"; - -- importCert( -+ importCACert( - mainCLI.certDatabase, - nssdbPasswordFile, - caCertPath, -@@ -300,13 +304,6 @@ public class ClientCertImportCLI extends CLI { - } else { - throw new Exception("Missing certificate to import"); - } -- -- if (nickname == null) { -- MainCLI.printMessage("Imported certificates from PKCS #12 file"); -- -- } else { -- MainCLI.printMessage("Imported 
certificate \"" + nickname + "\""); -- } - } - - public void setTrustAttributes(X509Certificate cert, String trustAttributes) -@@ -355,6 +352,30 @@ public class ClientCertImportCLI extends CLI { - } catch (Exception e) { - throw new Exception("Unable to import certificate file", e); - } -+ -+ MainCLI.printMessage("Imported certificate \"" + nickname + "\""); -+ } -+ -+ public void importCACert( -+ File dbPath, -+ File dbPasswordFile, -+ String certFile, -+ String nickname, -+ String trustAttributes) throws Exception { -+ -+ if (nickname != null) { -+ importCert(dbPath, dbPasswordFile, certFile, nickname, trustAttributes); -+ return; -+ } -+ -+ String pemCert = new String(Files.readAllBytes(Paths.get(certFile))).trim(); -+ byte[] binCert = Cert.parseCertificate(pemCert); -+ -+ CryptoManager manager = CryptoManager.getInstance(); -+ X509Certificate cert = manager.importCACertPackage(binCert); -+ setTrustAttributes(cert, trustAttributes); -+ -+ MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); - } - - /** -@@ -532,6 +553,8 @@ public class ClientCertImportCLI extends CLI { - "Setting trust attributes to CT,C,C"); - } - setTrustAttributes(root, "CT,C,C"); -+ -+ MainCLI.printMessage("Imported certificate \"" + nickname + "\""); - } - - public void importPKCS12( -@@ -560,5 +583,7 @@ public class ClientCertImportCLI extends CLI { - } catch (Exception e) { - throw new Exception("Unable to import PKCS #12 file", e); - } -+ -+ MainCLI.printMessage("Imported certificates from PKCS #12 file"); - } - } --- -1.8.3.1 - - -From 8fb7b7af8a8c19093c6bb1225f251f5a9aefef3e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 Jan 2018 06:36:58 +0100 -Subject: [PATCH 16/30] Added NSSDatabase.add_ca_cert(). - -A new NSSDatabase.add_ca_cert() method has been added to import -CA cert without nickname using pki client-cert-import. 
- -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I45d83938e92293dd54ec5af6e05c6edb215f80ea -(cherry picked from commit ca5e4fde0eaa1b3d26fa7c2cc4c483016833b4bb) -(cherry picked from commit e71e5957c79e03536f6adeef6e79adc8c728db5b) ---- - base/common/python/pki/nssdb.py | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 11758f1..97746c9 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -191,6 +191,26 @@ class NSSDatabase(object): - - subprocess.check_call(cmd) - -+ def add_ca_cert(self, cert_file, trust_attributes=None): -+ cmd = [ -+ 'pki', -+ '-d', self.directory, -+ '-C', self.password_file -+ ] -+ -+ if self.token: -+ cmd.extend(['--token', self.token]) -+ -+ cmd.extend([ -+ 'client-cert-import', -+ '--ca-cert', cert_file -+ ]) -+ -+ if trust_attributes: -+ cmd.extend(['--trust', trust_attributes]) -+ -+ subprocess.check_call(cmd) -+ - def modify_cert(self, nickname, trust_attributes): - cmd = [ - 'certutil', --- -1.8.3.1 - - -From dbca3d74b6c3b296cca5afd834d7b27a9912187b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 12 Jan 2018 02:50:28 +0100 -Subject: [PATCH 17/30] Refactored ClientCertImportCLI.sort(). - -The ClientCertImportCLI.sort() has been changed to support sorting -in both directions. It also has been renamed to sortCertificateChain(). 
- -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I431b80e65e4a859d8d6deadf43af6af6aeefad4d -(cherry picked from commit ad67ee9989771598c85d8b3aa87523a7ae5e2d38) -(cherry picked from commit 57a0f4294d9d1858e7e59c6e605c85ee31bff2a3) ---- - .../cmstools/client/ClientCertImportCLI.java | 45 ++++++++++++++++------ - 1 file changed, 33 insertions(+), 12 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index c6ad761..46d820a 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -29,11 +29,13 @@ import java.util.ArrayList; - import java.util.Arrays; - import java.util.HashMap; - import java.util.LinkedHashMap; -+import java.util.LinkedList; - import java.util.List; - import java.util.Map; - - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; -+import org.apache.commons.lang.ArrayUtils; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.InternalCertificate; - import org.mozilla.jss.crypto.X509Certificate; -@@ -379,21 +381,22 @@ public class ClientCertImportCLI extends CLI { - } - - /** -- * Sorts certificate chain from leaf to root. -+ * Sorts certificate chain from root to leaf. - * - * This method sorts an array of certificates (e.g. from a PKCS #7 -- * data) that represents a certificate chain from leaf to root -+ * data) that represents a certificate chain from root to leaf - * according to the subject DNs and issuer DNs. - * -- * The array must contain exactly one unbranched certificate chain -- * with one leaf and one root. The subject DNs must be unique. -+ * The input array is a set of certificates that are part of a -+ * chain but not in specific order. - * -- * The result is returned in a new array. The input array is unchanged. 
-+ * The result is a new array that contains the certificate chain -+ * sorted from root to leaf. The input array is unchanged. - * -- * @param certs array of certificates -+ * @param certs input array of certificates - * @return new array containing sorted certificates - */ -- public java.security.cert.X509Certificate[] sort(java.security.cert.X509Certificate[] certs) throws Exception { -+ public java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { - - // lookup map: subject DN -> cert - Map certMap = new LinkedHashMap<>(); -@@ -416,7 +419,7 @@ public class ClientCertImportCLI extends CLI { - - certMap.put(subjectDN, cert); - -- // ignore self-signed certificate when building hierarchy maps -+ // ignore self-signed certificate - if (subjectDN.equals(issuerDN)) continue; - - if (childMap.containsKey(issuerDN)) { -@@ -464,21 +467,39 @@ public class ClientCertImportCLI extends CLI { - throw new Exception("Multiple leaf certificates: " + sb); - } - -- // build cert chain from leaf cert -- List chain = new ArrayList<>(); -+ // build sorted chain -+ LinkedList chain = new LinkedList<>(); -+ -+ // start from leaf - String current = leafCerts.get(0); - - while (current != null) { - - java.security.cert.X509Certificate cert = certMap.get(current); -- chain.add(cert); - -+ // add to the beginning of chain -+ chain.addFirst(cert); -+ -+ // follow parent to root - current = parentMap.get(current); - } - - return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); - } - -+ public java.security.cert.X509Certificate[] sortCertificateChain( -+ java.security.cert.X509Certificate[] certs, -+ boolean reverse) throws Exception { -+ -+ certs = sortCertificateChain(certs); -+ -+ if (reverse) { -+ ArrayUtils.reverse(certs); -+ } -+ -+ return certs; -+ } -+ - public void importPKCS7( - String pkcs7Path, - String nickname, -@@ -499,7 +520,7 @@ public class ClientCertImportCLI extends CLI { - } - - // sort 
certs from leaf to root -- certs = sort(certs); -+ certs = sortCertificateChain(certs, true); - - CryptoManager manager = CryptoManager.getInstance(); - --- -1.8.3.1 - - -From c0c55cadcb45758730393b03a73720f818834bb9 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 Jan 2018 06:15:59 +0100 -Subject: [PATCH 18/30] Moved ClientCertImportCLI.sortCertificateChain(). - -The ClientCertImportCLI.sortCertificateChain() has been moved into -CryptoUtil for reusability. It also has been changed to use SLF4J -logger. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I465c99b9763147357c38ad0526137302acf90a5e -(cherry picked from commit 1622094ac8800bc06e932dea1be77316067f63b3) -(cherry picked from commit ee0918be9bb45611c14b2684954d14459bcb0627) ---- - .../cmstools/client/ClientCertImportCLI.java | 128 +-------------------- - base/util/src/CMakeLists.txt | 1 + - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 128 +++++++++++++++++++++ - 3 files changed, 131 insertions(+), 126 deletions(-) - -diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -index 46d820a..99b215e 100644 ---- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertImportCLI.java -@@ -27,15 +27,10 @@ import java.nio.file.Files; - import java.nio.file.Paths; - import java.util.ArrayList; - import java.util.Arrays; --import java.util.HashMap; --import java.util.LinkedHashMap; --import java.util.LinkedList; - import java.util.List; --import java.util.Map; - - import org.apache.commons.cli.CommandLine; - import org.apache.commons.cli.Option; --import org.apache.commons.lang.ArrayUtils; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.crypto.InternalCertificate; - import org.mozilla.jss.crypto.X509Certificate; -@@ -48,6 +43,7 @@ import com.netscape.certsrv.client.PKIClient; - import 
com.netscape.certsrv.dbs.certdb.CertId; - import com.netscape.cmstools.cli.CLI; - import com.netscape.cmstools.cli.MainCLI; -+import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Cert; - - import netscape.security.pkcs.PKCS12; -@@ -380,126 +376,6 @@ public class ClientCertImportCLI extends CLI { - MainCLI.printMessage("Imported certificate \"" + cert.getNickname() + "\""); - } - -- /** -- * Sorts certificate chain from root to leaf. -- * -- * This method sorts an array of certificates (e.g. from a PKCS #7 -- * data) that represents a certificate chain from root to leaf -- * according to the subject DNs and issuer DNs. -- * -- * The input array is a set of certificates that are part of a -- * chain but not in specific order. -- * -- * The result is a new array that contains the certificate chain -- * sorted from root to leaf. The input array is unchanged. -- * -- * @param certs input array of certificates -- * @return new array containing sorted certificates -- */ -- public java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { -- -- // lookup map: subject DN -> cert -- Map certMap = new LinkedHashMap<>(); -- -- // hierarchy map: subject DN -> issuer DN -- Map parentMap = new HashMap<>(); -- -- // reverse hierarchy map: issuer DN -> subject DN -- Map childMap = new HashMap<>(); -- -- // build maps -- for (java.security.cert.X509Certificate cert : certs) { -- -- String subjectDN = cert.getSubjectDN().toString(); -- String issuerDN = cert.getIssuerDN().toString(); -- -- if (certMap.containsKey(subjectDN)) { -- throw new Exception("Duplicate certificate: " + subjectDN); -- } -- -- certMap.put(subjectDN, cert); -- -- // ignore self-signed certificate -- if (subjectDN.equals(issuerDN)) continue; -- -- if (childMap.containsKey(issuerDN)) { -- throw new Exception("Branched chain: " + issuerDN); -- } -- -- parentMap.put(subjectDN, issuerDN); -- childMap.put(issuerDN, subjectDN); 
-- } -- -- if (verbose) { -- System.out.println("Certificates:"); -- for (String subjectDN : certMap.keySet()) { -- System.out.println(" - " + subjectDN); -- -- String parent = parentMap.get(subjectDN); -- if (parent != null) System.out.println(" parent: " + parent); -- -- String child = childMap.get(subjectDN); -- if (child != null) System.out.println(" child: " + child); -- } -- } -- -- // find leaf cert -- List leafCerts = new ArrayList<>(); -- -- for (String subjectDN : certMap.keySet()) { -- -- // if cert has a child, skip -- if (childMap.containsKey(subjectDN)) continue; -- -- // found leaf cert -- leafCerts.add(subjectDN); -- } -- -- if (leafCerts.isEmpty()) { -- throw new Exception("Unable to find leaf certificate"); -- -- } else if (leafCerts.size() > 1) { -- StringBuilder sb = new StringBuilder(); -- for (String subjectDN : leafCerts) { -- if (sb.length() > 0) sb.append(", "); -- sb.append("[" + subjectDN + "]"); -- } -- throw new Exception("Multiple leaf certificates: " + sb); -- } -- -- // build sorted chain -- LinkedList chain = new LinkedList<>(); -- -- // start from leaf -- String current = leafCerts.get(0); -- -- while (current != null) { -- -- java.security.cert.X509Certificate cert = certMap.get(current); -- -- // add to the beginning of chain -- chain.addFirst(cert); -- -- // follow parent to root -- current = parentMap.get(current); -- } -- -- return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); -- } -- -- public java.security.cert.X509Certificate[] sortCertificateChain( -- java.security.cert.X509Certificate[] certs, -- boolean reverse) throws Exception { -- -- certs = sortCertificateChain(certs); -- -- if (reverse) { -- ArrayUtils.reverse(certs); -- } -- -- return certs; -- } -- - public void importPKCS7( - String pkcs7Path, - String nickname, -@@ -520,7 +396,7 @@ public class ClientCertImportCLI extends CLI { - } - - // sort certs from leaf to root -- certs = sortCertificateChain(certs, true); -+ certs = 
CryptoUtil.sortCertificateChain(certs, true); - - CryptoManager manager = CryptoManager.getInstance(); - -diff --git a/base/util/src/CMakeLists.txt b/base/util/src/CMakeLists.txt -index 2a00967..a2269b2 100644 ---- a/base/util/src/CMakeLists.txt -+++ b/base/util/src/CMakeLists.txt -@@ -120,6 +120,7 @@ javac(pki-cmsutil-classes - ${APACHE_COMMONS_LANG_JAR} ${HTTPCORE_JAR} ${HTTPCLIENT_JAR} - ${LDAPJDK_JAR} ${XALAN_JAR} ${XERCES_JAR} - ${JSS_JAR} ${COMMONS_CODEC_JAR} ${NUXWDOG_JAR} -+ ${SLF4J_API_JAR} - OUTPUT_DIR - ${CMAKE_CURRENT_BINARY_DIR}/classes - DEPENDS -diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index 7a68c9b..f527967 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -47,10 +47,14 @@ import java.util.Arrays; - import java.util.Date; - import java.util.Enumeration; - import java.util.HashMap; -+import java.util.LinkedHashMap; -+import java.util.LinkedList; - import java.util.List; -+import java.util.Map; - import java.util.StringTokenizer; - import java.util.Vector; - -+import org.apache.commons.lang.ArrayUtils; - import org.apache.commons.lang.StringUtils; - import org.mozilla.jss.CryptoManager; - import org.mozilla.jss.CryptoManager.NotInitializedException; -@@ -117,6 +121,8 @@ import org.mozilla.jss.ssl.SSLSocket.SSLProtocolVariant; - import org.mozilla.jss.ssl.SSLSocket.SSLVersionRange; - import org.mozilla.jss.util.Base64OutputStream; - import org.mozilla.jss.util.Password; -+import org.slf4j.Logger; -+import org.slf4j.LoggerFactory; - - import com.netscape.cmsutil.util.Cert; - import com.netscape.cmsutil.util.Utils; -@@ -158,6 +164,8 @@ import netscape.security.x509.X509Key; - @SuppressWarnings("serial") - public class CryptoUtil { - -+ private static Logger logger = LoggerFactory.getLogger(CryptoUtil.class); -+ - public static enum SSLVersion { - 
SSL_3_0(SSLVersionRange.ssl3), - TLS_1_0(SSLVersionRange.tls1_0), -@@ -1218,6 +1226,126 @@ public class CryptoUtil { - } - return val.toString(); - } -+ /** -+ * Sorts certificate chain from root to leaf. -+ * -+ * This method sorts an array of certificates (e.g. from a PKCS #7 -+ * data) that represents a certificate chain from root to leaf -+ * according to the subject DNs and issuer DNs. -+ * -+ * The input array is a set of certificates that are part of a -+ * chain but not in specific order. -+ * -+ * The result is a new array that contains the certificate chain -+ * sorted from root to leaf. The input array is unchanged. -+ * -+ * @param certs input array of certificates -+ * @return new array containing sorted certificates -+ */ -+ public static java.security.cert.X509Certificate[] sortCertificateChain(java.security.cert.X509Certificate[] certs) throws Exception { -+ -+ // lookup map: subject DN -> cert -+ Map certMap = new LinkedHashMap<>(); -+ -+ // hierarchy map: subject DN -> issuer DN -+ Map parentMap = new HashMap<>(); -+ -+ // reverse hierarchy map: issuer DN -> subject DN -+ Map childMap = new HashMap<>(); -+ -+ // build maps -+ for (java.security.cert.X509Certificate cert : certs) { -+ -+ String subjectDN = cert.getSubjectDN().toString(); -+ String issuerDN = cert.getIssuerDN().toString(); -+ -+ if (certMap.containsKey(subjectDN)) { -+ throw new Exception("Duplicate certificate: " + subjectDN); -+ } -+ -+ certMap.put(subjectDN, cert); -+ -+ // ignore self-signed certificate -+ if (subjectDN.equals(issuerDN)) continue; -+ -+ if (childMap.containsKey(issuerDN)) { -+ throw new Exception("Branched chain: " + issuerDN); -+ } -+ -+ parentMap.put(subjectDN, issuerDN); -+ childMap.put(issuerDN, subjectDN); -+ } -+ -+ if (logger.isDebugEnabled()) { -+ logger.debug("Certificates:"); -+ for (String subjectDN : certMap.keySet()) { -+ logger.debug(" - " + subjectDN); -+ -+ String parent = parentMap.get(subjectDN); -+ if (parent != null) logger.debug(" parent: " 
+ parent); -+ -+ String child = childMap.get(subjectDN); -+ if (child != null) logger.debug(" child: " + child); -+ } -+ } -+ -+ // find leaf cert -+ List leafCerts = new ArrayList<>(); -+ -+ for (String subjectDN : certMap.keySet()) { -+ -+ // if cert has a child, skip -+ if (childMap.containsKey(subjectDN)) continue; -+ -+ // found leaf cert -+ leafCerts.add(subjectDN); -+ } -+ -+ if (leafCerts.isEmpty()) { -+ throw new Exception("Unable to find leaf certificate"); -+ } -+ -+ if (leafCerts.size() > 1) { -+ StringBuilder sb = new StringBuilder(); -+ for (String subjectDN : leafCerts) { -+ if (sb.length() > 0) sb.append(", "); -+ sb.append("[" + subjectDN + "]"); -+ } -+ throw new Exception("Multiple leaf certificates: " + sb); -+ } -+ -+ // build sorted chain -+ LinkedList chain = new LinkedList<>(); -+ -+ // start from leaf -+ String current = leafCerts.get(0); -+ -+ while (current != null) { -+ -+ java.security.cert.X509Certificate cert = certMap.get(current); -+ -+ // add to the beginning of chain -+ chain.addFirst(cert); -+ -+ // follow parent to root -+ current = parentMap.get(current); -+ } -+ -+ return chain.toArray(new java.security.cert.X509Certificate[chain.size()]); -+ } -+ -+ public static java.security.cert.X509Certificate[] sortCertificateChain( -+ java.security.cert.X509Certificate[] certs, -+ boolean reverse) throws Exception { -+ -+ certs = sortCertificateChain(certs); -+ -+ if (reverse) { -+ ArrayUtils.reverse(certs); -+ } -+ -+ return certs; -+ } - - public static void importCertificateChain(byte[] bytes) - throws IOException, --- -1.8.3.1 - - -From 68ac5378e421e2d4afd40f8c1b4caa788362d96c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 12 Jan 2018 04:29:30 +0100 -Subject: [PATCH 19/30] Added pki pkcs7 CLI. - -A new pki pkcs7 CLI has been added to manage a certificate chain in -a PKCS #7 file. The pki pkcs7-cert-find can be used to inspect the -certificates. 
The pki pkcs7-cert-export can be used to export the -certificates into separate files. The output certificates are sorted -from root to leaf so they can be processed further more consistently. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I7e5c9e2dc0ddd12db126955114b3314f75d475d7 -(cherry picked from commit 165c786512141815d3cb77caef119357ecf5a7e4) -(cherry picked from commit 949d4731575fedc96706eb62e2359846a8668718) ---- - .../src/com/netscape/cmstools/cli/MainCLI.java | 2 + - .../src/com/netscape/cmstools/pkcs7/PKCS7CLI.java | 40 +++++++ - .../com/netscape/cmstools/pkcs7/PKCS7CertCLI.java | 41 +++++++ - .../cmstools/pkcs7/PKCS7CertExportCLI.java | 131 +++++++++++++++++++++ - .../netscape/cmstools/pkcs7/PKCS7CertFindCLI.java | 111 +++++++++++++++++ - 5 files changed, 325 insertions(+) - create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java - create mode 100644 base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java - -diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -index 945e10e..711625a 100644 ---- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java -@@ -59,6 +59,7 @@ import com.netscape.cmstools.key.KeyCLI; - import com.netscape.cmstools.kra.KRACLI; - import com.netscape.cmstools.ocsp.OCSPCLI; - import com.netscape.cmstools.pkcs12.PKCS12CLI; -+import com.netscape.cmstools.pkcs7.PKCS7CLI; - import com.netscape.cmstools.system.SecurityDomainCLI; - import com.netscape.cmstools.tks.TKSCLI; - import com.netscape.cmstools.tps.TPSCLI; -@@ -113,6 +114,7 @@ public class MainCLI extends CLI { - addModule(new TKSCLI(this)); - addModule(new TPSCLI(this)); - -+ addModule(new 
PKCS7CLI(this)); - addModule(new PKCS12CLI(this)); - - createOptions(); -diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java -new file mode 100644 -index 0000000..782d574 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CLI.java -@@ -0,0 +1,40 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. 
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.pkcs7;
-+
-+import com.netscape.cmstools.cli.CLI;
-+import com.netscape.cmstools.cli.MainCLI;
-+
-+public class PKCS7CLI extends CLI {
-+
-+ public PKCS7CLI(CLI parent) {
-+ super("pkcs7", "PKCS #7 utilities", parent);
-+
-+ addModule(new PKCS7CertCLI(this));
-+ }
-+
-+ public String getFullName() {
-+ if (parent instanceof MainCLI) {
-+ // do not include MainCLI's name
-+ return name;
-+ } else {
-+ return parent.getFullName() + "-" + name;
-+ }
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java
-new file mode 100644
-index 0000000..03a8a4c
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertCLI.java
-@@ -0,0 +1,41 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2018 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK ---
-+
-+package com.netscape.cmstools.pkcs7;
-+
-+import java.security.cert.X509Certificate;
-+
-+import com.netscape.certsrv.dbs.certdb.CertId;
-+import com.netscape.cmstools.cli.CLI;
-+
-+public class PKCS7CertCLI extends CLI {
-+
-+ public PKCS7CertCLI(PKCS7CLI parent) {
-+ super("cert", "PKCS #7 certificate management commands", parent);
-+
-+ addModule(new PKCS7CertFindCLI(this));
-+ addModule(new PKCS7CertExportCLI(this));
-+ }
-+
-+ public static void printCertInfo(X509Certificate cert) throws Exception {
-+
-+ System.out.println(" Serial Number: " + new CertId(cert.getSerialNumber()).toHexString());
-+ System.out.println(" Subject DN: " + cert.getSubjectDN());
-+ System.out.println(" Issuer DN: " + cert.getIssuerDN());
-+ }
-+}
-diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java
-new file mode 100644
-index 0000000..a57f34a
---- /dev/null
-+++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertExportCLI.java
-@@ -0,0 +1,131 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2018 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.pkcs7; -+ -+import java.io.FileWriter; -+import java.io.PrintWriter; -+import java.nio.file.Files; -+import java.nio.file.Paths; -+import java.security.cert.X509Certificate; -+import java.util.logging.Level; -+import java.util.logging.Logger; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmsutil.crypto.CryptoUtil; -+import com.netscape.cmsutil.util.Cert; -+import com.netscape.cmsutil.util.Utils; -+ -+import netscape.security.pkcs.PKCS7; -+ -+public class PKCS7CertExportCLI extends CLI { -+ -+ private static Logger logger = Logger.getLogger(PKCS7CertExportCLI.class.getName()); -+ -+ public PKCS7CertExportCLI(PKCS7CertCLI certCLI) { -+ super("export", "Export certificates from PKCS #7 file", certCLI); -+ -+ createOptions(); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(getFullName() + " [OPTIONS...] [nicknames...]", options); -+ } -+ -+ public void createOptions() { -+ Option option = new Option(null, "pkcs7-file", true, "PKCS #7 file"); -+ option.setArgName("path"); -+ options.addOption(option); -+ -+ option = new Option(null, "output-prefix", true, "Prefix for output file"); -+ option.setArgName("string"); -+ options.addOption(option); -+ -+ option = new Option(null, "output-suffix", true, "Suffix for output file"); -+ option.setArgName("string"); -+ options.addOption(option); -+ -+ options.addOption("v", "verbose", false, "Run in verbose mode."); -+ options.addOption(null, "debug", false, "Run in debug mode."); -+ options.addOption(null, "help", false, "Show help message."); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ CommandLine cmd = parser.parse(options, args, true); -+ -+ if (cmd.hasOption("help")) { -+ printHelp(); -+ return; -+ } -+ -+ if (cmd.hasOption("verbose")) { -+ Logger.getLogger("org.dogtagpki").setLevel(Level.INFO); -+ 
Logger.getLogger("com.netscape").setLevel(Level.INFO); -+ Logger.getLogger("netscape").setLevel(Level.INFO); -+ -+ } else if (cmd.hasOption("debug")) { -+ Logger.getLogger("org.dogtagpki").setLevel(Level.FINE); -+ Logger.getLogger("com.netscape").setLevel(Level.FINE); -+ Logger.getLogger("netscape").setLevel(Level.FINE); -+ } -+ -+ String filename = cmd.getOptionValue("pkcs7-file"); -+ -+ if (filename == null) { -+ throw new Exception("Missing PKCS #7 file."); -+ } -+ -+ logger.info("Loading PKCS #7 data from " + filename); -+ String str = new String(Files.readAllBytes(Paths.get(filename))).trim(); -+ PKCS7 pkcs7 = new PKCS7(str); -+ -+ X509Certificate[] certs = pkcs7.getCertificates(); -+ if (certs == null || certs.length == 0) { -+ System.out.println("PKCS #7 data contains no certificates"); -+ return; -+ } -+ -+ // sort certs from root to leaf -+ certs = CryptoUtil.sortCertificateChain(certs); -+ -+ String prefix = cmd.getOptionValue("output-prefix", filename + "-"); -+ String suffix = cmd.getOptionValue("output-suffix", ""); -+ int i = 0; -+ -+ for (X509Certificate cert : certs) { -+ -+ logger.info("Exporting certificate #" + i + ": " + cert.getSubjectDN()); -+ -+ String output = prefix + i + suffix; -+ -+ try (PrintWriter out = new PrintWriter(new FileWriter(output))) { -+ out.println(Cert.HEADER); -+ out.print(Utils.base64encode(cert.getEncoded(), true)); -+ out.println(Cert.FOOTER); -+ } -+ -+ System.out.println(output + ": " + cert.getSubjectDN()); -+ -+ i++; -+ } -+ } -+} -diff --git a/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java -new file mode 100644 -index 0000000..7b84393 ---- /dev/null -+++ b/base/java-tools/src/com/netscape/cmstools/pkcs7/PKCS7CertFindCLI.java -@@ -0,0 +1,111 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published 
by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+ -+package com.netscape.cmstools.pkcs7; -+ -+import java.nio.file.Files; -+import java.nio.file.Paths; -+import java.security.cert.X509Certificate; -+import java.util.logging.Level; -+import java.util.logging.Logger; -+ -+import org.apache.commons.cli.CommandLine; -+import org.apache.commons.cli.Option; -+ -+import com.netscape.cmstools.cli.CLI; -+import com.netscape.cmsutil.crypto.CryptoUtil; -+ -+import netscape.security.pkcs.PKCS7; -+ -+public class PKCS7CertFindCLI extends CLI { -+ -+ private static Logger logger = Logger.getLogger(PKCS7CertFindCLI.class.getName()); -+ -+ public PKCS7CertFindCLI(PKCS7CertCLI certCLI) { -+ super("find", "Find certificates in PKCS #7 file", certCLI); -+ -+ createOptions(); -+ } -+ -+ public void printHelp() { -+ formatter.printHelp(getFullName() + " [OPTIONS...] 
[nicknames...]", options); -+ } -+ -+ public void createOptions() { -+ Option option = new Option(null, "pkcs7-file", true, "PKCS #7 file"); -+ option.setArgName("path"); -+ options.addOption(option); -+ -+ options.addOption("v", "verbose", false, "Run in verbose mode."); -+ options.addOption(null, "debug", false, "Run in debug mode."); -+ options.addOption(null, "help", false, "Show help message."); -+ } -+ -+ public void execute(String[] args) throws Exception { -+ -+ CommandLine cmd = parser.parse(options, args, true); -+ -+ if (cmd.hasOption("help")) { -+ printHelp(); -+ return; -+ } -+ -+ if (cmd.hasOption("verbose")) { -+ Logger.getLogger("org.dogtagpki").setLevel(Level.INFO); -+ Logger.getLogger("com.netscape").setLevel(Level.INFO); -+ Logger.getLogger("netscape").setLevel(Level.INFO); -+ -+ } else if (cmd.hasOption("debug")) { -+ Logger.getLogger("org.dogtagpki").setLevel(Level.FINE); -+ Logger.getLogger("com.netscape").setLevel(Level.FINE); -+ Logger.getLogger("netscape").setLevel(Level.FINE); -+ } -+ -+ String filename = cmd.getOptionValue("pkcs7-file"); -+ -+ if (filename == null) { -+ throw new Exception("Missing PKCS #7 file."); -+ } -+ -+ logger.info("Loading PKCS #7 data from " + filename); -+ String str = new String(Files.readAllBytes(Paths.get(filename))).trim(); -+ PKCS7 pkcs7 = new PKCS7(str); -+ -+ X509Certificate[] certs = pkcs7.getCertificates(); -+ if (certs == null || certs.length == 0) { -+ System.out.println("PKCS #7 data contains no certificates"); -+ return; -+ } -+ -+ // sort certs from root to leaf -+ certs = CryptoUtil.sortCertificateChain(certs); -+ -+ boolean first = true; -+ -+ for (X509Certificate cert : certs) { -+ -+ if (first) { -+ first = false; -+ } else { -+ System.out.println(); -+ } -+ -+ PKCS7CertCLI.printCertInfo(cert); -+ } -+ } -+} --- -1.8.3.1 - - -From 845abb8d8bd5a7e8168576de63a9b5860d05e51e Mon Sep 17 00:00:00 2001 -From: Ade Lee -Date: Tue, 9 Jan 2018 12:14:23 -0500 -Subject: [PATCH 20/30] Fix masking in the 
archived deployment.cfg - -Cherry-picked from 26bc698847b5348033ce3abb225ed24ebce4386d -Resolves rhbz#1532759 -Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4 - -(cherry picked from commit 0c9d093b790aba0d2912f7ba848e280d960c7387) ---- - .../pki/server/deployment/scriptlets/infrastructure_layout.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -index b105378..2573e4e 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py -@@ -70,9 +70,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # parameters - sensitive_parameters = deployer.mdict['sensitive_parameters'].split() - sections = deployer.user_config.sections() -+ sections.append('DEFAULT') - for s in sections: - for k in sensitive_parameters: - deployer.user_config.set(s, k, 'XXXXXXXX') -+ -+ deployer.file.create( -+ deployer.mdict['pki_user_deployment_cfg_replica'] -+ ) -+ - with open(deployer.mdict['pki_user_deployment_cfg_replica'], 'w') as f: - deployer.user_config.write(f) - --- -1.8.3.1 - - -From 9df879bd000951d8cc23482a78af01b9a711da5d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 15 Jan 2018 16:57:13 +0100 -Subject: [PATCH 21/30] Fixed NSSDatabase.import_pkcs7() for HSM. - -Previously NSSDatabase.import_pkcs7() was implemented using pki -client-cert-import --pkcs7 which uses JSS to import the certificate -chain from a PKCS #7 file. Apparently, when it is used with HSM -outside of PKI server JSS imports the certificates incorrectly. - -The method has been changed to use pki pkcs7-cert-export to sort -and split the certificate chain into separate files. 
The CA certs -will be imported with pki client-cert-import --ca-cert (such that -the nickname will be consistently generated by JSS), and the user -certificate will be imported using certutil with the nickname -provided by the caller. This method seems to be working fine with -HSM. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: If04963eb6ad86737593df7d64eef8b17f7bde75f -(cherry picked from commit 3d231ae0d6bd2a2627fc223aa86cd8e7f84872f5) -(cherry picked from commit a032321c8324b4fcd1135bb1c623615fbd0c4fdf) ---- - base/common/python/pki/nssdb.py | 46 +++++++++++++++++++++++++++++++++-------- - 1 file changed, 37 insertions(+), 9 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 97746c9..b2339aa 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -800,15 +800,43 @@ class NSSDatabase(object): - def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, - output_format='pem'): - -- subprocess.check_call([ -- 'pki', -- '-d', self.directory, -- '-C', self.password_file, -- 'client-cert-import', -- '--pkcs7', pkcs7_file, -- '--trust', trust_attributes, -- nickname -- ]) -+ tmpdir = tempfile.mkdtemp() -+ -+ try: -+ # Sort and split the certs from root to leaf. -+ prefix = os.path.join(tmpdir, 'cert') -+ suffix = '.crt' -+ -+ cmd = [ -+ 'pki', -+ '-d', self.directory, -+ 'pkcs7-cert-export', -+ '--pkcs7-file', pkcs7_file, -+ '--output-prefix', prefix, -+ '--output-suffix', suffix -+ ] -+ -+ subprocess.check_call(cmd) -+ -+ # Count the number of certs in the chain. -+ n = 0 -+ while True: -+ cert_file = prefix + str(n) + suffix -+ if not os.path.exists(cert_file): -+ break -+ n = n + 1 -+ -+ # Import CA certs with default nicknames and trust attributes. -+ for i in range(0, n - 1): -+ cert_file = prefix + str(i) + suffix -+ self.add_ca_cert(cert_file) -+ -+ # Import user cert with specified nickname and trust attributes. 
-+ cert_file = prefix + str(n - 1) + suffix -+ self.add_cert(nickname, cert_file, trust_attributes) -+ -+ finally: -+ shutil.rmtree(tmpdir) - - # convert PKCS #7 data to the requested format - with open(pkcs7_file, 'r') as f: --- -1.8.3.1 - - -From d989c7c3576b4ad737128a1714bfc0030087646c Mon Sep 17 00:00:00 2001 -From: Matthew Harmsen -Date: Thu, 18 Jan 2018 15:53:27 -0700 -Subject: [PATCH 22/30] Fixed setup of ECC CA - -Restored ECC functionality that was lost during -'Refactoring SSL server cert creation' -(https://pagure.io/dogtagpki/issue/2786). - -Additionally, to avoid confusion, deprecated -'pki_admin_keysize' and use 'pki_admin_key_size' -to make parameters consistent across different -certificate key types. - -Fixes: https://pagure.io/dogtagpki/issue/2887 -Change-Id: I1206b37a00b7da5e30fef5b2d12fb266e2779cfb -(cherry picked from commit 5d83be16f89bcd010c9deb25ead6028e8c619574) ---- - base/server/etc/default.cfg | 1 + - base/server/man/man5/pki_default.cfg.5 | 10 +++--- - base/server/man/man8/pkispawn.8 | 37 +++++++++++----------- - .../python/pki/server/deployment/pkihelper.py | 35 ++++++++++++++++++-- - .../python/pki/server/deployment/pkimessages.py | 4 +++ - .../python/pki/server/deployment/pkiparser.py | 2 ++ - .../server/deployment/scriptlets/configuration.py | 2 ++ - 7 files changed, 65 insertions(+), 26 deletions(-) - -diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg -index 73f884f..9d326e2 100644 ---- a/base/server/etc/default.cfg -+++ b/base/server/etc/default.cfg -@@ -72,6 +72,7 @@ pki_admin_cert_file=%(pki_client_dir)s/ca_admin.cert - pki_admin_cert_request_type=pkcs10 - pki_admin_dualkey=False - pki_admin_key_algorithm=SHA256withRSA -+# DEPRECATED: Use 'pki_admin_key_size' instead. 
- pki_admin_keysize=2048 - pki_admin_key_size=%(pki_admin_keysize)s - pki_admin_key_type=rsa -diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5 -index a505c4b..fe3cdc7 100644 ---- a/base/server/man/man5/pki_default.cfg.5 -+++ b/base/server/man/man5/pki_default.cfg.5 -@@ -123,10 +123,10 @@ If an optional hardware security module (HSM) is being utilized (rather than the - .PP - Each system certificate can be customized using the parameters below: - .TP --.B pki__key_type, pki__keysize, pki__key_algorithm -+.B pki__key_type, pki__key_size, pki__key_algorithm - .IP - Characteristics of the private key. See the Red Hat Certificate System documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/ for possible options. The defaults are RSA for the type, 2048 bits for the key size, and SHA256withRSA for the algorithm. --.TP -+.TP - .B pki__signing_algorithm - .IP - For signing certificates, the algorithm used for signing. Defaults to SHA256withRSA. -@@ -157,7 +157,7 @@ Password for the admin user. This password is used to log into the pki-console - .IP - Email address for the admin user. - .TP --.B pki_admin_dualkey, pki_admin_keysize, pki_admin_key_type -+.B pki_admin_dualkey, pki_admin_key_size, pki_admin_key_type, pki_admin_key_algorithm - .IP - Settings for the administrator certificate and keys. - .TP -@@ -211,7 +211,7 @@ Hostname and ports for the internal database. Defaults to localhost, 389, and 6 - .PP - .B pki_ds_bind_dn, pki_ds_password - .IP --Credentials to connect to the database during installation. Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details. 
-+Credentials to connect to the database during installation. Directory Manager-level access is required during installation to set up the relevant schema and database. During the installation, a more restricted Certificate Server user is set up to client authentication connections to the database. Some additional configuration is required, including setting up the directory server to use SSL. See the documentation for details. - .PP - .B pki_ds_secure_connection - .IP -@@ -315,7 +315,7 @@ If you would like the Dogtag installer to add the indexes and reindex the data i - .TP - .B pki_clone_replication_master_port, pki_clone_replication_clone_port - .IP --Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. -+Ports on which replication occurs. These are the ports on the master and clone databases respectively. Defaults to the internal database port. - .TP - .B pki_clone_replicate_schema - .IP -diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8 -index c1feac3..1411592 100644 ---- a/base/server/man/man8/pkispawn.8 -+++ b/base/server/man/man8/pkispawn.8 -@@ -24,14 +24,14 @@ pkispawn \-s \-f [\-h] [\-v] [\-p ] - Sets up a Certificate Server subsystem (CA, KRA, OCSP, TKS, or TPS) in a - Tomcat instance. - .TP --\fBNote:\fP -+\fBNote:\fP - A 389 Directory Server instance must be configured and running before this script can be run. Certificate Server requires an internal directory database. The default configuration assumes a Directory Server instance running on the same machine on port 389. For more information on creating a Directory Server instance, see - .B setup-ds.pl(8). - .PP --An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. 
To create an instance with a CA and a KRA, simply run pkispawn twice, with values --.I -s CA --and --.I -s KRA -+An instance can contain multiple subsystems, although it may contain at most one of each type of subsystem on a single machine. So, for example, an instance could contain CA and KRA subsystems, but not two CA subsystems. To create an instance with a CA and a KRA, simply run pkispawn twice, with values -+.I -s CA -+and -+.I -s KRA - respectively. - .PP - The instances are created based on values for configuration parameters in the default configuration (/etc/pki/default.cfg) and the user-provided configuration file. The user-provided configuration file is read after the default configuration file, so any parameters defined in that file will override parameters in the default configuration file. In general, most users will store only those parameters which are different from the default configuration in their user-provided configuration file. -@@ -48,22 +48,22 @@ customization. - \fBNote:\fP - Any non-password related parameter values in the configuration file that needs to contain a \fB%\fP character must be properly escaped. For example, a value of \fBfoo%bar\fP would be specified as \fBfoo%%bar\fP in the configuration file. - .PP --At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the -+At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the - .B EXAMPLES - section below. For more information on the default configuration file and the parameters it contains (and can be customized), see - .B pki_default.cfg(5). 
- .PP - The \fBpkispawn\fP run creates several different installation files that can be referenced later, if need be: - .IP --* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file. -+* For Tomcat-based instances, a Tomcat instance is created at \fT/var/lib/pki/\fP, where pki_instance_name is defined in the configuration file. - .IP --* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki--spawn..log\fP. -+* A log file of \fBpkispawn\fP operations is written to \fI/var/log/pki/pki--spawn..log\fP. - .IP --* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir. -+* A .p12 (PKCS #12) file containing a certificate for a subsystem administrator is stored in pki_client_dir. - .PP --When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser. -+When the utility is done running, the CA can be accessed by pointing a browser to https://:/. The agent pages can be accessed by importing the CA certificate and administrator certificate into the browser. - .PP --The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See -+The Certificate Server instance can also be accessed using the \fBpki\fP command line interface. See - \fBpki(1)\fP. For more extensive documentation on how to use Certificate Server features, see the Red Hat Certificate System Documentation at https://access.redhat.com/knowledge/docs/Red_Hat_Certificate_System/. - .PP - Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. See -@@ -71,7 +71,7 @@ Instances created using \fBpkispawn\fP can be removed using \fBpkidestroy\fP. 
S - .PP - \fBpkispawn\fP supersedes and combines the functionality of \fBpkicreate\fP and \fBpkisilent\fP, which were available in earlier releases of Certificate Server. It is now possible to completely create and configure the Certificate Server subsystem in a single step using \fBpkispawn\fP. - .TP --\fBNote:\fP -+\fBNote:\fP - Previously, as an alternative to using \fBpkisilent\fP to perform a non-interactive batch configuration, a PKI instance could be interactively configured by a GUI-based configuration wizard via a Firefox browser. GUI-based configuration of a PKI instance is unavailable in this version of the product. - .SH OPTIONS - .TP -@@ -89,7 +89,7 @@ Prints additional help information. - .TP - .B -v - Displays verbose information about the installation. This flag can be provided multiple times to increase verbosity. See --.B pkispawn -h -+.B pkispawn -h - for details. - - .SH SEPARATE VERSUS SHARED INSTANCES -@@ -165,7 +165,7 @@ the AJP port of the Tomcat instance. The default value is 8009. - \fIManagement port:\fP - the management port of the Tomcat instance. The default value is 8005. - .TP --\fBNote:\fP When deploying a new subsystem into an existing instance, pkispawn will attempt to read the ports from \fBdeployment.cfg\fP files stored for previously installed subsystems for this instance. If successful, the installer will not prompt for these ports. -+\fBNote:\fP When deploying a new subsystem into an existing instance, pkispawn will attempt to read the ports from \fBdeployment.cfg\fP files stored for previously installed subsystems for this instance. If successful, the installer will not prompt for these ports. 
- .PP - \fBAdministrative User Parameters\fP - .TP -@@ -274,7 +274,7 @@ its default configuration: - * Installed on the local machine - - .IP --* Listening on port 389 -+* Listening on port 389 - - .IP - * The user is cn=Directory Manager, with the password specified in pki_ds_password -@@ -315,7 +315,8 @@ where \fImyconfig.txt\fP contains the following text: - .nf - [DEFAULT] - pki_admin_password=\fISecret123\fP --pki_admin_keysize=nistp256 -+pki_admin_key_algorithm=SHA256withEC -+pki_admin_key_size=nistp256 - pki_admin_key_type=ecc - pki_client_pkcs12_password=\fISecret123\fP - pki_ds_password=\fISecret123\fP -@@ -698,7 +699,7 @@ The subsystem section is [KRA], [OCSP], [TKS], or [TPS]. - This example assumes that the specified CA hosts the security - domain. The CA must be running and accessible. - --.PP -+.PP - A new administrator certificate is generated for the new - subsystem and stored in a PKCS #12 file - in \fI$HOME/.dogtag/\fP. -@@ -942,7 +943,7 @@ To install a CA clone execute the following command: - .IP - \x'-1'\fBpkispawn \-s CA \-f myconfig.txt\fR - --.PP -+.PP - where \fImyconfig.txt\fP contains the following text: - - .IP -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 96ae092..a5edaa4 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -2414,8 +2414,8 @@ class Certutil: - - def generate_self_signed_certificate(self, path, pki_cert_database, - pki_key_database, pki_secmod_database, -- token, nickname, -- subject, serial_number, -+ token, nickname, subject, -+ key_type, key_size, serial_number, - validity_period, issuer_name, - trustargs, noise_file, - password_file=None, -@@ -2455,6 +2455,35 @@ class Certutil: - log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, - extra=config.PKI_INDENTATION_LEVEL_2) - raise Exception(log.PKIHELPER_CERTUTIL_MISSING_SUBJECT) -+ # Specify the key type -+ if 
key_type: -+ if key_type == "ecc": -+ command.extend(["-k", "ec"]) -+ # Specify the curve name -+ if key_size: -+ command.extend(["-q", key_size]) -+ else: -+ config.pki_log.error( -+ log.PKIHELPER_CERTUTIL_MISSING_CURVE_NAME, -+ extra=config.PKI_INDENTATION_LEVEL_2) -+ raise Exception( -+ log.PKIHELPER_CERTUTIL_MISSING_CURVE_NAME) -+ else: -+ command.extend(["-k", key_type]) -+ # Specify the key size -+ if key_size: -+ command.extend(["-g", key_size]) -+ else: -+ config.pki_log.error( -+ log.PKIHELPER_CERTUTIL_MISSING_KEY_SIZE, -+ extra=config.PKI_INDENTATION_LEVEL_2) -+ raise Exception( -+ log.PKIHELPER_CERTUTIL_MISSING_KEY_SIZE) -+ else: -+ config.pki_log.error( -+ log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE, -+ extra=config.PKI_INDENTATION_LEVEL_2) -+ raise Exception(log.PKIHELPER_CERTUTIL_MISSING_KEY_TYPE) - # Specify the serial number - if serial_number is not None: - command.extend(["-m", str(serial_number)]) -@@ -4415,7 +4444,7 @@ class ConfigClient: - self.deployer.certutil.generate_certificate_request( - self.mdict['pki_admin_subject_dn'], - self.mdict['pki_admin_key_type'], -- self.mdict['pki_admin_keysize'], -+ self.mdict['pki_admin_key_size'], - self.mdict['pki_client_password_conf'], - noise_file, - output_file, -diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py -index 7f2d749..7bb79ca 100644 ---- a/base/server/python/pki/server/deployment/pkimessages.py -+++ b/base/server/python/pki/server/deployment/pkimessages.py -@@ -179,6 +179,10 @@ PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = \ - "certutil: Missing '-c issuer-name' option!" - PKIHELPER_CERTUTIL_MISSING_KEY_TYPE = \ - "certutil: Missing '-k key-type-or-id' option (must be 'ecc' or 'rsa')!" -+PKIHELPER_CERTUTIL_MISSING_KEY_SIZE = \ -+ "certutil: Missing '-g keysize' option!" -+PKIHELPER_CERTUTIL_MISSING_CURVE_NAME = \ -+ "certutil: Missing '-q curve-name' option!" 
- PKIHELPER_CERTUTIL_MISSING_NICKNAME = \ - "certutil: Missing '-n nickname' option!" - PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = \ -diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py -index 18cf19d..b91c674 100644 ---- a/base/server/python/pki/server/deployment/pkiparser.py -+++ b/base/server/python/pki/server/deployment/pkiparser.py -@@ -65,6 +65,8 @@ class PKIConfigParser: - # The 'new_param' is the new param name. - - DEPRECATED_DEFAULT_PARAMS = [ -+ (None, 'pki_admin_keysize', -+ None, 'pki_admin_key_size'), - (None, 'pki_external_ca_cert_path', - None, 'pki_ca_signing_cert_path'), - (None, 'pki_external_ca_cert_chain_path', -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 8f7460c..c59e679 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -866,6 +866,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - deployer.mdict['pki_self_signed_token'], - deployer.mdict['pki_self_signed_nickname'], - deployer.mdict['pki_self_signed_subject'], -+ deployer.mdict['pki_sslserver_key_type'], -+ deployer.mdict['pki_sslserver_key_size'], - deployer.mdict['pki_self_signed_serial_number'], - deployer.mdict['pki_self_signed_validity_period'], - deployer.mdict['pki_self_signed_issuer_name'], --- -1.8.3.1 - - -From e7b2dae4cf003e35b463b39a641e6235f5658be9 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Tue, 16 Jan 2018 18:15:21 -0800 -Subject: [PATCH 23/30] Ticket #2675 additional fix to allow requests without - POP - -This patch adds support for requests without POP to be served even when cmc.popLinkWitnessRequired is true. Requests without POP will be handled with EncryptedPOP/DecryptedPOP two-trip mechanism. 
- -Fixes: https://pagure.io/dogtagpki/issue/2675 -Change-Id: Id4aab1a85dcaeaa65e625873e617af86b44a271b -(cherry picked from commit c52c51c6516cd39caec52441d0756b1756050ae3) -(cherry picked from commit bb10545e728f0ff86ea4b3899d2de42b2398acfa) ---- - base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 9051baf..7c57064 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -1052,7 +1052,10 @@ public abstract class EnrollProfile extends BasicProfile - msgs[i] = (TaggedRequest) reqSeq.elementAt(i); - if (id_cmc_revokeRequest) - continue; -+ -+ CertReqMsg crm = msgs[i].getCrm(); - if (popLinkWitnessRequired && -+ crm.hasPop() && // popLinkWitness needs POP - !context.containsKey("POPLinkWitnessV2") && - !context.containsKey("POPLinkWitness")) { - CMS.debug(method + "popLinkWitness(V2) required"); --- -1.8.3.1 - - -From 39deb83ed9fc573165c0e806eccd8152d696e935 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 19 Jan 2018 14:45:17 -0800 -Subject: [PATCH 24/30] Ticket #2675 take care of PKCS#10 for - cmc.popLinkWitnessRequired - -This patch adds support to handle PKCS#10 which was neglected in previous -"additional" fix. 
- -Fixes: https://pagure.io/dogtagpki/issue/2675 -Change-Id: Ifc824d64c83f979ffd610658a6e7114598ce8055 -(cherry picked from commit 91c6c781e5e2c26b77619e6f4c08dc5d77bb5adf) -(cherry picked from commit d69c11d56d0e1f4368ab21715c2c5496fb08f969) ---- - .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -index 7c57064..caa466c 100644 ---- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java -@@ -1053,9 +1053,14 @@ public abstract class EnrollProfile extends BasicProfile - if (id_cmc_revokeRequest) - continue; - -- CertReqMsg crm = msgs[i].getCrm(); -+ boolean hasPop = true; -+ if (msgs[i].getType().equals(TaggedRequest.CRMF)) { -+ CertReqMsg crm = msgs[i].getCrm(); -+ if (!crm.hasPop()) -+ hasPop = false; -+ } - if (popLinkWitnessRequired && -- crm.hasPop() && // popLinkWitness needs POP -+ hasPop && // popLinkWitness needs POP - !context.containsKey("POPLinkWitnessV2") && - !context.containsKey("POPLinkWitness")) { - CMS.debug(method + "popLinkWitness(V2) required"); --- -1.8.3.1 - - -From 3ee72c5c688af6f4434fdac3c082d00619a49535 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 18 Jan 2018 05:00:28 +0100 -Subject: [PATCH 25/30] Fixed cert chain importation. - -For KRA/OCSP installation with external certs, the installer has -been modified to always import the cert chain into the internal -token regardless if HSM is used. 
- -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: Ifedb54e88ea6c8fc2ef3b562e15fb4077ec5179a -(cherry picked from commit 2ffa44852bf5286529877203f60f1084e740f7df) -(cherry picked from commit a338f3fab9b4a9986657a7517dc6c1e3bacaad0b) ---- - .../pki/server/deployment/scriptlets/configuration.py | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index c59e679..5aad372 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -593,13 +593,25 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - self.import_ca_ocsp_signing_cert(deployer, nssdb) - - if subsystem.name == 'kra': -- self.import_ca_signing_cert(deployer, nssdb) -+ # Always import cert chain into internal token. -+ internal_nssdb = subsystem.instance.open_nssdb() -+ try: -+ self.import_ca_signing_cert(deployer, internal_nssdb) -+ finally: -+ internal_nssdb.close() -+ - self.import_kra_storage_cert(deployer, nssdb) - self.import_kra_transport_cert(deployer, nssdb) - self.import_admin_cert(deployer) - - if subsystem.name == 'ocsp': -- self.import_ca_signing_cert(deployer, nssdb) -+ # Always import cert chain into internal token. -+ internal_nssdb = subsystem.instance.open_nssdb() -+ try: -+ self.import_ca_signing_cert(deployer, internal_nssdb) -+ finally: -+ internal_nssdb.close() -+ - self.import_ocsp_signing_cert(deployer, nssdb) - self.import_admin_cert(deployer) - --- -1.8.3.1 - - -From 705354698c8967c7a97238721a20e33c302bbfd5 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 Jan 2018 03:37:28 +0100 -Subject: [PATCH 26/30] Refactored replace_sslserver_cert() in - configuration.py. 
- -The replace_sslserver_cert() in configuration.py has been split into -separate methods for removing the temp SSL server cert and importing -the permanent SSL server cert. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: I35cb95e61959ff99c235f116304c7272a39694e5 -(cherry picked from commit c86eb1bc43529b24fc49444eeff8cb4e44204fef) -(cherry picked from commit 5ad7efb44f434f8695c404ba40b4baea27d6bfec) ---- - .../pki/server/deployment/scriptlets/configuration.py | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 5aad372..ef40963 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -899,7 +899,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - finally: - nssdb.close() - -- def replace_sslserver_cert(self, deployer, instance, sslserver): -+ def remove_temp_sslserver_cert(self, deployer, instance, sslserver): - - if len(deployer.instance.tomcat_instance_subsystems()) == 1: - # Modify contents of 'serverCertNick.conf' (if necessary) -@@ -922,6 +922,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - finally: - nssdb.close() - -+ def import_perm_sslserver_cert(self, deployer, instance, sslserver): -+ -+ nickname = sslserver['nickname'] - token = deployer.mdict['pki_token_name'] - - config.pki_log.info( -@@ -1225,7 +1228,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # replace it with the perm cert. - if create_temp_sslserver_cert and sslserver and sslserver['cert']: - deployer.systemd.stop() -- self.replace_sslserver_cert(deployer, instance, sslserver) -+ -+ # Remove temp SSL server cert. -+ self.remove_temp_sslserver_cert(deployer, instance, sslserver) -+ -+ # Import perm SSL server cert. 
-+ self.import_perm_sslserver_cert(deployer, instance, sslserver) -+ - deployer.systemd.start() - - elif config.str2bool(deployer.mdict['pki_restart_configured_instance']): --- -1.8.3.1 - - -From 88e67a6db3dc4f942c662b7a4ba02178cf887b3b Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Sat, 20 Jan 2018 03:37:28 +0100 -Subject: [PATCH 27/30] Fixed SSL server cert creation and replacement. - -The configuration.py has been modified to generate the temp SSL certificates -(and remove it later) in internal token regardless of HSM. It also has been -modified to import the perm cert if it has not been imported already. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: If473e2b314727399854638a94c6ec5a148fc52fb -(cherry picked from commit 249c323d23f38a6f778a46054360e705040bdda1) -(cherry picked from commit 30b499d21d731a1c3903bbfe7b23111963971038) ---- - .../server/deployment/scriptlets/configuration.py | 23 +++++++++++++++------- - 1 file changed, 16 insertions(+), 7 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index ef40963..43e9d83 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -809,12 +809,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - self.validate_system_cert(deployer, nssdb, subsystem, 'subsystem') - self.validate_system_cert(deployer, nssdb, subsystem, 'audit_signing') - -- def create_temp_sslserver_cert(self, deployer, instance, token): -+ def create_temp_sslserver_cert(self, deployer, instance): - - if len(deployer.instance.tomcat_instance_subsystems()) > 1: - return False - -- nssdb = instance.open_nssdb(token) -+ nssdb = instance.open_nssdb() - - try: - nickname = deployer.mdict['pki_self_signed_nickname'] -@@ -908,6 +908,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # TODO: 
replace with pki-server cert-import sslserver - - nickname = sslserver['nickname'] -+ token = deployer.mdict['pki_token_name'] - - config.pki_log.info( - "removing temp SSL server cert from internal token: %s" % nickname, -@@ -916,8 +917,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nssdb = instance.open_nssdb() - - try: -- # remove temp SSL server cert but keep the key -- nssdb.remove_cert(nickname) -+ # Remove temp SSL server cert from internal token. -+ # Remove temp key too if the perm cert uses HSM. -+ if not token or token == 'internal': -+ remove_key = False -+ else: -+ remove_key = True -+ nssdb.remove_cert(nickname, remove_key=remove_key) - - finally: - nssdb.close() -@@ -1066,7 +1072,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - finally: - nssdb.close() - -- create_temp_sslserver_cert = self.create_temp_sslserver_cert(deployer, instance, token) -+ create_temp_sslserver_cert = self.create_temp_sslserver_cert(deployer, instance) - - # Start/Restart this Tomcat PKI Process - # Optionally prepare to enable a java debugger -@@ -1232,8 +1238,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - # Remove temp SSL server cert. - self.remove_temp_sslserver_cert(deployer, instance, sslserver) - -- # Import perm SSL server cert. -- self.import_perm_sslserver_cert(deployer, instance, sslserver) -+ # Import perm SSL server cert unless it's already imported -+ # earlier in external/standalone installation. -+ -+ if not (standalone or external and subsystem.name in ['kra', 'ocsp']): -+ self.import_perm_sslserver_cert(deployer, instance, sslserver) - - deployer.systemd.start() - --- -1.8.3.1 - - -From f69f1bfa7929203e677077aa65eedaf9252a786d Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 19 Jan 2018 23:26:37 +0100 -Subject: [PATCH 28/30] Fixed admin cert processing. 
- -For KRA/OCSP installation with external certs, the installation -tool has been modified to import the externaly-generated admin -cert and also copy it to a location normally expected by admin. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: Id18ec2b6b8b1c3f307af11e2acba7866b2b5ee75 -(cherry picked from commit 1127a63cb473b471982c273dbbaa270f19f5d90d) -(cherry picked from commit b3664cd26b90d804e311f56cf16e4e31223d5960) ---- - base/server/python/pki/server/deployment/pkihelper.py | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index a5edaa4..7f88873 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -4369,7 +4369,7 @@ class ConfigClient: - data.adminUID = self.mdict['pki_admin_uid'] - data.adminSubjectDN = self.mdict['pki_admin_subject_dn'] - -- if self.standalone: -+ if self.standalone or self.external and self.subsystem in ['KRA', 'OCSP']: - if not self.external_step_two: - # IMPORTANT: ALWAYS set 'pki_import_admin_cert' FALSE for - # Stand-alone PKI (Step 1) -@@ -4395,11 +4395,10 @@ class ConfigClient: - finally: - client_nssdb.close() - -- if self.standalone: -- # Stand-alone PKI (Step 2) -+ if self.standalone or self.external and self.subsystem in ['KRA', 'OCSP']: -+ # Stand-alone/External PKI (Step 2) - # -- # Copy the Stand-alone PKI 'Admin Certificate' -- # (that was previously generated via an external CA) into -+ # Copy the externally-issued admin certificate into - # 'ca_admin.cert' under the specified 'pki_client_dir' - # stripping the certificate HEADER/FOOTER prior to saving it. 
- imported_admin_cert = "" --- -1.8.3.1 - - -From 73dee32e2636e33f8c6af43b27dc6a3f65d2b7a5 Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Tue, 16 Jan 2018 14:53:51 +1100 -Subject: [PATCH 29/30] Set nextUpdate in OCSP responses - -Some OCSP clients adhere to the Lightweight OCSP Profile (RFC 5019) -which requires that the OCSP response include the nextUpdate field. - -Update the CA subsystem's OCSP responder to include the nextUpdate -field when it is configured to use the CRL cache. The nextUpdate -field in the OCSP response is set to the nextUpdate time of the -"master" CRL issuing point. - -If the OCSP responder is not configured to use the CRL cache, there -is no reasonable value for nextUpdate. In this case, we continue to -omit it. - -Fixes: https://pagure.io/dogtagpki/issue/2661 -Change-Id: Idbf7354b0ecc45c0498c4b7c05458f726f40336f -(cherry picked from commit fc3067f2e955e18405f735269bfe5fe135382d21) -(cherry picked from commit eb14d5bc86fa1c68282f84246cbaf33c9f55399b) ---- - base/ca/src/com/netscape/ca/CertificateAuthority.java | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java -index 6309c1b..e5d21eb 100644 ---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java -+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java -@@ -2571,7 +2571,6 @@ public class CertificateAuthority - - CertStatus certStatus = null; - GeneralizedTime thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); -- GeneralizedTime nextUpdate = null; - - byte[] nameHash = null; - String digestName = cid.getDigestName(); -@@ -2609,6 +2608,12 @@ public class CertificateAuthority - CRLIssuingPoint point = (CRLIssuingPoint) - getCRLIssuingPoint(issuingPointId); - -+ /* set nextUpdate to the nextUpdate time of the CRL */ -+ GeneralizedTime nextUpdate = null; -+ Date crlNextUpdate = point.getNextUpdate(); -+ if (crlNextUpdate != null) 
-+ nextUpdate = new GeneralizedTime(crlNextUpdate); -+ - if (point.isCRLCacheEnabled()) { - // only do this if cache is enabled - BigInteger sno = new BigInteger(serialNo.toString()); -@@ -2660,7 +2665,12 @@ public class CertificateAuthority - certStatus = new UnknownInfo(); // not issued not all - } - -- return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); -+ return new SingleResponse( -+ cid, certStatus, thisUpdate, -+ /* We are not using a CRL cache for generating OCSP -+ * responses, so there is no reasonable value for -+ * nextUpdate. */ -+ null /* nextUpdate */); - } - - /** --- -1.8.3.1 - - -From 138ae505719adb0a0e43114d6acaa8ef8cc0fcec Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 22 Jan 2018 06:37:26 +0100 -Subject: [PATCH 30/30] Fixed cert import for exiting certs case. - -The configuration servlet has been fixed to properly import the -externally-signed certs in existing CA and external KRA/OCSP cases. - -https://pagure.io/dogtagpki/issue/2901 - -Change-Id: Ida7bd7758670c72063765462b7d735f69a465804 -(cherry picked from commit 441b832fb2172680ba3c83c3048a97c38c0c1ec0) -(cherry picked from commit 4196d2ab35c4b683228e3ff03cda98c120726702) ---- - .../org/dogtagpki/server/rest/SystemConfigService.java | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -index 97508b7..575f97c 100644 ---- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -@@ -401,12 +401,19 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - cert.setSubsystem(subsystem); - cert.setType(cs.getString("preop.cert." 
+ tag + ".type")); - -+ String fullName; -+ if (!CryptoUtil.isInternalToken(tokenName)) { -+ fullName = tokenName + ":" + nickname; -+ } else { -+ fullName = nickname; -+ } -+ - CMS.debug("SystemConfigService: checking " + tag + " cert in NSS database"); - - CryptoManager cm = CryptoManager.getInstance(); - X509Certificate x509Cert; - try { -- x509Cert = cm.findCertByNickname(nickname); -+ x509Cert = cm.findCertByNickname(fullName); - } catch (ObjectNotFoundException e) { - x509Cert = null; - } -@@ -414,11 +421,12 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - // For external/existing CA case, some/all system certs may be provided. - // The SSL server cert will always be generated for the current host. - -- // For standalone KRA/OCSP case, all system certs will be provided. -+ // For external/standalone KRA/OCSP case, all system certs will be provided. - // No system certs will be generated including the SSL server cert. - -- if (request.isExternal() && !tag.equals("sslserver") && x509Cert != null -- || request.getStandAlone()) { -+ if (request.isExternal() && "ca".equals(subsystem) && !tag.equals("sslserver") && x509Cert != null -+ || request.getStandAlone() -+ || request.isExternal() && ("kra".equals(subsystem) || "ocsp".equals(subsystem))) { - - CMS.debug("SystemConfigService: loading existing " + tag + " cert"); - byte[] bytes = x509Cert.getEncoded(); --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-snapshot-2.patch b/SOURCES/pki-core-10.5.1-snapshot-2.patch deleted file mode 100644 index 6b2aecb..0000000 --- a/SOURCES/pki-core-10.5.1-snapshot-2.patch +++ /dev/null 
@@ -1,2392 +0,0 @@ -From 085966b0eddd9786003e4dc3074314ad0626c203 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Tue, 23 Jan 2018 18:31:53 -0800 -Subject: [PATCH 01/18] Fix Bug 1501436 - TPS CS.cfg should be reflected with - the changes after an in-place upgrade. - -This upgrade script will add the needed config params to an existing CS.cfg for TPS. - -The params consist of the params required for the token profile : externalRegISEtoken. - -The code also grabs the unsecure phone home url out of the instances's server.xml. -This way the new profile is configured exactly like what happens when doing a pkispawn. -The correct nonsecure url will be in place. - -Added some review changes. Also we modified the python properties file class to be able to -handle a property value that happens to contain the delimeter "=". Ex name=cn=people. - -Added directory server/upgrade/10.5.1 so rhel can use it when performing this upgrade. - -Change-Id: I2478013b396082ffdc3d99ed86a821ec86ac4c5d -(cherry picked from commit 2d1390f5d2f0ca653d03f936c601cd4cb7a488fd) -(cherry picked from commit bf199fa8b2215d68765117b79626a72374d71981) ---- - base/common/python/pki/__init__.py | 9 +- - base/server/upgrade/10.5.1/.gitignore | 4 + - .../10.5.5/01-AddTPSExternalRegISEtokenParams | 383 +++++++++++++++++++++ - 3 files changed, 391 insertions(+), 5 deletions(-) - create mode 100644 base/server/upgrade/10.5.1/.gitignore - create mode 100755 base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams - -diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py -index 1a6f5c2..dbe5629 100644 ---- a/base/common/python/pki/__init__.py -+++ b/base/common/python/pki/__init__.py -@@ -485,14 +485,13 @@ class PropertyFile(object): - for i, line in enumerate(self.lines): - - # parse -- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter, -+ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter), - line) - - if not match: - continue - - 
key = match.group(1) -- - if key.lower() == name.lower(): - return i - -@@ -511,7 +510,7 @@ class PropertyFile(object): - for line in self.lines: - - # parse -- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter, -+ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter), - line) - - if not match: -@@ -540,7 +539,7 @@ class PropertyFile(object): - for i, line in enumerate(self.lines): - - # parse -- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter, -+ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter), - line) - - if not match: -@@ -569,7 +568,7 @@ class PropertyFile(object): - for i, line in enumerate(self.lines): - - # parse -- match = re.match(r'^\s*(\S*)\s*%s\s*(.*)\s*$' % self.delimiter, -+ match = re.match(r'^\s*([^%s]*)\s*%s\s*(.*)\s*$' % (self.delimiter, self.delimiter), - line) - - if not match: -diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore -new file mode 100644 -index 0000000..5e7d273 ---- /dev/null -+++ b/base/server/upgrade/10.5.1/.gitignore -@@ -0,0 +1,4 @@ -+# Ignore everything in this directory -+* -+# Except this file -+!.gitignore -diff --git a/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams -new file mode 100755 -index 0000000..85429cc ---- /dev/null -+++ b/base/server/upgrade/10.5.5/01-AddTPSExternalRegISEtokenParams -@@ -0,0 +1,383 @@ -+#!/usr/bin/python -+# Authors: -+# Jack Magne based on work -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; version 2 of the License. -+# -+# This program is distributed in the hope that it will be useful', -+ -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License along -+# with this program; if not', write to the Free Software Foundation', Inc.', -+# 51 Franklin Street', Fifth Floor', Boston', MA 02110-1301 USA. -+# -+# Copyright (C) 2017 Red Hat', Inc. -+# All rights reserved. -+ -+from __future__ import absolute_import -+import os.path -+from lxml import etree -+import socket -+ -+import pki -+from pki.server.upgrade import PKIServerUpgradeScriptlet -+ -+proplist = [ -+ ('op.format.externalRegISEtoken.auth.enable', 'true'), -+ ('op.format.externalRegISEtoken.auth.id', 'ldap1'), -+ ('op.format.externalRegISEtoken.ca.conn', 'ca1'), -+ ('op.format.externalRegISEtoken.cardmgr_instance', 'A0000000030000'), -+ ('op.format.externalRegISEtoken.cuidMustMatchKDD', 'false'), -+ ('op.format.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'), -+ ('op.format.externalRegISEtoken.issuerinfo.enable', 'true'), -+ ('op.format.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'), -+ ('op.format.externalRegISEtoken.loginRequest.enable', 'true'), -+ ('op.format.externalRegISEtoken.maximumGPKeyVersion', 'FF'), -+ ('op.format.externalRegISEtoken.minimumGPKeyVersion', '01'), -+ ('op.format.externalRegISEtoken.revokeCert', 'false'), -+ ('op.format.externalRegISEtoken.revokeCert.reason', '0'), -+ ('op.format.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'), -+ ('op.format.externalRegISEtoken.tks.conn', 'tks1'), -+ ('op.format.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'), -+ ('op.format.externalRegISEtoken.update.applet.emptyToken.enable', 'true'), -+ ('op.format.externalRegISEtoken.update.applet.encryption', 'true'), -+ ('op.format.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'), -+ ('op.format.externalRegISEtoken.update.symmetricKeys.enable', 'false'), -+ 
('op.format.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'),
-+ ('op.format.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true'),
-+ ('op.enroll.externalRegISEtoken._000', '#########################################'),
-+ ('op.enroll.externalRegISEtoken._001', '# Enrollment for externalReg'),
-+ ('op.enroll.externalRegISEtoken._002', '# ID, Signing,Encryption'),
-+ ('op.enroll.externalRegISEtoken._003', '# controlled by registration user record'),
-+ ('op.enroll.externalRegISEtoken._004', '#########################################'),
-+ ('op.enroll.externalRegISEtoken.auth.enable', 'true'),
-+ ('op.enroll.externalRegISEtoken.auth.id', 'ldap1'),
-+ ('op.enroll.externalRegISEtoken.cardmgr_instance', 'A0000000030000'),
-+ ('op.enroll.externalRegISEtoken.cuidMustMatchKDD', 'false'),
-+ ('op.enroll.externalRegISEtoken.enableBoundedGPKeyVersion', 'true'),
-+ ('op.enroll.externalRegISEtoken.issuerinfo.enable', 'true'),
-+ ('op.enroll.externalRegISEtoken.issuerinfo.value', 'http://[PKI_HOSTNAME]:[PKI_UNSECURE_PORT]/tps/phoneHome'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.SANpattern', '$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.conn', 'ca1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyEnrollment'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.certAttrId', 'c3'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.certId', 'C3'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.cuid_label', '$cuid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.keySize', '1024'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUsage', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.keyUser', '0'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.authentication.label', 'authentication key for $userid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.overwrite', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.decrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.encrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.private', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sensitive', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.sign', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.signRecover', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.token', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.unwrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verify', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.verifyRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.private.keyCapabilities.wrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyAttrId', 'k6'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.privateKeyNumber', '6'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.decrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.encrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.private', 'false'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sensitive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.sign', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.signRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.token', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.unwrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verify', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.verifyRecover', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.public.keyCapabilities.wrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyAttrId', 'k7'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.publicKeyNumber', '7'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeCert.reason', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.destroyed.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeCert.reason', '1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.revokeExpiredCerts', 'false'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.keyCompromise.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeCert.reason', '6'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.onHold.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeCert.reason', '1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.recovery.terminated.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.archive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.drm.conn', 'kra1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.authentication.serverKeygen.enable', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.SANpattern', '$auth.mail$,$auth.edipi$.$auth.pcc$@EXAMPLE.com'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption._000', '#########################################'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption._001', '# encryption cert/keys are "recovered" for this profile'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption._002', '# controlled from User Registartion db'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption._003', '#########################################'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.encryption.ca.conn', 'ca1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.ca.profileId', 'caTokenUserEncryptionKeyEnrollment'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.certAttrId', 'c2'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.certId', 'C2'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.cuid_label', '$cuid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.exec-edipi$,e=$auth.mail$,o=TMS Org'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.keySize', '1024'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUsage', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.keyUser', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.label', 'encryption key for $userid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.overwrite', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.decrypt', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.encrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.private', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sensitive', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.sign', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.signRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.token', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.unwrap', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verify', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.verifyRecover', 'false'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.encryption.private.keyCapabilities.wrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyAttrId', 'k4'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.privateKeyNumber', '4'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.decrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.encrypt', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.private', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sensitive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.sign', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.signRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.token', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.unwrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verify', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.verifyRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.public.keyCapabilities.wrap', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyAttrId', 'k5'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.publicKeyNumber', '5'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeCert.reason', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.revokeExpiredCerts', 'false'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.destroyed.scheme', 'RecoverLast'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeCert.reason', '1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.keyCompromise.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.holdRevocationUntilLastCredential', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeCert.reason', '6'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.onHold.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.holdRevocationUntilLastCredential', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeCert.reason', '1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.revokeExpiredCerts', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.recovery.terminated.scheme', 'GenerateNewKey'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.archive', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.drm.conn', 'kra1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.encryption.serverKeygen.enable', 'True'),
-+ ('op.enroll.externalRegISEtoken.keyGen.keyType.num', '3'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.keyType.value.0', 'signing'),
-+ ('op.enroll.externalRegISEtoken.keyGen.keyType.value.1', 'authentication'),
-+ ('op.enroll.externalRegISEtoken.keyGen.keyType.value.2', 'encryption'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.num', '3'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.0', 'signing'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.1', 'authentication'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.destroyed.keyType.value.2', 'encryption'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.num', '3'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.0', 'signing'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.1', 'authentication'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.keyCompromise.keyType.value.2', 'encryption'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.num', '3'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.0', 'signing'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.1', 'authentication'),
-+ ('op.enroll.externalRegISEtoken.keyGen.recovery.onHold.keyType.value.2', 'encryption'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.SANpattern', '$auth.mail$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.ca.conn', 'ca1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.ca.profileId', 'caTokenUserDelegateSigningKeyEnrollment'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.certAttrId', 'c1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.certId', 'C1'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.cuid_label', '$cuid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.dnpattern', 'cn=$auth.firstname$.$auth.lastname$.$auth.edipi$,e=$auth.mail$,o=TMS Org'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.keySize', '1024'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.signing.keyUsage', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.keyUser', '0'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.label', 'signing key for $userid$'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.overwrite', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.decrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.encrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.private', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sensitive', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.sign', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.signRecover', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.token', 'true'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.unwrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verify', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.verifyRecover', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.private.keyCapabilities.wrap', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyAttrId', 'k2'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.privateKeyNumber', '2'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.decrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.derive', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.encrypt', 'false'),
-+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.private', 'false'),
-+ 
('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sensitive', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.sign', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.signRecover', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.token', 'true'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.unwrap', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verify', 'true'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.verifyRecover', 'true'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.public.keyCapabilities.wrap', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyAttrId', 'k3'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.publicKeyNumber', '3'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.holdRevocationUntilLastCredential', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeCert.reason', '0'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.revokeExpiredCerts', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.destroyed.scheme', 'GenerateNewKey'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.holdRevocationUntilLastCredential', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeCert.reason', '1'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.revokeExpiredCerts', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.keyCompromise.scheme', 'GenerateNewKey'), -+ 
('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.holdRevocationUntilLastCredential', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeCert.reason', '6'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.revokeExpiredCerts', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.onHold.scheme', 'GenerateNewKey'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.holdRevocationUntilLastCredential', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert', 'true'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeCert.reason', '1'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.revokeExpiredCerts', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.recovery.terminated.scheme', 'GenerateNewKey'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.archive', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.drm.conn', 'kra1'), -+ ('op.enroll.externalRegISEtoken.keyGen.signing.serverKeygen.enable', 'false'), -+ ('op.enroll.externalRegISEtoken.keyGen.tokenName', '$auth.cn$'), -+ ('op.enroll.externalRegISEtoken.loginRequest.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.maximumGPKeyVersion', 'FF'), -+ ('op.enroll.externalRegISEtoken.minimumGPKeyVersion', '01'), -+ ('op.enroll.externalRegISEtoken.pinReset.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.pinReset.pin.maxLen', '10'), -+ ('op.enroll.externalRegISEtoken.pinReset.pin.maxRetries', '127'), -+ ('op.enroll.externalRegISEtoken.pinReset.pin.minLen', '4'), -+ ('op.enroll.externalRegISEtoken.pkcs11obj.compress.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.pkcs11obj.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.renewal._000', '#########################################'), -+ 
('op.enroll.externalRegISEtoken.renewal._001', '# Token Renewal.'), -+ ('op.enroll.externalRegISEtoken.renewal._002', '#'), -+ ('op.enroll.externalRegISEtoken.renewal._003', '# For each token in TPS UI, set the'), -+ ('op.enroll.externalRegISEtoken.renewal._004', '# following to trigger renewal'), -+ ('op.enroll.externalRegISEtoken.renewal._005', '# operations:'), -+ ('op.enroll.externalRegISEtoken.renewal._006', '#'), -+ ('op.enroll.externalRegISEtoken.renewal._007', '# RENEW=YES'), -+ ('op.enroll.externalRegISEtoken.renewal._008', '#'), -+ ('op.enroll.externalRegISEtoken.renewal._009', '# Optional grace period enforcement'), -+ ('op.enroll.externalRegISEtoken.renewal._010', '# must coincide exactly with what'), -+ ('op.enroll.externalRegISEtoken.renewal._011', '# the CA enforces.'), -+ ('op.enroll.externalRegISEtoken.renewal._012', '#'), -+ ('op.enroll.externalRegISEtoken.renewal._013', '# In case of renewal, encryption certId'), -+ ('op.enroll.externalRegISEtoken.renewal._014', '# values are for completeness only, server'), -+ ('op.enroll.externalRegISEtoken.renewal._015', '# code calculates actual values used.'), -+ ('op.enroll.externalRegISEtoken.renewal._016', '#'), -+ ('op.enroll.externalRegISEtoken.renewal._017', '#########################################'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.ca.conn', 'ca1'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.ca.profileId', 'caTokenUserDelegateAuthKeyRenewal'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.certAttrId', 'c3'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.certId', 'C3'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.after', '30'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.before', '30'), -+ ('op.enroll.externalRegISEtoken.renewal.authentication.gracePeriod.enable', 'false'), -+ 
('op.enroll.externalRegISEtoken.renewal.keyType.num', '2'), -+ ('op.enroll.externalRegISEtoken.renewal.keyType.value.0', 'signing'), -+ ('op.enroll.externalRegISEtoken.renewal.keyType.value.1', 'authentication'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.ca.conn', 'ca1'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.ca.profileId', 'caTokenUserSigningKeyRenewal'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.certAttrId', 'c1'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.certId', 'C1'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.after', '30'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.before', '30'), -+ ('op.enroll.externalRegISEtoken.renewal.signing.gracePeriod.enable', 'false'), -+ ('op.enroll.externalRegISEtoken.rollbackKeyVersionOnPutKeyFailure', 'false'), -+ ('op.enroll.externalRegISEtoken.temporaryToken.tokenType', 'externalRegISEtokenTemporary'), -+ ('op.enroll.externalRegISEtoken.tks.conn', 'tks1'), -+ ('op.enroll.externalRegISEtoken.update.applet.directory', '/usr/share/pki/tps/applets'), -+ ('op.enroll.externalRegISEtoken.update.applet.emptyToken.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.update.applet.enable', 'true'), -+ ('op.enroll.externalRegISEtoken.update.applet.encryption', 'true'), -+ ('op.enroll.externalRegISEtoken.update.applet.requiredVersion', '1.4.58768072'), -+ ('op.enroll.externalRegISEtoken.update.symmetricKeys.enable', 'false'), -+ ('op.enroll.externalRegISEtoken.update.symmetricKeys.requiredVersion', '1'), -+ ('op.enroll.externalRegISEtoken.validateCardKeyInfoAgainstTokenDB', 'true') -+] -+ -+ -+class AddTPSExternalRegISEtokenParams(PKIServerUpgradeScriptlet): -+ def __init__(self): -+ super(AddTPSExternalRegISEtokenParams, self).__init__() -+ self.parser = etree.XMLParser(remove_blank_text=True) -+ self.message = 'Add token profile params for externalRegISEtoken for TPS CS.cfg' -+ -+ def 
upgrade_subsystem(self, instance, subsystem): -+ if subsystem.name == 'tps': -+ self.upgrade_config(instance, subsystem) -+ -+ def upgrade_config(self, instance, subsystem): # pylint: disable=W0613 -+ filename = os.path.join(subsystem.conf_dir, 'CS.cfg') -+ server_xml = os.path.join(instance.conf_dir, 'server.xml') -+ self.backup(filename) -+ properties = pki.PropertyFile(filename) -+ properties.read() -+ -+ # Get the unsecure phone home url out of the server.xml -+ -+ tps_unsecure_port = None -+ hostname = socket.gethostname() -+ -+ document = etree.parse(server_xml, self.parser) -+ server = document.getroot() -+ connectors = server.findall('.//Connector') -+ -+ for connector in connectors: -+ # find the Secure connector -+ name = connector.get('name') -+ if name != 'Unsecure': -+ continue -+ else: -+ tps_unsecure_port = connector.get('port') -+ -+ # if the property exists, leave it alone', otherwise set -+ # it to the value defined above -+ # replace the standard non secure phone home url with value -+ # from the server.xml file, which is known correct -+ -+ for k, v in proplist: -+ cur = properties.get(k) -+ if cur is None: -+ properties.set(k, v) -+ # handle the case when we have an issuer url to plug in -+ if k.find("issuerinfo.value") != -1: -+ if tps_unsecure_port is not None: -+ properties.set(k, "http://" + hostname + ":" + tps_unsecure_port + "/tps/phoneHome") -+ -+ properties.write() --- -1.8.3.1 - - -From 42152f3c4b43e4aeb5c08223df2f0998f56a4c34 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 Jan 2018 03:48:35 +0100 -Subject: [PATCH 03/18] Updated RollingLogFile.EXPIRATION_TIME. - -The RollingLogFile.EXPIRATION_TIME has been changed to 0 such that -log expiration is disabled in case the log.instance.*.expirationTime -parameter is missing from the CS.cfg. 
- -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: I8c8c7a1560f986920244f9660b0de10e197f93b4 -(cherry picked from commit e2a72fff7413cf084cf5f629cbaa0e8a9c2c64a0) -(cherry picked from commit 4b48f2c589f4320e23632ceccd9b20dba7ca140f) ---- - base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -index d804850..e0eb1df 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java -@@ -66,7 +66,7 @@ public class RollingLogFile extends LogFile { - /** - * The default expiration time in seconds - */ -- static final String EXPIRATION_TIME = "2592000"; -+ static final String EXPIRATION_TIME = "0"; - - /** - * The maximum file size in bytes --- -1.8.3.1 - - -From 2c1653d822d40b5d305f76a225d18614ad3ecd89 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 25 Jan 2018 04:32:23 +0100 -Subject: [PATCH 04/18] Merged TOKEN_APPLET_UPGRADE events. - -The TOKEN_APPLET_UPGRADE_* events have been merged into a single -event with different outcomes. Also, it has been encapsulated into -TokenAppletUpgradeEvent class. 
- -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: Ifa34eacaa5a0da1c8026eb702e09828234d7f0f5 -(cherry picked from commit c006503ca9f99389da85da091a856d226a7eb244) -(cherry picked from commit 5d3ddcd3335023e4f8d3303fdeac95de2ea2851f) ---- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- - .../logging/event/TokenAppletUpgradeEvent.java | 56 ++++++++++++++++++++++ - base/server/cmsbundle/src/LogMessages.properties | 8 ++-- - .../server/tps/processor/TPSProcessor.java | 21 ++++---- - 4 files changed, 72 insertions(+), 17 deletions(-) - create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java - -diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 8aebd0f..6bf2df6 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -133,10 +133,6 @@ public class AuditEvent extends LogEvent { - "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9"; - public final static String TOKEN_FORMAT_FAILURE = - "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9"; -- public final static String TOKEN_APPLET_UPGRADE_SUCCESS = -- "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9"; -- public final static String TOKEN_APPLET_UPGRADE_FAILURE = -- "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9"; - public final static String TOKEN_KEY_CHANGEOVER_REQUIRED = - "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10"; - public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = -diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java -new file mode 100644 -index 0000000..06df664 ---- /dev/null -+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenAppletUpgradeEvent.java -@@ -0,0 +1,56 @@ -+// --- BEGIN COPYRIGHT BLOCK --- -+// This program is free 
software; you can redistribute it and/or modify -+// it under the terms of the GNU General Public License as published by -+// the Free Software Foundation; version 2 of the License. -+// -+// This program is distributed in the hope that it will be useful, -+// but WITHOUT ANY WARRANTY; without even the implied warranty of -+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+// GNU General Public License for more details. -+// -+// You should have received a copy of the GNU General Public License along -+// with this program; if not, write to the Free Software Foundation, Inc., -+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -+// -+// (C) 2018 Red Hat, Inc. -+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.SignedAuditEvent; -+ -+public class TokenAppletUpgradeEvent extends SignedAuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String TOKEN_APPLET_UPGRADE_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS"; -+ -+ public final static String TOKEN_APPLET_UPGRADE_FAILURE = -+ "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE"; -+ -+ public TokenAppletUpgradeEvent( -+ String messageID, -+ String ip, -+ String subjectID, -+ String cuid, -+ String msn, -+ String outcome, -+ String keyVersion, -+ String oldAppletVersion, -+ String newAppletVersion, -+ String info) { -+ -+ super(messageID); -+ -+ setAttribute("IP", ip); -+ setAttribute("SubjectID", subjectID); -+ setAttribute("CUID", cuid); -+ setAttribute("MSN", msn); -+ setAttribute("Outcome", outcome); -+ setAttribute("KeyVersion", keyVersion); -+ setAttribute("oldAppletVersion", oldAppletVersion); -+ setAttribute("newAppletVersion", newAppletVersion); -+ setAttribute("Info", info); -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 4ec6c39..183987f 100644 
---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2235,8 +2235,8 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification success --LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY] User signed CMC request signature verification failure -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success -+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure - - # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST - # - used for TPS to TKS to get random challenge data -@@ -2613,12 +2613,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=:[AuditEv - # - # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS - # - used when token apple upgrade succeeded --LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success -+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success - # - # - # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE - # - used when token apple upgrade failed --LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure -+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure - # - # 
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
- # - used when token key changeover is required
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index a78db64..1093d78 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -95,6 +95,7 @@ import com.netscape.certsrv.base.IConfigStore;
- import com.netscape.certsrv.common.Constants;
- import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.LogEvent;
-+import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
- import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cms.logging.Logger;
- import com.netscape.cms.logging.SignedAuditLogger;
-@@ -4164,27 +4165,29 @@ public class TPSProcessor {
- String newVersion,
- String info) {
-
-- String auditType = "";
-+ String auditType;
-+
- switch (status) {
- case "success":
-- auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
-+ auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
- break;
- default:
-- auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE;
-+ auditType = TokenAppletUpgradeEvent.TOKEN_APPLET_UPGRADE_FAILURE;
- }
-
-- String auditMessage = CMS.getLogMessage(
-+ TokenAppletUpgradeEvent event = new TokenAppletUpgradeEvent(
- auditType,
-- (session != null) ? session.getIpAddress() : null,
-+ session != null ? session.getIpAddress() : null,
- userid,
-- (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
-- (aInfo != null) ? aInfo.getMSNString() : null,
-+ aInfo != null ? aInfo.getCUIDhexStringPlain() : null,
-+ aInfo != null ? aInfo.getMSNString() : null,
- status,
- keyVersion,
-- (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
-+ aInfo != null ? aInfo.getFinalAppletVersion() : null,
- newVersion,
- info);
-- audit(auditMessage);
-+
-+ signedAuditLogger.log(event);
- }
-
- protected void auditKeyChangeoverRequired(AppletInfo aInfo,
---
-1.8.3.1
-
-
-From 7ab4d71f5a6c5c5ff8be1bbeaac6528ec652cc32 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Thu, 25 Jan 2018 04:49:06 +0100
-Subject: [PATCH 05/18] Merged TOKEN_KEY_CHANGEOVER events.
-
-The TOKEN_KEY_CHANGEOVER_* events have been merged into a single
-event with different outcomes. Also, it has been encapsulated into
-TokenKeyChangeoverEvent class.
-
-https://pagure.io/dogtagpki/issue/2656
-
-Change-Id: I09c5179645c2037ff6208e923f35177104e5babd
-(cherry picked from commit 2c614e982805349b1c28f8647cd2be615c9ca1cd)
-(cherry picked from commit 64bd7ecf033385972988b7c675ee446be8537644)
----
- .../com/netscape/certsrv/logging/AuditEvent.java | 4 --
- .../logging/event/TokenKeyChangeoverEvent.java | 58 ++++++++++++++++++++++
- base/server/cmsbundle/src/LogMessages.properties | 4 +-
- .../server/tps/processor/TPSProcessor.java | 21 ++++----
- 4 files changed, 72 insertions(+), 15 deletions(-)
- create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java
-
-diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-index 6bf2df6..131b2a9 100644
---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
-@@ -135,10 +135,6 @@ public class AuditEvent extends LogEvent {
- "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
- public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
-- public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
-- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
-- public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
-- "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
- public final static String TOKEN_AUTH_FAILURE =
- "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
- public final static String TOKEN_AUTH_SUCCESS =
-diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java
-new file mode 100644
-index 0000000..5bbfe26
---- /dev/null
-+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenKeyChangeoverEvent.java
-@@ -0,0 +1,58 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2018 Red Hat, Inc.
-+// All rights reserved.
-+// --- END COPYRIGHT BLOCK --- -+package com.netscape.certsrv.logging.event; -+ -+import com.netscape.certsrv.logging.SignedAuditEvent; -+ -+public class TokenKeyChangeoverEvent extends SignedAuditEvent { -+ -+ private static final long serialVersionUID = 1L; -+ -+ public final static String TOKEN_KEY_CHANGEOVER_SUCCESS = -+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS"; -+ -+ public final static String TOKEN_KEY_CHANGEOVER_FAILURE = -+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE"; -+ -+ public TokenKeyChangeoverEvent( -+ String messageID, -+ String ip, -+ String subjectID, -+ String cuid, -+ String msn, -+ String outcome, -+ String tokenType, -+ String appletVersion, -+ String oldKeyVersion, -+ String newKeyVersion, -+ String info) { -+ -+ super(messageID); -+ -+ setAttribute("IP", ip); -+ setAttribute("SubjectID", subjectID); -+ setAttribute("CUID", cuid); -+ setAttribute("MSN", msn); -+ setAttribute("Outcome", outcome); -+ setAttribute("tokenType", tokenType); -+ setAttribute("AppletVersion", appletVersion); -+ setAttribute("oldKeyVersion", oldKeyVersion); -+ setAttribute("newKeyVersion", newKeyVersion); -+ setAttribute("Info", info); -+ } -+} -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 183987f..9ca508a 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2627,12 +2627,12 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success -+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success - # - # LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE - # - used when token key changeover failed - # - Info is used for storing more info in case of 
failure
--LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
-+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
- #
- # LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
- # - used when authentication failed
-diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-index 1093d78..811c9a7 100644
---- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
-@@ -96,6 +96,7 @@ import com.netscape.certsrv.common.Constants;
- import com.netscape.certsrv.logging.AuditEvent;
- import com.netscape.certsrv.logging.LogEvent;
- import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
-+import com.netscape.certsrv.logging.event.TokenKeyChangeoverEvent;
- import com.netscape.certsrv.tps.token.TokenStatus;
- import com.netscape.cms.logging.Logger;
- import com.netscape.cms.logging.SignedAuditLogger;
-@@ -4218,28 +4219,30 @@ public class TPSProcessor {
- String newKeyVersion,
- String info) {
-
-- String auditType = "";
-+ String auditType;
-+
- switch (status) {
- case "success":
-- auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
-+ auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
- break;
- default:
-- auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
-+ auditType = TokenKeyChangeoverEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
- }
-
-- String auditMessage = CMS.getLogMessage(
-+ TokenKeyChangeoverEvent event = new TokenKeyChangeoverEvent(
- auditType,
-- (session != null) ? session.getIpAddress() : null,
-+ session != null ? session.getIpAddress() : null,
- userid,
-- (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
-- (aInfo != null) ? aInfo.getMSNString() : null,
-+ aInfo != null ? aInfo.getCUIDhexStringPlain() : null,
-+ aInfo != null ? aInfo.getMSNString() : null,
- status,
- getSelectedTokenType(),
-- (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
-+ aInfo != null ? aInfo.getFinalAppletVersion() : null,
- oldKeyVersion,
- newKeyVersion,
- info);
-- audit(auditMessage);
-+
-+ signedAuditLogger.log(event);
- }
-
- /*
---
-1.8.3.1
-
-
-From 6bf58209dda17ab2e76e6038e7a6209539e37816 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Fri, 21 Apr 2017 20:16:16 +0200
-Subject: [PATCH 06/18] Updated default audit events.
-
-The default audit events and their filters have been updated in
-all PKI subsystem configuration files.
-
-https://pagure.io/dogtagpki/issue/2656
-
-Change-Id: I867a38a366ad7cc23d71f2a0c22996a9ccce8088
-(cherry picked from commit d928a667e6d573ce1d1d936d3c3682945bb0f9fc)
-(cherry picked from commit a67cfbaee71e3f2254fb8ee201bd47fbcd60d834)
----
- base/ca/shared/conf/CS.cfg | 8 +++++++-
- base/kra/shared/conf/CS.cfg | 16 +++++++++++++++-
- base/ocsp/shared/conf/CS.cfg | 3 ++-
- base/tks/shared/conf/CS.cfg | 3 ++-
- base/tps/shared/conf/CS.cfg | 5 ++++-
- 5 files changed, 30 insertions(+), 5 deletions(-)
-
-diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
-index 908407b..76a7057 100644
---- a/base/ca/shared/conf/CS.cfg
-+++ b/base/ca/shared/conf/CS.cfg
-@@ -909,8 +909,14 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
- log.instance.SignedAudit._006=##
- log.instance.SignedAudit.bufferSize=512
- log.instance.SignedAudit.enable=true
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION 
-+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
-+log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
-+log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
-+log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
-+log.instance.SignedAudit.filters.FULL_CRL_GENERATION=(Outcome=Failure)
-+log.instance.SignedAudit.filters.OCSP_GENERATION=(Outcome=Failure)
- log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
- log.instance.SignedAudit.expirationTime=0
- log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
- log.instance.SignedAudit.flushInterval=5
-diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
-index a5ddab6..06bd0fe 100644
---- a/base/kra/shared/conf/CS.cfg
-+++ b/base/kra/shared/conf/CS.cfg
-@@ -304,8 +304,22 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
- log.instance.SignedAudit._006=##
- log.instance.SignedAudit.bufferSize=512
- log.instance.SignedAudit.enable=true
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION 
-+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
-+log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
-+log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
-+log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
-+log.instance.SignedAudit.filters.KEY_RECOVERY_AGENT_LOGIN=(Outcome=Failure)
- log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)
-+log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure)
-+log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
- 
log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg -index 13c9bcf..dc993b0 100644 ---- a/base/ocsp/shared/conf/CS.cfg -+++ b/base/ocsp/shared/conf/CS.cfg -@@ -220,8 +220,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
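Review bot: The filter line `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure)` in the KRA hunk is a typo — the `_PROCESSED` suffix has slipped past the `=`, so the line re-assigns the `SERVER_SIDE_KEYGEN_REQUEST` key set one line earlier to the non-filter value `PROCESSED (Outcome=Failure)` and leaves `SERVER_SIDE_KEYGEN_REQUEST_PROCESSED` with no filter at all. With a duplicate key the last assignment presumably wins, and a filter string that is not an LDAP-style expression will either fail to parse or match nothing, so server-side keygen auditing on the KRA is not what the hunk intends in either direction. It should read `log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)`. Since this is the shared template, instances created before the fix will carry the bad line in their own CS.cfg and need the same one-line edit.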
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) -+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ocsp_cert-ocsp_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg -index 751398f..d1da996 100644 ---- a/base/tks/shared/conf/CS.cfg -+++ b/base/tks/shared/conf/CS.cfg -@@ -212,8 +212,9 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true 
--log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) -+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - 
log.instance.SignedAudit.expirationTime=0 - log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tks_cert-tks_audit - log.instance.SignedAudit.flushInterval=5 -diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg -index c244d19..c44bc75 100644 ---- a/base/tps/shared/conf/CS.cfg -+++ b/base/tps/shared/conf/CS.cfg -@@ -229,8 +229,11 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ,AUTH,ROLE_ASSUME,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_GENERAL,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_RECORD,CONFIG_TOKEN_AUTHENTICATOR,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER - log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) -+log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) -+log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) 
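Review bot: The new TKS selection drops every key-operation event the old list carried — `COMPUTE_SESSION_KEY_REQUEST`, `DIVERSIFY_KEY_REQUEST`, `ENCRYPT_DATA_REQUEST`, `COMPUTE_RANDOM_DATA_REQUEST` and their `_PROCESSED_SUCCESS`/`_PROCESSED_FAILURE` forms, plus `CIMC_CERT_VERIFICATION` — and adds nothing in their place, so a TKS deployed from this template no longer audits the operations that exercise its master keys. The KRA hunk above folds such pairs into single Outcome-bearing events (`SYMKEY_GEN_REQUEST_PROCESSED`), which suggests these were renamed rather than retired; if so the new names belong in this list with an `(Outcome=Failure)` filter, and if they were dropped deliberately the `_005` comment block above should say so, since an operator auditing a TKS will otherwise assume key derivation is covered. The commit message for this hunk is not in view, so this may already be explained there.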
-+log.instance.SignedAudit.filters.TOKEN_KEY_CHANGEOVER=(Outcome=Failure) - log.instance.SignedAudit.unselected.events= - log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING - log.instance.SignedAudit.expirationTime=0 --- -1.8.3.1 - - -From 6bf945e96d8c41e21eb22105e46c33f11f2be26c Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 26 Jan 2018 20:56:45 +0100 -Subject: [PATCH 07/18] Using case-insensitive audit event filter. - -The code that evaluates audit event filter has been modified to -use case-insensitive attribute value comparison. - -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: I548dee048b0ed70779fb67a8cdfc39943f2bc9b7 -(cherry picked from commit a1ff57e0b84a4737771511268c5b92a8af975ca3) -(cherry picked from commit 5e4785bf697fc2844255c3499b2944c84899aa3e) ---- - base/server/cms/src/com/netscape/cms/logging/LogFile.java | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index 738eabf..510e796 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -1202,7 +1202,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - - String stringAttr = (String)attr; - -- return value.equals(stringAttr); -+ return value.equalsIgnoreCase(stringAttr); - } - - public boolean eval(SignedAuditEvent event, JDAPFilterSubString filter) { -@@ -1215,18 +1215,18 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - if (attr == null) return false; - if (!(attr instanceof String)) return false; - -- String stringAttr = (String)attr; -+ String stringAttr = ((String)attr).toLowerCase(); - - // check initial substring - String initialSubstring = filter.getInitialSubstring(); - if (initialSubstring != null) { -- if 
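Review bot: The TPS list keeps only applet upgrade and key changeover from the token events and drops `TOKEN_AUTH_SUCCESS`/`TOKEN_AUTH_FAILURE`, `TOKEN_FORMAT_*`, `TOKEN_PIN_RESET_*`, `TOKEN_CERT_ENROLLMENT`, `TOKEN_CERT_RENEWAL`, `TOKEN_STATE_CHANGE`, `TOKEN_CERT_RETRIEVAL` and `TOKEN_KEY_RECOVERY`, so failed token authentications and PIN resets are no longer in the default audit trail. The two added filters `TOKEN_APPLET_UPGRADE=(Outcome=Failure)` and `TOKEN_KEY_CHANGEOVER=(Outcome=Failure)` show the `_SUCCESS`/`_FAILURE` pairs being merged into single events, so if `TOKEN_AUTH`, `TOKEN_FORMAT` and `TOKEN_PIN_RESET` exist in that merged form they should be listed here with the same failure filter. `log.instance.SignedAudit.unselected.events=` on the next line stays empty, so nothing in the template records which events were left out on purpose.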
(!stringAttr.startsWith(initialSubstring)) return false;
-+ if (!stringAttr.startsWith(initialSubstring.toLowerCase())) return false;
- stringAttr = stringAttr.substring(initialSubstring.length());
- }
-
- // check any substrings
- for (String anySubstring : filter.getAnySubstrings()) {
-- int p = stringAttr.indexOf(anySubstring);
-+ int p = stringAttr.indexOf(anySubstring.toLowerCase());
- if (p < 0) return false;
- stringAttr = stringAttr.substring(p + anySubstring.length());
- }
-@@ -1234,7 +1234,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
- // check final substring
- String finalSubstring = filter.getFinalSubstring();
- if (finalSubstring != null) {
-- if (!stringAttr.endsWith(finalSubstring)) return false;
-+ if (!stringAttr.endsWith(finalSubstring.toLowerCase())) return false;
- }
-
- return true;
--- 
-1.8.3.1
-
-
-From 37a29eeb71a0e9adb81eb0e4c00fa36afcb17598 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Tue, 12 Dec 2017 01:59:53 +0100
-Subject: [PATCH 08/18] Fixed pylint warnings.
-
-Some Python files have been modified to avoid pylint warnings due
-to subsequent changes.
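Review bot: The `toLowerCase()` calls added in `eval(SignedAuditEvent, JDAPFilterSubString)` and in the `endsWith` hunk use the JVM default locale, so on a server running under a Turkish locale an upper-case `I` in an attribute value or filter lowercases to dotless `ı` on one side and not the other and the filter silently stops matching; pin it with `toLowerCase(Locale.ROOT)` (importing `java.util.Locale` if the file does not already). Separately, `substring(initialSubstring.length())` and `p + anySubstring.length()` advance by the length of the original filter text while `stringAttr` is the lowercased copy — lowercasing is not length-preserving for every code point (U+0130 expands to two chars), so the offsets can drift; lowercase each filter part once and use that copy for both the comparison and the length. The method's opening lines and closing brace sit outside these hunks, and `equalsIgnoreCase` in the equality hunk above is already locale-independent.
```java
        String stringAttr = ((String) attr).toLowerCase(Locale.ROOT);

        String initialSubstring = filter.getInitialSubstring();
        if (initialSubstring != null) {
            // lowercase once and advance by the lowercased length, not the original's
            String initial = initialSubstring.toLowerCase(Locale.ROOT);
            if (!stringAttr.startsWith(initial)) return false;
            stringAttr = stringAttr.substring(initial.length());
        }

        for (String anySubstring : filter.getAnySubstrings()) {
            String any = anySubstring.toLowerCase(Locale.ROOT);
            int p = stringAttr.indexOf(any);
            if (p < 0) return false;
            stringAttr = stringAttr.substring(p + any.length());
        }

        String finalSubstring = filter.getFinalSubstring();
        if (finalSubstring != null) {
            if (!stringAttr.endsWith(finalSubstring.toLowerCase(Locale.ROOT))) return false;
        }
        // … unchanged: return true …
```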
- -https://pagure.io/dogtagpki/issue/167 - -Change-Id: If16e5d7f60cef776c6b65ad9f803b178ba52bc85 -(cherry picked from commit c2f4157973880d7c0744718b0887ac184f085bcb) -(cherry picked from commit 75542c58f88f204c2f80d029946e65df7c26a54f) ---- - .../python/pki/server/deployment/pkihelper.py | 2 +- - .../server/deployment/scriptlets/configuration.py | 44 +++++++++++----------- - base/server/sbin/pkidestroy | 1 + - base/server/sbin/pkispawn | 1 + - 4 files changed, 25 insertions(+), 23 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py -index 7f88873..8195e28 100644 ---- a/base/server/python/pki/server/deployment/pkihelper.py -+++ b/base/server/python/pki/server/deployment/pkihelper.py -@@ -4109,7 +4109,7 @@ class ConfigClient: - if not nickname: - nickname = cert.nickname - -- config.pki_log.info("loading %s certificate" % nickname, -+ config.pki_log.info("loading %s certificate", nickname, - extra=config.PKI_INDENTATION_LEVEL_2) - - cert.cert = nssdb.get_cert(nickname) -diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py -index 43e9d83..2cda5e0 100644 ---- a/base/server/python/pki/server/deployment/scriptlets/configuration.py -+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py -@@ -94,7 +94,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - cert_id = self.get_cert_id(subsystem, tag) - - config.pki_log.info( -- "generating %s CSR in %s" % (cert_id, csr_path), -+ "generating %s CSR in %s", cert_id, csr_path, - extra=config.PKI_INDENTATION_LEVEL_2) - - subject_dn = deployer.mdict['pki_%s_subject_dn' % cert_id] -@@ -361,7 +361,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return - - config.pki_log.info( -- "importing %s CSR from %s" % (tag, csr_path), -+ "importing %s CSR from %s", tag, csr_path, - 
extra=config.PKI_INDENTATION_LEVEL_2) - - with open(csr_path) as f: -@@ -377,7 +377,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return - - config.pki_log.info( -- "importing ca_signing CSR from %s" % csr_path, -+ "importing ca_signing CSR from %s", csr_path, - extra=config.PKI_INDENTATION_LEVEL_2) - - with open(csr_path) as f: -@@ -404,7 +404,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_ca_signing_nickname'] - - config.pki_log.info( -- "importing ca_signing certificate from %s" % cert_file, -+ "importing ca_signing certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -421,7 +421,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_ocsp_signing_nickname'] - - config.pki_log.info( -- "importing ca_ocsp_signing certificate from %s" % cert_file, -+ "importing ca_ocsp_signing certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -438,7 +438,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_sslserver_nickname'] - - config.pki_log.info( -- "importing sslserver certificate from %s" % cert_file, -+ "importing sslserver certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -455,7 +455,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_subsystem_nickname'] - - config.pki_log.info( -- "importing subsystem certificate from %s" % cert_file, -+ "importing subsystem certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -472,7 +472,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_audit_signing_nickname'] - - config.pki_log.info( -- "importing audit_signing certificate from %s" % cert_file, -+ "importing audit_signing 
certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -494,7 +494,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - try: - config.pki_log.info( -- "importing admin certificate from %s" % cert_file, -+ "importing admin certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - client_nssdb.import_cert_chain( -@@ -514,7 +514,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_storage_nickname'] - - config.pki_log.info( -- "importing kra_storage certificate from %s" % cert_file, -+ "importing kra_storage certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -531,7 +531,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_transport_nickname'] - - config.pki_log.info( -- "importing kra_transport certificate from %s" % cert_file, -+ "importing kra_transport certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -548,7 +548,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_ocsp_signing_nickname'] - - config.pki_log.info( -- "importing ocsp_signing certificate from %s" % cert_file, -+ "importing ocsp_signing certificate from %s", cert_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -563,7 +563,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return - - config.pki_log.info( -- "importing certificates and keys from %s" % pkcs12_file, -+ "importing certificates and keys from %s", pkcs12_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - pkcs12_password = deployer.mdict['pki_external_pkcs12_password'] -@@ -578,7 +578,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_cert_chain_nickname'] - - config.pki_log.info( -- "importing certificate chain from %s" % 
chain_file, -+ "importing certificate chain from %s", chain_file, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.import_cert_chain( -@@ -787,7 +787,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return - - config.pki_log.info( -- "validating %s certificate" % tag, -+ "validating %s certificate", tag, - extra=config.PKI_INDENTATION_LEVEL_2) - - subsystem.validate_system_cert(tag) -@@ -820,7 +820,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - nickname = deployer.mdict['pki_self_signed_nickname'] - - config.pki_log.info( -- "checking existing SSL server cert: %s" % nickname, -+ "checking existing SSL server cert: %s", nickname, - extra=config.PKI_INDENTATION_LEVEL_2) - - pem_cert = nssdb.get_cert(nickname) -@@ -831,7 +831,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - hostname = cn.value - - config.pki_log.info( -- "existing SSL server cert is for %s" % hostname, -+ "existing SSL server cert is for %s", hostname, - extra=config.PKI_INDENTATION_LEVEL_2) - - # if hostname is correct, don't create temp cert -@@ -839,13 +839,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - return False - - config.pki_log.info( -- "removing SSL server cert for %s" % hostname, -+ "removing SSL server cert for %s", hostname, - extra=config.PKI_INDENTATION_LEVEL_2) - - nssdb.remove_cert(nickname, remove_key=True) - - config.pki_log.info( -- "creating temp SSL server cert for %s" % deployer.mdict['pki_hostname'], -+ "creating temp SSL server cert for %s", deployer.mdict['pki_hostname'], - extra=config.PKI_INDENTATION_LEVEL_2) - - # TODO: replace with pki-server create-cert sslserver --temp -@@ -911,7 +911,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - token = deployer.mdict['pki_token_name'] - - config.pki_log.info( -- "removing temp SSL server cert from internal token: %s" % nickname, -+ "removing temp SSL server cert from internal token: %s", nickname, - extra=config.PKI_INDENTATION_LEVEL_2) - - 
nssdb = instance.open_nssdb() -@@ -934,7 +934,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - token = deployer.mdict['pki_token_name'] - - config.pki_log.info( -- "importing permanent SSL server cert into %s token: %s" % (token, nickname), -+ "importing permanent SSL server cert into %s token: %s", token, nickname, - extra=config.PKI_INDENTATION_LEVEL_2) - - tmpdir = tempfile.mkdtemp() -@@ -1121,7 +1121,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - - restart_server = os.path.join(instance.conf_dir, 'restart_server_after_configuration') - config.pki_log.debug( -- 'creating %s' % restart_server, -+ 'creating %s', restart_server, - extra=config.PKI_INDENTATION_LEVEL_2) - - open(restart_server, 'a').close() -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 0b6ef6b..23feba1 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -265,6 +265,7 @@ def log_error_details(): - config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2) - del e_type, e_value, e_stacktrace - -+ - # PKI Deployment Entry Point - if __name__ == "__main__": - signal.signal(signal.SIGINT, interrupt_handler) -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index d671ba7..052edb4 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -874,6 +874,7 @@ def log_error_details(): - config.pki_log.debug(e_stacktrace, extra=config.PKI_INDENTATION_LEVEL_2) - del e_type, e_value, e_stacktrace - -+ - # PKI Deployment Entry Point - if __name__ == "__main__": - signal.signal(signal.SIGINT, interrupt_handler) --- -1.8.3.1 - - -From 66c0aeb997f840c3253a78f30d90273834833f7e Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 30 Jan 2018 03:19:21 +0100 -Subject: [PATCH 09/18] Refactored pkispawn and pkidestroy logger configuration - -The method that configures the loggers for pkispawn and pkidestroy -has been modified to configure the global pki logger as well. 
- -https://pagure.io/dogtagpki/issue/2916 - -Change-Id: I66b532a87c1e728ad2adc673e35dfc6bcb568570 -(cherry picked from commit 5dcab6c7ef62d08c51bca90ece03198b82c54aef) -(cherry picked from commit 094d238a75f0335f9c374f65f0bc1d913ea49444) ---- - .../python/pki/server/deployment/pkilogging.py | 26 +++++++++++++--------- - base/server/sbin/pkidestroy | 15 +++++-------- - base/server/sbin/pkispawn | 16 +++++-------- - 3 files changed, 26 insertions(+), 31 deletions(-) - -diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py -index 7a7afd7..2634189 100644 ---- a/base/server/python/pki/server/deployment/pkilogging.py -+++ b/base/server/python/pki/server/deployment/pkilogging.py -@@ -24,6 +24,8 @@ import logging - import os - import pprint - -+from pki.server.deployment import pkiconfig as config -+ - sensitive_parameters = [] - - # Initialize 'pretty print' for objects -@@ -46,15 +48,9 @@ def log_format(given_dict): - - # PKI Deployment Logging Functions - def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): -- if not os.path.isdir(log_dir): -- try: -- os.makedirs(log_dir) -- except OSError: -- return OSError - -- # Configure logger -- logger = logging.getLogger(name) -- logger.setLevel(log_level) -+ if not os.path.isdir(log_dir): -+ os.makedirs(log_dir) - - # Configure console handler - console = logging.StreamHandler() -@@ -63,7 +59,6 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): - '%(levelname)-8s ' + - '%(indent)s%(message)s') - console.setFormatter(console_format) -- logger.addHandler(console) - - # Configure file handler - log_file = logging.FileHandler(log_dir + "/" + log_name, 'w') -@@ -73,6 +68,15 @@ def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): - '%(indent)s%(message)s', - '%Y-%m-%d %H:%M:%S') - log_file.setFormatter(file_format) -- logger.addHandler(log_file) - -- return logger -+ # Configure 
pkispawn/pkidestroy logger -+ config.pki_log = logging.getLogger(name) -+ config.pki_log.setLevel(log_level) -+ config.pki_log.addHandler(console) -+ config.pki_log.addHandler(log_file) -+ -+ # Configure pki logger -+ logger = logging.getLogger('pki') -+ logger.setLevel(log_level) -+ logger.addHandler(console) -+ logger.addHandler(log_file) -diff --git a/base/server/sbin/pkidestroy b/base/server/sbin/pkidestroy -index 23feba1..4df74a4 100755 ---- a/base/server/sbin/pkidestroy -+++ b/base/server/sbin/pkidestroy -@@ -195,16 +195,11 @@ def main(argv): - deployer.log_timestamp + "." + "log" - print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name)) - -- rv = pkilogging.enable_pki_logger(config.pki_log_dir, -- config.pki_log_name, -- config.pki_log_level, -- config.pki_console_log_level, -- "pkidestroy") -- if rv != OSError: -- config.pki_log = rv -- else: -- print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir) -- sys.exit(1) -+ pkilogging.enable_pki_logger(config.pki_log_dir, -+ config.pki_log_name, -+ config.pki_log_level, -+ config.pki_console_log_level, -+ "pkidestroy") - - # Read the specified PKI configuration file. - rv = parser.read_pki_configuration_file() -diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn -index 052edb4..b2ac8b4 100755 ---- a/base/server/sbin/pkispawn -+++ b/base/server/sbin/pkispawn -@@ -651,16 +651,12 @@ def start_logging(): - "-" + "spawn" + "." + \ - deployer.log_timestamp + "." 
+ "log" - print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name)) -- rv = pkilogging.enable_pki_logger(config.pki_log_dir, -- config.pki_log_name, -- config.pki_log_level, -- config.pki_console_log_level, -- "pkispawn") -- if rv != OSError: -- config.pki_log = rv -- else: -- print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir) -- sys.exit(1) -+ -+ pkilogging.enable_pki_logger(config.pki_log_dir, -+ config.pki_log_name, -+ config.pki_log_level, -+ config.pki_console_log_level, -+ "pkispawn") - - - def create_master_dictionary(parser): --- -1.8.3.1 - - -From e5278b1633c9fd2df170291349fc0c07d91fd1d5 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 30 Jan 2018 03:25:11 +0100 -Subject: [PATCH 10/18] Added pki.nssdb logger. - -To help troubleshooting, the pki.nssdb module has been modified to -generate debug logs using the standard Python logger. - -https://pagure.io/dogtagpki/issue/2916 - -Change-Id: Iba74df01fd796fa9fe5fa48f117721d790b7337c -(cherry picked from commit 2660c8cae34451d6525a481d60075b1749f344c2) -(cherry picked from commit 9431707fb93c000dcdd0eb89516dfc09bd5e55ac) ---- - base/common/python/pki/nssdb.py | 35 +++++++++++++++++++++++++++++++---- - 1 file changed, 31 insertions(+), 4 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index b2339aa..60f57c7 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -22,6 +22,7 @@ - - from __future__ import absolute_import - import base64 -+import logging - import os - import shutil - import subprocess -@@ -42,6 +43,10 @@ CERT_FOOTER = '-----END CERTIFICATE-----' - PKCS7_HEADER = '-----BEGIN PKCS7-----' - PKCS7_FOOTER = '-----END PKCS7-----' - -+logger = logging.LoggerAdapter( -+ logging.getLogger(__name__), -+ extra={'indent': ''}) -+ - - def convert_data(data, input_format, output_format, header=None, footer=None): - if input_format == output_format: -@@ -173,8 +178,11 @@ class 
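Review bot: Removing the `rv != OSError` branch takes away the only handling for a log directory that cannot be created: `enable_pki_logger` now lets `os.makedirs` raise, so `pkispawn` fails with a bare `OSError` traceback instead of printing `PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1` and exiting 1 as before. The old sentinel convention (returning the `OSError` class) deserved to go, but the message should survive: wrap the call as `try:` / `pkilogging.enable_pki_logger(...)` / `except OSError: print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir); sys.exit(1)`. `start_logging()` begins before this hunk; the same branch disappears from `pkidestroy` in the previous hunk and wants the same treatment.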
NSSDatabase(object): - '-t', '' - ] - -- # Ignore return code due to bug #1393668. -- subprocess.call(cmd) -+ logger.debug('Command: %s', ' '.join(cmd)) -+ rc = subprocess.call(cmd) -+ -+ if rc: -+ logger.warning('certutil returned non-zero exit code (bug #1393668)') - - # If HSM is not used, or cert has trust attributes, - # import cert into internal token. -@@ -189,6 +197,7 @@ class NSSDatabase(object): - '-t', trust_attributes - ] - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - def add_ca_cert(self, cert_file, trust_attributes=None): -@@ -209,6 +218,7 @@ class NSSDatabase(object): - if trust_attributes: - cmd.extend(['--trust', trust_attributes]) - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - def modify_cert(self, nickname, trust_attributes): -@@ -227,15 +237,19 @@ class NSSDatabase(object): - '-t', trust_attributes - ]) - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - def create_noise(self, noise_file, size=2048): -- subprocess.check_call([ -+ cmd = [ - 'openssl', - 'rand', - '-out', noise_file, - str(size) -- ]) -+ ] -+ -+ logger.debug('Command: %s', ' '.join(cmd)) -+ subprocess.check_call(cmd) - - def create_request(self, subject_dn, request_file, noise_file=None, - key_type=None, key_size=None, curve=None, -@@ -359,6 +373,8 @@ class NSSDatabase(object): - - cmd.append(','.join(exts)) - -+ logger.debug('Command: %s', ' '.join(cmd)) -+ - # generate binary request - p = subprocess.Popen(cmd, - stdin=subprocess.PIPE, -@@ -553,6 +569,8 @@ class NSSDatabase(object): - - keystroke += '\n' - -+ logger.debug('Command: %s', ' '.join(cmd)) -+ - p = subprocess.Popen(cmd, - stdin=subprocess.PIPE, - stdout=subprocess.PIPE, -@@ -625,6 +643,7 @@ class NSSDatabase(object): - '-d', self.directory - ] - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - def get_cert(self, nickname, output_format='pem'): -@@ -656,6 +675,8 @@ class NSSDatabase(object): - 
output_format_option - ]) - -+ logger.debug('Command: %s', ' '.join(cmd)) -+ - pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - cert_data, std_err = pipes.communicate() -@@ -693,6 +714,8 @@ class NSSDatabase(object): - '-n', fullname - ]) - -+ logger.debug('Command: %s', ' '.join(cmd)) -+ - cert_details = subprocess.check_output( - cmd, stderr=subprocess.STDOUT) - cert_pem = subprocess.check_output( -@@ -743,6 +766,7 @@ class NSSDatabase(object): - '-n', nickname - ]) - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - def import_cert_chain(self, nickname, cert_chain_file, -@@ -816,6 +840,7 @@ class NSSDatabase(object): - '--output-suffix', suffix - ] - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - # Count the number of certs in the chain. -@@ -889,6 +914,7 @@ class NSSDatabase(object): - if overwrite: - cmd.extend(['--overwrite']) - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - finally: -@@ -952,6 +978,7 @@ class NSSDatabase(object): - if nicknames: - cmd.extend(nicknames) - -+ logger.debug('Command: %s', ' '.join(cmd)) - subprocess.check_call(cmd) - - finally: --- -1.8.3.1 - - -From f5781c6df5a35c23512dff6e538a5dc3811a7e2f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Tue, 30 Jan 2018 03:27:38 +0100 -Subject: [PATCH 11/18] Fixed NSSDatabase.get_cert(). - -The NSSDatabase.get_cert() method has been modified to ignore the -certutil exit code due to bug #1539996. 
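Review bot: `logger.debug('Command: %s', ' '.join(cmd))` now writes the complete argv of every certutil/pk12util/pki call into the deployment log, and the two PKCS#12 hunks at the end (`--overwrite`, `nicknames`) belong to commands that take the PKCS#12 password — if every call site supplies it through a password file the log only shows a path, but any variant passing it inline would persist the password in a log file whose mode is whatever the umask allows. The argument lists are assembled outside these hunks, so this cannot be settled here; a cheap guard is a small helper that replaces the value after any option whose name contains `password` with `****` before joining, e.g. `logger.debug('Command: %s', ' '.join(redact_password_args(cmd)))`. A `# NOTE: never put a secret in cmd inline; passwords go through files or stdin` comment beside the logger adapter would make the rule visible to future call sites.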
-
-https://pagure.io/dogtagpki/issue/2916
-
-Change-Id: I10e489d14bdaaace9f917b797a7da14ac64a9a67
-(cherry picked from commit bde116f2ce0482a1597486010e68fb7706ddd97c)
-(cherry picked from commit 6cc361d6c5776b96037910d6bc0811d145f725db)
----
- base/common/python/pki/nssdb.py | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index 60f57c7..f32121e 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -33,7 +33,6 @@ import datetime
- from cryptography import x509
- from cryptography.hazmat.backends import default_backend
-
--
- CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
- CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
-
-@@ -677,17 +676,26 @@ class NSSDatabase(object):
-
- logger.debug('Command: %s', ' '.join(cmd))
-
-- pipes = subprocess.Popen(cmd, stdout=subprocess.PIPE,
-- stderr=subprocess.PIPE)
-- cert_data, std_err = pipes.communicate()
-+ p = subprocess.Popen(cmd,
-+ stdout=subprocess.PIPE,
-+ stderr=subprocess.PIPE)
-+
-+ cert_data, std_err = p.communicate()
-
-- if pipes.returncode != 0:
-+ if std_err:
- # certutil returned an error
- # raise exception unless its not cert not found
- if std_err.startswith('certutil: Could not find cert: '):
- return None
-
-- raise Exception(std_err.strip())
-+ raise Exception('Could not find cert: %s: %s' % (fullname, std_err.strip()))
-+
-+ if not cert_data:
-+ # certutil did not return data
-+ return None
-+
-+ if p.returncode != 0:
-+ logger.warning('certutil returned non-zero exit code (bug #1539996)')
-
- if output_format == 'base64':
- cert_data = base64.b64encode(cert_data)
--- 
-1.8.3.1
-
-
-From 4498d77e9b6b220d364094ea8222b70453f9ca9a Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Tue, 30 Jan 2018 16:56:21 +0100
-Subject: [PATCH 12/18] Fixed NSSDatabase.get_cert_info().
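Review bot: Switching the error test from the exit code to `if std_err:` makes any stderr output fatal, and the new exception text labels every such failure `Could not find cert: <nickname>: ...` even when certutil actually reported a wrong database password, a missing token or a locked NSS DB — that message reaches the pkispawn user and will send them chasing a nickname problem. Use a neutral message such as `raise Exception('certutil failed for %s: %s' % (fullname, std_err.strip()))` and keep the not-found wording for the `startswith` branch that returns `None`. Two smaller points: warnings certutil emits with a zero exit code now abort where they previously did not, and under Python 3 `communicate()` returns `bytes`, so `std_err.startswith('certutil: Could not find cert: ')` raises `TypeError` before the check runs (the removed code had the same problem) — decode `std_err` first if this module is meant to run on both interpreters, as its `from __future__` import suggests. `get_cert()` begins before this hunk.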
-
-The NSSDatabase.get_cert_info() has been modified to use get_cert()
-to retrieve the cert since it has the workaround for bug #1539996.
-Then it will use Python Cryptography to get the cert info.
-
-A new method has been added into pki module to convert X.509 Name
-into NSS-style DN string.
-
-https://pagure.io/dogtagpki/issue/2916
-
-Change-Id: I726e2c442e5b7f351dac2d9515e9f13965d7de3f
-(cherry picked from commit d6a70005e314ba3d53e32886262c45a9d4544b5d)
-(cherry picked from commit 9ad1d47bee65a76b878d6c2298e7bcbc345df31f)
----
- base/common/python/pki/__init__.py | 59 ++++++++++++++++++++++++++++++++++++++
- base/common/python/pki/nssdb.py | 44 ++++++----------------------
- 2 files changed, 67 insertions(+), 36 deletions(-)
-
-diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
-index dbe5629..f3aff51 100644
---- a/base/common/python/pki/__init__.py
-+++ b/base/common/python/pki/__init__.py
-@@ -26,6 +26,7 @@ from __future__ import print_function
-
- from functools import wraps
- import os
-+import cryptography.x509
- import random
- import re
- import string
-@@ -51,6 +52,64 @@ CERT_FOOTER = "-----END CERTIFICATE-----"
- # - backslash since it's causing SSL handshake failure
- PUNCTUATIONS = '!"#$%&\'()*+,-./:;<>?@[]^_`{|}~'
-
-+# Map from X.509 attribute OID to short name.
-+# Source: https://github.com/freeipa/freeipa/blob/master/ipapython/dn.py
-+ATTR_NAME_BY_OID = {
-+ cryptography.x509.oid.NameOID.COMMON_NAME: 'CN',
-+ cryptography.x509.oid.NameOID.COUNTRY_NAME: 'C',
-+ cryptography.x509.oid.NameOID.LOCALITY_NAME: 'L',
-+ cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME: 'ST',
-+ cryptography.x509.oid.NameOID.ORGANIZATION_NAME: 'O',
-+ cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME: 'OU',
-+ cryptography.x509.oid.NameOID.SERIAL_NUMBER: 'serialNumber',
-+ cryptography.x509.oid.NameOID.SURNAME: 'SN',
-+ cryptography.x509.oid.NameOID.GIVEN_NAME: 'givenName',
-+ cryptography.x509.oid.NameOID.TITLE: 'title',
-+ cryptography.x509.oid.NameOID.GENERATION_QUALIFIER: 'generationQualifier',
-+ cryptography.x509.oid.NameOID.DN_QUALIFIER: 'dnQualifier',
-+ cryptography.x509.oid.NameOID.PSEUDONYM: 'pseudonym',
-+ cryptography.x509.oid.NameOID.DOMAIN_COMPONENT: 'DC',
-+ cryptography.x509.oid.NameOID.EMAIL_ADDRESS: 'E',
-+ cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME:
-+ 'incorporationCountry',
-+ cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME:
-+ 'incorporationLocality',
-+ cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME:
-+ 'incorporationState',
-+ cryptography.x509.oid.NameOID.BUSINESS_CATEGORY: 'businessCategory',
-+ cryptography.x509.ObjectIdentifier('2.5.4.9'): 'STREET',
-+ cryptography.x509.ObjectIdentifier('2.5.4.17'): 'postalCode',
-+ cryptography.x509.ObjectIdentifier('0.9.2342.19200300.100.1.1'): 'UID',
-+}
-+
-+
-+def convert_x509_name_to_dn(name):
-+ """
-+ Convert X.509 Name into NSS-style DN string.
-+
-+ See also:
-+ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.Name
-+ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.NameAttribute
-+ - https://cryptography.io/en/latest/x509/reference/#cryptography.x509.ObjectIdentifier
-+
-+ :param name: X.509 Name
-+ :type name: cryptography.x509.Name
-+ :returns: str -- DN string.
-+ """
-+ dn = None
-+
-+ for attr in name:
-+ oid = attr.oid
-+ attr_name = ATTR_NAME_BY_OID.get(oid, oid.dotted_string)
-+ rdn = '%s=%s' % (attr_name, attr.value)
-+
-+ if dn:
-+ dn = rdn + ',' + dn
-+ else:
-+ dn = rdn
-+
-+ return dn
-+
-
- def read_text(message,
- options=None, default=None, delimiter=':',
-diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py
-index f32121e..7c2602e 100644
---- a/base/common/python/pki/nssdb.py
-+++ b/base/common/python/pki/nssdb.py
-@@ -27,12 +27,13 @@ import os
- import shutil
- import subprocess
- import tempfile
--import re
- import datetime
-
- from cryptography import x509
- from cryptography.hazmat.backends import default_backend
-
-+import pki
-+
- CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
- CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
-
-@@ -705,55 +706,26 @@ class NSSDatabase(object):
- def get_cert_info(self, nickname):
-
- cert = dict()
-- cmd = [
-- 'certutil',
-- '-L',
-- '-d', self.directory
-- ]
-
-- fullname = nickname
--
-- if self.token:
-- cmd.extend(['-h', self.token])
-- fullname = self.token + ':' + fullname
--
-- cmd.extend([
-- '-f', self.password_file,
-- '-n', fullname
-- ])
--
-- logger.debug('Command: %s', ' '.join(cmd))
--
-- cert_details = subprocess.check_output(
-- cmd, stderr=subprocess.STDOUT)
-- cert_pem = subprocess.check_output(
-- cmd + ['-a'], stderr=subprocess.STDOUT)
-+ cert_pem = self.get_cert(nickname)
-
- cert_obj = x509.load_pem_x509_certificate(
- cert_pem, backend=default_backend())
-
- cert["serial_number"] = cert_obj.serial_number
-
-- cert["issuer"] = re.search(
-- r'Issuer:(.*)', cert_details).group(1).strip().replace('"', '')
-- cert["subject"] = re.search(
-- r'Subject:(.*)', cert_details).group(1).strip().replace('"', '')
--
-- str_not_before = re.search(
-- r'Not Before.?:(.*)', cert_details).group(1).strip()
-- cert["not_before"] = self.convert_time_to_millis(str_not_before)
-+ cert["issuer"] =
pki.convert_x509_name_to_dn(cert_obj.issuer)
-+ cert["subject"] = pki.convert_x509_name_to_dn(cert_obj.subject)
-
-- str_not_after = re.search(
-- r'Not After.?:(.*)', cert_details).group(1).strip()
-- cert["not_after"] = self.convert_time_to_millis(str_not_after)
-+ cert["not_before"] = self.convert_time_to_millis(cert_obj.not_valid_before)
-+ cert["not_after"] = self.convert_time_to_millis(cert_obj.not_valid_after)
-
- return cert
-
- @staticmethod
- def convert_time_to_millis(date):
- epoch = datetime.datetime.utcfromtimestamp(0)
-- stripped_date = datetime.datetime.strptime(date, "%a %b %d %H:%M:%S %Y")
-- return (stripped_date - epoch).total_seconds() * 1000
-+ return (date - epoch).total_seconds() * 1000
-
- def remove_cert(self, nickname, remove_key=False):
-
---
-1.8.3.1
-
-
-From 6829dde05fd27555a0e8f1de278c7013e5d22073 Mon Sep 17 00:00:00 2001
-From: Matthew Harmsen
-Date: Wed, 31 Jan 2018 17:01:55 -0700
-Subject: [PATCH 13/18] Enable FIPS ciphers as the new default cipher suites
-
-https://pagure.io/dogtagpki/issue/2855
-
-Change-Id: I968cd0e08f69401cb30ecdbdc86eb1f5049a5f37
-(cherry picked from commit 8f3700681ea2cbcc3dbe0c768dca177051e9a243)
-(cherry picked from commit 427edd6d16d7d74bb98bb0cda7c0bf67a4463bb9)
----
- .../python/pki/server/deployment/pkiparser.py | 16 ++--
- base/server/share/conf/ciphers.info | 105 ++++++++++++++++-----
- 2 files changed, 87 insertions(+), 34 deletions(-)
-
-diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
-index b91c674..b64e99b 100644
---- a/base/server/python/pki/server/deployment/pkiparser.py
-+++ b/base/server/python/pki/server/deployment/pkiparser.py
-@@ -1111,7 +1111,7 @@ class PKIConfigParser:
- self.mdict['TOMCAT_SERVER_PORT_SLOT'] = \
- self.mdict['pki_tomcat_server_port']
- self.mdict['TOMCAT_SSL_VERSION_RANGE_STREAM_SLOT'] = \
-- "tls1_0:tls1_2"
-+ "tls1_1:tls1_2"
- self.mdict['TOMCAT_SSL_VERSION_RANGE_DATAGRAM_SLOT'] = \
-
"tls1_1:tls1_2"
- ##
-@@ -1171,18 +1171,18 @@ class PKIConfigParser:
- "-TLS_DHE_DSS_WITH_AES_128_CBC_SHA," + \
- "-TLS_DHE_DSS_WITH_AES_256_CBC_SHA," + \
- "-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," + \
-- "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
-- "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
-- "-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
-- "-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
-- "-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
-+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," + \
-+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA," + \
-+ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256," + \
-+ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256," + \
-+ "+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256," + \
- "-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256," + \
-- "-TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-- "-TLS_RSA_WITH_AES_256_CBC_SHA256," + \
-+ "+TLS_RSA_WITH_AES_128_CBC_SHA256," + \
-+ "+TLS_RSA_WITH_AES_256_CBC_SHA256," + \
- "-TLS_RSA_WITH_AES_128_GCM_SHA256," + \
- "-TLS_RSA_WITH_3DES_EDE_CBC_SHA," + \
- "+TLS_RSA_WITH_AES_128_CBC_SHA," + \
-diff --git a/base/server/share/conf/ciphers.info b/base/server/share/conf/ciphers.info
-index 70d704c..b3e74d3 100644
---- a/base/server/share/conf/ciphers.info
-+++ b/base/server/share/conf/ciphers.info
-@@ -6,67 +6,120 @@
- #
- # This file contains the default sslRangeCiphers that come with this version of
- # the PKI software in its /conf/server.xml file.
-+#
- # Depending on which kind of SSL server you have, you want to reference the
--# corresponding cipher suite for making adjustments to your instance server.xml.
-+# corresponding cipher suite for making adjustments to your instance
-+# server.xml.
- #
- #
- # About the TLS range related parameters:
-+#
- # 'sslVersionRangeStream'
- # 'sslVersionRangeDatagram'
- # 'sslRangeCiphers'
--# The sslVersionRangeStream and sslVersionRangeDatagram by default
--# contains values that are supported by the native NSS. Changes can
--# be made to restrict or relax the support.
--# The sslRangeCiphers by default conatins a list of ciphers best
--# for the type of the server installed. Changes can be made to suit
--# each site's needs.
--# Although TLS1.2 ciphers (SHA256) are preferred, many older clients
--# do not support them. For example,
--# the following "preferred modern" ciphers are on by default, and by
--# simply limiting the sslVersionRange* parameters, they can be turned off.
-+#
-+# The default sslVersionRangeStream and sslVersionRangeDatagram
-+# parameters contain values that are supported by the native NSS.
-+# Changes can be made to restrict or relax the support.
-+#
-+# The default sslRangeCiphers parameter contains a list of ciphers best
-+# suited for the type of the server installed. Changes can be made to
-+# suit each site's needs.
-+#
-+# Although TLS1.2 ciphers (SHA256) are preferred, many older clients
-+# do not support them. For example, the following "preferred modern"
-+# ciphers are on by default, and by simply limiting the
-+# sslVersionRange* parameters, they can be turned off.
-+#
- # TLS_RSA_WITH_AES_128_CBC_SHA256,
- # TLS_RSA_WITH_AES_256_CBC_SHA256,
- # TLS_RSA_WITH_AES_128_GCM_SHA256,
- # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-+#
- # The TLS_ECDHE_RSA_* ciphers provide Perfect Forward Secrecy,
- # which, while provide added security to the already secure and adequate
--# TLS_RSA_* ciphers, requries 3 times longer to establish SSL sessions.
-+# TLS_RSA_* ciphers, requires 3 times longer to establish SSL sessions.
- # In our testing environment, some HSM might also have issues providing
- # subsystem->subsystem SSL handshake.
We are therefore turning them
- # off by default. One can enable them manually by turning the "-" to
- # "+" under sslRangeCiphers and restart the subsystem.
-+#
- # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
--# The following ciphers are supported in rhel7.2 or greater, and they
--# are off by default, and can be turned on by sites running rhel7.2 or
--# greater:
-+#
-+# The following ciphers are supported in RHEL 7.2 or greater, and
-+# are turned on by default. They can be turned off by sites running
-+# older versions of RHEL:
-+#
- # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- # TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- # TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- # TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
- # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
- # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
--# Although the following (somewhat weaker ciphers, in CBC mode), though
--# adaquate for the CS operations, they can be turned off if needed:
-+#
-+# The following somewhat weaker ciphers (in CBC mode), though
-+# adequate for the CS operations, can be turned off if so desired:
-+#
- # TLS_RSA_WITH_AES_128_CBC_SHA,
- # TLS_RSA_WITH_AES_256_CBC_SHA,
-+#
- # Note: In an EC CS server setup, you will see by default that the
--# following RSA ciphers are left on. Those are used for installation
--# where the actual systems certs have not yet been crated, and a
--# temporary RSA ssl server cert is at play.
--# Those can be turned off manually by sites.
--# TLS_RSA_WITH_AES_256_CBC_SHA256,
--# TLS_RSA_WITH_AES_128_GCM_SHA256
--# These ciphers might be removed by the installation script in some
--# future release.
-+# following RSA ciphers are left on. Those are used for
-+# installation where the actual systems certs have not yet been
-+# created, and a temporary RSA ssl server cert is at play.
-+#
-+# Those can be turned off manually by sites.
-+#
-+# TLS_RSA_WITH_AES_256_CBC_SHA256,
-+# TLS_RSA_WITH_AES_128_GCM_SHA256
-+#
-+# These ciphers might be removed by the installation script in
-+# some future release.
-+#
-+# For RHEL 7.5 or greater:
-+#
-+# * all '3DES' ciphers have been disabled,
-+# * the default sslVersionRangeStream and
-+# sslVersionRangeDatagram ranges have been upgraded to
-+# only allow ciphers in the TLS1.1 to TLS1.2 range, and
-+# * the default sslRangeCiphers values have been altered to
-+# include all recommended 'FIPS' ciphers for both RSA and ECC
-+# servers regardless of whether 'FIPS' is enabled or disabled
-+#
-+# Default ciphers enabled for RSA servers:
-+#
-+# +TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-+# +TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-+# +TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
-+# +TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
-+# +TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
-+# +TLS_RSA_WITH_AES_128_CBC_SHA256,
-+# +TLS_RSA_WITH_AES_256_CBC_SHA256,
-+# +TLS_RSA_WITH_AES_128_CBC_SHA,
-+# +TLS_RSA_WITH_AES_256_CBC_SHA
-+#
-+# NOTE: The last two ciphers, TLS_RSA_WITH_AES_128_CBC_SHA,
-+# and TLS_RSA_WITH_AES_256_CBC_SHA, may need to remain
-+# enabled in order to talk to the LDAP server
-+# during pkispawn installation/configuration.
-+#
-+# Default ciphers enabled for ECC servers:
-+#
-+# +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-+# +TLS_RSA_WITH_AES_256_CBC_SHA,
-+# +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-+# +TLS_RSA_WITH_AES_256_CBC_SHA256,
-+# +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
-+# +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- #
- ##
- # For RSA servers:
-- sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
-+
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,+TLS_RSA_WITH_AES_128_CBC_SHA256,+TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA"
- #
- #
- # For ECC servers:
---
-1.8.3.1
-
-
-From 8b5528c04e949be96641222e4f87b125fa4c2ca1 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Thu, 1 Feb 2018 01:24:15 +0100
-Subject: [PATCH 14/18] Fixed inconsistent CERT_REQUEST_PROCESSED outcomes.
-
-Some CERT_REQUEST_PROCESSED events in ProcessCertReq have been
-modified to generate a FAILURE outcome since there is no cert
-issued for the request.
-
-https://pagure.io/dogtagpki/issue/2838
-
-Change-Id: I38656f950599f06bd9969c278137fdd192e26ae8
-(cherry picked from commit 8319105ba04976494e05030ee5340b5879ad6a48)
-(cherry picked from commit 5af21f519b7bbc6106ede549ed81974520e21e5d)
----
- .../cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
-index bfa83b7..bb1a2a9 100644
---- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
-+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
-@@ -966,7 +966,7 @@ public class ProcessCertReq extends CMSServlet {
- // store a message in the signed audit log file
- // (manual "agent" cert request processed
- // - "accepted")
-- audit(CertRequestProcessedEvent.createSuccessEvent(
-+ audit(CertRequestProcessedEvent.createFailureEvent(
- auditSubjectID,
- auditRequesterID,
- auditInfoName,
-@@ -1087,7 +1087,7 @@ public class ProcessCertReq extends CMSServlet {
-
- // store a message in the signed audit log file
- // (manual "agent" cert request processed - "rejected")
-- audit(CertRequestProcessedEvent.createSuccessEvent(
-+ audit(CertRequestProcessedEvent.createFailureEvent(
- auditSubjectID,
- auditRequesterID,
- auditInfoName,
-@@ -1145,7 +1145,7 @@ public class ProcessCertReq extends CMSServlet {
-
- // store a message in the signed audit log file
- // (manual "agent" cert request processed - "cancelled")
-- audit(CertRequestProcessedEvent.createSuccessEvent(
-+ audit(CertRequestProcessedEvent.createFailureEvent(
- auditSubjectID,
- auditRequesterID,
- auditInfoName,
---
-1.8.3.1
-
-
-From 6a049ee93e1311c32482289092f765bac09e09a4 Mon Sep 17 00:00:00 2001
-From: Ade Lee
-Date: Thu, 1 Feb 2018 13:02:03 -0500
-Subject: [PATCH 15/18] More fixes for non-standard users
-
-Needed to fix some python
code that was added that works only on Python 3.
-The top level directories for the registry should be owned by
-root and be world readable/executable so that different users
-can read the registry.
-
-Change-Id: Ic0ce188cb678ff66e1a7370451f8df2285fc1282
-cherry-pick from 79e8a8e99a3c9c6d16b63bb5d4b2b18a4b828b11
-
-(cherry picked from commit e37ddfbc8b54e17dbe081221f6c849732a30ebe2)
----
- base/common/CMakeLists.txt | 12 ++++++++++++
- base/server/python/pki/server/deployment/pkihelper.py | 8 ++------
- .../server/deployment/scriptlets/infrastructure_layout.py | 14 ++++++++++----
- .../pki/server/deployment/scriptlets/instance_layout.py | 5 +++--
- 4 files changed, 27 insertions(+), 12 deletions(-)
-
-diff --git a/base/common/CMakeLists.txt b/base/common/CMakeLists.txt
-index d7856e1..3e8659d 100644
---- a/base/common/CMakeLists.txt
-+++ b/base/common/CMakeLists.txt
-@@ -135,6 +135,18 @@ install(
-
- install(
- DIRECTORY
-+ DESTINATION
-+ /etc/sysconfig/pki
-+)
-+
-+install(
-+ DIRECTORY
-+ DESTINATION
-+ /etc/sysconfig/pki/tomcat
-+)
-+
-+install(
-+ DIRECTORY
- man/
- DESTINATION
- ${MAN_INSTALL_DIR}
-diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
-index 8195e28..79f1e57 100644
---- a/base/server/python/pki/server/deployment/pkihelper.py
-+++ b/base/server/python/pki/server/deployment/pkihelper.py
-@@ -1019,8 +1019,6 @@ class Instance:
- raise
-
- def get_instance_status(self, secure_connection=True):
-- pki_protocol = None
-- pki_port = None
- if secure_connection:
- pki_protocol = "https"
- pki_port = self.mdict['pki_https_port']
-@@ -2956,7 +2954,6 @@ class ServerCertNickConf:
- try:
- # overwrite value inside 'serverCertNick.conf'
- with open(self.servercertnick_conf, "w") as fd:
-- sslserver_nickname = None
- if self.step_two:
- # use final HSM name
- sslserver_nickname = (self.token_name + ":" +
-@@ -3581,7 +3578,7 @@ class Systemd(object):
- if not parser.has_section(section):
-
parser.add_section(section)
-
-- parser[section][param] = value
-+ parser.set(section, param, value)
-
- def write_overrides(self):
- for fname, parser in self.overrides.items():
-@@ -3589,7 +3586,7 @@ class Systemd(object):
- if not os.path.exists(override_file):
- self.create_override_file(override_file)
- with open(override_file, 'w') as fp:
-- parser.write(fp, space_around_delimiters=False)
-+ parser.write(fp)
-
- def daemon_reload(self, critical_failure=True):
- """PKI Deployment execution management lifecycle function.
-@@ -4067,7 +4064,6 @@ class ConfigClient:
- os.path.dirname(self.mdict['pki_admin_csr_path']))
- with open(self.mdict['pki_admin_csr_path'], "w") as f:
- f.write("-----BEGIN CERTIFICATE REQUEST-----\n")
-- admin_certreq = None
- with open(os.path.join(
- self.mdict['pki_client_database_dir'],
- "admin_pkcs10.bin.asc"), "r") as f:
-diff --git a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
-index 2573e4e..bfcca60 100644
---- a/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/infrastructure_layout.py
-@@ -53,9 +53,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- # registry directories for storage of a copy of the original
- # deployment configuration file used to spawn this instance,
- # and save a copy of this file
-- deployer.directory.create(deployer.mdict['pki_registry_path'])
-- deployer.directory.create(
-- deployer.mdict['pki_instance_type_registry_path'])
-+ #
-+ # Unless a prefix is used, the top level directories should exist
-+ # and be owned by the rpm
-+ if deployer.mdict['pki_root_prefix'] != "":
-+ deployer.directory.create(deployer.mdict['pki_registry_path'])
-+ deployer.directory.create(
-+ deployer.mdict['pki_instance_type_registry_path'])
-+
- deployer.directory.create(deployer.mdict['pki_instance_registry_path'])
-
deployer.directory.create(
- deployer.mdict['pki_subsystem_registry_path'])
-@@ -129,4 +134,5 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- deployer.directory.delete(
- deployer.mdict['pki_configuration_path'])
- # remove top-level infrastructure registry
-- deployer.directory.delete(deployer.mdict['pki_registry_path'])
-+ if deployer.mdict['pki_root_prefix'] != "":
-+ deployer.directory.delete(deployer.mdict['pki_registry_path'])
-diff --git a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-index 4eb5496..2095212 100644
---- a/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-+++ b/base/server/python/pki/server/deployment/scriptlets/instance_layout.py
-@@ -214,8 +214,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
- deployer.mdict['pki_instance_registry_path'])
- # remove Tomcat PKI registry (if empty)
- if deployer.instance.tomcat_instances() == 0:
-- deployer.directory.delete(
-- deployer.mdict['pki_instance_type_registry_path'])
-+ if deployer.mdict['pki_root_prefix'] != "":
-+ deployer.directory.delete(
-+ deployer.mdict['pki_instance_type_registry_path'])
-
-
- # Callback only when the /usr/share/pki/server/conf directory
---
-1.8.3.1
-
-
-From 63aca0e86b21de2673180d7d1e6c2a2750b2dc86 Mon Sep 17 00:00:00 2001
-From: Amol Kahat
-Date: Fri, 28 Apr 2017 01:31:10 +0530
-Subject: [PATCH 17/18] Added man page for PKCS10Client
-
-(cherry picked from commit 774fbef5a913227c1764f6a29842771c3dc545ee)
----
- base/java-tools/man/man1/PKCS10Client.1 | 95 +++++++++++++++++++++++++++++++++
- 1 file changed, 95 insertions(+)
- create mode 100644 base/java-tools/man/man1/PKCS10Client.1
-
-diff --git a/base/java-tools/man/man1/PKCS10Client.1 b/base/java-tools/man/man1/PKCS10Client.1
-new file mode 100644
-index 0000000..e85c833
---- /dev/null
-+++ b/base/java-tools/man/man1/PKCS10Client.1
-@@ -0,0 +1,95 @@
-+.\" First
parameter, NAME, should be all caps
-+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
-+.\" other parameters are allowed: see man(7), man(1)
-+.TH PKCS10Client 1 "April 28, 2017" "version 10.4" "PKI PKCS10Client certificate request tool" Dogtag Team
-+.\" Please adjust this date whenever revising the man page.
-+.\"
-+.\" Some roff macros, for reference:
-+.\" .nh disable hyphenation
-+.\" .hy enable hyphenation
-+.\" .ad l left justify
-+.\" .ad b justify to both left and right margins
-+.\" .nf disable filling
-+.\" .fi enable filling
-+.\" .br insert line break
-+.\" .sp insert n+1 empty lines
-+.\" for man page specific macros, see man(7)
-+.SH NAME
-+PKCS10Client \- Used to generate 1024-bit RSA key pair in the security database.
-+
-+.SH SYNOPSIS
-+.PP
-+\fBUsage: PKCS10Client -d -h -p -a -l -c -o -n \fP
-+
-+Available ECC curve names (if provided by the crypto module): nistp256 (secp256r1), nistp384 (secp384r1), nistp521 (secp521r1), nistk163 (sect163k1), sect163r1,nistb163 (sect163r2), sect193r1, sect193r2, nistk233 (sect233k1), nistb233 (sect233r1), sect239k1, nistk283 (sect283k1), nistb283 (sect283r1), nistk409 (sect409k1), nistb409 (sect409r1), nistk571 (sect571k1), nistb571 (sect571r1), secp160k1, secp160r1, secp160r2, secp192k1, nistp192 (secp192r1, prime192v1), secp224k1, nistp224 (secp224r1), secp256k1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2
-+
-+To get a certificate from the CA, the certificate request needs to be submitted to and approved by a CA agent. Once approved, a certificate is created for the request, and certificate attributes, such as extensions, are populated according to certificate profiles.
-+
-+Optionally, for ECC key generation per definition in JSS pkcs11.PK11KeyPairGenerator.
-+
-+.SH DESCRIPTION
-+.PP
-+The PKCS #10 utility, \fBPKCS10Client\fP, generates a 1024-bit RSA key pair in the security database, constructs a PKCS#10 certificate request with the public key, and outputs the request to a file.
-+.PP
-+\fBPKCS #10\fP is a certification request syntax standard defined by RSA. A CA may support multiple types of certificate requests. The Certificate System CA supports KEYGEN, PKCS#10, CRMF, and CMC.
-+.PP
-+
-+.SH OPTIONS
-+.PP
-+\fBPKCS10Client\fP parameters:
-+.PP
-+.TP
-+.B -d
-+The directory containing the \fBcert8.db\fP, \fBkey3.db\fP, and \fBsecmod.db\fP files. This is usually the client's personal directory.
-+
-+.TP
-+.B -h
-+Name of the token. By default it takes 'internal'.
-+
-+.TP
-+.B -p
-+The password to the token.
-+
-+.TP
-+.B -l
-+The algorithm type either 'rsa' or 'ec'. By default it takes 'rsa'.
-+
-+.TP
-+.B -c
-+Eleptic Curve cryptography curve name.
-+.TP
-+.B -o
-+Sets the path and filename to output the new PKCS #10 certificate in base64 format.
-+
-+.TP
-+.B -n
-+Gives the subject DN of the certificate.
-+
-+.TP
-+.B -k
-+
-+.TP
-+.B -t
-+
-+.TP
-+.B -s <1 for sensitive; 0 for non-sensitive; -1 temporaryPairMode dependent; default is -1>
-+
-+.TP
-+.B -e <1 for extractable; 0 for non-extractable; -1 token dependent; default is -1>
-+
-+
-+.TP Also optional for ECC key generation:
-+
-+.TP
-+.B -x
-+
-+.TP
-+.B -y
-+
-+.SH AUTHORS
-+Amol Kahat .
-+
-+.SH COPYRIGHT
-+Copyright (c) 2017 Red Hat, Inc. This is licensed under the GNU General Public
-+License, version 2 (GPLv2). A copy of this license is available at
-+http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.1-snapshot-3.patch b/SOURCES/pki-core-10.5.1-snapshot-3.patch
deleted file mode 100644
index 9ad4c45..0000000
--- a/SOURCES/pki-core-10.5.1-snapshot-3.patch
+++ /dev/null
@@ -1,1955 +0,0 @@ -From 73fe8961f585f2948c796fe0cf94aac25982b75a Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Feb 2018 22:31:42 +0100 -Subject: [PATCH 1/9] Refactored SecurityDataArchivalProcessedEvent. - -The SecurityDataArchivalProcessedEvent has been modified to provide -separate factory methods for SUCCESS and FAILURE events. - -https://pagure.io/dogtagpki/issue/2848 - -Change-Id: Ie102aabaa81553ac1ea6963841a0568f1b6e04a5 -(cherry picked from commit c1f607dc515f1b37a848a8b013d02f9d366e5402) -(cherry picked from commit f2d828681d8b40e4d801af8d3bd5a6d6aaf71391) ---- - .../event/SecurityDataArchivalProcessedEvent.java | 49 +++++++--- - .../src/com/netscape/kra/EnrollmentService.java | 4 +- - .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +-- - .../src/com/netscape/kra/NetkeyKeygenService.java | 6 +- - .../com/netscape/kra/SecurityDataProcessor.java | 102 +++++++++++++-------- - 5 files changed, 112 insertions(+), 60 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -index dd88b45..2d87ece 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java -@@ -18,6 +18,7 @@ - package com.netscape.certsrv.logging.event; - - import com.netscape.certsrv.dbs.keydb.KeyId; -+import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.SignedAuditEvent; - import com.netscape.certsrv.request.RequestId; - -@@ -28,9 +29,33 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent { - private static final String LOGGING_PROPERTY = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"; - -- public SecurityDataArchivalProcessedEvent( -+ public SecurityDataArchivalProcessedEvent() { -+ 
super(LOGGING_PROPERTY); -+ } -+ -+ public static SecurityDataArchivalProcessedEvent createSuccessEvent( -+ String subjectID, -+ String archivalRequestId, -+ RequestId requestID, -+ String clientKeyID, -+ KeyId keyID, -+ String pubkey) { -+ -+ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent(); -+ -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.SUCCESS); -+ event.setAttribute("ArchivalRequestID", archivalRequestId); -+ event.setAttribute("RequestId", requestID); -+ event.setAttribute("ClientKeyID", clientKeyID); -+ event.setAttribute("KeyID", keyID); -+ event.setAttribute("PubKey", pubkey); -+ -+ return event; -+ } -+ -+ public static SecurityDataArchivalProcessedEvent createFailureEvent( - String subjectID, -- String outcome, - String archivalRequestId, - RequestId requestID, - String clientKeyID, -@@ -38,15 +63,17 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent { - String failureReason, - String pubkey) { - -- super(LOGGING_PROPERTY); -+ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent(); -+ -+ event.setAttribute("SubjectID", subjectID); -+ event.setAttribute("Outcome", ILogger.FAILURE); -+ event.setAttribute("ArchivalRequestID", archivalRequestId); -+ event.setAttribute("RequestId", requestID); -+ event.setAttribute("ClientKeyID", clientKeyID); -+ event.setAttribute("KeyID", keyID); -+ event.setAttribute("FailureReason", failureReason); -+ event.setAttribute("PubKey", pubkey); - -- setAttribute("SubjectID", subjectID); -- setAttribute("Outcome", outcome); -- setAttribute("ArchivalRequestID", archivalRequestId); -- setAttribute("RequestId", requestID); -- setAttribute("ClientKeyID", clientKeyID); -- setAttribute("KeyID", keyID); -- setAttribute("FailureReason", failureReason); -- setAttribute("PubKey", pubkey); -+ return event; - } - } -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java 
b/base/kra/src/com/netscape/kra/EnrollmentService.java -index 93493fe..ee8a754 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -602,14 +602,12 @@ public class EnrollmentService implements IService { - - // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); -- signedAuditLogger.log(new SecurityDataArchivalProcessedEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( - auditSubjectID, -- ILogger.SUCCESS, - auditRequesterID, - requestId, - null, - new KeyId(rec.getSerialNumber()), -- null, - auditPublicKey)); - - // Xxx - should sign this proof of archival -diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -index 964a73c..05c7e71 100644 ---- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java -@@ -59,8 +59,8 @@ import com.netscape.certsrv.kra.IKeyService; - import com.netscape.certsrv.listeners.EListenersException; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogEvent; --import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; - import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; - import com.netscape.certsrv.request.ARequestNotifier; -@@ -783,19 +783,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove - queue.processRequest(r); - } - -- audit(new SecurityDataArchivalProcessedEvent( -+ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent( - auditSubjectID, -- ILogger.SUCCESS, - auditRequesterID, - r.getRequestId(), - null, - 
new KeyId(rec.getSerialNumber()), -- null, - auditPublicKey)); -+ - } catch (EBaseException eAudit1) { -- audit(new SecurityDataArchivalProcessedEvent( -+ -+ audit(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, -- ILogger.FAILURE, - auditRequesterID, - r.getRequestId(), - null, -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 1cd827f..052c289 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -50,8 +50,8 @@ import com.netscape.certsrv.dbs.keydb.KeyId; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogEvent; --import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; -+import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; - import com.netscape.certsrv.logging.event.SecurityDataExportEvent; - import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent; - import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent; -@@ -495,14 +495,12 @@ public class NetkeyKeygenService implements IService { - storage.addKeyRecord(rec); - CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); - -- audit(new SecurityDataArchivalProcessedEvent( -+ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent( - agentId, -- ILogger.SUCCESS, - auditSubjectID, - request.getRequestId(), - null, - new KeyId(serialNo), -- null, - PubKey)); - } //if archive - -diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -index 8de1311..5a64530 100644 ---- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java -@@ -40,7 
+40,6 @@ import com.netscape.certsrv.key.KeyRequestResource; - import com.netscape.certsrv.kra.EKRAException; - import com.netscape.certsrv.kra.IKeyRecoveryAuthority; - import com.netscape.certsrv.logging.ILogger; --import com.netscape.certsrv.logging.LogEvent; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; -@@ -121,8 +120,16 @@ public class SecurityDataProcessor { - - //Check here even though restful layer checks for this. - if (clientKeyId == null || dataType == null) { -- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, "Bad data in request"); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ "Bad data in request", -+ null)); -+ - throw new EBaseException("Bad data in SecurityDataService.serviceRequest"); - } - -@@ -237,14 +244,29 @@ public class SecurityDataProcessor { - privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params); - doEncrypt = true; - } else { // We have no data. 
-- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, "Failed to create security data to archive"); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ "Failed to create security data to archive", -+ null)); -+ - throw new EBaseException("Failed to create security data to archive!"); - } - } catch (Exception e) { - CMS.debug("Failed to create security data to archive: " + e.getMessage()); -- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), -+ null)); - - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); - } finally { -@@ -269,8 +291,16 @@ public class SecurityDataProcessor { - //Now we need a serial number for our new key. 
- - if (rec.getSerialNumber() != null) { -- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE")); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ CMS.getUserMessage("CMS_KRA_INVALID_STATE"), -+ null)); -+ - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } - -@@ -279,8 +309,16 @@ public class SecurityDataProcessor { - if (serialNo == null) { - kra.log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); -- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, "Failed to get next Key ID"); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ "Failed to get next Key ID", -+ null)); -+ - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); - } - -@@ -302,8 +340,16 @@ public class SecurityDataProcessor { - } catch (Exception e) { - kra.log(ILogger.LL_FAILURE, - "Failed to store wrapping parameters: " + e); -- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId, -- clientKeyId, null, "Failed to store wrapping parameters"); -+ -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, -+ null, -+ "Failed to store wrapping parameters", -+ null)); -+ - throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e); - } - -@@ -311,8 +357,13 @@ public class SecurityDataProcessor { - - keyRepository.addKeyRecord(rec); - -- auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId, -- clientKeyId, new KeyId(serialNo), "None"); -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( -+ auditSubjectID, -+ null, -+ requestId, -+ clientKeyId, 
-+ new KeyId(serialNo), -+ null)); - - request.setExtData(ATTR_KEY_RECORD, serialNo); - request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); -@@ -852,25 +903,4 @@ public class SecurityDataProcessor { - - return retData; - } -- -- private void audit(String msg) { -- signedAuditLogger.log(msg); -- } -- -- protected void audit(LogEvent event) { -- signedAuditLogger.log(event); -- } -- -- private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, -- KeyId keyID, String reason) { -- audit(new SecurityDataArchivalProcessedEvent( -- subjectID, -- status, -- null, -- requestID, -- clientKeyID, -- keyID, -- reason, -- null)); -- } - } --- -1.8.3.1 - - -From 0347843054e0a977826c4d7b50260e9f711190a9 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 1 Feb 2018 22:48:29 +0100 -Subject: [PATCH 2/9] Changed audit event types in EnrollmentService. - -The EnrollmentService has been modified to generate -SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED instead of. -SECURITY_DATA_ARCHIVAL_REQUEST. 
- -https://pagure.io/dogtagpki/issue/2848 - -Change-Id: I63017c4d9c058daac92fe606f0096402ca78b6ec -(cherry picked from commit 3c4770d520d6dab967bdba1b67b638c81a959e48) -(cherry picked from commit a30eee31512022a1a419bb949f912b08419ddf8d) ---- - .../src/com/netscape/kra/EnrollmentService.java | 74 +++++++++++++--------- - 1 file changed, 44 insertions(+), 30 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java -index ee8a754..20d68ff 100644 ---- a/base/kra/src/com/netscape/kra/EnrollmentService.java -+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java -@@ -51,7 +51,6 @@ import com.netscape.certsrv.kra.ProofOfArchival; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; --import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent; - import com.netscape.certsrv.profile.IEnrollProfile; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.IService; -@@ -203,12 +202,14 @@ public class EnrollmentService implements IService { - - } catch (IOException e) { - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); -@@ -250,12 +251,14 @@ public class EnrollmentService implements IService { - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); 
-+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); -@@ -288,12 +291,14 @@ public class EnrollmentService implements IService { - String message = CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"); - mKRA.log(ILogger.LL_FAILURE, message); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- message)); -+ null, -+ message, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + message); -@@ -329,12 +334,14 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_DEBUG, e.getMessage()); - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); -@@ -357,12 +364,14 @@ public class EnrollmentService implements IService { - jssSubsystem.obscureBytes(unwrapped); - mKRA.log(ILogger.LL_FAILURE, e.toString()); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + e, e); -@@ -383,12 +392,14 @@ public class EnrollmentService implements IService { - String message = CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"); - mKRA.log(ILogger.LL_FAILURE, message); - -- 
signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- message)); -+ null, -+ message, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + message); -@@ -419,12 +430,14 @@ public class EnrollmentService implements IService { - mKRA.log(ILogger.LL_DEBUG, e.getMessage()); - mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e); -@@ -450,12 +463,14 @@ public class EnrollmentService implements IService { - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); - } catch (InvalidKeyException e) { - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + e, e); -@@ -499,12 +514,14 @@ public class EnrollmentService implements IService { - String message = CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec.getSerialNumber().toString()); - mKRA.log(ILogger.LL_FAILURE, message); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- message)); -+ null, -+ message, -+ null)); - - throw new EKRAException( - 
CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message); -@@ -521,12 +538,14 @@ public class EnrollmentService implements IService { - } catch (Exception e) { - mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); - // TODO(alee) Set correct audit message here -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- e)); -+ null, -+ e.toString(), -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + e, e); -@@ -539,12 +558,14 @@ public class EnrollmentService implements IService { - String message = CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"); - mKRA.log(ILogger.LL_FAILURE, message); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent( -+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent( - auditSubjectID, - auditRequesterID, - requestId, - null, -- message)); -+ null, -+ message, -+ null)); - - throw new EKRAException( - CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message); -@@ -594,13 +615,6 @@ public class EnrollmentService implements IService { - "serial number: 0x" + serialNo.toString(16) } - ); - -- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createSuccessEvent( -- auditSubjectID, -- auditRequesterID, -- requestId, -- null)); -- -- // store a message in the signed audit log file - auditPublicKey = auditPublicKey(rec); - signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent( - auditSubjectID, --- -1.8.3.1 - - -From 138f1464d072690f9efb6f55c6c3ac297fb098d8 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 2 Feb 2018 21:54:01 +0100 -Subject: [PATCH 3/9] Fixed try-catch block in - NetkeyKeygenService.serviceRequest(). - -The try-catch block in NetkeyKeygenService.serviceRequest() has -been fixed to return false on exception. 
It also has been split -into two blocks. - -https://pagure.io/dogtagpki/issue/2848 - -Change-Id: Ia78bd5371720dc551c2470898d83597d554183b7 -(cherry picked from commit 4d54490f7fec01a6c5bc113f5f48f1d08e8b47a5) -(cherry picked from commit 70dff0d5d4b68f17058d30338bfebf81bbf96fa6) ---- - .../kra/src/com/netscape/kra/NetkeyKeygenService.java | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 052c289..17ac66d 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -65,7 +65,6 @@ import com.netscape.cms.logging.SignedAuditLogger; - import com.netscape.cms.servlet.key.KeyRecordParser; - import com.netscape.cmscore.dbs.KeyRecord; - import com.netscape.cmscore.security.JssSubsystem; --import com.netscape.cmscore.util.Debug; - import com.netscape.cmsutil.crypto.CryptoUtil; - import com.netscape.cmsutil.util.Utils; - -@@ -279,8 +278,10 @@ public class NetkeyKeygenService implements IService { - - return false; - } -+ - CMS.debug("NetkeyKeygenService: finished generate key pair for " + rCUID + ":" + rUserid); - -+ java.security.PrivateKey privKey; - try { - publicKeyData = keypair.getPublic().getEncoded(); - if (publicKeyData == null) { -@@ -309,8 +310,7 @@ public class NetkeyKeygenService implements IService { - PubKey)); - - //...extract the private key handle (not privatekeydata) -- java.security.PrivateKey privKey = -- keypair.getPrivate(); -+ privKey = keypair.getPrivate(); - - if (privKey == null) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -@@ -386,6 +386,13 @@ public class NetkeyKeygenService implements IService { - iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); - request.setExtData("iv_s", iv_s); - -+ } catch (Exception e) { -+ CMS.debug(e); -+ request.setExtData(IRequest.RESULT, 
Integer.valueOf(4)); -+ return false; -+ } -+ -+ try { - /* - * archival - option flag "archive" controllable by the caller - TPS - */ -@@ -505,11 +512,13 @@ public class NetkeyKeygenService implements IService { - } //if archive - - request.setExtData(IRequest.RESULT, Integer.valueOf(1)); -+ - } catch (Exception e) { -- CMS.debug("NetKeyKeygenService: " + e.toString()); -- Debug.printStackTrace(e); -+ CMS.debug(e); - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -+ return false; - } -+ - } else - request.setExtData(IRequest.RESULT, Integer.valueOf(2)); - --- -1.8.3.1 - - -From 625ac01b2f13ef469a3fc05a91b96522db802991 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Fri, 2 Feb 2018 16:39:30 -0800 -Subject: [PATCH 4/9] Ticket #2920 CMC: Audit Events needed for failures in - SharedToken scenarios - -This patch adds the missing CERT_STATUS_CHANGE_REQUEST_PROCESSED event in case of shared token failure at revocation; -In addition, a missing validate() call is made for decrypted POP request as well as the failure audit event. 
- -fixes: https://pagure.io/dogtagpki/issue/2920 -Change-Id: I45b53f579794c3a5f32cc475a6293240025922c2 -(cherry picked from commit e7ec7d3004354f4a4a98d696833e531fb7a0e41c) -(cherry picked from commit 4b0816d706ac4c70bd03633a34b07c2ff12f9690) ---- - .../CertStatusChangeRequestProcessedEvent.java | 22 ++++++++ - .../cms/servlet/common/CMCOutputTemplate.java | 66 ++++++++++++++++++---- - .../servlet/profile/ProfileSubmitCMCServlet.java | 6 ++ - 3 files changed, 82 insertions(+), 12 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java -index 259a395..8c7f9c9 100644 ---- a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java -@@ -51,6 +51,28 @@ public class CertStatusChangeRequestProcessedEvent extends SignedAuditEvent { - public CertStatusChangeRequestProcessedEvent( - String subjectID, - String outcome, -+ String requesterID, -+ String serialNumber, -+ String requestType, -+ String reasonNum, -+ RequestStatus approvalStatus, -+ String info) { -+ -+ super(LOGGING_PROPERTY); -+ -+ setAttribute("SubjectID", subjectID); -+ setAttribute("Outcome", outcome); -+ setAttribute("ReqID", requesterID); -+ setAttribute("CertSerialNum", serialNumber); -+ setAttribute("RequestType", requestType); -+ setAttribute("RevokeReasonNum", reasonNum); -+ setAttribute("Approval", approvalStatus); -+ setAttribute("Info", info); -+ } -+ -+ public CertStatusChangeRequestProcessedEvent( -+ String subjectID, -+ String outcome, - IRequest request, - String serialNumber, - String requestType, -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index 6c40d2d..814a9c2 100644 ---- 
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -1094,10 +1094,26 @@ public class CMCOutputTemplate { - } - ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; - -- char[] sharedSecret = tokenClass.getSharedToken(revokeSerial); -+ char[] sharedSecret = null; -+ try { -+ sharedSecret = tokenClass.getSharedToken(revokeSerial); -+ } catch (Exception eShrTok) { -+ CMS.debug("CMCOutputTemplate: " + eShrTok.toString()); -+ } - - if (sharedSecret == null) { -- CMS.debug("CMCOutputTemplate: shared secret not found."); -+ msg = " shared secret not found"; -+ CMS.debug(method + msg); -+ audit(new CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus, -+ msg)); -+ - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), - null, null); - SEQUENCE failed_bpids = new SEQUENCE(); -@@ -1127,8 +1143,8 @@ public class CMCOutputTemplate { - secret1.clear(); - secret2.clear(); - } else { -- CMS.debug(method -- + " Client and server shared secret are not the same, cannot revoke certificate."); -+ msg = " Client and server shared secret are not the same, cannot revoke certificate."; -+ CMS.debug(method + msg); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), - null, null); - SEQUENCE failed_bpids = new SEQUENCE(); -@@ -1146,7 +1162,8 @@ public class CMCOutputTemplate { - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus)); -+ auditApprovalStatus, -+ msg)); - - secret1.clear(); - secret2.clear(); -@@ -1165,7 +1182,18 @@ public class CMCOutputTemplate { - } - - if (record == null) { -- CMS.debug(method + " The certificate is not found"); -+ msg = " The certificate is not found"; -+ CMS.debug(method + msg); -+ audit(new 
CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus, -+ msg)); -+ - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null, null); - SEQUENCE failed_bpids = new SEQUENCE(); - failed_bpids.addElement(attrbpid); -@@ -1178,7 +1206,18 @@ public class CMCOutputTemplate { - } - - if (record.getStatus().equals(ICertRecord.STATUS_REVOKED)) { -- CMS.debug("CMCOutputTemplate: The certificate is already revoked:" + auditSerialNumber); -+ msg = " The certificate is already revoked:" + auditSerialNumber; -+ CMS.debug( method + msg); -+ audit(new CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus, -+ msg)); -+ - SEQUENCE success_bpids = new SEQUENCE(); - success_bpids.addElement(attrbpid); - cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS, -@@ -1198,7 +1237,7 @@ public class CMCOutputTemplate { - // principal matches that of the revoking cert - if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { - if (!certPrincipal.equals(signerPrincipal)) { -- msg = "certificate principal and signer do not match"; -+ msg = " certificate principal and signer do not match"; - CMS.debug(method + msg); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), - null, null); -@@ -1218,7 +1257,8 @@ public class CMCOutputTemplate { - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus)); -+ auditApprovalStatus, -+ msg)); - - return bpid; - } else { -@@ -1260,8 +1300,9 @@ public class CMCOutputTemplate { - Integer result = revReq.getExtDataInInteger(IRequest.RESULT); - CMS.debug(method + " revReq result = " + result); - if (result.equals(IRequest.RES_ERROR)) { -- CMS.debug("CMCOutputTemplate: revReq exception: " + -- 
revReq.getExtDataInString(IRequest.ERROR)); -+ msg = " revReq exception: " + -+ revReq.getExtDataInString(IRequest.ERROR); -+ CMS.debug(method + msg); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST), - null, null); - SEQUENCE failed_bpids = new SEQUENCE(); -@@ -1280,7 +1321,8 @@ public class CMCOutputTemplate { - auditSerialNumber, - auditRequestType, - auditReasonNum, -- auditApprovalStatus)); -+ auditApprovalStatus, -+ msg)); - - return bpid; - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index c702624..5509080 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -909,6 +909,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - - auditRequesterID = auditRequesterID(provedReq); - try { -+ profile.validate(provedReq); - profile.execute(provedReq); - reqs = new IRequest[1]; - reqs[0] = provedReq; -@@ -950,6 +951,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - error_codes[0] = Integer.parseInt(errorCode); - profile.getRequestQueue().updateRequest(provedReq); - CMS.debug("ProfileSubmitCMCServlet: provedReq updateRequest"); -+ audit(CertRequestProcessedEvent.createFailureEvent( -+ auditSubjectID, -+ auditRequesterID, -+ ILogger.SIGNED_AUDIT_REJECTION, -+ errorReason)); - } - } - --- -1.8.3.1 - - -From 5781a5d47809fb1361a668e29e8fce07ce947303 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 2 Feb 2018 22:32:18 +0100 -Subject: [PATCH 5/9] Added SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED events in - NetkeyKeygenService. - -The NetkeyKeygenService.serviceRequest() has been modified to catch -all exceptions and generate SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED -with FAILURE outcome. 
- -https://pagure.io/dogtagpki/issue/2848 - -Change-Id: I08608fbb21ef14fddc2076d2e993766c30fd3cf0 -(cherry picked from commit 74d72d9b5798d16e68054c0859d79288a38eee36) -(cherry picked from commit a33c542fd4c8b2b7db259f092c2875fdbc842e95) ---- - .../src/com/netscape/kra/NetkeyKeygenService.java | 42 +++++++++++----------- - 1 file changed, 22 insertions(+), 20 deletions(-) - -diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -index 17ac66d..55fd9a0 100644 ---- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java -@@ -424,10 +424,10 @@ public class NetkeyKeygenService implements IService { - params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); - - privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params); -+ - } catch (Exception e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed"); -- return false; -+ throw new Exception("Unable to wrap private key with storage key", e); - } - - CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful"); -@@ -443,13 +443,13 @@ public class NetkeyKeygenService implements IService { - if (rKeytype.equals("RSA")) { - try { - RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData); -- - rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); -+ - } catch (InvalidKeyException e) { - request.setExtData(IRequest.RESULT, Integer.valueOf(11)); -- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException"); -- return false; -+ throw new Exception("Invalid RSA public key", e); - } -+ - } else if (rKeytype.equals("EC")) { - CMS.debug("NetkeyKeygenService: alg is EC"); - String oidDescription = "UNDETERMINED"; -@@ -490,8 +490,7 @@ public class NetkeyKeygenService implements IService { - - if (serialNo == null) { - 
request.setExtData(IRequest.RESULT, Integer.valueOf(11)); -- CMS.debug("NetkeyKeygenService: serialNo null"); -- return false; -+ throw new Exception("Unable to generate next serial number"); - } - - rec.setWrappingParams(params, allowEncDecrypt_archival); -@@ -515,7 +514,22 @@ public class NetkeyKeygenService implements IService { - - } catch (Exception e) { - CMS.debug(e); -- request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -+ -+ audit(SecurityDataArchivalProcessedEvent.createFailureEvent( -+ agentId, -+ auditSubjectID, -+ request.getRequestId(), -+ null, -+ null, -+ e.toString(), -+ PubKey)); -+ -+ Integer result = request.getExtDataInInteger(IRequest.RESULT); -+ if (result == null) { -+ // set default RESULT code -+ request.setExtData(IRequest.RESULT, Integer.valueOf(4)); -+ } -+ - return false; - } - -@@ -525,18 +539,6 @@ public class NetkeyKeygenService implements IService { - return true; - } //serviceRequest - -- /** -- * Signed Audit Log -- * y -- * This method is called to store messages to the signed audit log. -- *
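Review bot: In the `@@ -515,7 +514,22 @@` catch block the failure audit is emitted before the request's RESULT code is defaulted, so if `audit(...)` itself throws — SignedAuditLogger in this same series rethrows RuntimeException on a malformed message, and `e.toString()` is interpolated unvalidated — the method neither sets RESULT nor reaches `return false`, and the exception escapes serviceRequest. Move the `request.getExtDataInInteger(IRequest.RESULT)` / `request.setExtData(IRequest.RESULT, Integer.valueOf(4))` lines above the `audit(...)` call so the request state is consistent whether or not the audit write succeeds. `PubKey` is presumably derived earlier in the method; if a failure can occur before that point, confirm createFailureEvent tolerates a null. serviceRequest begins outside this hunk.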

-- * -- * @param msg signed audit log message -- */ -- private void audit(String msg) { -- signedAuditLogger.log(msg); -- } -- - protected void audit(LogEvent event) { - signedAuditLogger.log(event); - } --- -1.8.3.1 - - -From d80696789edf427fe0b05c208da0270249af44e0 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Thu, 1 Feb 2018 14:58:30 -0800 -Subject: [PATCH 6/9] Fix Bug 1522938 - CC: Missing failure resumption - detection and audit event logging at startup - -This patch addressed two cases listed in the bug: - -1. Signing Failure due to bad HSM connection. -2. Audit log failure of some kind. - -I felt the best and safest way to handle these conditions was to simply write to the -error console, which results in a simple System.err.println being sent to the former -catalina.out file now covered with the journalctl command. - -I considered using some other dogtag log file, but if we are in some sort of emergency -or resource constrained situation, it is best to write the log out mostly simply. - -Quick testing instructions: - -1. To see signing failure put this in the CS.cfg for ONLY testing purposes. - -ca.signing.testSignatureFailure=true , This will force an error when trying to sign and log it. - - Approve a certificate request, which will trigger a signing operation. -2. Check the journalctl for a log message. - -3. Remove the config value to resume normal operation. - -4. To see an audit log failure do the following: - -[root@localhost signedAudit]# ps -fe | grep pki -pkiuser 8456 1 2 14:39 ? 00:00:32 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java - -lsof /var/lib/pki/pki-tomcat/ca/logs/signedAudit/ca_audit -java 9905 pkiuser 124u REG 253,0 17298 3016784 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit - -gdb /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 8456 , Use the pid from above - -Inside gdb do this: - -call close(124) - -This will close the file descriptor for the running server. - -5. 
Now just try to do anything with the CS UI and observe errors written to the journalctl log, -having to do with not being able to write to the ca_adit file. If signed audid logging is configured, -many of these conditions will result in the the shutdown of the server. - -Change-Id: I21c62a5ad6bedfe8678144a764bff2e2a4716dce -(cherry picked from commit 268cc70782b517c17439a17a5036f9f51182b650) -(cherry picked from commit cdfe6f3e5a29fa061a0e6b6fb599dcddc19984c3) ---- - base/ca/src/com/netscape/ca/SigningUnit.java | 16 +++++++ - .../cms/src/com/netscape/cms/logging/LogFile.java | 23 ++++++++++ - .../cms/src/com/netscape/cms/logging/LogQueue.java | 22 ++++++--- - .../netscape/cms/logging/SignedAuditLogger.java | 53 ++++++++++++++-------- - base/server/cmsbundle/src/UserMessages.properties | 2 + - .../src/com/netscape/cmscore/apps/CMSEngine.java | 9 ++++ - 6 files changed, 99 insertions(+), 26 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java -index 3194380..7cd0dd4 100644 ---- a/base/ca/src/com/netscape/ca/SigningUnit.java -+++ b/base/ca/src/com/netscape/ca/SigningUnit.java -@@ -41,7 +41,9 @@ import com.netscape.certsrv.base.ISubsystem; - import com.netscape.certsrv.ca.CAMissingCertException; - import com.netscape.certsrv.ca.CAMissingKeyException; - import com.netscape.certsrv.ca.ECAException; -+import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.SystemEvent; - import com.netscape.certsrv.security.ISigningUnit; - import com.netscape.cms.logging.Logger; - import com.netscape.cmscore.security.JssSubsystem; -@@ -274,6 +276,7 @@ public final class SigningUnit implements ISigningUnit { - if (!mInited) { - throw new EBaseException("CASigningUnit not initialized!"); - } -+ boolean testSignatureFailure = false; - try { - // XXX for now do this mapping until James changes the names - // to match JCA names and provide a 
getAlgorithm method. -@@ -303,6 +306,13 @@ public final class SigningUnit implements ISigningUnit { - - // XXX add something more descriptive. - CMS.debug("Signing Certificate"); -+ -+ testSignatureFailure = mConfig.getBoolean("testSignatureFailure",false); -+ -+ if(testSignatureFailure == true) { -+ throw new SignatureException("Signature Exception forced for testing purposes."); -+ } -+ - return signer.sign(); - } catch (NoSuchAlgorithmException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); -@@ -319,6 +329,12 @@ public final class SigningUnit implements ISigningUnit { - } catch (SignatureException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString())); - CMS.debug("SigningUnit.sign: " + e.toString()); -+ -+ //For this one case, show the eventual erorr message that will be written to the system error -+ //log in case of a Signature failure. -+ if (testSignatureFailure == true) { -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString()))); -+ } - CMS.checkForAndAutoShutdown(); - // XXX fix this exception later. 
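Review bot: The `@@ -303,6 +306,13 @@` hunk adds a config-driven failure injector to the production certificate-signing path: `testSignatureFailure = mConfig.getBoolean("testSignatureFailure",false);` is evaluated on every sign() call, and anyone able to edit the signing-unit section of CS.cfg can make every signing request throw and, through the SignatureException handler, trigger the auto-shutdown probe. That person could already do worse, so this is low-value as an attack, but test hooks in the signing path should be unmistakable: document it in-code, e.g. `// TEST HOOK: ca.signing.testSignatureFailure=true forces a SignatureException; never set in production`, and read the flag once at init rather than per signature so a later config parse problem cannot surface mid-sign. Style: `if(testSignatureFailure == true)` should be `if (testSignatureFailure)`. sign() continues outside this hunk.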
- throw new EBaseException(e); -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -index 510e796..74a8ada 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java -@@ -824,6 +824,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - mFileName))); - } catch (GeneralSecurityException gse) { - // error with signed audit log, shutdown CMS -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_OPEN_FAILED", mFileName, gse.toString()))); - gse.printStackTrace(); - shutdownCMS(); - } -@@ -843,6 +844,8 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - } catch (ELogException le) { - ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, - le.toString()))); -+ le.printStackTrace(); -+ shutdownCMS(); - } - } - -@@ -858,8 +861,15 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - } - } catch (GeneralSecurityException gse) { - // error with signed audit log, shutdown CMS -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, gse.toString()))); - gse.printStackTrace(); - shutdownCMS(); -+ } catch (Exception ee) { -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, ee.toString()))); -+ if(mLogSigning) { -+ ee.printStackTrace(); -+ shutdownCMS(); -+ } - } - - mBytesUnflushed = 0; -@@ -995,6 +1005,11 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - if (mLogWriter == null) { - String[] params = { mFileName, entry }; - -+ if (mLogSigning) { -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params))); -+ // Failed to write to audit log, shut down CMS -+ shutdownCMS(); -+ } - throw new ELogException(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params)); - } 
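Review bot: In the `@@ -319,6 +329,12 @@` hunk the new console message is sent only `if (testSignatureFailure == true)`, so a genuine SignatureException from the HSM — the case the bug is about — writes nothing to the error console from this handler; it is reported only if CMSEngine.checkForAndAutoShutdown() reaches its own signing probe, and that method returns early when `autoShutdown.allowed` is false. Drop the condition and send the event unconditionally, `ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString())));` directly before `CMS.checkForAndAutoShutdown();`. The `//For this one case...` comment should then go (it also misspells "error"). sign() starts outside this hunk.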
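Review bot: The `@@ -843,6 +844,8 @@` hunk calls `shutdownCMS()` on any ELogException from the flush path without checking `mLogSigning`, while the neighbouring `@@ -858` hunk guards the same action in its generic `catch (Exception ee)` with `if(mLogSigning)`. If LogFile also backs the non-audit logs, a flush failure on one of those — full disk, file rotated away — would now take the whole server down, a broader availability impact than the signed-audit requirement calls for. Align the two branches: `if (mLogSigning) { le.printStackTrace(); shutdownCMS(); }`. The enclosing method starts outside this hunk.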
else { - try { -@@ -1066,6 +1081,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { - gse.printStackTrace(); - ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage( - LOG_SIGNED_AUDIT_EXCEPTION, gse.toString()))); -+ } catch (Exception ee) { // Make darn sure we got everything -+ ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage(LOG_SIGNED_AUDIT_EXCEPTION, ee.toString()))); -+ if (mLogSigning) { -+ // Failed to write to audit log, shut down CMS -+ ee.printStackTrace(); -+ shutdownCMS(); -+ } -+ - } - - // XXX -diff --git a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java -index 1b40676..5eb96d7 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java -+++ b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java -@@ -19,10 +19,13 @@ package com.netscape.cms.logging; - - import java.util.Vector; - --import com.netscape.certsrv.logging.ELogException; -+import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ILogEvent; - import com.netscape.certsrv.logging.ILogEventListener; - import com.netscape.certsrv.logging.ILogQueue; -+import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.certsrv.logging.SystemEvent; - - /** - * A class represents a log queue. -@@ -95,13 +98,20 @@ public class LogQueue implements ILogQueue { - */ - public void log(ILogEvent event) { - for (int i = 0; i < mListeners.size(); i++) { -+ -+ boolean isAudit = false; -+ -+ if( event instanceof SignedAuditEvent) { -+ isAudit = true; -+ } - try { - mListeners.elementAt(i).log(event); -- } catch (ELogException e) { -- // Raidzilla Bug #57592: Don't display potentially -- // incorrect log message. 
-- // ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_EVENT_FAILED", -- // event.getEventType(), e.toString()))); -+ } catch (Exception e) {//Try to catch ELogException or possible RuntimeExceptions if thrown -+ //Last resort log to the system for failed audit log attempt -+ if(isAudit == true) { -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(), -+ "Audit Event Failure!"))); -+ } - } - } - } -diff --git a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java -index 183f93c..90b5d5d 100644 ---- a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java -+++ b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java -@@ -18,11 +18,13 @@ - package com.netscape.cms.logging; - - import com.netscape.certsrv.apps.CMS; -+import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogCategory; - import com.netscape.certsrv.logging.LogEvent; - import com.netscape.certsrv.logging.LogSource; - import com.netscape.certsrv.logging.SignedAuditEvent; -+import com.netscape.certsrv.logging.SystemEvent; - - /** - * A class represents certificate server logger -@@ -53,37 +55,48 @@ public class SignedAuditLogger extends Logger { - Object params[], boolean multiline) { - - // create event -- SignedAuditEvent event = (SignedAuditEvent)create( -+ SignedAuditEvent event = (SignedAuditEvent) create( - category, source, level, message, params, multiline); - - // parse attributes in message - int start = 0; -- while (start < message.length()) { - -- // find [name=value] -- int i = message.indexOf("[", start); -- if (i < 0) break; -+ try { -+ while (start < message.length()) { - -- int j = message.indexOf("=", i + 1); -- if (j < 0) { -- throw new RuntimeException("Missing equal sign: " + message); -- } -+ // find [name=value] -+ int i = 
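Review bot: In the `@@ -95,13 +98,20 @@` hunk `isAudit` is recomputed on every loop iteration although `event` does not change, and the widened `catch (Exception e)` now silently drops every non-audit listener failure, including RuntimeExceptions the old `catch (ELogException e)` would have let propagate, with the explanatory comment removed. Hoist `boolean isAudit = event instanceof SignedAuditEvent;` above the `for`, write `if (isAudit)` instead of `== true`, and keep a one-line comment on the empty non-audit path, e.g. `// non-audit listener failures are deliberately dropped (Raidzilla #57592); only audit failures are surfaced`, so the suppression reads as intended rather than forgotten.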
message.indexOf("[", start); -+ if (i < 0) -+ break; - -- // get attribute name -- String name = message.substring(i + 1, j); -+ int j = message.indexOf("=", i + 1); -+ if (j < 0) { -+ throw new RuntimeException("Missing equal sign: " + message); -+ } - -- int k = message.indexOf("]", j + 1); -- if (k < 0) { -- throw new RuntimeException("Missing closing bracket: " + message); -- } -+ // get attribute name -+ String name = message.substring(i + 1, j); -+ -+ int k = message.indexOf("]", j + 1); -+ if (k < 0) { -+ throw new RuntimeException("Missing closing bracket: " + message); -+ } - -- // get attribute value -- String value = message.substring(j + 1, k); -+ // get attribute value -+ String value = message.substring(j + 1, k); -+ -+ // store attribute in event -+ event.setAttribute(name, value); -+ -+ start = k + 1; -+ } - -- // store attribute in event -- event.setAttribute(name, value); -+ } catch (Exception e) { //Catch any of our RunTime exceptions just so we can log it to the console -+ ConsoleError -+ .send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(), -+ "Audit Event Failure!"))); - -- start = k + 1; -+ throw e; - } - - mLogQueue.log(event); -diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties -index 8007ce1..9c324f5 100644 ---- a/base/server/cmsbundle/src/UserMessages.properties -+++ b/base/server/cmsbundle/src/UserMessages.properties -@@ -387,6 +387,7 @@ CMS_CA_SET_SERIALNO_FAILED=Request {0} was completed with errors.\nError setting - CMS_CA_NOSERIALNO=Request {0} was completed with errors.\nCA has exausted all available serial numbers - CMS_CA_SIGNING_CRL_FAILED=Failed signing CRL. Error {0} - CMS_CA_SIGNING_CERT_FAILED=Failed signing certificate. Error {0} -+CMS_CA_SIGNING_OPERATION_FAILED=Signing Unit signing operation failed. 
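Review bot: The `[name=value]` scanner in the `@@ -53,37 +55,48 @@` hunk derives attribute boundaries from the raw text of the formatted message, so any `{n}` parameter that contains `[`, `]` or `=` is parsed as further attributes, and a later `event.setAttribute(name, value)` for a repeated name such as SubjectID or Outcome presumably overrides the earlier one. Events added in this series interpolate request-derived strings (the CMC request body, error text), making this the choke point where an injected `][Outcome=Success` would take effect and alter what the `(Outcome=Failure)` filters see. Either escape or strip `[` and `]` from substituted values before the template is formatted, or note at the top of this method that callers must only pass sanitized parameters; the console report and rethrow are otherwise fine. The enclosing method starts outside this hunk.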
Error {0} - CMS_CA_MISSING_INFO_IN_ISSUEREQ=Missing certificate info in issuing request - CMS_CA_MISSING_INFO_IN_REVREQ=Missing revocation info in revocation request - CMS_CA_MISSING_INFO_IN_CLAREQ=Missing CLA certificate info in cert4crl request -@@ -506,6 +507,7 @@ CMS_LOG_INVALID_FILE_NAME=Attempt to initialize log with an invalid filename: \" - CMS_LOG_UNEXPECTED_EXCEPTION=Caught unexpected exception: {0} - CMS_LOG_ILLEGALARGUMENT=Illegal argument when opening: {0} - CMS_LOG_CLOSE_FAILED=Failed to close file \"{0}\", error: {1} -+CMS_LOG_OPEN_FAILED=Failed to open file \"{0}\", error: {1} - CMS_LOG_INVALID_LOG_TYPE=Invalid log type in \"{0}\" property: {1} - CMS_LOG_SRVLT_ILL_PLUGIN_ID=Another plugin ID already exists {0} - CMS_LOG_SRVLT_NULL_CLASS=Plugin classname is null -diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -index be79607..b1df429 100644 ---- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java -@@ -100,12 +100,14 @@ import com.netscape.certsrv.ldap.ELdapException; - import com.netscape.certsrv.ldap.ILdapAuthInfo; - import com.netscape.certsrv.ldap.ILdapConnFactory; - import com.netscape.certsrv.ldap.ILdapConnInfo; -+import com.netscape.certsrv.logging.ConsoleError; - import com.netscape.certsrv.logging.ELogException; - import com.netscape.certsrv.logging.IAuditor; - import com.netscape.certsrv.logging.ILogEvent; - import com.netscape.certsrv.logging.ILogEventListener; - import com.netscape.certsrv.logging.ILogQueue; - import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.SystemEvent; - import com.netscape.certsrv.notification.IEmailFormProcessor; - import com.netscape.certsrv.notification.IEmailResolver; - import com.netscape.certsrv.notification.IEmailResolverKeys; -@@ -1318,6 +1320,7 @@ public class CMSEngine implements ICMSEngine { - 
public void checkForAndAutoShutdown() { - String method= "CMSEngine: checkForAndAutoShutdown: "; - CMS.debug(method + "begins"); -+ - try { - boolean allowShutdown = mConfig.getBoolean("autoShutdown.allowed", false); - if ((!allowShutdown) || (mSigningKey == null) || -@@ -1336,7 +1339,13 @@ public class CMSEngine implements ICMSEngine { - byte[] result = signer.sign(); - CMS.debug(method + " signining successful: " + new String(result)); - } catch (SignatureException e) { -+ -+ //Let's write to the error console in case we are in a bad memory situation -+ //This will be the most likely to work, giving us a record of the signing failure -+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString()))); -+ - CMS.debug(method + "autoShutdown for " + e.toString()); -+ - CMS.autoShutdown(); - } catch (Exception e) { - CMS.debug(method + "continue for " + e.toString()); --- -1.8.3.1 - - -From 54a52b8cfffdb3d39408d3e765e45f5751715700 Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Thu, 1 Feb 2018 18:37:10 -0800 -Subject: [PATCH 7/9] Ticket #2880 missing CMC request and response record - -This patch adds audit events to record received CMC requests and signed CMC responses: -CMC_REQUEST_RECEIVED -CMC_RESPONSE_SENT - -This patch fixes https://pagure.io/dogtagpki/issue/2880 - -Change-Id: Id093225b22a2c434e680726442c49b410fa738a3 -(cherry picked from commit 55a6fa09d24b1c30bfd9d80357d69a8905ee4090) -(cherry picked from commit d9ae15065d96bf5b634bae6dfa4b6d0e4780d4ae) ---- - base/ca/shared/conf/CS.cfg | 4 ++-- - .../com/netscape/certsrv/logging/AuditEvent.java | 4 ++++ - .../cms/servlet/common/CMCOutputTemplate.java | 15 ++++++++++++++ - .../servlet/profile/ProfileSubmitCMCServlet.java | 23 ++++++++++++++++++---- - base/server/cmsbundle/src/LogMessages.properties | 19 ++++++++++++++++-- - .../com/netscape/cmsutil/crypto/CryptoUtil.java | 10 +--------- - base/util/src/com/netscape/cmsutil/util/Utils.java | 23 ++++++++++++++++++++++ - 
7 files changed, 81 insertions(+), 17 deletions(-) - -diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg -index 76a7057..59de904 100644 ---- a/base/ca/shared/conf/CS.cfg -+++ b/base/ca/shared/conf/CS.cfg -@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging - log.instance.SignedAudit._002=## - log.instance.SignedAudit._003=## - log.instance.SignedAudit._004=## Available Audit events: --log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION -+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION - log.instance.SignedAudit._006=## - log.instance.SignedAudit.bufferSize=512 - log.instance.SignedAudit.enable=true --log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION -+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION - log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) - log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) -diff --git 
a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -index 131b2a9..db58f34 100644 ---- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java -@@ -67,6 +67,10 @@ public class AuditEvent extends LogEvent { - "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5"; - public final static String PROFILE_CERT_REQUEST = - "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5"; -+ public final static String CMC_REQUEST_RECEIVED = -+ "LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3"; -+ public final static String CMC_RESPONSE_SENT = -+ "LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3"; - public final static String INTER_BOUNDARY = - "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5"; - public final static String CERT_PROFILE_APPROVAL = -diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index 814a9c2..e89c9a0 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.SessionContext; - import com.netscape.certsrv.ca.ICertificateAuthority; - import com.netscape.certsrv.dbs.certdb.ICertRecord; - import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -+import com.netscape.certsrv.logging.AuditEvent; - import com.netscape.certsrv.logging.AuditFormat; - import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.logging.LogEvent; -@@ -150,6 +151,7 @@ public class CMCOutputTemplate { - OutputStream os = resp.getOutputStream(); - os.write(contentBytes); - os.flush(); -+ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); - } catch (Exception e) { - CMS.debug("CMCOutputTemplate createFullResponseWithFailedStatus Exception: " + e.toString()); - return; -@@ 
-480,6 +482,7 @@ public class CMCOutputTemplate { - OutputStream os = resp.getOutputStream(); - os.write(contentBytes); - os.flush(); -+ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); - CMS.debug(method + "ends"); - } catch (java.security.cert.CertificateEncodingException e) { - CMS.debug(method + e.toString()); -@@ -722,6 +725,7 @@ public class CMCOutputTemplate { - OutputStream os = resp.getOutputStream(); - os.write(contentBytes); - os.flush(); -+ auditCMCResponseSent(Utils.base64encode(contentBytes, false)); - } catch (java.security.cert.CertificateEncodingException e) { - CMS.debug("CMCOutputTemplate exception: " + e.toString()); - } catch (InvalidBERException e) { -@@ -1391,6 +1395,17 @@ public class CMCOutputTemplate { - signedAuditLogger.log(msg); - } - -+ protected void auditCMCResponseSent(String response) { -+ SessionContext context = SessionContext.getContext(); -+ -+ String auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_RESPONSE_SENT, -+ (String) context.get(SessionContext.USER_ID), -+ ILogger.SUCCESS, -+ Utils.normalizeString(response)); -+ audit(auditMessage); -+ } -+ - private RevocationReason toRevocationReason(ENUMERATED n) { - long code = n.getValue(); - if (code == RevokeRequest.aACompromise.getValue()) -diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -index 5509080..91a26b1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java -@@ -46,9 +46,10 @@ import com.netscape.certsrv.authentication.IAuthToken; - import com.netscape.certsrv.authorization.AuthzToken; - import com.netscape.certsrv.base.EBaseException; - import com.netscape.certsrv.base.SessionContext; --import com.netscape.certsrv.logging.ILogger; -+import com.netscape.certsrv.logging.AuditEvent; - import 
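Review bot: `auditCMCResponseSent` in the `@@ -1391,6 +1395,17 @@` hunk casts `context.get(SessionContext.USER_ID)` straight into the SubjectID field, so a session without a user id produces a signed audit record reading `SubjectID=null`, whereas the request-side event in ProfileSubmitCMCServlet falls back to `auditSubjectID()`. Apply the same fallback here: `String subjectId = (String) context.get(SessionContext.USER_ID); if (subjectId == null) subjectId = ILogger.UNIDENTIFIED;`. The outcome is also hard-coded to `ILogger.SUCCESS` even when called from createFullResponseWithFailedStatus; that is defensible if Outcome means "the response was written", but a one-line comment saying so would prevent it being read as the CMC result.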
com.netscape.certsrv.logging.event.AuthEvent; - import com.netscape.certsrv.logging.event.CertRequestProcessedEvent; -+import com.netscape.certsrv.logging.ILogger; - import com.netscape.certsrv.profile.ECMCBadIdentityException; - import com.netscape.certsrv.profile.ECMCBadMessageCheckException; - import com.netscape.certsrv.profile.ECMCBadRequestException; -@@ -67,6 +68,8 @@ import com.netscape.certsrv.request.INotify; - import com.netscape.certsrv.request.IRequest; - import com.netscape.certsrv.request.RequestId; - import com.netscape.certsrv.request.RequestStatus; -+import com.netscape.cms.logging.Logger; -+import com.netscape.cms.logging.SignedAuditLogger; - import com.netscape.cms.servlet.common.AuthCredentials; - import com.netscape.cms.servlet.common.CMCOutputTemplate; - import com.netscape.cms.servlet.common.CMSRequest; -@@ -85,6 +88,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - /** - * - */ -+ private static Logger signedAuditLogger = SignedAuditLogger.getLogger(); - private static final long serialVersionUID = -8017841111435988197L; - private static final String PROP_PROFILE_ID = "profileId"; - -@@ -112,7 +116,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - - private void setInputsIntoContext(HttpServletRequest request, IProfile profile, IProfileContext ctx) { -- -+ String method = "ProfileSubmitCMCServlet.setInputsIntoContext: "; - // passing inputs into context - Enumeration inputIds = profile.getProfileInputIds(); - -@@ -126,6 +130,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - String inputName = inputNames.nextElement(); - - if (request.getParameter(inputName) != null) { -+ CMS.debug(method + "setting: " + inputName); - ctx.set(inputName, request.getParameter(inputName)); - } - } -@@ -399,7 +404,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - IProfileContext ctx = profile.createContext(); - if (requestB64 != null) { - ctx.set("cert_request_type", 
cert_request_type); -- ctx.set("cert_request", requestB64); -+ ctx.set("cert_request", Utils.normalizeString(requestB64)); - } - // passing auths into context - IProfileAuthenticator authenticator = null; -@@ -481,6 +486,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - } - -+ String auditSubjectID = auditSubjectID(); -+ if (authToken != null) { -+ auditSubjectID = authToken.getInString(IAuthToken.USER_ID); -+ } -+ String auditMessage = CMS.getLogMessage( -+ AuditEvent.CMC_REQUEST_RECEIVED, -+ auditSubjectID, -+ ILogger.SUCCESS, -+ Utils.normalizeString(requestB64)); -+ signedAuditLogger.log(auditMessage); -+ - IRequest reqs[] = null; - - /////////////////////////////////////////////// -@@ -777,7 +793,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { - } - } //for - -- String auditSubjectID = auditSubjectID(); - String auditRequesterID = ILogger.UNIDENTIFIED; - - try { -diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties -index 9ca508a..7963f6f 100644 ---- a/base/server/cmsbundle/src/LogMessages.properties -+++ b/base/server/cmsbundle/src/LogMessages.properties -@@ -2008,6 +2008,21 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=:[AuditEvent=CRL_SI - # - LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles - # -+# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED -+# - used when a CMC request is received. 
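Review bot: The CMC_REQUEST_RECEIVED event in the `@@ -481,6 +486,17 @@` hunk embeds `Utils.normalizeString(requestB64)` — the raw `cert_request` HTTP parameter with only whitespace removed — inside `[CMCRequest={2}]`, and SignedAuditLogger derives attributes by scanning the message for `[`, `=` and `]`. Unless requestB64 is rejected elsewhere for non-base64 characters (commons-codec decodeBase64 silently skips them), a client can append `][SubjectID=caadmin][Outcome=Success` and have it parsed as attributes of its own audit record. Log a canonical re-encoding instead, `Utils.base64encode(Utils.base64decode(requestB64), false)`, or reject the request on a base64-alphabet check before anything is audited. Also `authToken.getInString(IAuthToken.USER_ID)` can be null and would then replace the `auditSubjectID()` fallback with `null`; keep the fallback when it is.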
-+# SubjectID must be the UID of user that triggered this event -+# (if CMC requests is signed by an agent, SubjectID should -+# be that of the agent) -+# In case of an unsigned request, it would bear $Unidentified$ -+# -+LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received -+# -+# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT -+# - used when a CMC response is sent -+# SubjectID must be the UID of user that triggered this event -+# -+LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent -+# - # LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST - # - used when a profile certificate request is made (before approval process) - # SubjectID must be the UID of user that triggered this event -@@ -2220,13 +2235,13 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=:[AuditEvent=OCSP_GEN - LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=:[AuditEvent=RANDOM_GENERATION]{0} Random number generation - # - # LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY --# - used when CMC (agent-pre-signed) certificate requests or revocation requests -+# - used when agent signed CMC certificate requests or revocation requests - # are submitted and signature is verified - # ReqType must be the request type (enrollment, or revocation) - # CertSubject must be the certificate subject name of the certificate request - # SignerInfo must be a unique String representation for the signer - # --LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent pre-approved CMC request signature verification -+LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification - # - # LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY - # - used when CMC (user-signed or self-signed) certificate requests or revocation requests -diff --git 
a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -index f527967..27ae0de 100644 ---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java -@@ -1198,15 +1198,7 @@ public class CryptoUtil { - // grammar defined at https://tools.ietf.org/html/rfc7468#section-3 - s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", ""); - -- StringBuffer sb = new StringBuffer(); -- StringTokenizer st = new StringTokenizer(s, "\r\n "); -- -- while (st.hasMoreTokens()) { -- String nextLine = st.nextToken(); -- nextLine = nextLine.trim(); -- sb.append(nextLine); -- } -- return sb.toString(); -+ return Utils.normalizeString(s); - } - - public static String normalizeCertStr(String s) { -diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java -index a9ee974..5ff78ad 100644 ---- a/base/util/src/com/netscape/cmsutil/util/Utils.java -+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java -@@ -32,6 +32,7 @@ import java.net.InetAddress; - import java.net.UnknownHostException; - import java.text.SimpleDateFormat; - import java.util.Date; -+import java.util.StringTokenizer; - import java.util.Vector; - - import org.apache.commons.codec.binary.Base64; -@@ -330,4 +331,26 @@ public class Utils { - public static byte[] base64decode(String string) { - return Base64.decodeBase64(string); - } -+ -+ /** -+ * Normalize B64 input String -+ * -+ * @pram string base-64 string -+ * @return normalized string -+ */ -+ public static String normalizeString(String string) { -+ if (string == null) { -+ return string; -+ } -+ -+ StringBuffer sb = new StringBuffer(); -+ StringTokenizer st = new StringTokenizer(string, "\r\n "); -+ -+ while (st.hasMoreTokens()) { -+ String nextLine = st.nextToken(); -+ nextLine = nextLine.trim(); -+ sb.append(nextLine); -+ } -+ return sb.toString(); 
-+ } - } --- -1.8.3.1 - - -From 5d46447f9c680fff61bbb72b36dee13e53f549af Mon Sep 17 00:00:00 2001 -From: Christina Fu -Date: Sat, 3 Feb 2018 15:50:24 -0800 -Subject: [PATCH 8/9] Ticket #2921 CMC: Revocation works with an unknown - revRequest.issuer - -This patche adds check between the issuer value of the RevokeRequest against the issuer of the certificate to be revoked. - -fixes: https://pagure.io/dogtagpki/issue/2921 -Change-Id: Ib2bb2debeb7d1c7ffea1799b5c32630062ddca6a -(cherry picked from commit c2c5bdad088fabbb89a8d3634530c74dae78c875) -(cherry picked from commit d3fa14e61d76de48631a209f95ae6f91d9da4484) ---- - .../com/netscape/certsrv/base/SessionContext.java | 1 + - .../src/com/netscape/cmstools/CMCRequest.java | 1 + - .../cms/authentication/CMCUserSignedAuth.java | 18 ++++++++ - .../cms/servlet/common/CMCOutputTemplate.java | 52 +++++++++++++++++++--- - 4 files changed, 65 insertions(+), 7 deletions(-) - -diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java -index 9323e6e..691173b 100644 ---- a/base/common/src/com/netscape/certsrv/base/SessionContext.java -+++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java -@@ -56,6 +56,7 @@ public class SessionContext extends Hashtable { - * Principal name object of the signed CMC request - */ - public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal"; -+ public static final String CMC_ISSUER_PRINCIPAL = "cmcISSUERPrincipal"; - public static final String CMC_SIGNER_INFO = "cmcSignerInfo"; - public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject"; - -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index fc58f4e..8146cee 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -1180,6 +1180,7 @@ public class CMCRequest { - 
System.out.println(method + "issuer name must be supplied when shared secret is used"); - System.exit(1); - } -+ System.out.println(method + "adding revRequestIssuer: " + revRequestIssuer); - issuerName = new X500Name(revRequestIssuer); - } else { // signing case; revokeSignCert is required - if (revokeSignCert == null) { -diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -index 9dbf787..527b7e5 100644 ---- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java -@@ -40,6 +40,7 @@ import java.util.Locale; - import java.util.Vector; - - import org.mozilla.jss.CryptoManager; -+import org.mozilla.jss.asn1.ANY; - import org.mozilla.jss.asn1.ASN1Util; - import org.mozilla.jss.asn1.BIT_STRING; - import org.mozilla.jss.asn1.INTEGER; -@@ -491,6 +492,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, - Integer IntObject = Integer.valueOf((int) reasonCode); - authToken.set(REASON_CODE, IntObject); - -+ ANY issuerANY = revRequest.getIssuerName(); -+ // handling of faillures with issuer is deferred -+ // to CMCOutputTemplate so that we can -+ // have a chance to capture user identification info -+ if (issuerANY != null) { -+ try { -+ byte[] issuerBytes = issuerANY.getEncoded(); -+ X500Name issuerName = new X500Name(issuerBytes); -+ CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); -+ // capture issuer principal to be checked against -+ // cert issuer principal later in CMCOutputTemplate -+ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); -+ } catch (Exception e) { -+ CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); -+ } -+ } -+ - //authToken.set("uid", uid); - //authToken.set("userid", userid); - -diff --git 
a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -index e89c9a0..a0a946d 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java -@@ -971,10 +971,6 @@ public class CMCOutputTemplate { - CMS.debug(method + "authManagerId =" + authManagerId); - } - -- // in case of CMCUserSignedAuth, -- // for matching signer and revoked cert principal -- X500Name signerPrincipal = null; -- - // for auditing - String auditRequesterID = null; - auditRequesterID = (String) context.get(SessionContext.USER_ID); -@@ -984,7 +980,14 @@ public class CMCOutputTemplate { - } else { - auditRequesterID = ILogger.NONROLEUSER; - } -- signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); -+ -+ // in case of CMCUserSignedAuth, -+ // for matching signer and revoked cert principal -+ X500Name reqSignerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL); -+ -+ // in case of shared secret revocation, for matching issuer -+ X500Name reqIssuerPrincipal = (X500Name) context.get(SessionContext.CMC_ISSUER_PRINCIPAL); -+ - String auditSubjectID = null; - String auditRequestType = "revoke"; - String auditSerialNumber = null; -@@ -1019,7 +1022,7 @@ public class CMCOutputTemplate { - - if (needVerify) { - if (authManagerId.equals("CMCUserSignedAuth")) { -- if (signerPrincipal == null) { -+ if (reqSignerPrincipal == null) { - CMS.debug(method + "missing CMC signer principal"); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, - new INTEGER(OtherInfo.BAD_MESSAGE_CHECK), -@@ -1235,12 +1238,47 @@ public class CMCOutputTemplate { - X509CertImpl impl = record.getCertificate(); - - X500Name certPrincipal = (X500Name) impl.getSubjectDN(); -+ X500Name certIssuerPrincipal = (X500Name) impl.getIssuerDN(); - auditSubjectID = certPrincipal.toString(); - -+ // 
for Shared Secret case, check if issuer DN matches -+ if (reqSecret != null) { -+ CMS.debug(method + "shared secret revocation: checking issuer DN"); -+ if ((reqIssuerPrincipal == null) || -+ ! reqIssuerPrincipal.equals(certIssuerPrincipal)) { -+ msg = " certificate issuer DN and revocation request issuer DN do not match"; -+ CMS.debug(method + msg); -+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), -+ null, null); -+ SEQUENCE failed_bpids = new SEQUENCE(); -+ failed_bpids.addElement(attrbpid); -+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, msg, -+ otherInfo); -+ tagattr = new TaggedAttribute( -+ new INTEGER(bpid++), -+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2); -+ controlSeq.addElement(tagattr); -+ -+ audit(new CertStatusChangeRequestProcessedEvent( -+ auditSubjectID, -+ ILogger.FAILURE, -+ auditReqID, -+ auditSerialNumber, -+ auditRequestType, -+ auditReasonNum, -+ auditApprovalStatus, -+ msg)); -+ -+ return bpid; -+ } else { -+ CMS.debug( method + "certificate issuer DN and revocation request issuer DN match"); -+ } -+ } -+ - // in case of user-signed request, check if signer - // principal matches that of the revoking cert - if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) { -- if (!certPrincipal.equals(signerPrincipal)) { -+ if (!certPrincipal.equals(reqSignerPrincipal)) { - msg = " certificate principal and signer do not match"; - CMS.debug(method + msg); - OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY), --- -1.8.3.1 - - -From 8f94902f7837fa3f9338e461e706f7ca85cdf7fd Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Fri, 19 Jan 2018 17:01:12 +1100 -Subject: [PATCH 9/9] Fix profile import dropping backslash characters - -When writing (importing, updating) RAW profile data, config values -that have backslashes in them have the backslashes dropped, leading -to issuance failures or issuance of incorrect 
certificates. For -example: - - policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat\, Inc. - -becomes: - - policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat, Inc. - -which causes issuance failures due to parse failure of the resulting -DN. - -This occurs because java.util.Properties is opinionated about what -does or doesn't need to be escaped. The ProfileSubsystem "raw" -methods originally used Properties to avoid more use of our "custom" -SimpleProperties class. That turned out to be a mistake, due to -Properties' incompatible treatment of backslashes. Switch over to -SimpleProperties for handling raw profile data. - -Fixes: https://pagure.io/dogtagpki/issue/2909 -Change-Id: I5cd738651cbfba0cad607d2b02edea04fe6be561 -(cherry picked from commit e634316eb7f2aedc65fe528fb572b15e1bdc1eb2) -(cherry picked from commit 10498f9c1db06ff31712a5543a9a0a76cb2523e2) ---- - .../dogtagpki/server/ca/rest/ProfileService.java | 27 ++++------------------ - 1 file changed, 4 insertions(+), 23 deletions(-) - -diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -index 3a68a1c..2884704 100644 ---- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java -@@ -29,7 +29,6 @@ import java.util.LinkedHashMap; - import java.util.List; - import java.util.Locale; - import java.util.Map; --import java.util.Properties; - import java.util.Vector; - - import javax.ws.rs.PathParam; -@@ -523,9 +522,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - Map auditParams = new LinkedHashMap(); - String profileId = null; - String classId = null; -- // First read the data into a Properties to process escaped -- // separator characters (':', '=') in values -- Properties properties = new Properties(); -+ SimpleProperties properties = new SimpleProperties(); - try { - 
// load data and read profileId and classId - properties.load(new ByteArrayInputStream(data)); -@@ -543,16 +540,9 @@ public class ProfileService extends SubsystemService implements ProfileResource - properties.remove("profileId"); - properties.remove("classId"); - -- // Now copy into SimpleProperties to avoid unwanted escapes -- // of separator characters in output -- SimpleProperties simpleProperties = new SimpleProperties(); -- for (String k : properties.stringPropertyNames()) { -- simpleProperties.setProperty(k, properties.getProperty(k)); -- } -- - try { - ByteArrayOutputStream out = new ByteArrayOutputStream(); -- simpleProperties.store(out, null); -+ properties.store(out, null); - data = out.toByteArray(); // original data sans profileId, classId - - IProfile profile = ps.getProfile(profileId); -@@ -669,9 +659,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - throw new ConflictingOperationException("Cannot change profile data. Profile must be disabled"); - } - -- // First read the data into a Properties to process escaped -- // separator characters (':', '=') in values -- Properties properties = new Properties(); -+ SimpleProperties properties = new SimpleProperties(); - try { - properties.load(new ByteArrayInputStream(data)); - } catch (IOException e) { -@@ -680,13 +668,6 @@ public class ProfileService extends SubsystemService implements ProfileResource - properties.remove("profileId"); - properties.remove("classId"); - -- // Now copy into SimpleProperties to avoid unwanted escapes -- // of separator characters in output -- SimpleProperties simpleProperties = new SimpleProperties(); -- for (String k : properties.stringPropertyNames()) { -- simpleProperties.setProperty(k, properties.getProperty(k)); -- } -- - try { - IProfile profile = ps.getProfile(profileId); - if (profile == null) { -@@ -694,7 +675,7 @@ public class ProfileService extends SubsystemService implements ProfileResource - } - - ByteArrayOutputStream out = 
new ByteArrayOutputStream(); -- simpleProperties.store(out, null); -+ properties.store(out, null); - data = out.toByteArray(); // original data sans profileId, classId - - // create temporary profile to verify profile configuration --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.1-snapshot-4.patch b/SOURCES/pki-core-10.5.1-snapshot-4.patch deleted file mode 100644 index 4a326e4..0000000 --- a/SOURCES/pki-core-10.5.1-snapshot-4.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 8fd3bae32bb540a850b64479c56d60f5557bc100 Mon Sep 17 00:00:00 2001 -From: Jack Magne -Date: Wed, 7 Feb 2018 14:05:13 -0800 -Subject: [PATCH 1/2] Fix Bug 1542210 - pki console configurations that - involves ldap passwords leave the plain text password in debug logs - -Simple sensitive data debug log prevention here. - -Change-Id: Ic409aaf7e392403c6a4c5afb255a421e1d351c46 -(cherry picked from commit ff70df12dd7fc4f801b281233f64bca3c674173b) -(cherry picked from commit e86691f5a5aba9c2d783ccddf79eb7226c36672c) ---- - .../cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -index d983e6c..769e8e4 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java -@@ -216,12 +216,13 @@ public class AdminServlet extends HttpServlet { - pn.equalsIgnoreCase("pin") || - pn.equalsIgnoreCase("pwd") || - pn.equalsIgnoreCase("pwdagain") || -- pn.equalsIgnoreCase("uPasswd")) { -+ pn.equalsIgnoreCase("uPasswd") || -+ pn.equalsIgnoreCase("PASSWORD_CACHE_ADD")) { - CMS.debug("AdminServlet::service() param name='" + pn + -- "' value='(sensitive)'"); -+ "' value='(sensitive)'"); - } else { - CMS.debug("AdminServlet::service() param name='" + pn + -- "' value='" + httpReq.getParameter(pn) + "'"); -+ "' value='" + httpReq.getParameter(pn) + "'"); - } - } - } --- -1.8.3.1 - - -From 511001c4aaa8e48de3932b4508846729b2e4ab6b Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 8 Feb 2018 15:06:53 +1100 -Subject: [PATCH 2/2] Fix lightweight CA key replication - -The resolution for issue https://pagure.io/dogtagpki/issue/2654 -caused a regression in lightweight CA key replication. 
When the
-authorityMonitor encounters a CA whose keys are not present,
-signingUnit initialisation fails (as expected). The signing info
-event logging behaviour introduced in commit
-4551eb1ce6b14e4a37f9c70b3bfd6c9050e13f10 then results in a
-NullPointerException, crashing the authorityMonitor thread.
-
-Fix the issue by extracting the signing info event logging behaviour
-to a separate method, and invoke that method as the final step of
-signingUnit initialisation.
-
-Fixes: https://pagure.io/dogtagpki/issue/2929
-Change-Id: Ic6663c09c30754f4fb914dcaf0bc2d902aa91473
-(cherry picked from commit 2251f78c22b2e3b23450cdb274207893932cbd0b)
----
- base/ca/src/com/netscape/ca/CertificateAuthority.java | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-index e5d21eb..9aaa9cb 100644
---- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
-+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
-@@ -662,7 +662,10 @@ public class CertificateAuthority
- }
- throw e;
- }
-+ }
-
-+ private void generateSigningInfoAuditEvents()
-+ throws EBaseException {
- try {
-
- if (isHostAuthority()) {
-@@ -1852,6 +1855,8 @@ public class CertificateAuthority
- throw new ECAException(
- CMS.getUserMessage("CMS_CA_BUILD_CA_CHAIN_FAILED", e.toString()));
- }
-+
-+ generateSigningInfoAuditEvents();
- }
-
- /**
---
-1.8.3.1
-
diff --git a/SOURCES/pki-core-10.5.1-snapshot-5.patch b/SOURCES/pki-core-10.5.1-snapshot-5.patch
deleted file mode 100644
index 7fe60d6..0000000
--- a/SOURCES/pki-core-10.5.1-snapshot-5.patch
+++ /dev/null
@@ -1,702 +0,0 @@
-From b56da71239b10f42a7c0c017eda2f0d63d43031d Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Fri, 9 Feb 2018 01:53:37 +0100
-Subject: [PATCH 1/7] Disabled failing unit tests.
-
-Some unit tests have been disabled since they are currently
-failing. This allows other tests to be enabled later. These
-failures need to be investigated further.
-
-https://pagure.io/dogtagpki/issue/2908
-
-Change-Id: If5aa31c10f89fb8388085b59377347338ae729a1
-(cherry picked from commit 17fcac5f807cbbf1ee6709a6613d9baa80f1115d)
-(cherry picked from commit 431ad0ec9f6f8188c1d240ed60966d53a4c6982b)
----
- base/server/test/CMakeLists.txt | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/base/server/test/CMakeLists.txt b/base/server/test/CMakeLists.txt
-index 6534a6c..707493f 100644
---- a/base/server/test/CMakeLists.txt
-+++ b/base/server/test/CMakeLists.txt
-@@ -61,7 +61,7 @@ add_junit_test(test-pki-server
- ${HAMCREST_JAR} ${JUNIT_JAR}
- ${CMAKE_BINARY_DIR}/test/classes
- TESTS
-- com.netscape.cmscore.authentication.AuthTokenTest
-+ # com.netscape.cmscore.authentication.AuthTokenTest
- com.netscape.cmscore.dbs.CertRecordListTest
- com.netscape.cmscore.dbs.DBRegistryTest
- # com.netscape.cmscore.request.AgentApprovalsTest
-@@ -69,7 +69,7 @@ add_junit_test(test-pki-server
- com.netscape.cmscore.request.ExtDataHashtableTest
- com.netscape.cmscore.request.RequestQueueTest
- com.netscape.cmscore.request.RequestRecordTest
-- com.netscape.cmscore.request.RequestTest
-+ # com.netscape.cmscore.request.RequestTest
- REPORTS_DIR
- reports
- )
---
-1.8.3.1
-
-
-From 38c6e86e434caf80635b88c2265bb5b6d036bef7 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Sat, 10 Feb 2018 05:16:41 +0100
-Subject: [PATCH 4/7] Added Key ID encoder and decoder.
-
-The following methods have been added to encode and decode NSS key
-ID properly:
- - CryptoUtil.encodeKeyID()
- - CryptoUtil.decodeKeyID()
-
-A unit test has been added to verify the functionality.
-
-https://pagure.io/dogtagpki/issue/2884
-
-Change-Id: Ib295bc1cb449f544cd0220bfaea1ed0d71136365
-(cherry picked from commit c46f53ff6f2fb398600c59410b2afe14fed9dbfa)
----
- .../com/netscape/cmsutil/crypto/CryptoUtil.java | 63 +++++-
- base/util/test/CMakeLists.txt | 2 +
- .../netscape/cmsutil/crypto/KeyIDCodecTest.java | 239 +++++++++++++++++++++
- 3 files changed, 303 insertions(+), 1 deletion(-)
- create mode 100644 base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java
-
-diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-index 27ae0de..0742f8e 100644
---- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
-@@ -54,6 +54,7 @@ import java.util.Map;
- import java.util.StringTokenizer;
- import java.util.Vector;
-
-+import org.apache.commons.codec.binary.Hex;
- import org.apache.commons.lang.ArrayUtils;
- import org.apache.commons.lang.StringUtils;
- import org.mozilla.jss.CryptoManager;
-@@ -179,6 +180,8 @@ public class CryptoUtil {
- }
- }
-
-+ public final static int KEY_ID_LENGTH = 20;
-+
- public final static String INTERNAL_TOKEN_NAME = "internal";
- public final static String INTERNAL_TOKEN_FULL_NAME = "Internal Key Storage Token";
-
-@@ -2046,12 +2049,70 @@ public class CryptoUtil {
- return false;
- }
-
-+ /**
-+ * Converts any length byte array into a signed, variable-length
-+ * hexadecimal number.
-+ */
- public static String byte2string(byte id[]) {
- return new BigInteger(id).toString(16);
- }
-
-+ /**
-+ * Converts a signed, variable-length hexadecimal number into a byte
-+ * array, which may not be identical to the original byte array.
-+ */
- public static byte[] string2byte(String id) {
-- return (new BigInteger(id, 16)).toByteArray();
-+ return new BigInteger(id, 16).toByteArray();
-+ }
-+
-+ /**
-+ * Converts NSS key ID from a 20 byte array into a signed, variable-length
-+ * hexadecimal number (to maintain compatibility with byte2string()).
-+ */
-+ public static String encodeKeyID(byte[] keyID) {
-+
-+ if (keyID.length != KEY_ID_LENGTH) {
-+ throw new IllegalArgumentException(
-+ "Unable to encode Key ID: " + Hex.encodeHexString(keyID));
-+ }
-+
-+ return new BigInteger(keyID).toString(16);
-+ }
-+
-+ /**
-+ * Converts NSS key ID from a signed, variable-length hexadecimal number
-+ * into a 20 byte array, which will be identical to the original byte array.
-+ */
-+ public static byte[] decodeKeyID(String id) {
-+
-+ BigInteger value = new BigInteger(id, 16);
-+ byte[] array = value.toByteArray();
-+
-+ if (array.length > KEY_ID_LENGTH) {
-+ throw new IllegalArgumentException(
-+ "Unable to decode Key ID: " + id);
-+ }
-+
-+ if (array.length < KEY_ID_LENGTH) {
-+
-+ // extend the array with most significant bit
-+ byte[] tmp = array;
-+ array = new byte[KEY_ID_LENGTH];
-+
-+ // calculate the extension
-+ int p = KEY_ID_LENGTH - tmp.length;
-+
-+ // create filler byte based op the most significant bit
-+ byte b = (byte)(value.signum() >= 0 ?
0x00 : 0xff);
-+
-+ // fill the extension with the filler byte
-+ Arrays.fill(array, 0, p, b);
-+
-+ // copy the original array
-+ System.arraycopy(tmp, 0, array, p, tmp.length);
-+ }
-+
-+ return array;
- }
-
- /**
-diff --git a/base/util/test/CMakeLists.txt b/base/util/test/CMakeLists.txt
-index eabda2f..cc5c07a 100644
---- a/base/util/test/CMakeLists.txt
-+++ b/base/util/test/CMakeLists.txt
-@@ -20,11 +20,13 @@ javac(pki-util-test-classes
- # TODO: create CMake function to find all JUnit test classes
- add_junit_test(test-pki-util
- CLASSPATH
-+ ${SLF4J_API_JAR} ${SLF4J_JDK14_JAR}
- ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
- ${JSS_JAR} ${LDAPJDK_JAR} ${COMMONS_CODEC_JAR}
- ${HAMCREST_JAR} ${JUNIT_JAR}
- ${CMAKE_BINARY_DIR}/test/classes
- TESTS
-+ com.netscape.cmsutil.crypto.KeyIDCodecTest
- com.netscape.security.util.BMPStringTest
- com.netscape.security.util.IA5StringTest
- com.netscape.security.util.PrintableStringTest
-diff --git a/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java b/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java
-new file mode 100644
-index 0000000..e25a431
---- /dev/null
-+++ b/base/util/test/com/netscape/cmsutil/crypto/KeyIDCodecTest.java
-@@ -0,0 +1,239 @@
-+// --- BEGIN COPYRIGHT BLOCK ---
-+// This program is free software; you can redistribute it and/or modify
-+// it under the terms of the GNU General Public License as published by
-+// the Free Software Foundation; version 2 of the License.
-+//
-+// This program is distributed in the hope that it will be useful,
-+// but WITHOUT ANY WARRANTY; without even the implied warranty of
-+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+// GNU General Public License for more details.
-+//
-+// You should have received a copy of the GNU General Public License along
-+// with this program; if not, write to the Free Software Foundation, Inc.,
-+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+//
-+// (C) 2018 Red Hat, Inc.
-+// All rights reserved. -+// --- END COPYRIGHT BLOCK --- -+package com.netscape.cmsutil.crypto; -+ -+import org.junit.Assert; -+import org.junit.Test; -+ -+/** -+ * Key ID encoder and decoder validation. -+ * -+ * Key ID in NSS database is a 20 byte array. The key ID is -+ * stored in CS.cfg as a signed, variable-length, hexadecimal -+ * number. -+ * -+ * This test verifies that Key ID can be encoded and -+ * decoded correctly using the following methods: -+ * - CryptoUtil.encodeKeyID() -+ * - CryptoUtil.decodeKeyID() -+ * -+ * The test is performed against a set of valid data that -+ * covers the entire range of 20 byte array, and some invalid -+ * data as well. -+ */ -+public class KeyIDCodecTest { -+ -+ // data #1: zero -+ String DATA1_HEX = "0"; -+ -+ // 0000000000000000000000000000000000000000 -+ byte[] DATA1_BYTES = new byte[] { -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00 -+ }; -+ -+ // data #2: small positive number (with leading 0x00) -+ String DATA2_HEX = "18604db6c7a073ff08338650"; -+ -+ // 000000000000000018604db6c7a073ff08338650 -+ byte[] DATA2_BYTES = new byte[] { -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x18, (byte)0x60, (byte)0x4d, (byte)0xb6, -+ (byte)0xc7, (byte)0xa0, (byte)0x73, (byte)0xff, -+ (byte)0x08, (byte)0x33, (byte)0x86, (byte)0x50 -+ }; -+ -+ // data #3: large positive number -+ String DATA3_HEX = "446ed35d7e811e7f73d0d1f220afc60083deba74"; -+ -+ // 446ed35d7e811e7f73d0d1f220afc60083deba74 -+ byte[] DATA3_BYTES = new byte[] { -+ (byte)0x44, (byte)0x6e, (byte)0xd3, (byte)0x5d, -+ (byte)0x7e, (byte)0x81, (byte)0x1e, (byte)0x7f, -+ (byte)0x73, (byte)0xd0, (byte)0xd1, (byte)0xf2, -+ (byte)0x20, (byte)0xaf, (byte)0xc6, (byte)0x00, -+ (byte)0x83, (byte)0xde, 
(byte)0xba, (byte)0x74 -+ }; -+ -+ // data #4: highest 20-byte number -+ String DATA4_HEX = "7fffffffffffffffffffffffffffffffffffffff"; -+ -+ // 7fffffffffffffffffffffffffffffffffffffff -+ byte[] DATA4_BYTES = new byte[] { -+ (byte)0x7f, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff -+ }; -+ -+ // data #5: negative one -+ String DATA5_HEX = "-1"; -+ -+ // ffffffffffffffffffffffffffffffffffffffff -+ byte[] DATA5_BYTES = new byte[] { -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff -+ }; -+ -+ // data 6: small negative number (with leading 0xff) -+ String DATA6_HEX = "-314bd3fd90753fe3687d358d"; -+ -+ // ffffffffffffffffffffceb42c026f8ac01c9782ca73 -+ byte[] DATA6_BYTES = new byte[] { -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xff, (byte)0xff, (byte)0xff, (byte)0xff, -+ (byte)0xce, (byte)0xb4, (byte)0x2c, (byte)0x02, -+ (byte)0x6f, (byte)0x8a, (byte)0xc0, (byte)0x1c, -+ (byte)0x97, (byte)0x82, (byte)0xca, (byte)0x73 -+ }; -+ -+ // data #7: large negative number -+ String DATA7_HEX = "-16e096b561838ac32855acc30a09e6a2d9adc120"; -+ -+ // e91f694a9e7c753cd7aa533cf5f6195d26523ee0 -+ byte[] DATA7_BYTES = new byte[] { -+ (byte)0xe9, (byte)0x1f, (byte)0x69, (byte)0x4a, -+ (byte)0x9e, (byte)0x7c, (byte)0x75, (byte)0x3c, -+ (byte)0xd7, (byte)0xaa, (byte)0x53, (byte)0x3c, -+ (byte)0xf5, (byte)0xf6, (byte)0x19, (byte)0x5d, -+ (byte)0x26, (byte)0x52, (byte)0x3e, (byte)0xe0 -+ }; -+ -+ // data #8: lowest 20-byte number -+ String DATA8_HEX = "-8000000000000000000000000000000000000000"; -+ -+ // 8000000000000000000000000000000000000000 -+ byte[] DATA8_BYTES = new byte[] { 
-+ (byte)0x80, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00, -+ (byte)0x00, (byte)0x00, (byte)0x00, (byte)0x00 -+ }; -+ -+ Object[][] TEST_DATA = { -+ new Object[] { DATA1_BYTES, DATA1_HEX }, -+ new Object[] { DATA2_BYTES, DATA2_HEX }, -+ new Object[] { DATA3_BYTES, DATA3_HEX }, -+ new Object[] { DATA4_BYTES, DATA4_HEX }, -+ new Object[] { DATA5_BYTES, DATA5_HEX }, -+ new Object[] { DATA6_BYTES, DATA6_HEX }, -+ new Object[] { DATA7_BYTES, DATA7_HEX }, -+ new Object[] { DATA8_BYTES, DATA8_HEX } -+ }; -+ -+ @Test -+ public void testEncoder() throws Exception { -+ -+ System.out.println("Testing Key ID encoder with valid data:"); -+ -+ for (int i = 0; i < TEST_DATA.length; i++) { -+ System.out.println(" - data #" + (i + 1)); -+ -+ byte[] bytes = (byte[])TEST_DATA[i][0]; -+ String hex = (String)TEST_DATA[i][1]; -+ -+ String result = CryptoUtil.encodeKeyID(bytes); -+ Assert.assertEquals(hex, result); -+ } -+ -+ System.out.println("Testing Key ID encoder with invalid data:"); -+ -+ try { -+ System.out.println(" - null data"); -+ CryptoUtil.encodeKeyID(null); -+ Assert.fail("should throw NullPointerException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof NullPointerException); -+ } -+ -+ try { -+ System.out.println(" - empty data"); -+ CryptoUtil.encodeKeyID(new byte[] {}); -+ Assert.fail("should throw IllegalArgumentException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof IllegalArgumentException); -+ } -+ -+ try { -+ System.out.println(" - incorrect length data"); -+ CryptoUtil.encodeKeyID(new byte[] { (byte)0x24, (byte)0xac }); -+ Assert.fail("should throw IllegalArgumentException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof IllegalArgumentException); -+ } -+ } -+ -+ @Test -+ public void testDecoder() throws Exception { -+ -+ System.out.println("Testing Key ID decoder with 
valid data:"); -+ -+ for (int i = 0; i < TEST_DATA.length; i++) { -+ System.out.println(" - data #" + (i + 1)); -+ -+ byte[] bytes = (byte[])TEST_DATA[i][0]; -+ String hex = (String)TEST_DATA[i][1]; -+ -+ byte[] result = CryptoUtil.decodeKeyID(hex); -+ Assert.assertArrayEquals(bytes, result); -+ } -+ -+ System.out.println("Testing Key ID decoder with invalid data:"); -+ -+ try { -+ System.out.println(" - null data"); -+ CryptoUtil.decodeKeyID(null); -+ Assert.fail("should throw NullPointerException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof NullPointerException); -+ } -+ -+ try { -+ System.out.println(" - empty data"); -+ CryptoUtil.decodeKeyID(""); -+ Assert.fail("should throw IllegalArgumentException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof IllegalArgumentException); -+ } -+ -+ try { -+ System.out.println(" - incorrect length data"); -+ CryptoUtil.decodeKeyID("ffffffffffffffffffffffffffffffffffffffffff"); -+ Assert.fail("should throw IllegalArgumentException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof IllegalArgumentException); -+ } -+ -+ try { -+ System.out.println(" - garbage data"); -+ CryptoUtil.decodeKeyID("garbage"); -+ Assert.fail("should throw NumberFormatException"); -+ } catch (Exception e) { -+ Assert.assertTrue(e instanceof NumberFormatException); -+ } -+ } -+} --- -1.8.3.1 - - -From 13b98e81cfc2c92fe435f0d3b0fa4017cb44c608 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Mon, 12 Feb 2018 18:20:57 +0100 -Subject: [PATCH 5/7] Fixed Key ID encoding and decoding. - -The code that encodes and decodes NSS key ID has been changed to -use CryptoUtil.encodeKeyID() and decodeKeyID(), respectively. 
- -https://pagure.io/dogtagpki/issue/2884 - -Change-Id: Ic97a9f8ea1ad7819c8f6ff0faf732ee04a2174e8 -(cherry picked from commit 275b706f0e38288db6c4c900b7116c9816ba82a7) -(cherry picked from commit d9969e2c2c5895056d4ecdb04718d5a4473c297d) ---- - base/ca/src/com/netscape/ca/SigningUnit.java | 2 +- - base/java-tools/src/com/netscape/cmstools/CMCRequest.java | 2 +- - base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java | 2 +- - base/java-tools/src/com/netscape/cmstools/PKCS10Client.java | 2 +- - base/ocsp/src/com/netscape/ocsp/SigningUnit.java | 2 +- - .../cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 6 +++--- - .../com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 12 ++++++------ - .../src/org/dogtagpki/server/rest/SystemConfigService.java | 2 +- - 8 files changed, 15 insertions(+), 15 deletions(-) - -diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java -index 7cd0dd4..ecd2a81 100644 ---- a/base/ca/src/com/netscape/ca/SigningUnit.java -+++ b/base/ca/src/com/netscape/ca/SigningUnit.java -@@ -190,7 +190,7 @@ public final class SigningUnit implements ISigningUnit { - throw new CAMissingKeyException(CMS.getUserMessage("CMS_CA_CERT_OBJECT_NOT_FOUND"), e); - } - -- String privateKeyID = CryptoUtil.byte2string(mPrivk.getUniqueID()); -+ String privateKeyID = CryptoUtil.encodeKeyID(mPrivk.getUniqueID()); - CMS.debug("SigningUnit: private key ID: " + privateKeyID); - - mPubk = mCert.getPublicKey(); -diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -index 8146cee..4e40143 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java -@@ -2163,7 +2163,7 @@ public class CMCRequest { - } else { - System.out.println("got request privKeyId: " + privKeyId); - -- byte[] keyIDb = CryptoUtil.string2byte(privKeyId); -+ byte[] keyIDb = 
CryptoUtil.decodeKeyID(privKeyId); - - privk = CryptoUtil.findPrivateKeyFromID(keyIDb); - -diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -index eadf3a8..bc95983 100644 ---- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java -@@ -475,7 +475,7 @@ public class CRMFPopClient { - PrivateKey privateKey = (PrivateKey) keyPair.getPrivate(); - @SuppressWarnings("deprecation") - byte id[] = privateKey.getUniqueID(); -- String kid = CryptoUtil.byte2string(id); -+ String kid = CryptoUtil.encodeKeyID(id); - System.out.println("Keypair private key id: " + kid); - - if (hostPort != null) { -diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -index d2278b8..9f39430 100644 ---- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java -@@ -303,7 +303,7 @@ public class PKCS10Client { - PrivateKey privateKey = (PrivateKey) pair.getPrivate(); - @SuppressWarnings("deprecation") - byte id[] = privateKey.getUniqueID(); -- String kid = CryptoUtil.byte2string(id); -+ String kid = CryptoUtil.encodeKeyID(id); - System.out.println("Keypair private key id: " + kid); - System.out.println(""); - -diff --git a/base/ocsp/src/com/netscape/ocsp/SigningUnit.java b/base/ocsp/src/com/netscape/ocsp/SigningUnit.java -index 686f1ed..4ed1625 100644 ---- a/base/ocsp/src/com/netscape/ocsp/SigningUnit.java -+++ b/base/ocsp/src/com/netscape/ocsp/SigningUnit.java -@@ -159,7 +159,7 @@ public final class SigningUnit implements ISigningUnit { - CMS.debug("SigningUnit: Loading private key"); - mPrivk = mManager.findPrivKeyByCert(mCert); - -- String privateKeyID = CryptoUtil.byte2string(mPrivk.getUniqueID()); -+ String privateKeyID = CryptoUtil.encodeKeyID(mPrivk.getUniqueID()); - 
CMS.debug("SigningUnit: private key ID: " + privateKeyID); - - mPubk = mCert.getPublicKey(); -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -index da4f17f..12d4ac1 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/CertUtil.java -@@ -154,7 +154,7 @@ public class CertUtil { - } - // get private key - String privKeyID = config.getString(prefix + certTag + ".privkey.id"); -- byte[] keyIDb = CryptoUtil.string2byte(privKeyID); -+ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyID); - - PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); - -@@ -546,7 +546,7 @@ public class CertUtil { - PrivateKey caPrik = (PrivateKey) pk; - */ - String caPriKeyID = config.getString(prefix + "signing" + ".privkey.id"); -- byte[] keyIDb = CryptoUtil.string2byte(caPriKeyID); -+ byte[] keyIDb = CryptoUtil.decodeKeyID(caPriKeyID); - PrivateKey caPrik = CryptoUtil.findPrivateKeyFromID(keyIDb); - - if (caPrik == null) { -@@ -761,7 +761,7 @@ public class CertUtil { - } else { - String str = ""; - try { -- str = CryptoUtil.byte2string(privKey.getUniqueID()); -+ str = CryptoUtil.encodeKeyID(privKey.getUniqueID()); - } catch (Exception e) { - CMS.debug("CertUtil privateKeyExistsOnToken: encode string Exception: " + e.toString()); - } -diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -index 1d37d73..0a5cd2e 100644 ---- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java -@@ -2379,7 +2379,7 @@ public class ConfigurationUtils { - - PrivateKey privateKey = (PrivateKey) pair.getPrivate(); - byte id[] = privateKey.getUniqueID(); -- String kid = CryptoUtil.byte2string(id); -+ String 
kid = CryptoUtil.encodeKeyID(id); - config.putString(PCERT_PREFIX + tag + ".privkey.id", kid); - - String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm"); -@@ -2439,10 +2439,10 @@ public class ConfigurationUtils { - - // XXX - store curve , w - byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); -- String kid = CryptoUtil.byte2string(id); -+ String kid = CryptoUtil.encodeKeyID(id); - - // try to locate the private key -- org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); -+ org.mozilla.jss.crypto.PrivateKey privk = CryptoUtil.findPrivateKeyFromID(CryptoUtil.decodeKeyID(kid)); - if (privk == null) { - CMS.debug("Found bad ECC key id " + kid); - pair = null; -@@ -2461,11 +2461,11 @@ public class ConfigurationUtils { - do { - pair = CryptoUtil.generateRSAKeyPair(token, keysize); - byte id[] = ((org.mozilla.jss.crypto.PrivateKey) pair.getPrivate()).getUniqueID(); -- String kid = CryptoUtil.byte2string(id); -+ String kid = CryptoUtil.encodeKeyID(id); - - // try to locate the private key - org.mozilla.jss.crypto.PrivateKey privk = -- CryptoUtil.findPrivateKeyFromID(CryptoUtil.string2byte(kid)); -+ CryptoUtil.findPrivateKeyFromID(CryptoUtil.decodeKeyID(kid)); - - if (privk == null) { - CMS.debug("Found bad RSA key id " + kid); -@@ -3009,7 +3009,7 @@ public class ConfigurationUtils { - String privKeyID = config.getString(PCERT_PREFIX + certTag + ".privkey.id"); - - CMS.debug("generateCertRequest: private key ID: " + privKeyID); -- byte[] keyIDb = CryptoUtil.string2byte(privKeyID); -+ byte[] keyIDb = CryptoUtil.decodeKeyID(privKeyID); - - PrivateKey privk = CryptoUtil.findPrivateKeyFromID(keyIDb); - if (privk == null) { -diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -index 575f97c..5130a1a 100644 ---- 
a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java -@@ -532,7 +532,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou - - cs.putString("preop.cert." + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); - cs.putString("preop.cert." + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); -- cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.byte2string(privk.getUniqueID())); -+ cs.putString("preop.cert." + tag + ".privkey.id", CryptoUtil.encodeKeyID(privk.getUniqueID())); - cs.putString("preop.cert." + tag + ".keyalgorithm", cdata.getKeyAlgorithm()); - cs.putString("preop.cert." + tag + ".keytype", cdata.getKeyType()); - } --- -1.8.3.1 - - -From cb17add9f01bb418f567c156c8bcf01113700b83 Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Thu, 15 Feb 2018 20:06:26 +0100 -Subject: [PATCH 6/7] Fixed SERVER_SIDE_KEYGEN_REQUEST_PROCESSED filter in KRA. - -The filter definition for SERVER_SIDE_KEYGEN_REQUEST_PROCESSED -event in KRA's CS.cfg has been updated to fix a typo. 
- -https://pagure.io/dogtagpki/issue/2656 - -Change-Id: I6f2e3d38597355e04b1899aeb324db43caefd4df -(cherry picked from commit d7db5fa81f9cda0997779e0ce57a309263669f1f) -(cherry picked from commit 6af503a10b95077780c15126e7af8336364854dc) ---- - base/kra/shared/conf/CS.cfg | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg -index 06bd0fe..f314234 100644 ---- a/base/kra/shared/conf/CS.cfg -+++ b/base/kra/shared/conf/CS.cfg -@@ -317,7 +317,7 @@ log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outco - log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure) - log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) - log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure) --log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=PROCESSED (Outcome=Failure) -+log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure) - log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure) - log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure) - log.instance.SignedAudit.expirationTime=0 --- -1.8.3.1 - - -From eda0b35693530a8ad796ac9012f5bee7db6dd9ac Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Fri, 16 Feb 2018 18:00:09 +0100 -Subject: [PATCH 7/7] Fixed NSSDatabase.add_ca_cert(). - -The NSSDatabase.add_ca_cert() has been modified to import CA -certificates into internal token instead of HSM since trust -validation is done by NSS using internal token. 
- -https://pagure.io/dogtagpki/issue/2944 - -Change-Id: I460cd752d741f3f91306c510ce469a023828343b -(cherry picked from commit 2f8fa5bb2d33bf80e8a19f1e30697be3bb5de915) -(cherry picked from commit cefae7941c0894a35dbebaf8f076a1941b910d93) ---- - base/common/python/pki/nssdb.py | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/base/common/python/pki/nssdb.py b/base/common/python/pki/nssdb.py -index 7c2602e..934fe8b 100644 ---- a/base/common/python/pki/nssdb.py -+++ b/base/common/python/pki/nssdb.py -@@ -201,15 +201,25 @@ class NSSDatabase(object): - subprocess.check_call(cmd) - - def add_ca_cert(self, cert_file, trust_attributes=None): -+ -+ # Import CA certificate into internal token with automatically -+ # assigned nickname. -+ -+ # If the certificate has previously been imported, it will keep -+ # the existing nickname. If the certificate has not been imported, -+ # JSS will generate a nickname based on root CA's subject DN. -+ -+ # For example, if the root CA's subject DN is "CN=CA Signing -+ # Certificate, O=EXAMPLE", the root CA cert's nickname will be -+ # "CA Signing Certificate - EXAMPLE". The subordinate CA cert's -+ # nickname will be "CA Signing Certificate - EXAMPLE #2". -+ - cmd = [ - 'pki', - '-d', self.directory, -- '-C', self.password_file -+ '-C', self.internal_password_file - ] - -- if self.token: -- cmd.extend(['--token', self.token]) -- - cmd.extend([ - 'client-cert-import', - '--ca-cert', cert_file --- -1.8.3.1 - diff --git a/SOURCES/pki-core-10.5.9-alpha.patch b/SOURCES/pki-core-10.5.9-alpha.patch new file mode 100644 index 0000000..f805723 --- /dev/null +++ b/SOURCES/pki-core-10.5.9-alpha.patch 
@@ -0,0 +1,1535 @@ +From 2d40c57887f7801f2ab0a8065b3b471bb7eafe80 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 19 Jun 2018 15:21:54 -0700 +Subject: [PATCH 1/7] Ticket 3037 CMC SharedToken SubjectDN default + +This patch adds proper subjectDN to CMC requests authenticated via ShardToken. +Specifically, the AuthTokenSubjectNameDefault profile default is added to +the default CMC profiles that authenticates via SharedToken. +Code were added to ensure that the proper subjectDN retrieved from the +mapped user entry is added to the AuthToken for such utilization. + +Fixes https://pagure.io/dogtagpki/issue/3037 + +Change-Id: Id92d9496ab5b41ea7b5dcffb8d73d3ffe8b29fbc +--- + .../ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 4 ++-- + .../netscape/certsrv/authentication/ISharedToken.java | 2 +- + .../com/netscape/cms/authentication/SharedSecret.java | 17 ++++++++++++++--- + .../com/netscape/cms/profile/common/EnrollProfile.java | 12 ++++++++++-- + .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 1 + + 6 files changed, 30 insertions(+), 10 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +index d0a3c25..144c05c 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +@@ -13,8 +13,8 @@ policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 + policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint + policyset.cmcUserCertSet.1.constraint.params.accept=true +-policyset.cmcUserCertSet.1.constraint.params.pattern=.* +-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* ++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl + 
policyset.cmcUserCertSet.1.default.name=Subject Name Default + policyset.cmcUserCertSet.1.default.params.name= + policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl +diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +index 6b2da33..bdcdc24 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +@@ -12,9 +12,9 @@ policyset.list=cmcUserCertSet + policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 + policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl + policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint ++policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* + policyset.cmcUserCertSet.1.constraint.params.accept=true +-policyset.cmcUserCertSet.1.constraint.params.pattern=.* +-policyset.cmcUserCertSet.1.default.class_id=userSubjectNameDefaultImpl ++policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl + policyset.cmcUserCertSet.1.default.name=Subject Name Default + policyset.cmcUserCertSet.1.default.params.name= + policyset.cmcUserCertSet.2.constraint.class_id=validityConstraintImpl +diff --git a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java +index 761c344..13f2286 100644 +--- a/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java ++++ b/base/common/src/com/netscape/certsrv/authentication/ISharedToken.java +@@ -28,7 +28,7 @@ import com.netscape.certsrv.base.EBaseException; + public interface ISharedToken { + + // support for id_cmc_identification +- public char[] getSharedToken(String identification) ++ public char[] getSharedToken(String identification, IAuthToken authToken) + throws EBaseException; + + public char[] getSharedToken(PKIData cmcData) +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java 
b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +index 1a3d877..e304b74 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +@@ -33,6 +33,7 @@ import com.netscape.certsrv.apps.CMS; + import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.EInvalidCredentials; + import com.netscape.certsrv.authentication.IAuthCredentials; ++import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; +@@ -233,18 +234,25 @@ public class SharedSecret extends DirBasedAuthentication + } + + /** +- * getSharedToken(String identification) provides ++ * getSharedToken(String identification, IAuthToken authToken) provides + * support for id_cmc_identification shared secret based enrollment + * ++ * @param identification maps to the uid in user's ldap record ++ * @param authToken the IAuthToken that will be filled with the DN ++ * in user's ldap record ++ * + * Note: caller should clear the memory for the returned token + * after each use + */ +- public char[] getSharedToken(String identification) ++ public char[] getSharedToken(String identification, IAuthToken authToken) + throws EBaseException { +- String method = "SharedSecret.getSharedToken(String identification): "; ++ String method = "SharedSecret.getSharedToken(String identification, IAuthToken authToken): "; + String msg = ""; + CMS.debug(method + "begins."); + ++ if ((identification == null) || (authToken == null)) { ++ throw new EBaseException(method + "paramsters identification or authToken cannot be null"); ++ } + LDAPConnection shrTokLdapConnection = null; + LDAPSearchResults res = null; + LDAPEntry entry = null; +@@ -287,6 +295,9 @@ public class SharedSecret extends DirBasedAuthentication + throw new 
EBaseException(msg); + } + ++ CMS.debug(method + "found user ldap entry: userdn = " + userdn); ++ authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); ++ + res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mShrTokAttr }, false); + if (res != null && res.hasMoreElements()) { +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index caa466c..929e629 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -1412,10 +1412,14 @@ public abstract class EnrollProfile extends BasicProfile + CMS.debug(method + " Failed to retrieve shared secret authentication plugin class"); + sharedSecretFound = false; + } ++ ++ IAuthToken authToken = (IAuthToken) ++ context.get(SessionContext.AUTH_TOKEN); ++ + ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + + if (ident_string != null) { +- sharedSecret = tokenClass.getSharedToken(ident_string); ++ sharedSecret = tokenClass.getSharedToken(ident_string, authToken); + } else { + sharedSecret = tokenClass.getSharedToken(mCMCData); + } +@@ -1709,12 +1713,16 @@ public abstract class EnrollProfile extends BasicProfile + signedAuditLogger.log(auditMessage); + return false; + } ++ ++ IAuthToken authToken = (IAuthToken) ++ sessionContext.get(SessionContext.AUTH_TOKEN); ++ + ISharedToken tokenClass = (ISharedToken) sharedTokenAuth; + + char[] token = null; + if (ident_string != null) { + auditAttemptedCred = ident_string; +- token = tokenClass.getSharedToken(ident_string); ++ token = tokenClass.getSharedToken(ident_string, authToken); + } else + token = tokenClass.getSharedToken(mCMCData); + +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 
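Review bot: The new null-check in SharedSecret.getSharedToken misspells its own message, `throw new EBaseException(method + "paramsters identification or authToken cannot be null");` should read `"parameters identification or authToken cannot be null"`, and the same typo (`paramster serial`) recurs in the getSharedToken(BigInteger) hunk of the following patch. The check itself is worth keeping: EnrollProfile now reads the token with `(IAuthToken) context.get(SessionContext.AUTH_TOKEN)`, and the ProfileSubmitCMCServlet hunk appears to store it only under the "authentication success" branch, so a failed or skipped authentication surfaces here as an EBaseException instead of a request with an unbound subject. Since `authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn)` is what lets authTokenSubjectNameDefaultImpl derive the certificate subject from the mapped LDAP entry rather than from the caller-supplied name, a one-line comment above it stating that contract would help, e.g. `// Bind the certificate subject to the authenticated user's DN; consumed by the AuthTokenSubjectName default`. The enclosing method continues outside the hunk.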
7d75e31..f469a66 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -446,6 +446,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + // authentication success + if (authToken != null) { + auditSubjectID = authToken.getInString(IAuthToken.USER_ID); ++ context.put(SessionContext.AUTH_TOKEN, authToken); + } + } catch (EBaseException e) { + CMCOutputTemplate template = new CMCOutputTemplate(); +-- +1.8.3.1 + + +From 2a228b4a8e1af920e577d007be87291831c635d5 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 20 Jun 2018 18:59:28 -0700 +Subject: [PATCH 2/7] Ticket 2920 Part2 of SharedToken Audit + +This patch addresses the issue that the original audit message for failure +got overwritten for SharedToken. + +fixes https://pagure.io/dogtagpki/issue/2920 + +Change-Id: I0c09fbcc39135dc9aeee8a49a40772565af996c4 +--- + .../netscape/cms/authentication/SharedSecret.java | 5 ++ + .../def/CMCUserSignedSubjectNameDefault.java | 7 ++- + .../cms/servlet/common/CMCOutputTemplate.java | 9 ++-- + .../servlet/profile/ProfileSubmitCMCServlet.java | 63 ++++++++++++++-------- + 4 files changed, 57 insertions(+), 27 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +index e304b74..5ebc213 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +@@ -406,6 +406,11 @@ public class SharedSecret extends DirBasedAuthentication + String method = "SharedSecret.getSharedToken(BigInteger serial): "; + String msg = ""; + ++ if (serial == null) { ++ throw new EBaseException(method + "paramster serial cannot be null"); ++ } ++ CMS.debug(method + serial.toString()); ++ + ICertRecord record = null; + try { + record = 
certRepository.readCertificateRecord(serial); +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java +index a0816ea..f1810b0 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/CMCUserSignedSubjectNameDefault.java +@@ -137,12 +137,17 @@ public class CMCUserSignedSubjectNameDefault extends EnrollDefault { + String msg = ""; + CMS.debug(method + "begins"); + +- String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); + if (info == null) { + msg = method + "info null"; + CMS.debug(msg); + throw new EProfileException(msg); + } ++ String signingUserSerial = request.getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); ++ if (signingUserSerial == null) { ++ msg = method + "signing user serial not found; request was unsigned?"; ++ CMS.debug(msg); ++ throw new EProfileException(msg); ++ } + + CertificateSubjectName certSN = null; + try { +diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +index a0a946d..154cd33 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java +@@ -1103,14 +1103,15 @@ public class CMCOutputTemplate { + + char[] sharedSecret = null; + try { +- sharedSecret = tokenClass.getSharedToken(revokeSerial); ++ sharedSecret = tokenClass.getSharedToken(revokeSerial); + } catch (Exception eShrTok) { +- CMS.debug("CMCOutputTemplate: " + eShrTok.toString()); ++ msg = "CMCOutputTemplate: " + eShrTok.toString(); + } + + if (sharedSecret == null) { +- msg = " shared secret not found"; +- CMS.debug(method + msg); ++ if (msg.equals("")) // don't overwrite the msg ++ msg = " 
shared secret not found"; ++ CMS.debug(msg); + audit(new CertStatusChangeRequestProcessedEvent( + auditSubjectID, + ILogger.FAILURE, +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index f469a66..12fd294 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -533,10 +533,16 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in ctx for CMCUserSignedAuth"); + ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); + } ++ ++ String errorCode = null; ++ String errorReason = null; ++ String auditRequesterID = ILogger.UNIDENTIFIED; ++ + try { + reqs = profile.createRequests(ctx, locale); + } catch (ECMCBadMessageCheckException e) { +- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -547,9 +553,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.BAD_MESSAGE_CHECK, s); +- return; + } catch (ECMCBadIdentityException e) { +- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -560,9 +566,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, 
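Review bot: `if (msg.equals(""))` in CMCOutputTemplate now dereferences msg, whose initialisation is outside the hunk; if it can be null at that point this becomes a NullPointerException on the shared-secret-not-found path, so `if (msg == null || msg.isEmpty())` is the safer form, or an explicit `msg = "";` before the try. The fallback message also lost its context: the old code logged `CMS.debug(method + msg)`, the new `CMS.debug(msg)` emits just " shared secret not found" with no indication of where it came from. Keeping the exception text from the catch block as the recorded reason is the right call for diagnosing shared-token revocation failures; both branches should still produce a message that names the method, and what happens to msg after the audit call is not visible here.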
seq, + OtherInfo.BAD_IDENTITY, s); +- return; + } catch (ECMCPopFailedException e) { +- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -573,9 +579,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.POP_FAILED, s); +- return; + } catch (ECMCBadRequestException e) { +- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -586,9 +592,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.BAD_REQUEST, s); +- return; + } catch (EProfileException e) { +- CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -599,9 +605,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.INTERNAL_CA_ERROR, s); +- return; + } catch (Throwable e) { +- CMS.debug("ProfileSubmitCMCServlet: createRequests - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: createRequests - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new 
INTEGER(0)); +@@ -612,7 +618,15 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.INTERNAL_CA_ERROR, s); +- return; ++ } ++ ++ if (errorReason != null) { ++ audit(CertRequestProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_REJECTION, ++ errorReason)); ++ return; + } + + TaggedAttribute attr = +@@ -684,13 +698,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + } + +- String errorCode = null; +- String errorReason = null; +- + /////////////////////////////////////////////// + // populate request + /////////////////////////////////////////////// + for (int k = 0; (!isRevoke) && (provedReq == null) &&(k < reqs.length); k++) { ++ auditRequesterID = auditRequesterID(reqs[k]); + // adding parameters to request + setInputsIntoRequest(request, profile, reqs[k]); + +@@ -769,7 +781,8 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + profile.populateInput(ctx, reqs[k]); + profile.populate(reqs[k]); + } catch (ECMCPopFailedException e) { +- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -780,9 +793,9 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.POP_FAILED, s); +- return; + } catch (EProfileException e) { +- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); + CMCOutputTemplate template = new CMCOutputTemplate(); + SEQUENCE seq = new SEQUENCE(); + seq.addElement(new INTEGER(0)); +@@ -793,9 +806,9 @@ public class 
ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.BAD_REQUEST, s); +- return; + } catch (Throwable e) { +- CMS.debug("ProfileSubmitCMCServlet: after populate - " + e.toString()); ++ errorReason = e.toString(); ++ CMS.debug("ProfileSubmitCMCServlet: after populate - " + errorReason); + // throw new IOException("Profile " + profileId + + // " cannot populate"); + CMCOutputTemplate template = new CMCOutputTemplate(); +@@ -808,12 +821,18 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + } + template.createFullResponseWithFailedStatus(response, seq, + OtherInfo.INTERNAL_CA_ERROR, s); ++ } ++ ++ if (errorReason != null) { ++ audit(CertRequestProcessedEvent.createFailureEvent( ++ auditSubjectID, ++ auditRequesterID, ++ ILogger.SIGNED_AUDIT_REJECTION, ++ errorReason)); + return; + } + } //for + +- String auditRequesterID = ILogger.UNIDENTIFIED; +- + try { + /////////////////////////////////////////////// + // submit request +-- +1.8.3.1 + + +From a85486cfc7644b6a1caac6f5a2b34c4516ea1288 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Fri, 15 Jun 2018 00:28:43 +1000 +Subject: [PATCH 3/7] IPAddressName: fix construction from String + +The IPAddressName(String) constructor (the non-netmask case) was +broken by commit 628ace0c90073a8a1d90e96fae0aab9e43903fd6. Fix it, +and rename one of the helper methods to clarify its behaviour. 
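Review bot: The catch blocks in ProfileSubmitCMCServlet now fall through so that `audit(CertRequestProcessedEvent.createFailureEvent(auditSubjectID, auditRequesterID, ILogger.SIGNED_AUDIT_REJECTION, errorReason))` is emitted for every createRequests and populate failure, but errorReason is `e.toString()` verbatim, and exception text may carry request-derived content including line breaks; patch 4/7 of this same series normalizes ConfigRoleEvent params precisely because embedded line breaks make AuditVerify fail, so the same normalization (at minimum stripping CR/LF) belongs here before the reason enters the signed audit log. The `catch (Throwable e)` arms still turn Errors into a CMC failure response, which is pre-existing, but now that the return is shared a comment in each catch would make the intent explicit, e.g. `// no return here: fall through to the common failure audit below`. The populate loop's `if (errorReason != null) { ... return; }` relies on errorReason being null on entry to each iteration, which holds only because every failure returns; that is worth a comment too. The enclosing method starts and ends outside these hunks.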
+ +Fixes: https://pagure.io/dogtagpki/issue/2922 +Change-Id: I711cf6845496f54c86b10d2d01368912084f96ea +--- + base/util/src/netscape/security/x509/IPAddressName.java | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/base/util/src/netscape/security/x509/IPAddressName.java b/base/util/src/netscape/security/x509/IPAddressName.java +index a343a5f..b227af0 100644 +--- a/base/util/src/netscape/security/x509/IPAddressName.java ++++ b/base/util/src/netscape/security/x509/IPAddressName.java +@@ -76,7 +76,7 @@ public class IPAddressName implements GeneralNameInterface { + * @param netmask the netmask address in the format: n.n.n.n or x:x:x:x:x:x:x:x (RFC 1884) + */ + public IPAddressName(String s, String netmask) { +- address = initAddress(true, s); ++ address = parseAddress(true, s); + if (address.length == IPv4_LEN * 2) + fillIPv4Address(netmask, address, address.length / 2); + else +@@ -90,7 +90,7 @@ public class IPAddressName implements GeneralNameInterface { + * @param mask a CIDR netmask + */ + public IPAddressName(String s, CIDRNetmask mask) { +- address = initAddress(true, s); ++ address = parseAddress(true, s); + mask.write(ByteBuffer.wrap( + address, address.length / 2, address.length / 2)); + } +@@ -102,7 +102,7 @@ public class IPAddressName implements GeneralNameInterface { + * @param s the ip address in the format: n.n.n.n or x:x:x:x:x:x:x:x + */ + public IPAddressName(String s) { +- initAddress(false, s); ++ address = parseAddress(false, s); + } + + /** +@@ -113,7 +113,7 @@ public class IPAddressName implements GeneralNameInterface { + * @return byte[] of length 4 or 16 if withNetmask == false, + * or length 8 or 32 if withNetmask == true. + */ +- private static byte[] initAddress(boolean withNetmask, String s) { ++ private static byte[] parseAddress(boolean withNetmask, String s) { + if (s.indexOf(':') != -1) { + byte[] address = new byte[IPv6_LEN * (withNetmask ? 
2 : 1)]; + fillIPv6Address(s, address, 0); +-- +1.8.3.1 + + +From 1f5e857759cb822093cdc20125fa4d0990432356 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 25 Jun 2018 16:46:36 -0700 +Subject: [PATCH 4/7] Ticket 3003 AuditVerify failure due to line breaks + +This patch normalizes the CONFIG_ROLE audit event params to eliminate line breaks +in audit entry from running pki ca-user-cert-add which would cause AuditVerify +to fail. (note: adding user cert via the java console does not have such issue) + +fixes https://pagure.io/dogtagpki/issue/3003 + +Change-Id: I52814714acebd29774abf0eb66aef3655ef2adb9 +--- + .../com/netscape/certsrv/logging/event/ConfigRoleEvent.java | 3 ++- + base/util/src/com/netscape/cmsutil/util/Utils.java | 12 +++++++++++- + 2 files changed, 13 insertions(+), 2 deletions(-) + +diff --git a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java +index cc5f0b7..0ac71a8 100644 +--- a/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java ++++ b/base/common/src/com/netscape/certsrv/logging/event/ConfigRoleEvent.java +@@ -18,6 +18,7 @@ + package com.netscape.certsrv.logging.event; + + import com.netscape.certsrv.logging.SignedAuditEvent; ++import com.netscape.cmsutil.util.Utils; + + public class ConfigRoleEvent extends SignedAuditEvent { + +@@ -35,6 +36,6 @@ public class ConfigRoleEvent extends SignedAuditEvent { + + setAttribute("SubjectID", subjectID); + setAttribute("Outcome", outcome); +- setAttribute("ParamNameValPairs", params); ++ setAttribute("ParamNameValPairs", Utils.normalizeString(params, true /*keep space*/)); + } + } +diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java +index 5ff78ad..9d0f9eb 100644 +--- a/base/util/src/com/netscape/cmsutil/util/Utils.java ++++ b/base/util/src/com/netscape/cmsutil/util/Utils.java +@@ -336,15 +336,24 @@ public class Utils { + * 
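Review bot: `IPAddressName(String)` now stores the result, `address = parseAddress(false, s);`, restoring the field that the earlier refactor left unset, but nothing in the series adds a regression test; a test constructing the name from an IPv4 and an IPv6 literal (constructed examples such as `"192.0.2.1"` and `"2001:db8::1"`) and checking the encoded length against the 4/16 bytes the `parseAddress` Javadoc promises would have caught the original breakage. `parseAddress` still dereferences `s` immediately in `s.indexOf(':')`, so a `null` argument fails inside the helper; `Objects.requireNonNull(s, "s")` at the top of each constructor would make the contract explicit. The body of `parseAddress` continues past the end of the hunk.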
Normalize B64 input String + * + * @pram string base-64 string ++ * @param keepspace a boolean variable to control whether to keep spaces or not + * @return normalized string + */ + public static String normalizeString(String string) { ++ return normalizeString(string, false /*keepSpace*/); ++ } ++ ++ public static String normalizeString(String string, Boolean keepSpace) { + if (string == null) { + return string; + } + + StringBuffer sb = new StringBuffer(); +- StringTokenizer st = new StringTokenizer(string, "\r\n "); ++ StringTokenizer st = null; ++ if (keepSpace) ++ st = new StringTokenizer(string, "\r\n"); ++ else ++ st = new StringTokenizer(string, "\r\n "); + + while (st.hasMoreTokens()) { + String nextLine = st.nextToken(); +@@ -353,4 +362,5 @@ public class Utils { + } + return sb.toString(); + } ++ + } +-- +1.8.3.1 + + +From cf1b83ed6e7be07636c3deac770d586433d80f9e Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 26 Jun 2018 15:16:53 -0700 +Subject: [PATCH 5/7] Ticket 2992 CMC Simple request profiles and CMCResponse + to support simple response + +This patch fixes the broken profiles resulted from https://pagure.io/dogtagpki/issue/3018. + +In addition, CMCResponse has been improved to handle CMC simple response. 
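Review bot: The new overload is declared `public static String normalizeString(String string, Boolean keepSpace)` and unboxes the flag in `if (keepSpace)`, so a caller passing `null` gets a NullPointerException; a primitive `boolean keepSpace` is what both visible call sites (`false /*keepSpace*/` here and `true /*keep space*/` in ConfigRoleEvent) actually need. The added `@param keepspace` line sits in the Javadoc of the single-argument `normalizeString(String)`, which has no such parameter, and misspells the name; the two-argument overload has no Javadoc at all and should carry it, e.g. `@param keepSpace when true only CR and LF are removed; otherwise spaces are stripped as well`. The pre-existing `@pram` typo in the same comment could be fixed in passing.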
+ +fixes https://pagure.io/dogtagpki/issue/2992 + +Change-Id: If72aa08f044c96e4e5bd5ed98512d2936fe0d50a +--- + .../shared/profiles/ca/caECSimpleCMCUserCert.cfg | 6 +-- + base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg | 6 +-- + .../src/com/netscape/cmstools/CMCResponse.java | 46 +++++++++++++--------- + 3 files changed, 34 insertions(+), 24 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +index 64a6ad9..8df3576 100644 +--- a/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caECSimpleCMCUserCert.cfg +@@ -1,11 +1,11 @@ +-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. ++desc=This certificate profile is for enrolling user certificates by using the CMC simple certificate request with agent authentication. + enable=true + enableBy=admin + name=Simple CMC Enrollment Request for User Certificate + visible=false +-auth.instance_id= ++auth.instance_id=AgentCertAuth + input.list=i1 +-input.i1.class_id=cmcCertReqInputImpl ++input.i1.class_id=certReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +index 0628a36..a55873f 100644 +--- a/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg ++++ b/base/ca/shared/profiles/ca/caSimpleCMCUserCert.cfg +@@ -1,11 +1,11 @@ +-desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with CMC Signature authentication. ++desc=This certificate profile is for enrolling user certificates by using the CMC Simple certificate request with agent authentication. 
+ enable=true + enableBy=admin + name=Simple CMC Enrollment Request for User Certificate + visible=false +-auth.instance_id= ++auth.instance_id=AgentCertAuth + input.list=i1 +-input.i1.class_id=cmcCertReqInputImpl ++input.i1.class_id=certReqInputImpl + output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet +diff --git a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +index 945f09f..5d4f6c6 100644 +--- a/base/java-tools/src/com/netscape/cmstools/CMCResponse.java ++++ b/base/java-tools/src/com/netscape/cmstools/CMCResponse.java +@@ -82,14 +82,20 @@ public class CMCResponse { + + public Collection getStatusInfos() throws IOException, InvalidBERException { + +- Collection list = new ArrayList<>(); +- +- // assume full CMC response +- + SignedData signedData = (SignedData) contentInfo.getInterpretedContent(); + EncapsulatedContentInfo eci = signedData.getContentInfo(); + ++ Collection list = new ArrayList<>(); ++ + OCTET_STRING content = eci.getContent(); ++ if (content == null) { ++ System.out.println("CMC Simple Response."); ++ // No EncapsulatedContentInfo content; Assume simple response; ++ return null; ++ } ++ // assume full CMC response ++ System.out.println("CMC Full Response."); ++ + ByteArrayInputStream is = new ByteArrayInputStream(content.toByteArray()); + ResponseBody responseBody = (ResponseBody) (new ResponseBody.Template()).decode(is); + +@@ -166,8 +172,10 @@ public class CMCResponse { + System.out.println("Invalid CMC Response Format"); + } + +- if (!ci.hasContent()) ++ if (!ci.hasContent()) { ++ // No EncapsulatedContentInfo content; Assume simple response + return; ++ } + + OCTET_STRING content1 = ci.getContent(); + ByteArrayInputStream bbis = new ByteArrayInputStream(content1.toByteArray()); +@@ -371,23 +379,25 @@ public class CMCResponse { + + // terminate if any of the statuses is not a SUCCESS + Collection statusInfos = response.getStatusInfos(); +- 
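Review bot: `getStatusInfos()` now returns `null` for a simple response (`if (content == null) { ... return null; }`), which turns every caller into a null-check site; the `@@ -371` hunk adds exactly that wrapper. Returning `Collections.emptyList()` (or the `list` that is created just above) expresses the same "no status to check" outcome, lets the caller's loop run zero times, and removes the `if (statusInfos != null)` nesting. The two new `System.out.println("CMC Simple Response.")` / `"CMC Full Response."` calls put diagnostic output inside an accessor; if users need them, report from the caller that already prints results, otherwise drop them. The re-added `Collection list = new ArrayList<>();` is a raw type — `Collection<CMCStatusInfoV2>` matches how the `@@ -371` hunk iterates it. The rest of the method is outside the hunk.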
for (CMCStatusInfoV2 statusInfo : statusInfos) { ++ if (statusInfos != null) { // full response ++ for (CMCStatusInfoV2 statusInfo : statusInfos) { + +- int status = statusInfo.getStatus(); +- if (status == CMCStatusInfoV2.SUCCESS) { +- continue; +- } ++ int status = statusInfo.getStatus(); ++ if (status == CMCStatusInfoV2.SUCCESS) { ++ continue; ++ } + +- SEQUENCE bodyList = statusInfo.getBodyList(); ++ SEQUENCE bodyList = statusInfo.getBodyList(); + +- Collection list = new ArrayList<>(); +- for (int i = 0; i < bodyList.size(); i++) { +- INTEGER n = (INTEGER) bodyList.elementAt(i); +- list.add(n); +- } ++ Collection list = new ArrayList<>(); ++ for (int i = 0; i < bodyList.size(); i++) { ++ INTEGER n = (INTEGER) bodyList.elementAt(i); ++ list.add(n); ++ } + +- System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]); +- System.exit(1); ++ System.err.println("ERROR: CMC status for " + list + ": " + CMCStatusInfoV2.STATUS[status]); ++ System.exit(1); ++ } + } + + // export PKCS #7 if requested +-- +1.8.3.1 + + +From 3ad054342a08719cd80c618c2aa260210b418113 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 27 Jun 2018 15:04:57 -0700 +Subject: [PATCH 6/7] Ticket #2959 Address pkispawn ECC profile overrides + +This patch enables proper ECC profiles to be automatically applied during +pkispawn. + +This patch would eliminate the need for the workaround documented here: +http://www.dogtagpki.org/wiki/PKI_10.5_Pkispawn_ECC_Profile_Workaround + +The idea is to use the % replacement strings as part of the profile names +in the default.cfg file for pkispawn, +and change the profile names to mach the format. So for example: + +%(pki_admin_key_type)AdminCert.profile + +would either be translated to rsaAdminCert.profile or eccAdminCert.profile +depending on the value in pki_admin_key_type + +All 6 relevant profiles have been renamed per new convention. 
+ +fixes https://pagure.io/dogtagpki/issue/2959 + +Change-Id: I9a9f70e415438e0b4130294abb725c74fd6e1b95 +--- + base/ca/shared/conf/ECadminCert.profile | 39 -------------------------- + base/ca/shared/conf/ECserverCert.profile | 39 -------------------------- + base/ca/shared/conf/ECsubsystemCert.profile | 39 -------------------------- + base/ca/shared/conf/adminCert.profile | 39 -------------------------- + base/ca/shared/conf/eccAdminCert.profile | 39 ++++++++++++++++++++++++++ + base/ca/shared/conf/eccServerCert.profile | 39 ++++++++++++++++++++++++++ + base/ca/shared/conf/eccSubsystemCert.profile | 39 ++++++++++++++++++++++++++ + base/ca/shared/conf/rsaAdminCert.profile | 39 ++++++++++++++++++++++++++ + base/ca/shared/conf/rsaServerCert.profile | 41 ++++++++++++++++++++++++++++ + base/ca/shared/conf/rsaSubsystemCert.profile | 39 ++++++++++++++++++++++++++ + base/ca/shared/conf/serverCert.profile | 41 ---------------------------- + base/ca/shared/conf/subsystemCert.profile | 39 -------------------------- + base/server/etc/default.cfg | 6 ++-- + 13 files changed, 239 insertions(+), 239 deletions(-) + delete mode 100644 base/ca/shared/conf/ECadminCert.profile + delete mode 100644 base/ca/shared/conf/ECserverCert.profile + delete mode 100644 base/ca/shared/conf/ECsubsystemCert.profile + delete mode 100644 base/ca/shared/conf/adminCert.profile + create mode 100644 base/ca/shared/conf/eccAdminCert.profile + create mode 100644 base/ca/shared/conf/eccServerCert.profile + create mode 100644 base/ca/shared/conf/eccSubsystemCert.profile + create mode 100644 base/ca/shared/conf/rsaAdminCert.profile + create mode 100644 base/ca/shared/conf/rsaServerCert.profile + create mode 100644 base/ca/shared/conf/rsaSubsystemCert.profile + delete mode 100644 base/ca/shared/conf/serverCert.profile + delete mode 100644 base/ca/shared/conf/subsystemCert.profile + +diff --git a/base/ca/shared/conf/ECadminCert.profile b/base/ca/shared/conf/ECadminCert.profile +deleted file mode 100644 +index 
46d157a..0000000
+--- a/base/ca/shared/conf/ECadminCert.profile
++++ /dev/null
+@@ -1,39 +0,0 @@
+-#
+-# Admin Certificate
+-#
+-id=adminCert.profile
+-name=All Purpose admin cert with ECC keys Profile
+-description=This profile creates an administrator's certificate with ECC keys
+-profileIDMapping=caAdminCert
+-profileSetIDMapping=adminCertSet
+-list=2,4,5,6,7
+-2.default.class=com.netscape.cms.profile.def.ValidityDefault
+-2.default.name=Validity Default
+-2.default.params.range=720
+-2.default.params.startTime=0
+-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+-4.default.name=Authority Key Identifier Default
+-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+-5.default.name=AIA Extension Default
+-5.default.params.authInfoAccessADEnable_0=true
+-5.default.params.authInfoAccessADLocationType_0=URIName
+-5.default.params.authInfoAccessADLocation_0=
+-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-5.default.params.authInfoAccessCritical=false
+-5.default.params.authInfoAccessNumADs=1
+-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+-6.default.name=Key Usage Default
+-6.default.params.keyUsageCritical=true
+-6.default.params.keyUsageDigitalSignature=true
+-6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
+-6.default.params.keyUsageKeyEncipherment=false
+-6.default.params.keyUsageKeyAgreement=true
+-6.default.params.keyUsageKeyCertSign=false
+-6.default.params.keyUsageCrlSign=false
+-6.default.params.keyUsageEncipherOnly=false
+-6.default.params.keyUsageDecipherOnly=false
+-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+-7.default.name=Extended Key Usage Extension Default
+-7.default.params.exKeyUsageCritical=false
+-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+diff --git a/base/ca/shared/conf/ECserverCert.profile b/base/ca/shared/conf/ECserverCert.profile
+deleted file mode 100644
+index 8c679f7..0000000
+--- a/base/ca/shared/conf/ECserverCert.profile
++++ /dev/null
+@@ -1,39 +0,0 @@
+-#
+-# ECC Server Certificate
+-#
+-id=serverCert.profile
+-name=All Purpose SSL server cert with ECC keys Profile
+-description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
+-profileIDMapping=caECServerCert
+-profileSetIDMapping=serverCertSet
+-list=2,4,5,6,7
+-2.default.class=com.netscape.cms.profile.def.ValidityDefault
+-2.default.name=Validity Default
+-2.default.params.range=720
+-2.default.params.startTime=0
+-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+-4.default.name=Authority Key Identifier Default
+-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+-5.default.name=AIA Extension Default
+-5.default.params.authInfoAccessADEnable_0=true
+-5.default.params.authInfoAccessADLocationType_0=URIName
+-5.default.params.authInfoAccessADLocation_0=
+-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-5.default.params.authInfoAccessCritical=false
+-5.default.params.authInfoAccessNumADs=1
+-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+-6.default.name=Key Usage Default
+-6.default.params.keyUsageCritical=true
+-6.default.params.keyUsageDigitalSignature=true
+-6.default.params.keyUsageNonRepudiation=false
+-6.default.params.keyUsageDataEncipherment=true
+-6.default.params.keyUsageKeyEncipherment=false
+-6.default.params.keyUsageKeyAgreement=true
+-6.default.params.keyUsageKeyCertSign=false
+-6.default.params.keyUsageCrlSign=false
+-6.default.params.keyUsageEncipherOnly=false
+-6.default.params.keyUsageDecipherOnly=false
+-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+-7.default.name=Extended Key Usage Extension Default
+-7.default.params.exKeyUsageCritical=false
+-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+diff --git a/base/ca/shared/conf/ECsubsystemCert.profile
b/base/ca/shared/conf/ECsubsystemCert.profile
+deleted file mode 100644
+index d11dabb..0000000
+--- a/base/ca/shared/conf/ECsubsystemCert.profile
++++ /dev/null
+@@ -1,39 +0,0 @@
+-#
+-# ECC Subsystem Certificate
+-#
+-id=subsystemCert.profile
+-name=Subsystem cert with ECC keys Profile
+-description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
+-profileIDMapping=caECSubsystemCert
+-profileSetIDMapping=serverCertSet
+-list=2,4,5,6,7
+-2.default.class=com.netscape.cms.profile.def.ValidityDefault
+-2.default.name=Validity Default
+-2.default.params.range=720
+-2.default.params.startTime=0
+-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+-4.default.name=Authority Key Identifier Default
+-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+-5.default.name=AIA Extension Default
+-5.default.params.authInfoAccessADEnable_0=true
+-5.default.params.authInfoAccessADLocationType_0=URIName
+-5.default.params.authInfoAccessADLocation_0=
+-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-5.default.params.authInfoAccessCritical=false
+-5.default.params.authInfoAccessNumADs=1
+-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+-6.default.name=Key Usage Default
+-6.default.params.keyUsageCritical=true
+-6.default.params.keyUsageDigitalSignature=true
+-6.default.params.keyUsageNonRepudiation=false
+-6.default.params.keyUsageDataEncipherment=true
+-6.default.params.keyUsageKeyEncipherment=false
+-6.default.params.keyUsageKeyAgreement=true
+-6.default.params.keyUsageKeyCertSign=false
+-6.default.params.keyUsageCrlSign=false
+-6.default.params.keyUsageEncipherOnly=false
+-6.default.params.keyUsageDecipherOnly=false
+-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+-7.default.name=Extended Key Usage Extension Default
+-7.default.params.exKeyUsageCritical=false
+-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+diff --git
a/base/ca/shared/conf/adminCert.profile b/base/ca/shared/conf/adminCert.profile
+deleted file mode 100644
+index 5e84d74..0000000
+--- a/base/ca/shared/conf/adminCert.profile
++++ /dev/null
+@@ -1,39 +0,0 @@
+-#
+-# Server Certificate
+-#
+-id=adminCert.profile
+-name=All Purpose admin server cert Profile
+-description=This profile creates an administrator's certificate
+-profileIDMapping=caAdminCert
+-profileSetIDMapping=adminCertSet
+-list=2,4,5,6,7
+-2.default.class=com.netscape.cms.profile.def.ValidityDefault
+-2.default.name=Validity Default
+-2.default.params.range=720
+-2.default.params.startTime=0
+-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+-4.default.name=Authority Key Identifier Default
+-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+-5.default.name=AIA Extension Default
+-5.default.params.authInfoAccessADEnable_0=true
+-5.default.params.authInfoAccessADLocationType_0=URIName
+-5.default.params.authInfoAccessADLocation_0=
+-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+-5.default.params.authInfoAccessCritical=false
+-5.default.params.authInfoAccessNumADs=1
+-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+-6.default.name=Key Usage Default
+-6.default.params.keyUsageCritical=true
+-6.default.params.keyUsageDigitalSignature=true
+-6.default.params.keyUsageNonRepudiation=true
+-6.default.params.keyUsageDataEncipherment=true
+-6.default.params.keyUsageKeyEncipherment=true
+-6.default.params.keyUsageKeyAgreement=false
+-6.default.params.keyUsageKeyCertSign=false
+-6.default.params.keyUsageCrlSign=false
+-6.default.params.keyUsageEncipherOnly=false
+-6.default.params.keyUsageDecipherOnly=false
+-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+-7.default.name=Extended Key Usage Extension Default
+-7.default.params.exKeyUsageCritical=false
+-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+diff --git
a/base/ca/shared/conf/eccAdminCert.profile b/base/ca/shared/conf/eccAdminCert.profile
+new file mode 100644
+index 0000000..46d157a
+--- /dev/null
++++ b/base/ca/shared/conf/eccAdminCert.profile
+@@ -0,0 +1,39 @@
++#
++# Admin Certificate
++#
++id=adminCert.profile
++name=All Purpose admin cert with ECC keys Profile
++description=This profile creates an administrator's certificate with ECC keys
++profileIDMapping=caAdminCert
++profileSetIDMapping=adminCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=true
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+diff --git
a/base/ca/shared/conf/eccServerCert.profile b/base/ca/shared/conf/eccServerCert.profile
+new file mode 100644
+index 0000000..8c679f7
+--- /dev/null
++++ b/base/ca/shared/conf/eccServerCert.profile
+@@ -0,0 +1,39 @@
++#
++# ECC Server Certificate
++#
++id=serverCert.profile
++name=All Purpose SSL server cert with ECC keys Profile
++description=This profile creates an SSL server certificate with ECC keys that is valid for SSL servers
++profileIDMapping=caECServerCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=false
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
+diff --git a/base/ca/shared/conf/eccSubsystemCert.profile b/base/ca/shared/conf/eccSubsystemCert.profile
+new file mode 100644
+index 0000000..d11dabb
+--- /dev/null
++++ b/base/ca/shared/conf/eccSubsystemCert.profile
+@@ -0,0 +1,39 @@
++#
++# ECC Subsystem Certificate
++#
++id=subsystemCert.profile
++name=Subsystem cert with ECC keys Profile
++description=This profile creates a subsystem certificate with ECC keys that is valid for SSL clients
++profileIDMapping=caECSubsystemCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=false
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=false
++6.default.params.keyUsageKeyAgreement=true
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+diff --git a/base/ca/shared/conf/rsaAdminCert.profile b/base/ca/shared/conf/rsaAdminCert.profile
+new file mode 100644
+index 0000000..5e84d74
+--- /dev/null
++++ b/base/ca/shared/conf/rsaAdminCert.profile
+@@ -0,0 +1,39 @@
++#
++# Server Certificate
++#
++id=adminCert.profile
++name=All Purpose admin server cert Profile
++description=This profile creates an administrator's certificate
++profileIDMapping=caAdminCert
++profileSetIDMapping=adminCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=true
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=true
++6.default.params.keyUsageKeyAgreement=false
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.4
+diff --git a/base/ca/shared/conf/rsaServerCert.profile b/base/ca/shared/conf/rsaServerCert.profile
+new file mode 100644
+index 0000000..e740760
+--- /dev/null
++++ b/base/ca/shared/conf/rsaServerCert.profile
+@@ -0,0 +1,41 @@
++#
++# Server Certificate
++#
++id=serverCert.profile
++name=All Purpose SSL server cert Profile
++description=This profile creates an SSL server certificate that is valid for SSL servers
++profileIDMapping=caServerCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7,8
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=false
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=true
++6.default.params.keyUsageKeyAgreement=false
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false
++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
++7.default.name=Extended Key Usage
Extension Default
++7.default.params.exKeyUsageCritical=false
++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1
++8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault
++8.default.name=Copy Common Name to Subjec Alternative Name Extension
+diff --git a/base/ca/shared/conf/rsaSubsystemCert.profile b/base/ca/shared/conf/rsaSubsystemCert.profile
+new file mode 100644
+index 0000000..fa8f84e
+--- /dev/null
++++ b/base/ca/shared/conf/rsaSubsystemCert.profile
+@@ -0,0 +1,39 @@
++#
++# Subsystem Certificate
++#
++id=subsystemCert.profile
++name=All Purpose SSL server cert Profile
++description=This profile creates a subsystem certificate that is valid for SSL client
++profileIDMapping=caSubsystemCert
++profileSetIDMapping=serverCertSet
++list=2,4,5,6,7
++2.default.class=com.netscape.cms.profile.def.ValidityDefault
++2.default.name=Validity Default
++2.default.params.range=720
++2.default.params.startTime=0
++4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
++4.default.name=Authority Key Identifier Default
++5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
++5.default.name=AIA Extension Default
++5.default.params.authInfoAccessADEnable_0=true
++5.default.params.authInfoAccessADLocationType_0=URIName
++5.default.params.authInfoAccessADLocation_0=
++5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
++5.default.params.authInfoAccessCritical=false
++5.default.params.authInfoAccessNumADs=1
++6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
++6.default.name=Key Usage Default
++6.default.params.keyUsageCritical=true
++6.default.params.keyUsageDigitalSignature=true
++6.default.params.keyUsageNonRepudiation=true
++6.default.params.keyUsageDataEncipherment=true
++6.default.params.keyUsageKeyEncipherment=true
++6.default.params.keyUsageKeyAgreement=false
++6.default.params.keyUsageKeyCertSign=false
++6.default.params.keyUsageCrlSign=false
++6.default.params.keyUsageEncipherOnly=false
++6.default.params.keyUsageDecipherOnly=false ++7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault ++7.default.name=Extended Key Usage Extension Default ++7.default.params.exKeyUsageCritical=false ++7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +diff --git a/base/ca/shared/conf/serverCert.profile b/base/ca/shared/conf/serverCert.profile +deleted file mode 100644 +index e740760..0000000 +--- a/base/ca/shared/conf/serverCert.profile ++++ /dev/null +@@ -1,41 +0,0 @@ +-# +-# Server Certificate +-# +-id=serverCert.profile +-name=All Purpose SSL server cert Profile +-description=This profile creates an SSL server certificate that is valid for SSL servers +-profileIDMapping=caServerCert +-profileSetIDMapping=serverCertSet +-list=2,4,5,6,7,8 +-2.default.class=com.netscape.cms.profile.def.ValidityDefault +-2.default.name=Validity Default +-2.default.params.range=720 +-2.default.params.startTime=0 +-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +-4.default.name=Authority Key Identifier Default +-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +-5.default.name=AIA Extension Default +-5.default.params.authInfoAccessADEnable_0=true +-5.default.params.authInfoAccessADLocationType_0=URIName +-5.default.params.authInfoAccessADLocation_0= +-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +-5.default.params.authInfoAccessCritical=false +-5.default.params.authInfoAccessNumADs=1 +-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +-6.default.name=Key Usage Default +-6.default.params.keyUsageCritical=true +-6.default.params.keyUsageDigitalSignature=true +-6.default.params.keyUsageNonRepudiation=false +-6.default.params.keyUsageDataEncipherment=true +-6.default.params.keyUsageKeyEncipherment=true +-6.default.params.keyUsageKeyAgreement=false +-6.default.params.keyUsageKeyCertSign=false +-6.default.params.keyUsageCrlSign=false +-6.default.params.keyUsageEncipherOnly=false 
+-6.default.params.keyUsageDecipherOnly=false +-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +-7.default.name=Extended Key Usage Extension Default +-7.default.params.exKeyUsageCritical=false +-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1 +-8.default.class=com.netscape.cms.profile.def.CommonNameToSANDefault +-8.default.name=Copy Common Name to Subjec Alternative Name Extension +diff --git a/base/ca/shared/conf/subsystemCert.profile b/base/ca/shared/conf/subsystemCert.profile +deleted file mode 100644 +index fa8f84e..0000000 +--- a/base/ca/shared/conf/subsystemCert.profile ++++ /dev/null +@@ -1,39 +0,0 @@ +-# +-# Subsystem Certificate +-# +-id=subsystemCert.profile +-name=All Purpose SSL server cert Profile +-description=This profile creates a subsystem certificate that is valid for SSL client +-profileIDMapping=caSubsystemCert +-profileSetIDMapping=serverCertSet +-list=2,4,5,6,7 +-2.default.class=com.netscape.cms.profile.def.ValidityDefault +-2.default.name=Validity Default +-2.default.params.range=720 +-2.default.params.startTime=0 +-4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault +-4.default.name=Authority Key Identifier Default +-5.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault +-5.default.name=AIA Extension Default +-5.default.params.authInfoAccessADEnable_0=true +-5.default.params.authInfoAccessADLocationType_0=URIName +-5.default.params.authInfoAccessADLocation_0= +-5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1 +-5.default.params.authInfoAccessCritical=false +-5.default.params.authInfoAccessNumADs=1 +-6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault +-6.default.name=Key Usage Default +-6.default.params.keyUsageCritical=true +-6.default.params.keyUsageDigitalSignature=true +-6.default.params.keyUsageNonRepudiation=true +-6.default.params.keyUsageDataEncipherment=true +-6.default.params.keyUsageKeyEncipherment=true 
+-6.default.params.keyUsageKeyAgreement=false +-6.default.params.keyUsageKeyCertSign=false +-6.default.params.keyUsageCrlSign=false +-6.default.params.keyUsageEncipherOnly=false +-6.default.params.keyUsageDecipherOnly=false +-7.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault +-7.default.name=Extended Key Usage Extension Default +-7.default.params.exKeyUsageCritical=false +-7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2 +diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg +index e727648..c575e68 100644 +--- a/base/server/etc/default.cfg ++++ b/base/server/etc/default.cfg +@@ -400,12 +400,12 @@ pki_source_flatfile_txt=%(pki_source_conf_path)s/flatfile.txt + pki_source_profiles=/usr/share/pki/ca/profiles + pki_source_proxy_conf=%(pki_source_conf_path)s/proxy.conf + pki_source_registry_cfg=%(pki_source_conf_path)s/registry.cfg +-pki_source_admincert_profile=%(pki_source_conf_path)s/adminCert.profile ++pki_source_admincert_profile=%(pki_source_conf_path)s/%(pki_admin_key_type)sAdminCert.profile + pki_source_caauditsigningcert_profile=%(pki_source_conf_path)s/caAuditSigningCert.profile + pki_source_cacert_profile=%(pki_source_conf_path)s/caCert.profile + pki_source_caocspcert_profile=%(pki_source_conf_path)s/caOCSPCert.profile +-pki_source_servercert_profile=%(pki_source_conf_path)s/serverCert.profile +-pki_source_subsystemcert_profile=%(pki_source_conf_path)s/subsystemCert.profile ++pki_source_servercert_profile=%(pki_source_conf_path)s/%(pki_sslserver_key_type)sServerCert.profile ++pki_source_subsystemcert_profile=%(pki_source_conf_path)s/%(pki_subsystem_key_type)sSubsystemCert.profile + pki_subsystem_emails_path=%(pki_subsystem_path)s/emails + pki_subsystem_profiles_path=%(pki_subsystem_path)s/profiles + +-- +1.8.3.1 + + +From 2a9c2022d39e293269c49d806fa142992bef8abd Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Tue, 12 Jun 2018 11:47:57 -0700 +Subject: [PATCH 7/7] Ticket 2865 X500Name.directoryStringEncodingOrder + 
overridden by CSR encoding + +This patch allows profile to have control over whether to override the subjectDN +encoding in the CSR with the encoding set by the system. + +New parameter in profile: +policyset..<#>.default.params.useSysEncoding=true + +where "true" means to override the subjectdn with the system default order or +the order set by X500Name.directoryStringEncodingOrder in CS.cfg + +by default, without useSysEncoding in profile, it is treated as false. + +fixes https://pagure.io/dogtagpki/issue/2865 + +Change-Id: I41f8f5371f26668909624f056a77ffbf66f0f5e1 +--- + .../cms/profile/def/UserSubjectNameDefault.java | 83 +++++++++++++++++----- + base/server/cmsbundle/src/UserMessages.properties | 1 + + .../netscape/cmscore/cert/X500NameSubsystem.java | 7 +- + 3 files changed, 72 insertions(+), 19 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +index 9064bc1..636b045 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java +@@ -44,9 +44,11 @@ import com.netscape.certsrv.request.IRequest; + public class UserSubjectNameDefault extends EnrollDefault { + + public static final String VAL_NAME = "name"; ++ public static final String CONFIG_USE_SYS_ENCODING = "useSysEncoding"; + + public UserSubjectNameDefault() { + super(); ++ addConfigName(CONFIG_USE_SYS_ENCODING); + addValueName(VAL_NAME); + } + +@@ -55,6 +57,16 @@ public class UserSubjectNameDefault extends EnrollDefault { + super.init(profile, config); + } + ++ public IDescriptor getConfigDescriptor(Locale locale, String name) { ++ if (name.equals(CONFIG_USE_SYS_ENCODING)) { ++ return new Descriptor(IDescriptor.BOOLEAN, null, ++ "false", ++ CMS.getUserMessage(locale, "CMS_PROFILE_CONFIG_USE_SYS_ENCODING")); ++ } else { ++ return null; ++ } ++ } ++ + public 
IDescriptor getValueDescriptor(Locale locale, String name) { + if (name.equals(VAL_NAME)) { + return new Descriptor(IDescriptor.STRING, null, null, +@@ -64,52 +76,79 @@ public class UserSubjectNameDefault extends EnrollDefault { + } + } + +- public void setValue(String name, Locale locale, +- X509CertInfo info, String value) +- throws EPropertyException { +- if (name == null) { +- throw new EPropertyException(CMS.getUserMessage( +- locale, "CMS_INVALID_PROPERTY", name)); +- } +- if (name.equals(VAL_NAME)) { ++ private X500Name getX500Name(X509CertInfo info, String value) { ++ String method = "UserSubjectNameDefault: getX500Name: "; + X500Name x500name = null; ++ /* ++ * useSysEencoding default is false ++ * To change that, add the following in the affected profile: ++ * policyset..<#>.default.params.useSysEncoding=true ++ */ ++ boolean useSysEncoding = getConfigBoolean(CONFIG_USE_SYS_ENCODING); ++ CMS.debug(method + ++ "use system encoding: " + useSysEncoding); + + try { +- x500name = new X500Name(value); ++ if (value != null) ++ x500name = new X500Name(value); + ++ // oldName is what comes with the CSR + CertificateSubjectName oldName = info.getSubjectObj(); + if (oldName != null) { ++ CMS.debug(method + "subjectDN exists in CSR. "); ++ } else { ++ CMS.debug(method + "subjectDN does not exist in CSR. "); ++ } ++ if ((useSysEncoding == false) && (oldName != null)) { + /* If the canonical string representations of + * existing Subject DN and new DN are equal, + * keep the old name so that the attribute + * encodings are preserved. */ + X500Name oldX500name = oldName.getX500Name(); + if (x500name.toString().equals(oldX500name.toString())) { +- CMS.debug( +- "UserSubjectNameDefault: setValue: " ++ CMS.debug( method + + "new Subject DN has same string representation " + + "as current value; retaining current value." 
+ ); + x500name = oldX500name; + } else { +- CMS.debug( +- "UserSubjectNameDefault: setValue: " ++ CMS.debug(method + + "replacing current value `" + oldX500name.toString() + "` " + + "with new value `" + x500name.toString() + "`" + ); + } + } + } catch (IOException e) { +- CMS.debug(e.toString()); ++ CMS.debug(method + e.toString()); + // failed to build x500 name + } +- CMS.debug("UserSubjectNameDefault: setValue name=" + x500name); ++ return x500name; ++ } ++ ++ public void setValue(String name, Locale locale, ++ X509CertInfo info, String value) ++ throws EPropertyException { ++ String method = "UserSubjectNameDefault: setValue: "; ++ if (name == null) { ++ CMS.debug(name + "name null"); ++ throw new EPropertyException(CMS.getUserMessage( ++ locale, "CMS_INVALID_PROPERTY", name)); ++ } ++ CMS.debug(method + "name = " + name); ++ if (value != null) ++ CMS.debug(method + "value = " + value); ++ else ++ CMS.debug(method + "value = null"); ++ ++ if (name.equals(VAL_NAME)) { ++ X500Name x500name = getX500Name(info, value); ++ CMS.debug(method + "setting name=" + x500name); + try { + info.set(X509CertInfo.SUBJECT, + new CertificateSubjectName(x500name)); + } catch (Exception e) { + // failed to insert subject name +- CMS.debug("UserSubjectNameDefault: setValue " + e.toString()); ++ CMS.debug(method + e.toString()); + throw new EPropertyException(CMS.getUserMessage( + locale, "CMS_INVALID_PROPERTY", name)); + } +@@ -155,9 +194,17 @@ public class UserSubjectNameDefault extends EnrollDefault { + throws EProfileException { + // authenticate the subject name and populate it + // to the certinfo ++ CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName( ++ IEnrollProfile.REQUEST_SUBJECT_NAME); + try { +- info.set(X509CertInfo.SUBJECT, request.getExtDataInCertSubjectName( +- IEnrollProfile.REQUEST_SUBJECT_NAME)); ++ info.set(X509CertInfo.SUBJECT, req_sbj); ++ ++ // see if the encoding needs changing ++ X500Name x500name = getX500Name(info, req_sbj.toString()); 
++ if (x500name != null) { ++ info.set(X509CertInfo.SUBJECT, ++ new CertificateSubjectName(x500name)); ++ } + } catch (Exception e) { + // failed to insert subject name + CMS.debug("UserSubjectNameDefault: populate " + e.toString()); +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index 9c324f5..208632d 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -754,6 +754,7 @@ CMS_PROFILE_ENCODING_ERROR=Error in BER encoding + CMS_PROFILE_REVOKE_DUPKEY_CERT=Revoke certificate with duplicate key + CMS_PROFILE_CONFIG_ALLOW_SAME_KEY_RENEWAL=Allow renewal of certification with same keys + CMS_PROFILE_CONFIG_KEY_USAGE_EXTENSION_CHECKING=Allow duplicate subject names with different key usage for agent approved requests ++CMS_PROFILE_CONFIG_USE_SYS_ENCODING=Use subject DN encoding from system-defined order + CMS_PROFILE_INTERNAL_ERROR=Profile internal error: {0} + CMS_PROFILE_DENY_OPERATION=Not authorized to do this operation. + CMS_PROFILE_DELETE_ENABLEPROFILE=Cannot delete enabled profile: {0} +diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java +index 7accf2b..f1b3eb6 100644 +--- a/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java ++++ b/base/server/cmscore/src/com/netscape/cmscore/cert/X500NameSubsystem.java +@@ -185,10 +185,15 @@ public class X500NameSubsystem implements ISubsystem { + */ + private void setDirStrEncodingOrder() + throws EBaseException { ++ String method = "X500NameSubsystem: setDirStrEncodingOrder: "; + String order = mConfig.getString(PROP_DIR_STR_ENCODING_ORDER, null); + +- if (order == null || order.length() == 0) // nothing. ++ if (order == null || order.length() == 0) { // nothing. 
++ CMS.debug(method + "X500Name.directoryStringEncodingOrder not specified in config; Using default order in DirStrConverter.");
+ return;
++ }
++ CMS.debug(method + "X500Name.directoryStringEncodingOrder specified in config: " + order);
++
+ StringTokenizer toker = new StringTokenizer(order, ", \t");
+ int numTokens = toker.countTokens();
+
+--
+1.8.3.1
+
diff --git a/SOURCES/pki-core-10.5.9-beta.patch b/SOURCES/pki-core-10.5.9-beta.patch
new file mode 100644
index 0000000..aef53b2
--- /dev/null
+++ b/SOURCES/pki-core-10.5.9-beta.patch
@@ -0,0 +1,97 @@
+From f5ffc69f79e4e0f4989094561ab0fd5ff5536d14 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Thu, 12 Jul 2018 10:24:33 -0700
+Subject: [PATCH 1/2] Bugzilla 1548203 LDAP password from console update in
+ audit
+
+This patch replace ldap passwords with "(sensitive)" in audit log.
+
+fixes https://bugzilla.redhat.com/show_bug.cgi?id=1548203
+
+Change-Id: I6271ec1da4164f731dd3a61534b0e511097a845a
+(cherry picked from commit cf9c23a842000755d872202777b0a280bda7f1a1)
+---
+ .../server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+index 769e8e4..2b8cec7 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+@@ -991,7 +991,11 @@ public class AdminServlet extends HttpServlet {
+ if (name.equals(Constants.OP_TYPE)) continue;
+ if (name.equals(Constants.RS_ID)) continue;
+
+- String value = req.getParameter(name);
++ String value = null;
++ if (name.equalsIgnoreCase("PASSWORD_CACHE_ADD"))
++ value = "(sensitive)";
++ else
++ value = req.getParameter(name);
+ params.put(name, value);
+ }
+
+--
+1.8.3.1
+
+
+From 46e808e86bb393848cca6434cc06c79a14611fa9 Mon Sep 17 00:00:00 2001
+From: Jack Magne
+Date: Mon, 15 Jan 2018 13:59:33 -0800
+Subject: [PATCH 2/2] Test fix for TPS server side key gen for only identity
+ cert problem.
+
+Change-Id: I15fc1b8a3fa92568aca853f0e89b9e87bbad463d
+(cherry picked from commit c87d7820f7b1af97134197a23543e9fc4be1aa39)
+(cherry picked from commit c1314749b7b3a2a6647aadd6945186833e539da8)
+---
+ .../server/tps/cms/TKSRemoteRequestHandler.java | 26 +++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+index 65d0ed0..8155f90 100644
+--- a/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
++++ b/base/tps/src/org/dogtagpki/server/tps/cms/TKSRemoteRequestHandler.java
+@@ -103,7 +103,8 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+ String tokenType)
+ throws EBaseException {
+
+- CMS.debug("TKSRemoteRequestHandler: computeSessionKey(): begins.");
++ String method = "TKSRemoteRequestHandler: computeSessionKey(): ";
++ CMS.debug(method + " begins.");
+ if (cuid == null || kdd == null || keyInfo == null || card_challenge == null
+ || card_cryptogram == null || host_challenge == null) {
+ throw new EBaseException("TKSRemoteRequestHandler: computeSessionKey(): input parameter null.");
+@@ -111,10 +112,25 @@ public class TKSRemoteRequestHandler extends RemoteRequestHandler
+
+ IConfigStore conf = CMS.getConfigStore();
+
+- boolean serverKeygen =
+- conf.getBoolean("op.enroll." +
+- tokenType + ".keyGen.encryption.serverKeygen.enable",
+- false);
++ boolean serverKeygen = false;
++
++ //Try out all the currently supported cert types to see if we are doing server side keygen here
++ String[] keygenStrings = { "identity", "signing", "encryption", "authentication", "auth"};
++ for (String keygenString : keygenStrings) {
++ boolean enabled = conf.getBoolean("op.enroll." +
++ tokenType + ".keyGen."
+ ++ keygenString + ".serverKeygen.enable", false); ++ ++ CMS.debug(method + " serverkegGen enabled for " + keygenString + " : " + enabled); ++ if (enabled) { ++ serverKeygen = true; ++ break; ++ } ++ } ++ ++ ++ ++ + if (keySet == null) + keySet = conf.getString("tps.connector." + connid + ".keySet", "defKeySet"); + +-- +1.8.3.1 + diff --git a/SOURCES/pki-core-10.5.9-snapshot-1.patch b/SOURCES/pki-core-10.5.9-snapshot-1.patch new file mode 100644 index 0000000..a9b1a3f --- /dev/null +++ b/SOURCES/pki-core-10.5.9-snapshot-1.patch 
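Review bot: The redaction added in the AdminServlet hunk of this patch is keyed to the single exact parameter name `PASSWORD_CACHE_ADD`, so any other request parameter in that loop which carries a credential is still copied verbatim into `params` and on to whatever consumes it (the commit message says the audit log); a name-pattern test is the safer default, e.g. `if (name.toUpperCase(java.util.Locale.ROOT).contains("PASSWORD"))` in place of the `equalsIgnoreCase` check, keeping `"(sensitive)"` as the replacement. The loop this sits in starts and ends outside the hunk, so I cannot see whether a broader redaction already happens elsewhere in `AdminServlet`. In the TKSRemoteRequestHandler hunk the debug message reads `serverkegGen`; `CMS.debug(method + " serverKeygen enabled for " + keygenString + " : " + enabled);` fixes the typo, and the four blank lines left before `if (keySet == null)` can be dropped. A one-line comment above the `keygenStrings` array such as `// one enabled key type is enough: server-side keygen then applies to this computeSessionKey call` would record what the `break` implements, since the commit title only mentions the identity-cert case.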
@@ -0,0 +1,1010 @@ +From 8b462b3a7e8ded71bc5aaf7d6a8b23fdce2d7ece Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Mon, 30 Jul 2018 17:15:09 -0700 +Subject: [PATCH 1/5] Bug 1601071 Certificate generation happens with partial + attributes in CMCRequest file + +This patch addresses the issue where when a cmcSelfSisnged profile is used +in a cmcUserSigned case, the certificate is issued. +A new authToken variable TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT has +been introduced for shared token case so that the TOKEN_AUTHENTICATED_CERT_SUBJECT can be used for user-signed case. +A new constraint CMCSelfSignedSubjectNameConstraint has been introduced +to verify. +In additional, all profiles that authenticate through CMCUserSignedAuth are +turned off by default to allow site administrators to make conscious decision +on their own for these features. +Also, audit event CERT_STATUS_CHANGE_REQUEST_PROCESSED is now enabled by default. + +Change-Id: I275118d31b966494411888beb37032bb022c29ce +(cherry picked from commit 50b881b7ec1d4856d4bfcc182a22bf1c131cd536) +--- + base/ca/shared/conf/CS.cfg | 2 +- + base/ca/shared/conf/registry.cfg | 9 +- + .../profiles/ca/caECFullCMCSelfSignedCert.cfg | 8 +- + .../profiles/ca/caECFullCMCUserSignedCert.cfg | 2 +- + .../shared/profiles/ca/caFullCMCSelfSignedCert.cfg | 8 +- + .../shared/profiles/ca/caFullCMCUserSignedCert.cfg | 2 +- + .../certsrv/authentication/IAuthToken.java | 7 +- + .../com/netscape/cms/authentication/CMCAuth.java | 5 +- + .../cms/authentication/CMCUserSignedAuth.java | 16 ++- + .../netscape/cms/authentication/SharedSecret.java | 4 +- + .../netscape/cms/profile/common/EnrollProfile.java | 18 +++ + .../CMCSelfSignedSubjectNameConstraint.java | 129 +++++++++++++++++++++ + .../profile/def/AuthTokenSubjectNameDefault.java | 2 +- + .../servlet/profile/ProfileSubmitCMCServlet.java | 29 ++++- + base/server/cmsbundle/src/UserMessages.properties | 3 +- + 15 files changed, 216 insertions(+), 28 deletions(-) + create mode 100644 
base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index 1d65835..fcd85a2 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ -909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED + log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure) + log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure) +diff --git a/base/ca/shared/conf/registry.cfg 
b/base/ca/shared/conf/registry.cfg +index 54e4d95..4fe6e93 100644 +--- a/base/ca/shared/conf/registry.cfg ++++ b/base/ca/shared/conf/registry.cfg +@@ -1,5 +1,5 @@ + types=profile,defaultPolicy,constraintPolicy,profileInput,profileOutput,profileUpdater +-constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl ++constraintPolicy.ids=noConstraintImpl,subjectNameConstraintImpl,uniqueSubjectNameConstraintImpl,userSubjectNameConstraintImpl,cmcSelfSignedSubjectNameConstraintImpl,cmcUserSignedSubjectNameConstraintImpl,caValidityConstraintImpl,validityConstraintImpl,keyUsageExtConstraintImpl,nsCertTypeExtConstraintImpl,extendedKeyUsageExtConstraintImpl,keyConstraintImpl,basicConstraintsExtConstraintImpl,extensionConstraintImpl,signingAlgConstraintImpl,uniqueKeyConstraintImpl,renewGracePeriodConstraintImpl,authzRealmConstraintImpl,externalProcessConstraintImpl + constraintPolicy.signingAlgConstraintImpl.class=com.netscape.cms.profile.constraint.SigningAlgConstraint + constraintPolicy.signingAlgConstraintImpl.desc=Signing Algorithm Constraint + constraintPolicy.signingAlgConstraintImpl.name=Signing Algorithm Constraint +@@ -36,9 +36,12 @@ constraintPolicy.uniqueSubjectNameConstraintImpl.name=Unique Subject Name Constr + constraintPolicy.userSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.UserSubjectNameConstraint + constraintPolicy.userSubjectNameConstraintImpl.desc=User Subject Name Constraint + constraintPolicy.userSubjectNameConstraintImpl.name=User Subject Name Constraint 
++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCSelfSignedSubjectNameConstraint ++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.desc=CMC Self-Signed request User Subject Name Constraint ++constraintPolicy.cmcSelfSignedSubjectNameConstraintImpl.name=CMC Self-Signed request User Subject Name Constraint + constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.class=com.netscape.cms.profile.constraint.CMCUserSignedSubjectNameConstraint +-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User Subject Name Constraint +-constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User Subject Name Constraint ++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.desc=CMC User-Signed request User Subject Name Constraint ++constraintPolicy.cmcUserSignedSubjectNameConstraintImpl.name=CMC User-Signed request User Subject Name Constraint + constraintPolicy.validityConstraintImpl.class=com.netscape.cms.profile.constraint.ValidityConstraint + constraintPolicy.validityConstraintImpl.desc=Validity Constraint + constraintPolicy.validityConstraintImpl.name=Validity Constraint +diff --git a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +index 144c05c..48e6499 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCSelfSignedCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates with ECC keys by using the self-signed CMC certificate request +-enable=true ++enable=false + enableBy=admin + name=Self-Signed CMC User Certificate Enrollment + visible=false +@@ -10,10 +10,8 @@ output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet + policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 +-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl +-policyset.cmcUserCertSet.1.constraint.name=Subject Name 
Constraint +-policyset.cmcUserCertSet.1.constraint.params.accept=true +-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* ++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=CMC User-Signed Subject Name Constraint + policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl + policyset.cmcUserCertSet.1.default.name=Subject Name Default + policyset.cmcUserCertSet.1.default.params.name= +diff --git a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +index d2286de..e7b60ee 100644 +--- a/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caECFullCMCUserSignedCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates with EC keys by using the CMC certificate request with non-agent user CMC authentication. +-enable=true ++enable=false + enableBy=admin + name=User-Signed CMC-Authenticated User Certificate Enrollment + visible=false +diff --git a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +index bdcdc24..538b16a 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCSelfSignedCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates by using the self-signed CMC certificate request +-enable=true ++enable=false + enableBy=admin + name=Self-Signed CMC User Certificate Enrollment + visible=false +@@ -10,10 +10,8 @@ output.list=o1 + output.o1.class_id=certOutputImpl + policyset.list=cmcUserCertSet + policyset.cmcUserCertSet.list=1,2,3,4,5,6,7,8 +-policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl +-policyset.cmcUserCertSet.1.constraint.name=Subject Name Constraint +-policyset.cmcUserCertSet.1.constraint.params.pattern=(UID|CN)=.* 
+-policyset.cmcUserCertSet.1.constraint.params.accept=true ++policyset.cmcUserCertSet.1.constraint.class_id=cmcSelfSignedSubjectNameConstraintImpl ++policyset.cmcUserCertSet.1.constraint.name=CMC Self-Signed Subject Name Constraint + policyset.cmcUserCertSet.1.default.class_id=authTokenSubjectNameDefaultImpl + policyset.cmcUserCertSet.1.default.name=Subject Name Default + policyset.cmcUserCertSet.1.default.params.name= +diff --git a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +index 9b5d3e9..b0ff8af 100644 +--- a/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg ++++ b/base/ca/shared/profiles/ca/caFullCMCUserSignedCert.cfg +@@ -1,5 +1,5 @@ + desc=This certificate profile is for enrolling user certificates by using the CMC certificate request with non-agent user CMC authentication. +-enable=true ++enable=false + enableBy=admin + name=User-Signed CMC-Authenticated User Certificate Enrollment + visible=false +diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java +index 59c6af2..d5d03b4 100644 +--- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java ++++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java +@@ -44,9 +44,14 @@ public interface IAuthToken { + public static final String GROUP = "group"; + public static final String GROUPS = "groups"; + +- /* Subject name of the certificate in the authenticating entry */ ++ /* Subject name of the certificate request in the authenticating entry */ + public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; + ++ /* Subject name of the authenticated cert */ ++ public static final String TOKEN_AUTHENTICATED_CERT_SUBJECT = "tokenAuthenticatedCertSubject"; ++ /* Subject DN of the Shared Token authenticated entry */ ++ public static final String TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT = 
"tokenSharedTokenAuthenticatedCertSubject"; ++ + /* NotBefore value of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +index 86ffa2f..9b6a819 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java +@@ -959,8 +959,9 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + + IAuthToken tempToken = agentAuth.authenticate(agentCred); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); +- String ID = tempPrincipal.toString(); ++ String ID = tempPrincipal.getName(); + CMS.debug(method + " Principal name = " + ID); ++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); + + BigInteger agentCertSerial = x509Certs[0].getSerialNumber(); + authToken.set(IAuthManager.CRED_SSL_CLIENT_CERT, agentCertSerial.toString()); +@@ -1047,7 +1048,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo, + public void populate(IAuthToken token, IRequest request) + throws EProfileException { + request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, +- token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); ++ token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT)); + } + + public boolean isSSLClientRequired() { +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index d5f6c34..a9a7ade 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -674,7 +674,6 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + if 
(requestCertSubject.equals("")) { + requestCertSubject = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + } +- + authToken.set(AuthToken.TOKEN_CERT_SUBJECT, ss); + auditContext.put(SessionContext.CMC_REQUEST_CERT_SUBJECT, requestCertSubject); + //authToken.set("uid", uid); +@@ -1160,8 +1159,9 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + IAuthToken tempToken = new AuthToken(null); + netscape.security.x509.X500Name tempPrincipal = (X500Name) x509Certs[0].getSubjectDN(); +- String ID = tempPrincipal.toString(); //tempToken.get("userid"); ++ String ID = tempPrincipal.getName(); //tempToken.get("userid"); + CMS.debug(method + " Principal name = " + ID); ++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ID); + + BigInteger certSerial = x509Certs[0].getSerialNumber(); + CMS.debug(method + " verified cert serial=" + certSerial.toString()); +@@ -1276,8 +1276,16 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + + public void populate(IAuthToken token, IRequest request) + throws EProfileException { +- request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, +- token.getInString(AuthToken.TOKEN_CERT_SUBJECT)); ++ String method = "CMCUserSignedAuth: populate: "; ++ String authenticatedDN = token.getInString(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (authenticatedDN != null) { ++ request.setExtData(IProfileAuthenticator.AUTHENTICATED_NAME, ++ authenticatedDN); ++ CMS.debug(method + "IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is: "+ ++ authenticatedDN); ++ } else { ++ CMS.debug(method + "AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT is null; self-signed?"); ++ } + } + + public boolean isSSLClientRequired() { +diff --git a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +index 5ebc213..2d8679c 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java ++++ 
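Review bot: In the rewritten `populate` (hunk `@@ -1276,8 +1276,16 @@`), when `TOKEN_AUTHENTICATED_CERT_SUBJECT` is absent the method no longer writes `AUTHENTICATED_NAME` at all, whereas the removed lines always overwrote it from `TOKEN_CERT_SUBJECT`; any value already present in the request's ext data therefore survives, and `AuthTokenSubjectNameDefault` later builds an `X500Name` from whatever is there. I cannot tell from this hunk whether the self-signed path deliberately relies on a value set elsewhere, so the else branch deserves a real comment instead of a question mark, e.g. `// self-signed request: no signing cert; subject is supplied through TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT`. The debug text in that branch names `AuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT` while the lookup uses `IAuthToken`; align the two.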
b/base/server/cms/src/com/netscape/cms/authentication/SharedSecret.java +@@ -30,9 +30,9 @@ import org.mozilla.jss.crypto.SymmetricKey; + import org.mozilla.jss.pkix.cmc.PKIData; + + import com.netscape.certsrv.apps.CMS; +-import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.EInvalidCredentials; + import com.netscape.certsrv.authentication.IAuthCredentials; ++import com.netscape.certsrv.authentication.AuthToken; + import com.netscape.certsrv.authentication.IAuthToken; + import com.netscape.certsrv.authentication.ISharedToken; + import com.netscape.certsrv.base.EBaseException; +@@ -296,7 +296,7 @@ public class SharedSecret extends DirBasedAuthentication + } + + CMS.debug(method + "found user ldap entry: userdn = " + userdn); +- authToken.set(AuthToken.TOKEN_CERT_SUBJECT, userdn); ++ authToken.set(IAuthToken.TOKEN_CERT_SUBJECT, userdn); + + res = shrTokLdapConnection.search(userdn, LDAPv2.SCOPE_BASE, + "(objectclass=*)", new String[] { mShrTokAttr }, false); +diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +index 929e629..f9903c6 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +@@ -209,6 +209,14 @@ public abstract class EnrollProfile extends BasicProfile + + // catch for invalid request + cmc_msgs = parseCMC(locale, cert_request, donePOI); ++ SessionContext sessionContext = SessionContext.getContext(); ++ String authenticatedSubject = ++ (String) sessionContext.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ ++ if (authenticatedSubject != null) { ++ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, authenticatedSubject); ++ } ++ + if (cmc_msgs == null) { + CMS.debug(method + "parseCMC returns cmc_msgs null"); + return null; +@@ -1795,6 +1803,16 @@ public abstract class 
EnrollProfile extends BasicProfile + auditSubjectID = ident_string; + sessionContext.put(SessionContext.USER_ID, auditSubjectID); + ++ // subjectdn from SharedSecret ldap auth ++ // set in context and authToken to be used by profile ++ // default and constraints plugins ++ authToken.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); ++ authToken.set(IAuthToken.TOKEN_AUTHENTICATED_CERT_SUBJECT, ++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); ++ sessionContext.put(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ++ authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)); ++ + auditMessage = CMS.getLogMessage( + AuditEvent.CMC_PROOF_OF_IDENTIFICATION, + auditSubjectID, +diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java +new file mode 100644 +index 0000000..d4554ca +--- /dev/null ++++ b/base/server/cms/src/com/netscape/cms/profile/constraint/CMCSelfSignedSubjectNameConstraint.java +@@ -0,0 +1,129 @@ ++// --- BEGIN COPYRIGHT BLOCK --- ++// This program is free software; you can redistribute it and/or modify ++// it under the terms of the GNU General Public License as published by ++// the Free Software Foundation; version 2 of the License. ++// ++// This program is distributed in the hope that it will be useful, ++// but WITHOUT ANY WARRANTY; without even the implied warranty of ++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++// GNU General Public License for more details. ++// ++// You should have received a copy of the GNU General Public License along ++// with this program; if not, write to the Free Software Foundation, Inc., ++// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. ++// ++// (C) 2013 Red Hat, Inc. ++// All rights reserved. 
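Review bot: The three new `set`/`put` calls in the `@@ -1795,6 +1803,16 @@` hunk each re-read `authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT)`; read it once into a local such as `String sharedTokenSubject = authToken.getInString(IAuthToken.TOKEN_CERT_SUBJECT);` and guard the three writes with `if (sharedTokenSubject != null)`, since `SharedSecret` only stores `TOKEN_CERT_SUBJECT` once the LDAP entry is found and a null here would be copied into both the token and the session context. The comment `// subjectdn from SharedSecret ldap auth` would be more useful if it named the consumers this patch introduces (`CMCSelfSignedSubjectNameConstraint` via the request ext data, and `populate` via `TOKEN_AUTHENTICATED_CERT_SUBJECT`). The enclosing method starts and ends outside the hunk.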
++// --- END COPYRIGHT BLOCK --- ++package com.netscape.cms.profile.constraint; ++ ++import java.util.Locale; ++ ++import com.netscape.certsrv.apps.CMS; ++import com.netscape.certsrv.authentication.IAuthToken; ++import com.netscape.certsrv.authentication.IAuthManager; ++import com.netscape.certsrv.base.IConfigStore; ++import com.netscape.certsrv.profile.EProfileException; ++import com.netscape.certsrv.profile.ERejectException; ++import com.netscape.certsrv.profile.IPolicyDefault; ++import com.netscape.certsrv.profile.IProfile; ++import com.netscape.certsrv.property.IDescriptor; ++import com.netscape.certsrv.request.IRequest; ++import com.netscape.cms.profile.common.EnrollProfile; ++import com.netscape.cms.profile.def.AuthTokenSubjectNameDefault; ++ ++import netscape.security.x509.CertificateSubjectName; ++import netscape.security.x509.X500Name; ++import netscape.security.x509.X509CertInfo; ++ ++/** ++ * This class implements the user subject name constraint for self-signed cmc requests. ++ * It makes sure the SharedSecret authenticated subjectDN and the rsulting cert match ++ * ++ * @author cfu ++ * @version $Revision$, $Date$ ++ */ ++public class CMCSelfSignedSubjectNameConstraint extends EnrollConstraint { ++ ++ public CMCSelfSignedSubjectNameConstraint() { ++ } ++ ++ public void init(IProfile profile, IConfigStore config) ++ throws EProfileException { ++ super.init(profile, config); ++ } ++ ++ public IDescriptor getConfigDescriptor(Locale locale, String name) { ++ return null; ++ } ++ ++ public String getDefaultConfig(String name) { ++ return null; ++ } ++ ++ /** ++ * Validates the request. The request is not modified ++ * during the validation. User encoded subject name ++ * is copied into the certificate template. 
++ */ ++ public void validate(IRequest request, X509CertInfo info) ++ throws ERejectException { ++ String method = "CMCSelfSignedSubjectNameConstraint: "; ++ String msg = ""; ++ ++ CertificateSubjectName infoCertSN = null; ++ String authTokenSharedTokenSN = null; ++ ++ try { ++ infoCertSN = (CertificateSubjectName) info.get(X509CertInfo.SUBJECT); ++ if (infoCertSN == null) { ++ msg = method + "infoCertSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ CMS.debug(method + "validate user subject ="+ ++ infoCertSN.toString()); ++ X500Name infoCertName = (X500Name) infoCertSN.get(CertificateSubjectName.DN_NAME); ++ if (infoCertName == null) { ++ msg = method + "infoCertName null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ authTokenSharedTokenSN = request.getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (authTokenSharedTokenSN == null) { ++ msg = method + "authTokenSharedTokenSN null"; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ if (infoCertName.getName().equalsIgnoreCase(authTokenSharedTokenSN)) { ++ CMS.debug(method + "names matched"); ++ } else { ++ msg = method + "names do not match; authTokenSharedTokenSN =" + ++ authTokenSharedTokenSN; ++ CMS.debug(msg); ++ throw new Exception(msg); ++ } ++ ++ } catch (Exception e) { ++ throw new ERejectException( ++ CMS.getUserMessage(getLocale(request), ++ "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e); ++ } ++ } ++ ++ public String getText(Locale locale) { ++ return CMS.getUserMessage(locale, ++ "CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT"); ++ } ++ ++ public boolean isApplicable(IPolicyDefault def) { ++ String method = "CMCSelfSignedSubjectNameConstraint: isApplicable: "; ++ if (def instanceof AuthTokenSubjectNameDefault) { ++ CMS.debug(method + "true"); ++ return true; ++ } ++ CMS.debug(method + "false"); ++ return false; ++ } ++} +diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java 
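Review bot: `validate` builds the rejection reason as `CMS.getUserMessage(..., "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED") + e`, which appends `java.lang.Exception: ` plus the internal diagnostic (method tag and the authenticated DN) to the user-visible text; those strings are already emitted through `CMS.debug`, so the reject only needs the user message, `throw new ERejectException(CMS.getUserMessage(getLocale(request), "CMS_PROFILE_SUBJECT_NAME_NOT_MATCHED"));`. Throwing and catching a bare `Exception` to reach that one line is a roundabout way to express four early rejections; each branch can throw `ERejectException` directly and the try/catch goes away. The match itself is a case-insensitive comparison of two `getName()` strings rather than an `X500Name` comparison, which is conservative (a mismatch rejects) but worth a one-line comment saying so. The class Javadoc has `rsulting` for `resulting`, and the `validate` Javadoc says the subject name is copied into the certificate template, which this method does not do.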
b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java +index e789625..85bf241 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java ++++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthTokenSubjectNameDefault.java +@@ -140,7 +140,7 @@ public class AuthTokenSubjectNameDefault extends EnrollDefault { + X500Name name = new X500Name( + request.getExtDataInString(IProfileAuthenticator.AUTHENTICATED_NAME)); + +- CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.toString()); ++ CMS.debug("AuthTokenSubjectNameDefault: X500Name=" + name.getName()); + info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name)); + } catch (Exception e) { + // failed to insert subject name +diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +index 12fd294..03e94a8 100644 +--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java ++++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +@@ -525,6 +525,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + CMS.debug("ProfileSubmitCMCServlet: null it out"); + ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, ""); + } ++ + String signingCertSerialS = null; + if (authToken != null) { + signingCertSerialS = (String) authToken.get(IAuthManager.CRED_CMC_SIGNING_CERT); +@@ -534,6 +535,14 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + ctx.set(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); + } + ++ String tmpSharedTokenAuthenticatedCertSubject = ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (tmpSharedTokenAuthenticatedCertSubject != null) { ++ // unlikely to happen, but do this just in case ++ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in ctx for 
CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); ++ CMS.debug("ProfileSubmitCMCServlet: null it out"); ++ ctx.set(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); ++ } ++ + String errorCode = null; + String errorReason = null; + String auditRequesterID = ILogger.UNIDENTIFIED; +@@ -731,13 +740,31 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { + + tmpCertSerialS = reqs[k].getExtDataInString(IAuthManager.CRED_CMC_SIGNING_CERT); + if (tmpCertSerialS != null) { +- // unlikely to happenm, but do this just in case ++ // unlikely to happen, but do this just in case + CMS.debug("ProfileSubmitCMCServlet: found existing CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth:" + tmpCertSerialS); + CMS.debug("ProfileSubmitCMCServlet: null it out"); + reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, ""); + } + // put CMCUserSignedAuth authToken in request + if (signingCertSerialS != null) { ++ CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); ++ reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); ++ } ++ ++ tmpSharedTokenAuthenticatedCertSubject = reqs[k].getExtDataInString(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (tmpSharedTokenAuthenticatedCertSubject != null) { ++ // unlikely to happen, but do this just in case ++ CMS.debug("ProfileSubmitCMCServlet: found existing TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in request for CMCUserSignedAuth:" + tmpSharedTokenAuthenticatedCertSubject); ++ CMS.debug("ProfileSubmitCMCServlet: null it out"); ++ reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, ""); ++ } ++ // put Shared Token authToken in request ++ String st_sbj = (String) ctx.get(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT); ++ if (st_sbj != null) { ++ CMS.debug("ProfileSubmitCMCServlet: setting IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT in req for CMCUserSignedAuth"); ++ 
reqs[k].setExtData(IAuthToken.TOKEN_SHARED_TOKEN_AUTHENTICATED_CERT_SUBJECT, st_sbj); ++ } ++ if (tmpSharedTokenAuthenticatedCertSubject != null) { + CMS.debug("ProfileSubmitCMCServlet: setting CRED_CMC_SIGNING_CERT in request for CMCUserSignedAuth"); + reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); + } +diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties +index 208632d..e5e6ecc 100644 +--- a/base/server/cmsbundle/src/UserMessages.properties ++++ b/base/server/cmsbundle/src/UserMessages.properties +@@ -956,7 +956,8 @@ CMS_PROFILE_CONSTRAINT_SIGNING_ALG_TEXT=This constraint accepts only the Signing + CMS_PROFILE_CONSTRAINT_SUBJECT_NAME_TEXT=This constraint accepts the subject name that matches {0} + CMS_PROFILE_CONSTRAINT_UNIQUE_SUBJECT_NAME_TEXT=This constraint accepts unique subject name only + CMS_PROFILE_CONSTRAINT_USER_SUBJECT_NAME_TEXT=This constraint accepts user subject name only +-CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the CMC request siging cert only ++CMS_PROFILE_CONSTRAINT_CMC_USER_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of user-signed CMC request only ++CMS_PROFILE_CONSTRAINT_CMC_SELF_SIGNED_SUBJECT_NAME_TEXT=This constraint accepts user subject name of the self-signed CMC request only + CMS_PROFILE_CONSTRAINT_VALIDITY_TEXT=This constraint rejects the validity that is not between {0} days. + CMS_PROFILE_CONSTRAINT_RENEWAL_GRACE_PERIOD_TEXT=This constraint rejects the renewal requests that are outside of the grace period {0} + CMS_PROFILE_CONSTRAINT_VALIDITY_RENEWAL_TEXT=This constraint rejects the validity that is not between {0} days. If renewal, grace period is {1} days before and {2} days after the expiration date of the original certificate. 
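Review bot: The last block of the `@@ -731,13 +740,31 @@` hunk, `if (tmpSharedTokenAuthenticatedCertSubject != null) { ... reqs[k].setExtData(IAuthManager.CRED_CMC_SIGNING_CERT, signingCertSerialS); }`, looks like a splice leftover: it repeats the `CRED_CMC_SIGNING_CERT` write that the block under `if (signingCertSerialS != null)` above already performs, but keys it on the stale shared-token subject that was just reset to `""`, and when `signingCertSerialS` is null it stores null over the `""` written a few lines earlier. The hunk should end at the closing brace of the `st_sbj` block; the trailing `if`, its two body lines and its brace should be removed. The stale-value guard works only because `tmpSharedTokenAuthenticatedCertSubject` still holds the old request value after the field is blanked, which is easy to misread; a comment on the reset, `// reset stale value; tmp still holds it for logging only`, would help if the variable is kept.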
+-- 
+1.8.3.1
+
+
+From 99101af800addd61f66cdcf6b18c0b26f1e27011 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Wed, 1 Aug 2018 13:35:53 -0700
+Subject: [PATCH 2/5] Bug 1593805 Better understanding of
+ NSS_USE_DECODED_CKA_EC_POINT for ECC
+
+This patch removes the outdated reference to EC environment variable
+NSS_USE_DECODED_CKA_EC_POINT for ECC in the HttpClient command line usage.
+
+More info in the usage are updated as well for correctness and clarity.
+
+Change-Id: I562e2c0cd86f91369f347b38cc660cc3cee585b9
+(cherry picked from commit 6eef4f5cb83cd4b7e2c45ad6a44ba453392ec051)
+---
+ .../src/com/netscape/cmstools/HttpClient.java | 32 ++++++++++++----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+index fcaf210..28934ab 100644
+--- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java
++++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java
+@@ -251,43 +251,47 @@ public class HttpClient {
+ System.out.println("The configuration file should look like as follows:");
+ System.out.println("");
+ System.out.println("#host: host name for the http server");
+- System.out.println("host=host1.a.com");
++ System.out.println("host=host.example.com");
+ System.out.println("");
+ System.out.println("#port: port number");
+- System.out.println("port=1025");
++ System.out.println("port=8443");
+ System.out.println("");
+ System.out.println("#secure: true for secure connection, false for nonsecure connection");
+- System.out.println("#For secure connection, in an ECC setup, must set environment variable 'export NSS_USE_DECODED_CKA_EC_POINT=1' prior to running this command");
+ System.out.println("secure=false");
+ System.out.println("");
+ System.out.println("#input: full path for the enrollment request, the content must be in binary format");
+- System.out.println("input=/u/doc/cmcReqCRMFBin");
++ 
System.out.println("input=~/cmcReqCRMFBin");
+ System.out.println("");
+ System.out.println("#output: full path for the response in binary format");
+- System.out.println("output=/u/doc/cmcResp");
++ System.out.println("#output could be parsed by running CMCResponse");
++ System.out.println("output=~/cmcResp");
+ System.out.println("");
+- System.out.println("#tokenname: name of token where SSL client authentication cert can be found (default is internal)");
++ System.out.println("#dbdir: directory for NSS certificate/key databases");
+ System.out.println("#This parameter will be ignored if secure=false");
+- System.out.println("tokenname=hsmname");
++ System.out.println("dbdir=/.dogtag/nssdb");
+ System.out.println("");
+- System.out.println("#dbdir: directory for cert8.db, key3.db and secmod.db");
++ System.out.println("#password: password for NSS database");
++ System.out.println("#This parameter will be ignored if secure=false and clientmode=false");
++ System.out.println("password=");
++ System.out.println("");
++ System.out.println("#tokenname: name of token where SSL client authentication cert for nickname can be found (default is internal)");
+ System.out.println("#This parameter will be ignored if secure=false");
+- System.out.println("dbdir=/u/smith/.netscape");
++ System.out.println("tokenname=internal");
+ System.out.println("");
+ System.out.println("#clientmode: true for client authentication, false for no client authentication");
+ System.out.println("#This parameter will be ignored if secure=false");
+ System.out.println("clientmode=false");
+ System.out.println("");
+- System.out.println("#password: password for cert8.db");
+- System.out.println("#This parameter will be ignored if secure=false and clientauth=false");
+- System.out.println("password=");
+- System.out.println("");
+ System.out.println("#nickname: nickname for client certificate");
+ System.out.println("#This parameter will be ignored if clientmode=false");
+ 
System.out.println("nickname=");
+ System.out.println("");
+ System.out.println("#servlet: target URL");
+- System.out.println("#This parameter may include query parameters");
++ System.out.println("#This parameter may include query parameters;");
++ System.out.println("# - reminder: profileId should be a profile that matches");
++ System.out.println("# the intended certificate; for certificates intended");
++ System.out.println("# for SSL (client or server), profiles should match");
++ System.out.println("# the key type (RSA or EC) of the keys generated for CSR;");
+ System.out.println("servlet=/ca/ee/ca/profileSubmitCMCFull?profileId=caFullCMCUserCert");
+ System.out.println("");
+ System.exit(0);
+-- 
+1.8.3.1
+
+
+From a285327323d058218684cc671223b5b872bc9afc Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Thu, 2 Aug 2018 09:31:50 -0700
+Subject: [PATCH 3/5] Bug1608375 - CMC Revocations throws exception with same
+ reqIssuer & certissuer
+
+This patch resolves the possible encoding mismatch between the actual CA cert
+and the X500Name gleaned from the CMC revocation request.
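Review bot: The sample `dbdir=/.dogtag/nssdb` points at a directory directly under the filesystem root, while the neighbouring samples in the same usage text use `~/cmcReqCRMFBin` and `~/cmcResp`; `System.out.println("dbdir=~/.dogtag/nssdb");` is almost certainly what was intended. The new `#password` note says the value is ignored `if secure=false and clientmode=false`, which reads as both conditions being required at once; if the database password is in fact only needed for client authentication, `#This parameter will be ignored if clientmode=false` states that unambiguously, and if secure connections without client auth also need it the text should say that instead.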
+ +Change-Id: I220f5d656a69c90fa02ba38fa21b069ed7d15a9d +(cherry picked from commit 4a085b2ea3ee0f89ef2e49e1c0dbee2e36abd248) +--- + .../cms/authentication/CMCUserSignedAuth.java | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +index a9a7ade..97971dd 100644 +--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java ++++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java +@@ -83,6 +83,7 @@ import com.netscape.certsrv.base.EBaseException; + import com.netscape.certsrv.base.IConfigStore; + import com.netscape.certsrv.base.IExtendedPluginInfo; + import com.netscape.certsrv.base.SessionContext; ++import com.netscape.certsrv.ca.ICertificateAuthority; + import com.netscape.certsrv.logging.ILogger; + import com.netscape.certsrv.logging.event.CMCUserSignedRequestSigVerifyEvent; + import com.netscape.certsrv.profile.EProfileException; +@@ -497,13 +498,27 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo, + // to CMCOutputTemplate so that we can + // have a chance to capture user identification info + if (issuerANY != null) { ++ // get CA signing cert ++ ICertificateAuthority ca = null; ++ ca = (ICertificateAuthority) CMS.getSubsystem("ca"); ++ X500Name caName = ca.getX500Name(); ++ + try { + byte[] issuerBytes = issuerANY.getEncoded(); +- X500Name issuerName = new X500Name(issuerBytes); +- CMS.debug(method + "revRequest issuer name = " + issuerName.toString()); ++ X500Name reqIssuerName = new X500Name(issuerBytes); ++ String reqIssuerNameStr = reqIssuerName.getName(); ++ CMS.debug(method + "revRequest issuer name = " + reqIssuerNameStr); ++ if (reqIssuerNameStr.equalsIgnoreCase(caName.getName())) { ++ // making sure it's identical, even in encoding ++ reqIssuerName = caName; ++ } else { ++ // not this 
CA; will be bumped off later; ++ // make a note in debug anyway ++ CMS.debug(method + "revRequest issuer name doesn't match our CA; will be bumped off later;"); ++ } + // capture issuer principal to be checked against + // cert issuer principal later in CMCOutputTemplate +- auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName); ++ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, reqIssuerName); + } catch (Exception e) { + CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString()); + } +-- +1.8.3.1 + + +From 9f3c6d13991cdafc748ded223a85b121ce2389b5 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Wed, 8 Aug 2018 18:41:52 -0700 +Subject: [PATCH 4/5] Ticket #3041 Enable all config audit events + +This patch enables the audit events concerning role actions (mostly config) +by default. + +Two additional minor issues are also addressed: +1. keyType typos in the two profiles: caDirUserCert and caECDirUserCert + (bugzilla #1610718) +2. removing unrecommended signing algorithms + +fixes: https://pagure.io/dogtagpki/issue/3041 +Change-Id: I795e8437e66b59f343044eb8a974b2dd0b95ad6d +(cherry picked from commit 5e9876da3fa7c1587b96e983f36ee2830398c099) +--- + base/ca/shared/conf/CS.cfg | 2 +- + base/ca/shared/profiles/ca/caDirUserCert.cfg | 2 +- + base/ca/shared/profiles/ca/caECDirUserCert.cfg | 2 +- + base/kra/shared/conf/CS.cfg | 2 +- + base/ocsp/shared/conf/CS.cfg | 2 +- + .../netscape/cms/profile/common/ServerCertCAEnrollProfile.java | 2 +- + .../com/netscape/cms/profile/common/UserCertCAEnrollProfile.java | 2 +- + base/server/cmsbundle/src/LogMessages.properties | 2 +- + base/tks/shared/conf/CS.cfg | 2 +- + base/tps/shared/conf/CS.cfg | 2 +- + base/util/src/netscape/security/x509/AlgorithmId.java | 8 ++++---- + 11 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg +index fcd85a2..6158d5a 100644 +--- a/base/ca/shared/conf/CS.cfg ++++ b/base/ca/shared/conf/CS.cfg +@@ 
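Review bot: `CMS.getSubsystem("ca")` and `ca.getX500Name()` are evaluated before the `try` that follows, so a missing or not-yet-initialised CA subsystem surfaces as an uncaught `NullPointerException` out of the revocation path instead of reaching the logged `failed getting issuer from RevokeRequest` branch; moving the two lines inside the `try` keeps every failure on the same handled path. `ICertificateAuthority ca = null; ca = (ICertificateAuthority) CMS.getSubsystem("ca");` can be a single declaration. The enclosing method starts and ends outside the hunk.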
-909,7 +909,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+ log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
+ log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
+diff --git a/base/ca/shared/profiles/ca/caDirUserCert.cfg b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+index f12c7ed..0b7f6b7 100644
+--- 
a/base/ca/shared/profiles/ca/caDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=EC
++policyset.userCertSet.3.constraint.params.keyType=RSA
+ policyset.userCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+diff --git a/base/ca/shared/profiles/ca/caECDirUserCert.cfg b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+index 0663b40..b65999e 100644
+--- a/base/ca/shared/profiles/ca/caECDirUserCert.cfg
++++ b/base/ca/shared/profiles/ca/caECDirUserCert.cfg
+@@ -34,7 +34,7 @@ policyset.userCertSet.2.default.params.range=180
+ policyset.userCertSet.2.default.params.startTime=0
+ policyset.userCertSet.3.constraint.class_id=keyConstraintImpl
+ policyset.userCertSet.3.constraint.name=Key Constraint
+-policyset.userCertSet.3.constraint.params.keyType=-
++policyset.userCertSet.3.constraint.params.keyType=EC
+ policyset.userCertSet.3.constraint.params.keyParameters=nistp256,nistp384,nistp521
+ policyset.userCertSet.3.default.class_id=userKeyDefaultImpl
+ policyset.userCertSet.3.default.name=Key Default
+diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
+index f314234..878e5f8 100644
+--- a/base/kra/shared/conf/CS.cfg
++++ b/base/kra/shared/conf/CS.cfg
+@@ -304,7 +304,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+ log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
+ log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+ log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
+diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
+index dc993b0..b412e5e 100644
+--- a/base/ocsp/shared/conf/CS.cfg
++++ b/base/ocsp/shared/conf/CS.cfg
+@@ -220,7 +220,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM
+ 
log.instance.SignedAudit._006=##
+ log.instance.SignedAudit.bufferSize=512
+ log.instance.SignedAudit.enable=true
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
+ log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
+ log.instance.SignedAudit.expirationTime=0
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+index a1a83a4..2dcf9c1 100644
+--- a/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
++++ b/base/server/cms/src/com/netscape/cms/profile/common/ServerCertCAEnrollProfile.java
+@@ -77,7 +77,7 @@ public class ServerCertCAEnrollProfile extends CAEnrollProfile
+ defConfig4
+ .putString(
+ "params.signingAlgsAllowed",
+- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
++ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC");
+
+ IProfilePolicy policy5 =
+ createProfilePolicy("set1", "p5",
+diff --git a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java 
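Review bot: The new default for `params.signingAlgsAllowed` in ServerCertCAEnrollProfile drops `MD5withRSA` and `MD2withRSA` but keeps `SHA1withRSA` and `SHA1withEC` as the first and fifth entries, although the commit text describes the change as removing unrecommended signing algorithms; SHA-1 is deprecated for certificate signatures and a CA-side default that still accepts it undercuts the stated intent. Either drop the two SHA-1 entries as well, or add a comment above the `putString` call such as `// SHA1 retained only for compatibility with existing clients; remove when no longer required` so the retention is a documented decision rather than an oversight. The identical string is changed the same way in the UserCertCAEnrollProfile.java hunk that follows, so both places need the same treatment.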
b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java +index 710a461..9b1eacb 100644 +--- a/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java ++++ b/base/server/cms/src/com/netscape/cms/profile/common/UserCertCAEnrollProfile.java +@@ -79,7 +79,7 @@ public class UserCertCAEnrollProfile extends CAEnrollProfile + defConfig4 + .putString( + "params.signingAlgsAllowed", +- "SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); ++ "SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC"); + + IProfilePolicy policy5 = + createProfilePolicy("set1", "p5", +diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties +index 7963f6f..d534506 100644 +--- a/base/server/cmsbundle/src/LogMessages.properties ++++ b/base/server/cmsbundle/src/LogMessages.properties +@@ -2133,7 +2133,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=:[AuditEvent=AUTH]{0} authenticatio + # and to be approved by an agent + # Op must be "approve" or "disapprove" + # +-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate approval ++LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval + # + # LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION + # - used for proof of possession during certificate enrollment processing +diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg +index d1da996..e9bf03e 100644 +--- a/base/tks/shared/conf/CS.cfg ++++ b/base/tks/shared/conf/CS.cfg +@@ -212,7 +212,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true 
+-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.expirationTime=0 +diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg +index c44bc75..3671100 100644 +--- a/base/tps/shared/conf/CS.cfg ++++ b/base/tps/shared/conf/CS.cfg +@@ -229,7 +229,7 @@ log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUM + log.instance.SignedAudit._006=## + log.instance.SignedAudit.bufferSize=512 + log.instance.SignedAudit.enable=true +-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER ++log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL + log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure) + 
log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure) + log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure) +diff --git a/base/util/src/netscape/security/x509/AlgorithmId.java b/base/util/src/netscape/security/x509/AlgorithmId.java +index ae5975a..012575c 100644 +--- a/base/util/src/netscape/security/x509/AlgorithmId.java ++++ b/base/util/src/netscape/security/x509/AlgorithmId.java +@@ -798,17 +798,17 @@ public class AlgorithmId implements Serializable, DerEncoder { + * Supported signing algorithms for a RSA key. + */ + public static final String[] RSA_SIGNING_ALGORITHMS = new String[] +- { "SHA1withRSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "MD5withRSA", "MD2withRSA" }; ++ { "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA" }; + + public static final String[] EC_SIGNING_ALGORITHMS = new String[] +- { "SHA1withEC", "SHA256withEC", "SHA384withEC", "SHA512withEC" }; ++ { "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; + + /** + * All supported signing algorithms. + */ + public static final String[] ALL_SIGNING_ALGORITHMS = new String[] + { +- "SHA1withRSA", "MD5withRSA", "MD2withRSA", "SHA1withDSA", "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withEC", +- "SHA256withEC", "SHA384withEC", "SHA512withEC" }; ++ "SHA256withRSA", "SHA384withRSA", "SHA512withRSA", "SHA1withRSA", ++ "SHA256withEC", "SHA384withEC", "SHA512withEC", "SHA1withEC" }; + + } +-- +1.8.3.1 + + +From b4ef13f36124aeaadf3e43ae7c0560c38233c78a Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Fri, 10 Aug 2018 14:04:14 -0700 +Subject: [PATCH 5/5] Ticket #2481 ECC keys not supported for signing audit + logs + +This patch addes support for ECC audit log signing key. +All enrollment profiles for audit signing certificate are updated to allow that. 
+ +fixes https://pagure.io/dogtagpki/issue/2481 + +Change-Id: Idedd3cc2ed7655e73ee87ebcd0087ea17fb57f3f +(cherry picked from commit 435ede04d525d8816345271a887753a620795d56) +--- + base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 4 ++-- + base/ca/shared/profiles/ca/caSignedLogCert.cfg | 8 ++++---- + base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 6 +++--- + base/server/cms/src/com/netscape/cms/logging/LogFile.java | 8 +++----- + 5 files changed, 14 insertions(+), 16 deletions(-) + +diff --git a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +index ff4856c..642e67b 100644 +--- a/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg ++++ b/base/ca/shared/profiles/ca/caCMCauditSigningCert.cfg +@@ -29,8 +29,8 @@ policyset.auditSigningCertSet.2.default.params.range=720 + policyset.auditSigningCertSet.2.default.params.startTime=0 + policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl + policyset.auditSigningCertSet.3.constraint.name=Key Constraint +-policyset.auditSigningCertSet.3.constraint.params.keyType=RSA +-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.auditSigningCertSet.3.constraint.params.keyType=- ++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 + policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl + policyset.auditSigningCertSet.3.default.name=Key Default + policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl +diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg +index b850f1c..4acaab7 100644 +--- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg ++++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg +@@ -31,7 +31,7 @@ 
policyset.auditSigningCertSet.2.default.params.startTime=0 + policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl + policyset.auditSigningCertSet.3.constraint.name=Key Constraint + policyset.auditSigningCertSet.3.constraint.params.keyType=- +-policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.auditSigningCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 + policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl + policyset.auditSigningCertSet.3.default.name=Key Default + policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl +@@ -74,7 +74,7 @@ policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false + policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false + policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.auditSigningCertSet.9.constraint.name=No Constraint +-policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl + policyset.auditSigningCertSet.9.default.name=Signing Alg + policyset.auditSigningCertSet.9.default.params.signingAlg=- +diff --git a/base/ca/shared/profiles/ca/caSignedLogCert.cfg b/base/ca/shared/profiles/ca/caSignedLogCert.cfg +index 6fdb8b5..c568572 100644 +--- a/base/ca/shared/profiles/ca/caSignedLogCert.cfg ++++ b/base/ca/shared/profiles/ca/caSignedLogCert.cfg +@@ -3,7 +3,7 @@ visible=true + enable=true + enableBy=admin + auth.class_id= +-name=Manual Log Signing Certificate Enrollment ++name=Manual Audit Log Signing Certificate Enrollment + input.list=i1,i2 
+ input.i1.class_id=certReqInputImpl + input.i2.class_id=submitterInfoInputImpl +@@ -29,8 +29,8 @@ policyset.caLogSigningSet.2.default.params.range=720 + policyset.caLogSigningSet.2.default.params.startTime=0 + policyset.caLogSigningSet.3.constraint.class_id=keyConstraintImpl + policyset.caLogSigningSet.3.constraint.name=Key Constraint +-policyset.caLogSigningSet.3.constraint.params.keyType=RSA +-policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096 ++policyset.caLogSigningSet.3.constraint.params.keyType=- ++policyset.caLogSigningSet.3.constraint.params.keyParameters=1024,2048,3072,4096,nistp256,nistp521 + policyset.caLogSigningSet.3.default.class_id=userKeyDefaultImpl + policyset.caLogSigningSet.3.default.name=Key Default + policyset.caLogSigningSet.4.constraint.class_id=noConstraintImpl +@@ -68,7 +68,7 @@ policyset.caLogSigningSet.8.default.name=Subject Key Identifier Extension Defaul + policyset.caLogSigningSet.8.default.params.critical=false + policyset.caLogSigningSet.9.constraint.class_id=signingAlgConstraintImpl + policyset.caLogSigningSet.9.constraint.name=No Constraint +-policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=MD5withRSA,MD2withRSA,SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC ++policyset.caLogSigningSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withRSA,SHA384withEC,SHA512withEC + policyset.caLogSigningSet.9.default.class_id=signingAlgDefaultImpl + policyset.caLogSigningSet.9.default.name=Signing Alg + policyset.caLogSigningSet.9.default.params.signingAlg=- +diff --git a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java +index 7693ba3..be9c0ed 100644 +--- a/base/java-tools/src/com/netscape/cmstools/AuditVerify.java ++++ b/base/java-tools/src/com/netscape/cmstools/AuditVerify.java +@@ -25,7 
+25,6 @@ import java.io.FilenameFilter; + import java.io.IOException; + import java.security.PublicKey; + import java.security.Signature; +-import java.security.interfaces.DSAPublicKey; + import java.security.interfaces.RSAPublicKey; + import java.util.List; + import java.util.StringTokenizer; +@@ -34,6 +33,7 @@ import java.util.Vector; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.ObjectNotFoundException; + import org.mozilla.jss.crypto.X509Certificate; ++import org.mozilla.jss.pkcs11.PK11ECPublicKey; + + import com.netscape.cmsutil.util.Utils; + +@@ -159,8 +159,8 @@ public class AuditVerify { + String sigAlgorithm = null; + if (pubk instanceof RSAPublicKey) { + sigAlgorithm = "SHA-256/RSA"; +- } else if (pubk instanceof DSAPublicKey) { +- sigAlgorithm = "SHA-256/DSA"; ++ } else if (pubk instanceof PK11ECPublicKey) { ++ sigAlgorithm = "SHA-256/EC"; + } else { + throw new Exception("Unknown signing certificate key type: " + pubk.getAlgorithm()); + } +diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +index 74a8ada..b04f70d 100644 +--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java ++++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java +@@ -41,8 +41,6 @@ import java.security.PrivateKey; + import java.security.Provider; + import java.security.Signature; + import java.security.SignatureException; +-import java.security.interfaces.DSAPrivateKey; +-import java.security.interfaces.RSAPrivateKey; + import java.text.ParseException; + import java.text.SimpleDateFormat; + import java.util.Date; +@@ -611,10 +609,10 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo { + mSigningKey = cm.findPrivKeyByCert(cert); + + String sigAlgorithm; +- if (mSigningKey instanceof RSAPrivateKey) { ++ if (mSigningKey.getAlgorithm().equalsIgnoreCase("RSA")) { + sigAlgorithm = "SHA-256/RSA"; +- } else if (mSigningKey instanceof DSAPrivateKey) { 
+- sigAlgorithm = "SHA-256/DSA";
++ } else if (mSigningKey.getAlgorithm().equalsIgnoreCase("EC")) {
++ sigAlgorithm = "SHA-256/EC";
+ } else {
+ throw new NoSuchAlgorithmException("Unknown private key type");
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/pki-core-nsds5replicaLastInitStatus-format.patch b/SOURCES/pki-core-nsds5replicaLastInitStatus-format.patch
new file mode 100644
index 0000000..9fe713b
--- /dev/null
+++ b/SOURCES/pki-core-nsds5replicaLastInitStatus-format.patch
@@ -0,0 +1,35 @@
+From 151ecf63106425cada104d141a81722570ba2b28 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 2 Aug 2018 10:33:08 +0300
+Subject: [PATCH] ConfigurationUtil: support new format for
+ nsds5replicaLastInitStatus value
+
+pkispawn is reading the attribute nsds5replicaLastInitStatus in
+cn=masterAgreement1-$hostname-pki-tomcat,cn=replica,cn=o\3Dipaca,cn=mapping
+tree,cn=config in order to find the replication status. The new format
+(in 389-ds-base-1.3.7) for this attribute is "Error (0) Total update
+succeeded" but pkispawn is expecting "0 Total update succeeded"
+
+389-ds-base introduced this change with https://pagure.io/389-ds-base/issue/49599
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1596629
+---
+ .../cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+index 576feff56..e443116d7 100644
+--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
++++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+@@ -2025,7 +2025,7 @@ public class ConfigurationUtils {
+ }
+ 
+ String status = replicationStatus(replicadn, masterConn, masterAgreementName);
+- if (!status.startsWith("0 ")) {
++ if (!(status.startsWith("Error (0) ") || status.startsWith("0 "))) {
+ CMS.debug("setupReplication: consumer initialization failed. " + status);
+ throw new IOException("consumer initialization failed. " + status);
+ }
+-- 
+2.14.4
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index adf53aa..c9837a8 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
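Review bot: The new condition in the added ConfigurationUtils hunk accepts two status prefixes but carries no comment saying why, so a later reader may collapse it back to a single format; I would put above the `if` the comment `// 389-ds-base >= 1.3.7 reports "Error (0) Total update succeeded", older releases "0 Total update succeeded"` (the format change is tracked in https://pagure.io/389-ds-base/issue/49599, as the patch description states). Both `startsWith` calls dereference `status` before the debug line, so if `replicationStatus` can return null — not visible in this hunk — a missing status surfaces as a NullPointerException instead of the intended IOException; `if (status == null || !(status.startsWith("Error (0) ") || status.startsWith("0 ")))` would keep the existing error path for that case. The enclosing method `setupReplication` starts and ends outside the hunk.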
@@ -13,7 +13,7 @@ %global package_rhel_packages 1 # Package RHCS-specific RPMS Only %global package_rhcs_packages 0 -%define pki_core_rhel_version 10.5.1 +%define pki_core_rhel_version 10.5.9 %else # 0%{?fedora} # Fedora always packages all RPMS @@ -65,8 +65,8 @@ Name: pki-core %if 0%{?rhel} -Version: 10.5.1 -%define redhat_release 15 +Version: 10.5.9 +%define redhat_release 6 %define redhat_stage 0 #%define default_release %{redhat_release}.%{redhat_stage} %define default_release %{redhat_release} @@ -110,9 +110,9 @@ BuildRequires: nspr-devel BuildRequires: nss-devel >= 3.28.3 %if 0%{?rhel} && 0%{?rhel} <= 7 -BuildRequires: nuxwdog-client-java >= 1.0.3-7 +BuildRequires: nuxwdog-client-java >= 1.0.3-8 %else -BuildRequires: nuxwdog-client-java >= 1.0.3-13 +BuildRequires: nuxwdog-client-java >= 1.0.3-14 %endif BuildRequires: openldap-devel @@ -167,11 +167,10 @@ BuildRequires: policycoreutils-python-utils BuildRequires: python-ldap BuildRequires: junit BuildRequires: jpackage-utils >= 0:1.7.5-10 +BuildRequires: jss >= 4.4.4-3 %if 0%{?rhel} && 0%{?rhel} <= 7 -BuildRequires: jss >= 4.4.0-13 BuildRequires: tomcatjss >= 7.2.1-7 %else -BuildRequires: jss >= 4.4.4-3 BuildRequires: tomcatjss >= 7.2.4-3 %endif BuildRequires: systemd-units 
@@ -208,19 +207,10 @@ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{ Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{release}/%{name}-%{version}%{?prerel}.tar.gz %endif -Patch0: pki-core-10.5.1-alpha.patch -Patch1: pki-core-10.5.1-beta.patch -Patch2: pki-core-10.5.1-snapshot-1.patch -Patch3: pki-core-10.5.1-snapshot-2.patch -Patch4: pki-core-10.5.1-snapshot-3.patch -Patch5: pki-core-10.5.1-snapshot-4.patch -Patch6: pki-core-10.5.1-snapshot-5.patch -Patch7: pki-core-10.5.1-batch-1.0.patch -Patch8: pki-core-10.5.1-batch-1.1.patch -Patch9: pki-core-10.5.1-batch-2.0.patch -Patch10: pki-core-10.5.1-batch-2.1.patch -Patch11: pki-core-10.5.1-batch-3.0.patch -Patch12: pki-core-10.5.1-batch-4.0.patch +Patch0: pki-core-10.5.9-alpha.patch +Patch1: pki-core-10.5.9-beta.patch +Patch2: pki-core-nsds5replicaLastInitStatus-format.patch +Patch3: pki-core-10.5.9-snapshot-1.patch # Obtain version phase number (e. g. - used by "alpha", "beta", etc.) # @@ -320,11 +310,7 @@ Group: System Environment/Libraries Requires: java-1.8.0-openjdk-headless Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: jss >= 4.4.0-13 -%else Requires: jss >= 4.4.4-3 -%endif Requires: nss >= 3.28.3 Provides: symkey = %{version}-%{release} @@ -403,11 +389,7 @@ Requires: slf4j-jdk14 %endif Requires: javassist Requires: jpackage-utils >= 0:1.7.5-10 -%if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: jss >= 4.4.0-13 -%else Requires: jss >= 4.4.4-3 -%endif Requires: ldapjdk >= 4.19-5 Requires: pki-base = %{version}-%{release} @@ -518,9 +500,9 @@ Requires: hostname Requires: net-tools %if 0%{?rhel} && 0%{?rhel} <= 7 -Requires: nuxwdog-client-java >= 1.0.3-7 +Requires: nuxwdog-client-java >= 1.0.3-8 %else -Requires: nuxwdog-client-java >= 1.0.3-13 +Requires: nuxwdog-client-java >= 1.0.3-14 %endif Requires: policycoreutils 
@@ -825,15 +807,6 @@ This package is a part of the PKI Core used by the Certificate System. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 %clean %{__rm} -rf %{buildroot} 
@@ -1372,55 +1345,99 @@ fi %endif # %{with server} %changelog -* Mon Aug 13 2018 Dogtag Team 10.5.1-15 +* Tue Aug 21 2018 Dogtag Team 10.5.9-6 +- Updated nuxwdog dependencies +- ########################################################################## +- # RHEL 7.6: +- ########################################################################## +- Bugzilla Bug #673182 - ECC keys not supported for signing + audit logs (cfu) +- Bugzilla Bug #1593805 - Better understanding of + NSS_USE_DECODED_CKA_EC_POINT for ECC (cfu) +- Bugzilla Bug #1601071 - Certificate generation happens with + partial attributes in CMCRequest file (cfu) +- Bugzilla Bug #1601569 - CC: Enable all config audit events + (cfu) +- Bugzilla Bug #1608375 - CMC Revocations throws exception + with same reqIssuer & certissuer (cfu) - ########################################################################## -- # RHEL 7.5: +- # RHCS 9.4: - ########################################################################## -- Bugzilla Bug #1600905 - pki console configurations that involves ldap - passwords leave the plain text password in signed audit logs - [rhel-7.5.z] (cfu) -- Bugzilla Bug #1611245 - Certificate generation happens with partial - attributes in CMCRequest file [rhel-7.5.z] (cfu) -- Bugzilla Bug #1611250 - Better understanding of - NSS_USE_DECODED_CKA_EC_POINT for ECC [rhel-7.5.z] (cfu) -- Bugzilla Bug #1612880 - CMC Revocations throws exception with - same reqIssuer & certissuer [rhel-7.5.z] (cfu) -- Bugzilla Bug #1614837 - ipa-replica-install --setup-kra broken on - DL0 with latest version [rhel-7.5.z] (abokovoy) -- Bugzilla Bug #1614839 - CC: Enable all config audit events - [rhel-7.5.z] (cfu) -- Bugzilla Bug #1615266 - ECC keys not supported for signing audit - logs [rhel-7.5.z] (cfu) +- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to + # latest upstream 10.5.x (RHCS) (mharmsen) + +* Thu Aug 9 2018 Dogtag Team 10.5.9-5 - 
########################################################################## -- # RHCS 9.3: +- # RHEL 7.6: +- ########################################################################## +- Bugzilla Bug #1596629 - ipa-replica-install --setup-kra broken on DL0 + with latest version (abokovoy) - ########################################################################## -- # Bugzilla Bug #1539933 - keyGen fails when only Identity - # certificate exists. [rhcs-9.3.z] (jmagne) +- # RHCS 9.4: +- ########################################################################## +- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to + # latest upstream 10.5.x (RHCS) (mharmsen) -* Mon Jul 2 2018 Dogtag Team 10.5.1-14 -- Updated "jss" build and runtime requirements (mharmsen) -- Updated "tomcatjss" build and runtime requirements (mharmsen) +* Tue Jul 31 2018 Dogtag Team 10.5.9-4 - ########################################################################## -- # RHEL 7.5: +- # RHEL 7.6: - ########################################################################## -- Bugzilla Bug #1574848 - servlet profileSubmitCMCSimple throws NPE - [rhel-7.5.z] (cfu) -- Bugzilla Bug #1593585 - Need proper default subjectDN for CMC request - authenticated through SharedToken [rhel-7.5.z] (cfu) -- Bugzilla Bug #1594128 - CMC: Audit Events needed for failures in - SharedToken scenario's [rhel-7.5.z] (cfu) -- Bugzilla Bug #1595606 - AuditVerify failure due to line breaks - [rhel-7.5.z] (cfu) -- Bugzilla Bug #1596525 - Address ECC profile overrides [rhel-7.5.z] (cfu) -- Bugzilla Bug #1596551 - X500Name.directoryStringEncodingOrder overridden - by CSR encoding [rhel-7.5.z] (cfu) -- Bugzilla Bug #1553068 - Using a Netmask produces an odd entry in a - certifcate [rhel-7.5.z] (ftweedal) +- Bugzilla Bug #1548203 - pki console configurations that involves ldap + passwords leave the plain text password in signed audit logs (cfu) - ########################################################################## -- # 
RHCS 9.3: +- # RHCS 9.4: - ########################################################################## -- # Bugzilla Bug #1471303 - Rebase redhat-pki, redhat-pki-theme, pki-core, - # and pki-console to 10.5.x in RHCS 9.3 +- # Bugzilla Bug #1494591 - keyGen fails when only Identity + # certificate exists (jmagne) + +* Mon Jul 23 2018 Dogtag Team 10.5.9-3 +- Re-spin alpha builds + +* Thu Jul 5 2018 Dogtag Team 10.5.9-2 +- ########################################################################## +- # RHEL 7.6: +- ########################################################################## +- Bugzilla Bug #1471935 - X500Name.directoryStringEncodingOrder overridden + by CSR encoding (cfu) +- Bugzilla Bug #1538311 - Using a Netmask produces an odd entry in a + certificate (ftweedal) +- Bugzilla Bug #1540440 - CMC: Audit Events needed for failures in + SharedToken scenario's (cfu) +- Bugzilla Bug #1550742 - Address ECC profile overrides (cfu) +- Bugzilla Bug #1562841 - servlet profileSubmitCMCSimple throws NPE (cfu) +- Bugzilla Bug #1572432 - AuditVerify failure due to line breaks (cfu) +- Bugzilla Bug #1592961 - Need proper default subjectDN for CMC request + authenticated through SharedToken (cfu) +- ########################################################################## +- # RHCS 9.4: +- ########################################################################## +- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to + # latest upstream 10.5.x (RHCS) (mharmsen) + +* Mon Jun 11 2018 Dogtag Team 10.5.9-1 +- ########################################################################## +- # RHEL 7.6: +- ########################################################################## +- Bugzilla Bug #1538311 - Using a Netmask produces an odd + entry in a certifcate (ftweedal) +- Bugzilla Bug #1544843 - ExternalCA: Installation failed during + csr generation with ecc (rrelyea, gkapoor) +- Bugzilla Bug #1557569 - Re-base pki-core from 10.5.1 to latest + upstream 10.5.x (RHEL) 
(mharmsen) +- Bugzilla Bug #1580394 - CMC CRMF requests result in + InvalidKeyFormatException when signing algorithm is ECC (cfu) +- Bugzilla Bug #1580527 - CVE-2018-1080 pki-core: Mishandled + ACL configuration in AAclAuthz.java reverses rules that allow + and deny access (ftweedal, cfu) +- Bugzilla Bug #1585866 - CRMFPopClient tool - should allow + option to do no key archival (cfu) +- Bugzilla Bug #1588655 - Cert validation for installation with + external CA cert (edewata) +- ########################################################################## +- # RHCS 9.4: +- ########################################################################## +- # Bugzilla Bug #1557570 - Re-base pki-core from 10.5.1 to + # latest upstream 10.5.x (RHCS) (mharmsen) * Sat Jun 9 2018 Dogtag Team 10.5.1-13.1 - Rebuild due to build system database problem